# LLM Security2

### Threat Modeling for LLMs

* [ ] **Hyper-Personalized Attacks:** Assess how attackers can use generative AI to produce targeted spear phishing and social engineering at scale.
* [ ] **Customer Impersonation Risks:** Evaluate the risk of GenAI-generated content being used to impersonate the organization or its staff toward customers or clients.
* [ ] **Malicious Input Detection:** Define mechanisms to detect and neutralize harmful or malicious inputs to the LLM.
* [ ] **Secure Integration:** Secure the connections between the LLM and other systems, with safeguards at every trust boundary.
* [ ] **Insider Threat Management:** Implement controls against misuse by authorized users, such as over-broad access or data exfiltration through prompts.
* [ ] **Intellectual Property Protection:** Prevent unauthorized access to proprietary model weights, system prompts, and training data.
* [ ] **Automated Content Filtering:** Implement automated methods to prevent generation of harmful or inappropriate content.
* [ ] **Metrics for AI Evaluation:** Define metrics for model performance and for security resilience, such as prompt injection and jailbreak success rates measured during testing.

### Secure Implementation of LLM Solutions

* [ ] **Threat Modeling of LLM Components:** Map trust boundaries in the architecture and identify the risks at each one.
* [ ] **Data Security:** Verify data classification and protection measures, including how sensitive data is handled in prompts, context, and logs.
* [ ] **Access Control:** Apply least privilege to the model's tools and data sources and implement defense in depth.
* [ ] **Training Pipeline Security:** Control training data governance and secure pipelines, models, and algorithms.
* [ ] **Input & Output Security:** Validate inputs and sanitize outputs to prevent harmful data from being processed or generated.
* [ ] **Monitoring & Response:** Ensure automation, logging, and auditing capabilities, with secure storage of audit records.
* [ ] **Testing & Review:** Include application testing, source code review, vulnerability assessments, and red teaming before release.
* [ ] **Supply Chain Security:** Perform third-party audits and code reviews for external providers, models, and dependencies.
* [ ] **Infrastructure Security:** Assess vendor resilience testing frequency, availability, scalability, and performance SLAs.
* [ ] **Incident Response Drills:** Include LLM-specific incidents in tabletop exercises and update playbooks accordingly.

### LLM-Specific Vulnerabilities (OWASP-inspired)

#### Prompt Injection Attacks

* [ ] **Direct Prompt Injection:** Test whether user input can override the system prompt (instruction override, "ignore previous instructions", role-play framing).
* [ ] **Indirect Prompt Injection:** Plant instructions in data sources the LLM consumes (retrieved documents, web pages, emails, tool output) and check whether the model acts on them.
* [ ] **System Instruction Manipulation:** Try to modify or extract the system instructions through user input.
* [ ] **Jailbreaking Attempts:** Test whether content restrictions and safety guidelines can be bypassed.

#### Authorization Bypass

* [ ] **Access Control Testing:** Attempt to access data or perform actions beyond the user's authorized scope.
* [ ] **Unauthorized API Calls:** Test whether the LLM can be tricked into calling tools or APIs the user is not entitled to.
* [ ] **Sensitive Data Extraction:** Check whether sensitive information can be extracted through carefully crafted prompts.
* [ ] **Role-Based Access:** Verify that user roles and permissions are enforced in responses, and that enforcement lives in the orchestrator and backends rather than in prompt instructions.

#### Data Leakage

* [ ] **Training Data Exposure:** Probe for memorized training data through targeted queries.
* [ ] **Sensitive Information Disclosure:** Test whether personal or sensitive information can be extracted from the model or its context.
* [ ] **System Architecture Disclosure:** Check for unintended disclosure of system architecture, system prompts, or backend details in responses and error messages.
* [ ] **Cache Security:** Attempt to retrieve other users' data from response or embedding caches that should be access-controlled.

#### Input Validation and Sanitization

* [ ] **SQL Injection Testing:** Test for SQL injection in LLM-generated database queries; generated SQL must pass through the same validation and least-privilege execution path as user input.
* [ ] **XSS Vulnerability Testing:** Check whether LLM output rendered in a web UI is escaped or sanitized; attempt XSS through crafted model output.
* [ ] **Command Injection Testing:** Check for command injection where LLM-processed input or output reaches a shell or subprocess.
* [ ] **Special Character Handling:** Verify proper handling and escaping of special characters at every sink (SQL, HTML, shell, URLs).
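Added example for the SQL injection item above (not part of the original checklist): a Python gate for text-to-SQL output that combines a static check with SQLite's authorizer callback, so the database itself refuses writes, stacked statements, dangerous functions and reads from tables outside an allowlist. The schema (`orders`, `users`), the allowlists and the sample queries are constructed for this example.

```python
import re
import sqlite3

# Assumed for this example: the only tables and SQL functions a generated query may use.
ALLOWED_TABLES = {"orders", "products"}
ALLOWED_FUNCTIONS = {"count", "sum", "avg", "min", "max", "lower", "upper", "length"}


def check_generated_sql(sql: str) -> str:
    """Static gate applied before the text reaches the database.

    Accepts a single SELECT; rejects stacked statements, comments and
    oversized queries. Returns the cleaned statement or raises ValueError.
    """
    cleaned = sql.strip().rstrip(";").strip()
    if len(cleaned) > 2000:
        raise ValueError("query too long")
    if not re.match(r"select\b", cleaned, re.IGNORECASE):
        raise ValueError("only SELECT statements are allowed")
    if ";" in cleaned:
        raise ValueError("stacked statements are not allowed")
    if "--" in cleaned or "/*" in cleaned:
        raise ValueError("comments are not allowed")
    return cleaned


def _authorizer(action, arg1, arg2, db_name, trigger_or_view):
    """SQLite authorizer callback: runs while the statement is compiled, so every
    table, column, function and write is decided before a single row is read."""
    if action == sqlite3.SQLITE_SELECT:
        return sqlite3.SQLITE_OK
    if action == sqlite3.SQLITE_READ:        # arg1 = table, arg2 = column
        return sqlite3.SQLITE_OK if arg1 in ALLOWED_TABLES else sqlite3.SQLITE_DENY
    if action == sqlite3.SQLITE_FUNCTION:    # arg2 = function name
        return sqlite3.SQLITE_OK if (arg2 or "").lower() in ALLOWED_FUNCTIONS else sqlite3.SQLITE_DENY
    return sqlite3.SQLITE_DENY               # INSERT, UPDATE, DELETE, PRAGMA, ATTACH, DDL, ...


def run_generated_query(conn: sqlite3.Connection, sql: str):
    """Gate, then execute. Returns ("ok", rows) or ("blocked", reason)."""
    try:
        cleaned = check_generated_sql(sql)
    except ValueError as exc:
        return "blocked", f"static check: {exc}"
    try:
        rows = conn.execute(cleaned).fetchall()
    except sqlite3.Error as exc:             # authorizer denials surface as "not authorized"
        return "blocked", f"database: {exc}"
    return "ok", rows


def demo_connection() -> sqlite3.Connection:
    """Constructed sample database: an allowed table and a sensitive one."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE orders(id INTEGER, customer_id INTEGER, product TEXT, total REAL);
        CREATE TABLE users(id INTEGER, email TEXT, password_hash TEXT);
        INSERT INTO orders VALUES (1, 42, 'widget', 9.5), (2, 7, 'gadget', 20.0);
        INSERT INTO users VALUES (42, 'alice@example.com', 'hash-value');
    """)
    conn.set_authorizer(_authorizer)         # installed after setup so the DDL above is not blocked
    return conn


if __name__ == "__main__":
    conn = demo_connection()
    for sql in [
        "SELECT product, total FROM orders WHERE customer_id = 42",  # legitimate text-to-SQL output
        "SELECT email, password_hash FROM users",                    # model steered to a forbidden table
        "SELECT 1; DROP TABLE orders",                               # stacked statement
        "SELECT load_extension('evil.so')",                          # dangerous built-in function
    ]:
        print(sql, "->", run_generated_query(conn, sql))
```

The authorizer limits tables, columns and functions, not rows: per-user isolation still needs a scoped view or a connection bound to the caller, and any value taken from the user belongs in a bound parameter, not in the generated text. On PostgreSQL the equivalent is a read-only role with grants only on the allowed tables plus `statement_timeout`.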

### Vector Database Security

* [ ] **Access Control Verification:** Test access controls on vector database queries.
* [ ] **Document-Level Security:** Attempt to bypass document-level security in vector stores (e.g., by querying without the metadata filter the application normally applies).
* [ ] **Data Leakage in Similarity Searches:** Check whether similarity search returns chunks from documents the caller may not read.
* [ ] **ACL Synchronization:** Verify that ACLs in the vector database are kept in sync with the source systems, including revocations and deletions.
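Added example for the vector database items above (not from the original page): a minimal in-memory vector store in Python that applies the document ACL as a pre-filter, shown beside the two common mistakes (filtering after ranking, and not filtering at all), plus a drift check between the source-of-record ACLs and the copies held in the index. The documents, groups and 3-dimensional embeddings are constructed for the example; a real store would use a metadata filter in the query.

```python
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Chunk:
    doc_id: str
    text: str
    embedding: tuple           # constructed 3-dimensional vectors stand in for real embeddings
    allowed_groups: frozenset  # ACL copied from the source system at index time


def cosine(a, b) -> float:
    dot = sum(x * y for x, y in zip(a, b))
    return dot / (math.sqrt(sum(x * x for x in a)) * math.sqrt(sum(y * y for y in b)))


class VectorStore:
    def __init__(self):
        self.chunks = []

    def add(self, chunk: Chunk) -> None:
        self.chunks.append(chunk)

    def _ranked(self, query, candidates, k):
        ordered = sorted(candidates, key=lambda c: cosine(query, c.embedding), reverse=True)
        return [c.doc_id for c in ordered[:k]]

    def search(self, query, caller_groups: frozenset, k: int = 2) -> list:
        """Correct form: the ACL is applied before ranking, so top-k is computed
        only over chunks the caller may read."""
        visible = [c for c in self.chunks if c.allowed_groups & caller_groups]
        return self._ranked(query, visible, k)

    def search_postfilter(self, query, caller_groups: frozenset, k: int = 2) -> list:
        """Common mistake: rank everything, then drop what the caller may not see.
        Forbidden chunks consume top-k slots, so authorized results go missing, and
        the unfiltered ranking sits in memory for the next bug to leak."""
        top = self._ranked(query, self.chunks, k)
        allowed = {c.doc_id for c in self.chunks if c.allowed_groups & caller_groups}
        return [d for d in top if d in allowed]

    def search_unfiltered(self, query, k: int = 2) -> list:
        """What a missing ACL check returns: other groups' documents."""
        return self._ranked(query, self.chunks, k)


def acl_drift(source_acls: dict, store: VectorStore) -> list:
    """Documents whose permissions in the source of record differ from the indexed copy,
    including documents deleted at the source (no entry) but still present in the index."""
    return sorted(c.doc_id for c in store.chunks if source_acls.get(c.doc_id) != c.allowed_groups)


def demo_store() -> VectorStore:
    store = VectorStore()
    store.add(Chunk("doc-hr",      "Salary bands 2024",  (0.9, 0.1, 0.0), frozenset({"hr"})))
    store.add(Chunk("doc-sales-1", "Q3 pipeline review", (0.8, 0.6, 0.0), frozenset({"sales"})))
    store.add(Chunk("doc-sales-2", "Discount policy",    (0.7, 0.7, 0.0), frozenset({"sales", "finance"})))
    store.add(Chunk("doc-eng",     "Deployment runbook", (0.0, 1.0, 0.0), frozenset({"engineering"})))
    return store


if __name__ == "__main__":
    store = demo_store()
    query, groups = (1.0, 0.0, 0.0), frozenset({"sales"})
    print("pre-filter :", store.search(query, groups))             # ['doc-sales-1', 'doc-sales-2']
    print("post-filter:", store.search_postfilter(query, groups))  # ['doc-sales-1']  (slot lost to doc-hr)
    print("unfiltered :", store.search_unfiltered(query))          # ['doc-hr', 'doc-sales-1']  leak
    # Source of record changed: the HR doc is now also shared with legal; the eng doc was deleted.
    source = {"doc-hr": frozenset({"hr", "legal"}), "doc-sales-1": frozenset({"sales"}),
              "doc-sales-2": frozenset({"sales", "finance"})}
    print("stale ACLs :", acl_drift(source, store))                 # ['doc-eng', 'doc-hr']
```

Run `acl_drift` on a schedule against the source system's permission API; every entry it returns is either a revocation the index has not seen or a deleted document that must be purged from the store.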

### API and External Service Interactions

* [ ] **Unauthorized API Requests:** Test for unauthorized API calls made from LLM-generated requests.
* [ ] **API Parameter Manipulation:** Attempt to manipulate API parameters in model-generated calls to gain elevated privileges.
* [ ] **Confused Deputy Attacks:** Check whether the orchestrator can be made to use its own privileged credentials on behalf of a less-privileged user.
* [ ] **Identity Propagation:** Verify that the calling user's identity is propagated in API calls made by the orchestrator, rather than a shared service identity.
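Added example covering the Authorization Bypass items and the API interaction items above (not from the original page): a Python tool dispatcher that treats the model's proposed tool call as untrusted input. Scopes are checked against the caller, identity-bound arguments such as `customer_id` are filled in by the orchestrator and cannot be overridden by the model, unexpected parameters are rejected, and the backend receives the caller's identity. The tool catalog, principal structure and invoice backend are assumptions for this example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    user_id: str
    scopes: frozenset


# Assumed tool catalog. "params" are the arguments the model may set; "bound" maps an
# argument to a Principal attribute that the orchestrator fills in itself.
TOOLS = {
    "get_invoice":   {"scope": "invoices:read", "params": {"invoice_id"},           "bound": {"customer_id": "user_id"}},
    "send_refund":   {"scope": "refunds:write", "params": {"invoice_id", "amount"}, "bound": {"customer_id": "user_id"}},
    "list_products": {"scope": "catalog:read",  "params": {"category"},             "bound": {}},
}


def authorize_tool_call(principal: Principal, call: dict):
    """Decide whether a model-proposed tool call may run on behalf of `principal`.

    The proposal may name any tool and any argument values, so every decision is
    taken against the caller's identity and scopes, never against what the model
    asserts. Returns (True, resolved_args) or (False, reason).
    """
    spec = TOOLS.get(call.get("tool"))
    if spec is None:
        return False, "unknown tool"
    if spec["scope"] not in principal.scopes:
        return False, f"caller lacks scope {spec['scope']}"
    args = dict(call.get("args") or {})
    unexpected = set(args) - spec["params"] - set(spec["bound"])
    if unexpected:                                  # e.g. admin=true smuggled into the call
        return False, f"unexpected arguments: {sorted(unexpected)}"
    for arg, attr in spec["bound"].items():
        expected = getattr(principal, attr)
        if arg in args and args[arg] != expected:   # the confused-deputy case
            return False, f"{arg} is bound to the caller and cannot be set by the model"
        args[arg] = expected
    return True, args


def dispatch(principal: Principal, call: dict, backends: dict):
    """Run an authorized call, propagating the caller's identity to the backend
    instead of acting under the orchestrator's own service credential."""
    ok, result = authorize_tool_call(principal, call)
    if not ok:
        return "denied", result
    return "ok", backends[call["tool"]](on_behalf_of=principal.user_id, **result)


# Constructed backend: it re-checks ownership rather than trusting the orchestrator blindly.
INVOICES = {"inv-1": {"customer_id": "u-42", "total": 120.0},
            "inv-2": {"customer_id": "u-7", "total": 80.0}}


def get_invoice(*, on_behalf_of, customer_id, invoice_id):
    inv = INVOICES.get(invoice_id)
    if inv is None or inv["customer_id"] != customer_id or customer_id != on_behalf_of:
        return {"error": "not found"}               # same answer for missing and foreign invoices
    return inv


BACKENDS = {"get_invoice": get_invoice}


if __name__ == "__main__":
    alice = Principal("u-42", frozenset({"invoices:read", "catalog:read"}))
    print(dispatch(alice, {"tool": "get_invoice", "args": {"invoice_id": "inv-1"}}, BACKENDS))
    print(dispatch(alice, {"tool": "get_invoice", "args": {"invoice_id": "inv-2", "customer_id": "u-7"}}, BACKENDS))
    print(dispatch(alice, {"tool": "send_refund", "args": {"invoice_id": "inv-1", "amount": 120}}, BACKENDS))
    print(dispatch(alice, {"tool": "get_invoice", "args": {"invoice_id": "inv-1", "admin": True}}, BACKENDS))
```

Two layers matter here: the orchestrator never lets the model choose whose data a tool acts on, and the backend still verifies ownership itself, so a bug in one layer does not become a cross-customer read.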

### LLM-Generated Code Execution

* [ ] **Sandbox Escape Testing:** Test sandbox escape attempts in environments that execute LLM-generated code.
* [ ] **Malicious Code Injection:** Attempt to inject malicious code into the execution path through crafted prompts.
* [ ] **Unauthorized Imports:** Check for unauthorized library imports, system calls, or function calls in generated code.
* [ ] **Resource Limits:** Verify resource usage limits (CPU, memory, disk, network) and execution timeouts.
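Added example for the code execution items above (not from the original page): a Python gate that checks LLM-generated Python against an import and builtin allowlist at the AST level, then runs it in a fresh interpreter with a wall-clock timeout and POSIX rlimits. The allowlist policy is an assumption for the example. It is deliberately not presented as a sandbox: CPython cannot be made safe by source filtering, so the child process must still run inside an OS-level isolation boundary (container or microVM with no network and a read-only filesystem); the filter and limits are defense in depth around that boundary.

```python
import ast
import subprocess
import sys

# Assumed policy for this example: modules generated code may import, and names it must never use.
ALLOWED_MODULES = {"math", "statistics", "json", "re", "datetime"}
FORBIDDEN_NAMES = {"eval", "exec", "compile", "open", "__import__", "getattr", "setattr",
                   "delattr", "globals", "locals", "vars", "breakpoint", "input"}


def check_generated_code(code: str):
    """Static allowlist over the AST. Returns (True, "ok") or (False, reason).

    A first gate only: the runner below must still be isolated by the OS.
    """
    try:
        tree = ast.parse(code)
    except SyntaxError as exc:
        return False, f"syntax error: {exc.msg}"
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for alias in node.names:
                if alias.name.split(".")[0] not in ALLOWED_MODULES:
                    return False, f"import of {alias.name} is not allowed"
        elif isinstance(node, ast.ImportFrom):
            if (node.module or "").split(".")[0] not in ALLOWED_MODULES:
                return False, f"import from {node.module} is not allowed"
        elif isinstance(node, ast.Name):
            if node.id in FORBIDDEN_NAMES or node.id.startswith("__"):
                return False, f"use of {node.id} is not allowed"
        elif isinstance(node, ast.Attribute) and node.attr.startswith("__"):
            return False, f"dunder attribute {node.attr} is not allowed"  # blocks __class__.__subclasses__ gadgets
    return True, "ok"


def _apply_limits(cpu_seconds: int, mem_bytes: int):
    """Runs in the child before exec (POSIX only): only ever tightens CPU and address-space limits."""
    import resource

    def tighten(kind, wanted):
        _soft, hard = resource.getrlimit(kind)
        new = wanted if hard == resource.RLIM_INFINITY else min(wanted, hard)
        resource.setrlimit(kind, (new, new))

    tighten(resource.RLIMIT_CPU, cpu_seconds)
    tighten(resource.RLIMIT_AS, mem_bytes)


def run_generated_code(code: str, timeout: float = 2.0, mem_bytes: int = 1024 * 1024 * 1024):
    """Gate, then run in a fresh interpreter with a wall-clock timeout and rlimits.
    Returns (status, detail); status is rejected | ok | error | timeout | killed."""
    ok, reason = check_generated_code(code)
    if not ok:
        return "rejected", reason
    try:
        proc = subprocess.run(
            [sys.executable, "-I", "-S", "-c", code],        # isolated mode, no site-packages
            capture_output=True, text=True, timeout=timeout,
            preexec_fn=lambda: _apply_limits(int(timeout) + 1, mem_bytes),
        )
    except subprocess.TimeoutExpired:
        return "timeout", f"exceeded {timeout}s wall clock"
    except subprocess.SubprocessError as exc:                 # limits could not be applied: fail closed
        return "error", f"could not start confined child: {exc}"
    if proc.returncode < 0:
        return "killed", f"terminated by signal {-proc.returncode}"
    if proc.returncode != 0:
        return "error", proc.stderr[-500:]
    return "ok", proc.stdout


if __name__ == "__main__":
    for snippet in ["import math\nprint(math.sqrt(16.0))",
                    "import os\nos.system('id')",
                    "print(().__class__.__base__.__subclasses__())",
                    "while True:\n    pass"]:
        print(repr(snippet[:40]), "->", run_generated_code(snippet, timeout=1.0))
```

Sandbox escape testing should target the isolation boundary, not this filter: a tester who reaches `os` through an allowed module, or exhausts a resource the rlimits do not cover, has found exactly the gap the container or microVM is there to close.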

### Memory and Context Manipulation

* [ ] **Memory Poisoning:** Attempt to poison the LLM's conversation history or persistent memory so that injected instructions persist across turns or sessions.
* [ ] **Context Leakage:** Test for context leakage between different user sessions.
* [ ] **Context Window Manipulation:** Try to manipulate the context window (e.g., by flooding it to push out system instructions) to gain unauthorized information or behavior.
* [ ] **Sensitive Data Clearing:** Check that sensitive data is cleared from the LLM's working memory and session stores when a session ends.

### Autonomous Agent Vulnerabilities

* [ ] **Unauthorized Actions:** Test for unauthorized actions in multi-agent systems.
* [ ] **Decision-Making Manipulation:** Attempt to manipulate agent decision-making through injected content in tool output or inter-agent messages.
* [ ] **Inter-Agent Data Leakage:** Check for potential data leakage between collaborating agents.
* [ ] **Agent Communication Controls:** Verify proper access controls and authentication in agent-to-agent communications.

### MLOps Pipeline Security

* [ ] **Training Data Poisoning:** Attempt to poison training data used for model fine-tuning.
* [ ] **Model Versioning Security:** Test for unauthorized access to model versioning and deployment systems.
* [ ] **Supply Chain Vulnerabilities:** Check for supply chain vulnerabilities in the ML pipeline, such as unverified model files, datasets, and dependencies.
* [ ] **Training Artifacts Access Control:** Verify proper access controls on training logs and model artifacts.

### Orchestrator Security

* [ ] **Authorization Bypass:** Test for potential bypass of orchestrator-level authorization checks.
* [ ] **Identity Manipulation:** Attempt to manipulate identity information passed by the orchestrator to tools and backends.
* [ ] **Error Handling:** Check for proper handling of errors and edge cases in the orchestration layer (fail closed; no sensitive detail in error messages).
* [ ] **Cache Security:** Verify that any caching in the orchestrator is keyed on the caller's identity and permissions, not on the prompt alone.
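Added example serving the Context Leakage item in the memory section and the Cache Security item above (not from the original page): a Python comparison of a response cache keyed on the prompt alone with one keyed on tenant, caller, an ACL version and the documents that grounded the answer. The tenant, user and document identifiers are constructed for the example.

```python
import hashlib


def naive_cache_key(prompt: str) -> str:
    """The bug: keyed on prompt text only. Two users asking the same question share
    one entry, so an answer grounded in user A's data is served to user B."""
    return hashlib.sha256(prompt.encode()).hexdigest()


def scoped_cache_key(tenant_id: str, user_id: str, acl_version: int, prompt: str, context_doc_ids) -> str:
    """Key includes who asked, under which permission snapshot, and which documents
    grounded the answer. Bumping acl_version after a permission change invalidates
    every answer produced under the old permissions."""
    h = hashlib.sha256()
    for part in (tenant_id, user_id, str(acl_version), prompt, ",".join(sorted(context_doc_ids))):
        h.update(part.encode())
        h.update(b"\x00")       # separator so ("ab","c") and ("a","bc") never collide
    return h.hexdigest()


class ResponseCache:
    def __init__(self):
        self._entries = {}

    def get(self, key: str):
        return self._entries.get(key)

    def put(self, key: str, value: str) -> None:
        self._entries[key] = value


def demo():
    """Alice's grounded answer is cached under both schemes; Bob then asks the same question.
    Returns (what the naive cache serves Bob, what the scoped cache serves Bob)."""
    cache = ResponseCache()
    prompt = "What is my account balance?"
    answer = "Your balance is 1,240.55 (account ending 4242)"
    cache.put(naive_cache_key(prompt), answer)
    cache.put(scoped_cache_key("t1", "alice", 3, prompt, ["acct-alice"]), answer)
    leaked = cache.get(naive_cache_key(prompt))                                       # Bob gets Alice's answer
    isolated = cache.get(scoped_cache_key("t1", "bob", 3, prompt, ["acct-bob"]))      # miss, as it should be
    return leaked, isolated


if __name__ == "__main__":
    print(demo())   # ('Your balance is 1,240.55 (account ending 4242)', None)
```

The same rule applies to embedding caches and to conversation memory: namespace every entry by tenant and principal, and make a permission change produce a new key rather than relying on eviction.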

### Output Validation and Filtering

* [ ] **Harmful Content Filtering:** Test whether malicious or sensitive content can bypass output filters.
* [ ] **Manipulation of Outputs:** Attempt to trick the system into generating harmful or inappropriate responses.
* [ ] **Sensitive Data Filtering:** Check for data leakage through carefully crafted requests that steer the output.
* [ ] **Handling PII:** Verify proper handling of PII and other sensitive information in LLM outputs.
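Added example for the output filtering items above and the XSS item in the input validation section (not from the original page): a Python output guard that redacts e-mail addresses, Luhn-valid card numbers and AWS access key IDs from model output, then HTML-escapes the result before it reaches a chat UI. The sample output string is constructed; the card number and key ID are the standard public test values.

```python
import html
import re

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
AWS_KEY_RE = re.compile(r"\bAKIA[0-9A-Z]{16}\b")     # AWS access key ID format


def luhn_ok(candidate: str) -> bool:
    """Luhn checksum, so order numbers that merely look like cards are left alone."""
    digits = [int(c) for c in candidate if c.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def redact_pii(text: str) -> str:
    """Replace e-mail addresses, Luhn-valid card numbers and AWS key IDs before the
    model output leaves the trust boundary."""
    text = EMAIL_RE.sub("[REDACTED EMAIL]", text)
    text = CARD_RE.sub(lambda m: "[REDACTED CARD]" if luhn_ok(m.group()) else m.group(), text)
    text = AWS_KEY_RE.sub("[REDACTED KEY]", text)
    return text


def render_for_html(text: str) -> str:
    """Model output is data, not markup: escape after redaction so a model that emits
    <script> or an onerror= attribute cannot inject into the chat UI."""
    return html.escape(redact_pii(text), quote=True)


if __name__ == "__main__":
    sample = ("Sure! Contact alice@example.com, card 4111 1111 1111 1111, "
              "key AKIAIOSFODNN7EXAMPLE <img src=x onerror=alert(1)>")
    print(redact_pii(sample))
    print(render_for_html(sample))
```

Pattern-based redaction is the last line, not the control: the test that matters is whether secrets and other users' PII were in the model's context in the first place. If the UI renders Markdown, escape first and run the rendered HTML through a sanitizer with an allowlist of tags, because a Markdown renderer will otherwise turn `[x](javascript:...)` and raw HTML into live markup.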

