From da96619ed7d74fbc2832a06834969ce147941040 Mon Sep 17 00:00:00 2001 From: mbrg <11074433+mbrg@users.noreply.github.com> Date: Sun, 29 Sep 2024 12:02:34 +0300 Subject: [PATCH 1/7] sub_technique_of --- schema/technique.schema.json | 10 ++++++++++ tests/object_ref_test.py | 24 +++++++++++++++++++----- 2 files changed, 29 insertions(+), 5 deletions(-) diff --git a/schema/technique.schema.json b/schema/technique.schema.json index b64d22a..0760677 100644 --- a/schema/technique.schema.json +++ b/schema/technique.schema.json @@ -54,6 +54,16 @@ }, "type": "array", "uniqueItems": true + }, + "sub_technique_of": { + "$comment": "If a technique id is provided, it indicates that this technique is a sub technique of the other.", + "$ref": "../schema/common.schema.json#/definitions/object_reference", + "$type": { + "$ref": "../schema/common.schema.json#/definitions/$type", + "enum": [ + "technique" + ] + } } }, "required": [ diff --git a/tests/object_ref_test.py b/tests/object_ref_test.py index 465e27d..8266070 100644 --- a/tests/object_ref_test.py +++ b/tests/object_ref_test.py 
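Review bot: In the added `sub_technique_of` schema, `"$type"` sits beside `"$ref"` as a key of the schema object itself, where it is not a JSON Schema keyword and validators will skip it, so the `enum: ["technique"]` restriction is likely never applied (in draft-07 and earlier, every sibling of `$ref` is ignored as well). If the intent is to reject references to non-technique objects, the constraint has to live under `properties`, for example `"allOf": [{"$ref": "../schema/common.schema.json#/definitions/object_reference"}, {"properties": {"$type": {"enum": ["technique"]}}}]`. The same placement is carried into the `contains` block of PATCH 3/7 and the `items` block of PATCH 5/7. Which draft the schemas target is not visible here, so confirm the behaviour against the validator in use.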
@@ -2,11 +2,25 @@ from test_utils import * +def _validate_referenced_object_id(ref_obj_id): + ref_file_name = ref_obj_id.replace("$gai-", "") + ".json" + assert ( + ref_file_name in OBJECT_FILE_NAMES + ), f"Invalid reference to object id: {ref_obj_id}" + + @pytest.mark.parametrize("json_object_path", OBJECT_FILE_NAMES) @load_json_object_wrapper -def test_reference_is_valid(obj): +def test_object_references(obj): for ref in obj.get("object_references", []): - ref_file_name = ref["$id"].replace("$gai-", "") + ".json" - assert ( - ref_file_name in OBJECT_FILE_NAMES - ), f"Object {obj['$id']} has invalid reference to {ref['$id']}" + _validate_referenced_object_id(ref) + + +@pytest.mark.parametrize( + "json_object_path", + [file_name for file_name in OBJECT_FILE_NAMES if file_name.startswith("technique")], +) +@load_json_object_wrapper +def test_sub_technique_references(obj): + if "sub_technique_of" in obj: + _validate_referenced_object_id(obj["sub_technique_of"]) From b52cd5c0a9be943cbeb183362816e726cbd4554b Mon Sep 17 00:00:00 2001 From: mbrg <11074433+mbrg@users.noreply.github.com> Date: Sun, 29 Sep 2024 12:03:43 +0300 Subject: [PATCH 2/7] fix test refactor --- tests/object_ref_test.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/object_ref_test.py b/tests/object_ref_test.py index 8266070..573945d 100644 --- a/tests/object_ref_test.py +++ b/tests/object_ref_test.py @@ -13,7 +13,7 @@ def _validate_referenced_object_id(ref_obj_id): @load_json_object_wrapper def test_object_references(obj): for ref in obj.get("object_references", []): - _validate_referenced_object_id(ref) + _validate_referenced_object_id(ref["$id"]) @pytest.mark.parametrize( From beb3f2619b0000276e9faa486961e0b36528c316 Mon Sep 17 00:00:00 2001 
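Review bot: `_validate_referenced_object_id` in the PATCH 1/7 hunk strips `$gai-` with `str.replace`, which removes the marker anywhere in the id and never checks that it was present. An id without the prefix, or one carrying it mid-string, therefore passes whenever the resulting name happens to be in `OBJECT_FILE_NAMES`. Consider `assert ref_obj_id.startswith("$gai-")` followed by `ref_file_name = ref_obj_id[len("$gai-"):] + ".json"`. The new assertion message also drops the referencing object's `$id` that the old message printed, and `test_sub_technique_references` only checks that the target file exists; a check that the referenced id starts with `$gai-technique/` would confirm the target is a technique. A one-line docstring on the helper stating what it asserts would help the next reader.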
From: mbrg <11074433+mbrg@users.noreply.github.com> Date: Sun, 29 Sep 2024 12:19:06 +0300 Subject: [PATCH 3/7] support multiple subtechniques per technique --- schema/technique.schema.json | 23 +++++++++++++++-------- tests/object_ref_test.py | 4 ++-- 2 files changed, 17 insertions(+), 10 deletions(-) diff --git a/schema/technique.schema.json b/schema/technique.schema.json index 0760677..ccc230f 100644 --- a/schema/technique.schema.json +++ b/schema/technique.schema.json @@ -56,14 +56,21 @@ "uniqueItems": true }, "sub_technique_of": { - "$comment": "If a technique id is provided, it indicates that this technique is a sub technique of the other.", - "$ref": "../schema/common.schema.json#/definitions/object_reference", - "$type": { - "$ref": "../schema/common.schema.json#/definitions/$type", - "enum": [ - "technique" - ] - } + "$comment": "If a technique ids are provided, it indicates that this technique is a sub technique of the others.", + "contains": { + "$ref": "../schema/common.schema.json#/definitions/object_reference", + "$type": { + "$ref": "../schema/common.schema.json#/definitions/$type", + "enum": [ + "technique" + ] + } + }, + "items": { + "$ref": "../schema/common.schema.json#/definitions/object_reference" + }, + "type": "array", + "uniqueItems": true } }, "required": [ diff --git a/tests/object_ref_test.py b/tests/object_ref_test.py index 573945d..5e21013 100644 --- a/tests/object_ref_test.py +++ b/tests/object_ref_test.py @@ -22,5 +22,5 @@ def test_object_references(obj): ) @load_json_object_wrapper def test_sub_technique_references(obj): - if "sub_technique_of" in obj: - _validate_referenced_object_id(obj["sub_technique_of"]) + for ref in obj.get("sub_technique_of", []): + _validate_referenced_object_id(ref["$id"]) From e7dfd9d939f9a2f8e77916ae0040343e5fb06c8a Mon Sep 17 00:00:00 2001 
From: mbrg <11074433+mbrg@users.noreply.github.com> Date: Sun, 29 Sep 2024 12:19:21 +0300 Subject: [PATCH 4/7] off_target_language --- .vscode/settings.json | 2 ++ entity/dmitry_lozovoy.json | 9 ++++++++ technique/off_target_language.json | 34 ++++++++++++++++++++++++++++++ 3 files changed, 45 insertions(+) create mode 100644 entity/dmitry_lozovoy.json create mode 100644 technique/off_target_language.json diff --git a/.vscode/settings.json b/.vscode/settings.json index fbb9339..fd69d58 100644 --- a/.vscode/settings.json +++ b/.vscode/settings.json @@ -6,10 +6,12 @@ "BHUSA", "Cefalu", "Copirate", + "dmitry", "ishai", "ishay", "jailbreaking", "levelname", + "lozovoy", "malka", "mdbook", "mitigations", diff --git a/entity/dmitry_lozovoy.json b/entity/dmitry_lozovoy.json new file mode 100644 index 0000000..f57c93b --- /dev/null +++ b/entity/dmitry_lozovoy.json @@ -0,0 +1,9 @@ +{ + "$id": "$gai-entity/dmitry_lozovoy", + "$schema": "../schema/entity.schema.json", + "$type": "entity", + "description": "", + "entity_type": "person", + "external_references": [], + "name": "Dmitry Lozovoy" +} diff --git a/technique/off_target_language.json b/technique/off_target_language.json new file mode 100644 index 0000000..0f459ed --- /dev/null +++ b/technique/off_target_language.json 
@@ -0,0 +1,34 @@ +{ + "$id": "$gai-technique/off_target_language", + "$schema": "../schema/technique.schema.json", + "$type": "technique", + "description": "While system instructions are typically written in English, underlying foundational models may understand other languages as well. Using prompt injection techniques in a language other than the other used by the system instructions can effectively bypass their control. Ths method is also effective bypassing a model's inherent trained controls.", + "external_references": [ + { + "href": "https://labs.zenity.io/p/outsmarting-copilot-creating-hyperlinks-copilot-365/", + "source": "Zenity Labs", + "title": "Outsmarting Copilot: Creating Hyperlinks in Copilot 365" + } + ], + "framework_references": [], + "name": "Off-Target Language", + "object_references": [ + { + "$id": "$gai-entity/dmitry_lozovoy", + "$type": "entity", + "description": "Demonstrated by" + } + ], + "sub_technique_of": [ + { + "$id": "$gai-technique/prompt_injection", + "$type": "technique", + "description": "" + }, + { + "$id": "$gai-technique/jailbreaking", + "$type": "technique", + "description": "" + } + ] +} From 3f49d4dd2141a7df1f319c5ed27acd93a728a239 Mon Sep 17 00:00:00 2001 From: mbrg <11074433+mbrg@users.noreply.github.com> Date: Sun, 29 Sep 2024 12:21:35 +0300 Subject: [PATCH 5/7] every item in sub_technique_of should be a technique --- schema/technique.schema.json | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/schema/technique.schema.json b/schema/technique.schema.json index ccc230f..0a61871 100644 --- a/schema/technique.schema.json +++ b/schema/technique.schema.json @@ -57,7 +57,7 @@ }, "sub_technique_of": { "$comment": "If a technique ids are provided, it indicates that this technique is a sub technique of the others.", - "contains": { + "items": { "$ref": "../schema/common.schema.json#/definitions/object_reference", "$type": { "$ref": "../schema/common.schema.json#/definitions/$type", 
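Review bot: The `description` string in the new `technique/off_target_language.json` has wording slips that will reach readers of the knowledge base unchanged: `Ths method` should be `This method`, and `a language other than the other used by the system instructions` reads better as `other than the one used by the system instructions`. The later new file `technique/system_instruction_keywords.json` (PATCH 7/7) has `increase the probably` where `probability` is meant. Since these descriptions are what defenders read to understand the technique, it is worth fixing them before merge.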
@@ -66,9 +66,6 @@ ] } }, - "items": { - "$ref": "../schema/common.schema.json#/definitions/object_reference" - }, "type": "array", "uniqueItems": true } From 5d12f972400449f2734a2e9ed4f58855d5aa4a6d Mon Sep 17 00:00:00 2001 From: mbrg <11074433+mbrg@users.noreply.github.com> Date: Sun, 29 Sep 2024 12:40:27 +0300 Subject: [PATCH 6/7] add sub objects to object_references --- build_scripts/generate_content_as_md.py | 20 ++++++++++++++++++++ schema/common.schema.json | 5 +++++ schema/technique.schema.json | 14 -------------- technique/off_target_language.json | 18 +++++++++--------- tests/object_ref_test.py | 10 ---------- 5 files changed, 34 insertions(+), 33 deletions(-) diff --git a/build_scripts/generate_content_as_md.py b/build_scripts/generate_content_as_md.py index df111e2..655ffe2 100644 --- a/build_scripts/generate_content_as_md.py +++ b/build_scripts/generate_content_as_md.py 
@@ -111,14 +111,34 @@ def load_json_files(base_dir, version): def create_matrix(tactics, techniques): logger.debug("Creating matrix of tactics and techniques") matrix = defaultdict(list) + + # primary techniques for technique in techniques.values(): for ref in technique.get("object_references", []): + if "is_sub_object" in ref: + continue if ref["$type"] == "tactic": matrix[ref["$id"]].append(technique["$id"]) logger.debug( f"Added technique {technique['$id']} to tactic {ref['$id']}" ) + technique_to_tactic = defaultdict(list) + for tactic_id, technique_ids in matrix.items(): + for technique_id in technique_ids: + technique_to_tactic[technique_id].append(tactic_id) + + # sub techniques + for technique in techniques.values(): + for ref in technique.get("object_references", []): + if "is_sub_object" not in ref: + continue + for inherited_tactic_id in technique_to_tactic[ref["$id"]]: + matrix[inherited_tactic_id].append(technique["$id"]) + logger.debug( + f"Added sub-technique {technique['$id']} to tactic {inherited_tactic_id}" + ) + invalid_tactic_ids = set(matrix.keys()) - set(tactics.keys()) if len(invalid_tactic_ids) > 0: raise ValueError(f"Matrix contains invalid tactic $ids: {invalid_tactic_ids}") diff --git a/schema/common.schema.json b/schema/common.schema.json index ce04830..2dc4e9b 100644 --- a/schema/common.schema.json +++ b/schema/common.schema.json @@ -57,6 +57,11 @@ "description": { "$comment": "More details about the relation between these objects.", "type": "string" + }, + "is_sub_object": { + "$comment": "Is this object a sub-object of another. Used for sub-techniques, for example.", + "default": false, + "type": "boolean" } }, "required": [ diff --git a/schema/technique.schema.json b/schema/technique.schema.json index 0a61871..b64d22a 100644 --- a/schema/technique.schema.json +++ b/schema/technique.schema.json 
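Review bot: Both loops in `create_matrix` test `"is_sub_object" in ref`, which is key presence, while the `common.schema.json` hunk of this patch declares the field as a boolean with `default: false`. A reference written with `"is_sub_object": false` would be treated as a sub-object and, if it is a tactic reference, dropped from the matrix. A sub-technique that names several parents is also appended once per parent, so it appears twice under any tactic the parents share. A parent that is itself only a sub-technique contributes no tactic, because `technique_to_tactic` is built before the second loop runs. The sketch below reads the flag's value, skips duplicates and avoids inserting empty keys into the `defaultdict`; the first loop's guard would become `if ref.get("is_sub_object", False): continue`. `create_matrix` continues past the end of the hunk.

```python
    # … unchanged: primary-technique loop (guard changed as quoted in the note) …
    # … unchanged: technique_to_tactic construction …

    # sub techniques
    for technique in techniques.values():
        for ref in technique.get("object_references", []):
            if not ref.get("is_sub_object", False):
                continue
            for inherited_tactic_id in technique_to_tactic.get(ref["$id"], []):
                if technique["$id"] in matrix[inherited_tactic_id]:
                    # parents that share a tactic must not list the child twice
                    continue
                matrix[inherited_tactic_id].append(technique["$id"])
                logger.debug(
                    f"Added sub-technique {technique['$id']} to tactic {inherited_tactic_id}"
                )
    # … unchanged: invalid_tactic_ids check …
```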
@@ -54,20 +54,6 @@ }, "type": "array", "uniqueItems": true - }, - "sub_technique_of": { - "$comment": "If a technique ids are provided, it indicates that this technique is a sub technique of the others.", - "items": { - "$ref": "../schema/common.schema.json#/definitions/object_reference", - "$type": { - "$ref": "../schema/common.schema.json#/definitions/$type", - "enum": [ - "technique" - ] - } - }, - "type": "array", - "uniqueItems": true } }, "required": [ diff --git a/technique/off_target_language.json b/technique/off_target_language.json index 0f459ed..89a8768 100644 --- a/technique/off_target_language.json +++ b/technique/off_target_language.json @@ -13,22 +13,22 @@ "framework_references": [], "name": "Off-Target Language", "object_references": [ - { - "$id": "$gai-entity/dmitry_lozovoy", - "$type": "entity", - "description": "Demonstrated by" - } - ], - "sub_technique_of": [ { "$id": "$gai-technique/prompt_injection", "$type": "technique", - "description": "" + "description": "Sub-technique of", + "is_sub_object": true }, { "$id": "$gai-technique/jailbreaking", "$type": "technique", - "description": "" + "description": "Sub-technique of", + "is_sub_object": true + }, + { + "$id": "$gai-entity/dmitry_lozovoy", + "$type": "entity", + "description": "Demonstrated by" } ] } diff --git a/tests/object_ref_test.py b/tests/object_ref_test.py index 5e21013..ce3d42d 100644 --- a/tests/object_ref_test.py +++ b/tests/object_ref_test.py @@ -14,13 +14,3 @@ def _validate_referenced_object_id(ref_obj_id): def test_object_references(obj): for ref in obj.get("object_references", []): _validate_referenced_object_id(ref["$id"]) - - -@pytest.mark.parametrize( - "json_object_path", - [file_name for file_name in OBJECT_FILE_NAMES if file_name.startswith("technique")], -) -@load_json_object_wrapper -def test_sub_technique_references(obj): - for ref in obj.get("sub_technique_of", []): - _validate_referenced_object_id(ref["$id"]) 
From a28d814958e5d419bb3265cc8007f08e64eb1154 Mon Sep 17 00:00:00 2001 From: mbrg <11074433+mbrg@users.noreply.github.com> Date: Sun, 29 Sep 2024 12:46:52 +0300 Subject: [PATCH 7/7] system_instruction_keywords --- .vscode/settings.json | 1 + technique/system_instruction_keywords.json | 38 ++++++++++++++++++++++ 2 files changed, 39 insertions(+) create mode 100644 technique/system_instruction_keywords.json diff --git a/.vscode/settings.json b/.vscode/settings.json index fd69d58..ef1c7f1 100644 --- a/.vscode/settings.json +++ b/.vscode/settings.json @@ -13,6 +13,7 @@ "levelname", "lozovoy", "malka", + "mbgsec", "mdbook", "mitigations", "OWASP", diff --git a/technique/system_instruction_keywords.json b/technique/system_instruction_keywords.json new file mode 100644 index 0000000..bc5f51f --- /dev/null +++ b/technique/system_instruction_keywords.json @@ -0,0 +1,38 @@ +{ + "$id": "$gai-technique/system_instruction_keywords", + "$schema": "../schema/technique.schema.json", + "$type": "technique", + "description": "Including keywords from the system instructions can increase the probably that the AI system will interpret the content as privileged instructions.", + "external_references": [], + "framework_references": [], + "name": "System Instruction Keywords", + "object_references": [ + { + "$id": "$gai-technique/prompt_injection", + "$type": "technique", + "description": "Sub-technique of", + "is_sub_object": true + }, + { + "$id": "$gai-technique/jailbreaking", + "$type": "technique", + "description": "Sub-technique of", + "is_sub_object": true + }, + { + "$id": "$gai-technique/system_instructions_extraction", + "$type": "technique", + "description": "Extracting the system instructions is a pre-requisite to applying this technique" + }, + { + "$id": "$gai-entity/tamir_ishay_sharbat", + "$type": "entity", + "description": "Demonstrated by" + }, + { + "$id": "$gai-entity/michael_bargury", + "$type": "entity", + "description": "Demonstrated by" + } + ] +}