Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Jailbreaking GPT-4V via Self-Adversarial Attacks with System Prompts

Yuanwei Wu, Xiang Li, Yixin Liu, Pan Zhou, Lichao Sun

TL;DR

Jailbreaking GPT-4V via Self-Adversarial Attacks with System Prompts investigates system prompt leakage as a vulnerability in GPT-4V APIs and proposes SASP to convert leaked system prompts into jailbreak prompts. The method uses a red-teaming loop with GPT-4V analyzing and enhancing jailbreak prompts, achieving up to 99% ASR with manual improvements, and demonstrates the critical role of system prompts in both enabling jailbreaks and defending against them. The study also explores defense by designing system prompts that recall or constrain safety policies, with varying effectiveness across tasks and languages. The work emphasizes significant security risks of system-prompt leakage and offers concrete directions for hardening multimodal LLMs against API-level jailbreaks.

Abstract

Existing work on jailbreak Multimodal Large Language Models (MLLMs) has focused primarily on adversarial examples in model inputs, with less attention to vulnerabilities, especially in model API. To fill the research gap, we carry out the following work: 1) We discover a system prompt leakage vulnerability in GPT-4V. Through carefully designed dialogue, we successfully extract the internal system prompts of GPT-4V. This finding indicates potential exploitable security risks in MLLMs; 2) Based on the acquired system prompts, we propose a novel MLLM jailbreaking attack method termed SASP (Self-Adversarial Attack via System Prompt). By employing GPT-4 as a red teaming tool against itself, we aim to search for potential jailbreak prompts leveraging stolen system prompts. Furthermore, in pursuit of better performance, we also add human modification based on GPT-4's analysis, which further improves the attack success rate to 98.7\%; 3) We evaluated the effect of modifying system prompts to defend against jailbreaking attacks. Results show that appropriately designed system prompts can significantly reduce jailbreak success rates. Overall, our work provides new insights into enhancing MLLM security, demonstrating the important role of system prompts in jailbreaking. This finding could be leveraged to greatly facilitate jailbreak success rates while also holding the potential for defending against jailbreaks.

Jailbreaking GPT-4V via Self-Adversarial Attacks with System Prompts

TL;DR

Jailbreaking GPT-4V via Self-Adversarial Attacks with System Prompts investigates system prompt leakage as a vulnerability in GPT-4V APIs and proposes SASP to convert leaked system prompts into jailbreak prompts. The method uses a red-teaming loop with GPT-4V analyzing and enhancing jailbreak prompts, achieving up to 99% ASR with manual improvements, and demonstrates the critical role of system prompts in both enabling jailbreaks and defending against them. The study also explores defense by designing system prompts that recall or constrain safety policies, with varying effectiveness across tasks and languages. The work emphasizes significant security risks of system-prompt leakage and offers concrete directions for hardening multimodal LLMs against API-level jailbreaks.

Abstract

Existing work on jailbreak Multimodal Large Language Models (MLLMs) has focused primarily on adversarial examples in model inputs, with less attention to vulnerabilities, especially in model API. To fill the research gap, we carry out the following work: 1) We discover a system prompt leakage vulnerability in GPT-4V. Through carefully designed dialogue, we successfully extract the internal system prompts of GPT-4V. This finding indicates potential exploitable security risks in MLLMs; 2) Based on the acquired system prompts, we propose a novel MLLM jailbreaking attack method termed SASP (Self-Adversarial Attack via System Prompt). By employing GPT-4 as a red teaming tool against itself, we aim to search for potential jailbreak prompts leveraging stolen system prompts. Furthermore, in pursuit of better performance, we also add human modification based on GPT-4's analysis, which further improves the attack success rate to 98.7\%; 3) We evaluated the effect of modifying system prompts to defend against jailbreaking attacks. Results show that appropriately designed system prompts can significantly reduce jailbreak success rates. Overall, our work provides new insights into enhancing MLLM security, demonstrating the important role of system prompts in jailbreaking. This finding could be leveraged to greatly facilitate jailbreak success rates while also holding the potential for defending against jailbreaks.
Paper Structure (18 sections, 3 equations, 3 figures, 3 tables)

This paper contains 18 sections, 3 equations, 3 figures, 3 tables.

Table of Contents

  1. Introduction
  2. Related Work
  3. Text-based adversarial attacks
  4. Prompting via Natural Language Feedback
  5. Methodology
  6. System Prompt Theft
  7. Self-Adversarial Iteration
  8. Jailbreak Prompt Enhancement
  9. System Prompt Facilitated Jailbreak
  10. Experiment Setup
  11. Implementation Details
  12. Main Results
  13. Analytical Experiment
  14. System Prompt Enhanced Defence
  15. Experiment Setting
  16. ...and 3 more sections

Figures (3)

  • Figure 1: A jailbreak prompt induces GPT-4V to identify the real human.
  • Figure 2: The workflow of the self-adversarial method with human collaboration.
  • Figure 3: Examples of prefix injection and refusal suppression.