Gradient-based Jailbreak Images for Multimodal Fusion Models
Javier Rando, Hannah Korevaar, Erik Brinkman, Ivan Evtimov, Florian Tramèr
TL;DR
This work introduces tokenizer shortcuts to make image inputs differentiable in multimodal fusion models, enabling end-to-end gradient-based jailbreaks. On Chameleon models, the authors obtain jailbreak images that succeed on 72.5% of prompts and show that image-based attacks can be more compute-efficient than text-only attacks, needing roughly a third of the compute while optimizing far more input tokens. The study compares against text-based baselines and assesses robustness under white-box defenses, finding that representation engineering defenses trained only on text can transfer to image inputs, while transfer of the attacks across different models remains challenging. Overall, the paper highlights both the vulnerability of current multimodal fusion systems to gradient-based image attacks and the mixed effectiveness of defenses, and it outlines directions for future work on attack transferability and defense generalization.
Abstract
Augmenting language models with image inputs may enable more effective jailbreak attacks through continuous optimization, unlike text inputs, which require discrete optimization. However, new multimodal fusion models tokenize all input modalities using non-differentiable functions, which hinders straightforward attacks. In this work, we introduce the notion of a tokenizer shortcut that approximates tokenization with a continuous function and enables continuous optimization. We use tokenizer shortcuts to create the first end-to-end gradient image attacks against multimodal fusion models. We evaluate our attacks on Chameleon models and obtain jailbreak images that elicit harmful information for 72.5% of prompts. Jailbreak images outperform text jailbreaks optimized with the same objective and require a 3x lower compute budget to optimize 50x more input tokens. Finally, we find that representation engineering defenses, like Circuit Breakers, trained only on text attacks can effectively transfer to adversarial image inputs.
