Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Neural Exec: Learning (and Learning from) Execution Triggers for Prompt Injection Attacks

Dario Pasquini, Martin Strohmeier, Carmela Troncoso

TL;DR

The paper formalizes Neural Exec, an optimization-driven framework that learns execution triggers to enable prompt injection attacks, capable of persisting through multi-stage pre-processing like RAG. It introduces core properties—Inline Invariant Composition (IIC) and Semantic-Oblivious Injection (SOI)—to maintain trigger functionality across guide-texts and pipelines, while proposing a differentiable objective and a Greedy Coordinate Gradient–inspired discrete search to construct universal triggers. Empirical evaluation across multiple open-source LLMs demonstrates Neural Exec triggers outperform handcrafted baselines and maintain high persistence in RAG settings, with notable transferability when bootstrapped with handcrafted priors. The work underscores significant security risks in LLM-enabled applications and motivates defense strategies beyond dictionary-based detection, including robust input sanitation and pattern-aware mitigations for code-like and formatting-tag constructs.

Abstract

We introduce a new family of prompt injection attacks, termed Neural Exec. Unlike known attacks that rely on handcrafted strings (e.g., "Ignore previous instructions and..."), we show that it is possible to conceptualize the creation of execution triggers as a differentiable search problem and use learning-based methods to autonomously generate them. Our results demonstrate that a motivated adversary can forge triggers that are not only drastically more effective than current handcrafted ones but also exhibit inherent flexibility in shape, properties, and functionality. In this direction, we show that an attacker can design and generate Neural Execs capable of persisting through multi-stage preprocessing pipelines, such as in the case of Retrieval-Augmented Generation (RAG)-based applications. More critically, our findings show that attackers can produce triggers that deviate markedly in form and shape from any known attack, sidestepping existing blacklist-based detection and sanitation approaches.

Neural Exec: Learning (and Learning from) Execution Triggers for Prompt Injection Attacks

TL;DR

The paper formalizes Neural Exec, an optimization-driven framework that learns execution triggers to enable prompt injection attacks, capable of persisting through multi-stage pre-processing like RAG. It introduces core properties—Inline Invariant Composition (IIC) and Semantic-Oblivious Injection (SOI)—to maintain trigger functionality across guide-texts and pipelines, while proposing a differentiable objective and a Greedy Coordinate Gradient–inspired discrete search to construct universal triggers. Empirical evaluation across multiple open-source LLMs demonstrates Neural Exec triggers outperform handcrafted baselines and maintain high persistence in RAG settings, with notable transferability when bootstrapped with handcrafted priors. The work underscores significant security risks in LLM-enabled applications and motivates defense strategies beyond dictionary-based detection, including robust input sanitation and pattern-aware mitigations for code-like and formatting-tag constructs.

Abstract

We introduce a new family of prompt injection attacks, termed Neural Exec. Unlike known attacks that rely on handcrafted strings (e.g., "Ignore previous instructions and..."), we show that it is possible to conceptualize the creation of execution triggers as a differentiable search problem and use learning-based methods to autonomously generate them. Our results demonstrate that a motivated adversary can forge triggers that are not only drastically more effective than current handcrafted ones but also exhibit inherent flexibility in shape, properties, and functionality. In this direction, we show that an attacker can design and generate Neural Execs capable of persisting through multi-stage preprocessing pipelines, such as in the case of Retrieval-Augmented Generation (RAG)-based applications. More critically, our findings show that attackers can produce triggers that deviate markedly in form and shape from any known attack, sidestepping existing blacklist-based detection and sanitation approaches.
Paper Structure (68 sections, 6 equations, 23 figures)

This paper contains 68 sections, 6 equations, 23 figures.

Table of Contents

  1. Introduction
  2. Preliminaries and Formalization
  3. Large Language Models and Applications
  4. Notation:
  5. Retrieval Augmented Generation (RAG)
  6. RAG Workflow:
  7. Prompt Injection Attacks
  8. Prompt templates:
  9. Prompt Injection Vulnerability:
  10. Execution Triggers:
  11. Notation:
  12. Related Works
  13. Prompt injection
  14. Jailbreaking
  15. Threat model
  16. ...and 53 more sections

Figures (23)

  • Figure 1: Example of prompt injection via a $20$-token ($15$+$5$) inlineNeuralExec trigger (in bold black) for Mistral-7b mistralm. The injected instruction (the payload) is depicted in red, whereas text in gray represents the guide-text for the attack.
  • Figure 2: Workflow and components of a RAG-based pipeline.
  • Figure 3: Partial prompt template from HuggingChatHuggingChat for enabling question answering tasks on web content. The uppermost frame shows the prompt template. Italic text denote the placeholder where data segments are placed at inference time, whereas text in black denotes instruction segments. The frame below shows an example of possible prompt derived from the template.
  • Figure 4: Inline NeuralExec traversing a RAG-based pipeline: Starting from an adversarially controlled resource, inlining allows the armed payload to not be broken apart and to stick to fragments of the guide-text. The fraction of guide-text in the resulting chunk then permits it to be selected by the embedding model and, ultimately, used as input for the LLM.
  • Figure 5: Four (prior-free) NeuralExec triggers for different target LLMs.
  • ...and 18 more figures