Comment by vidarh
11 hours ago
More generally, the problem is that to prevent this using restrictions in privileges, the privilege assigned must be the intersection of the permissions you'd be willing to give to the sources of any items of data you compose the context from.
You can mitigate that by composing pipelines when/where you can extract information that can be constrained to a safer set.
For your "widget" example, you can't stop a data sheet from lying, but if the document collection is separate per widget, you can stop it from prompt injecting the evaluation of them to e.g. change the evaluation of other widgets by first summarising each data sheet separately into a table of constrained attributes, and then evaluating them against each other.
This is obviously not a panacea - you're absolutely right this is a challenging problem - a lot of the time you may not have a clear delineation of sources etc., but whenever you can decompose a task this way you have a stab at limiting the blast radius of any prompt injection.
No comments yet
Contribute on Hacker News ↗