fwlr
2 hours ago
“Prompt injection attacks have become, to agentic AI, what SQL injections were to web applications: a systematic, category-wide vulnerability class that requires the same systematic strategies and defenses.”
???Isn’t prompt injection far more fatal to LLMs than SQL injection is to SQL databases?
Like, the problem of SQL injection was that user input was forming part of the instruction string given to the SQL engine, and so malicious user input could include various SQL grammar terminals to end the current SQL command, followed by complete SQL commands of their own, and the engine would simply execute both commands. The fix was prepared statements: fixed/static/pre-compiled instruction strings, that can only ever perform fixed/static/pre-defined logic, and that logic can then be (more) safely applied to arbitrary user-input data.
The analogous mitigation for agents is to have fixed behaviors they can perform, such as “read repo 1” “read repo 2”, etc., and the user input is used as data to select which of these fixed behaviors to execute. But we already have this technology - it’s called a menu. The value of LLMs is specifically and intrinsically predicated on being more than a menu, while the value of SQL does not depend on being more than “pre-set logic operating on arbitrary data” - user input being part of the instruction string to SQL was incidental, for developer convenience.
mcv
an hour ago
Exactly. SQL injection was caused by treating user input as part of the instruction instead of as the pure data that it was intended as. Separating those two fixed it. Prompt injection is unavoidable because the user input is intended as instruction.
rrr_oh_man
an hour ago
What do you mean by "was" and "fixed it"? It is still very much an issue and remains in the OWASP Top 10.
vultour
13 minutes ago
The link talks about more than just SQL injection. SQL injection can be fully mitigated using prepared statements. They were the solution 15 years ago when I was getting started with PHP in high school and it's still applicable today. The fact that SQL injection remains an issue speaks volumes about the general quality of software engineers.
salviati
an hour ago
You can write your code so SQL injections are not possible.
You can't do the same with prompt injections.
nnurmanov
6 minutes ago
You have to have fixed commands that LLM could execute, just limit its universe. I don't think it is a good practice to give LLMs access to everything.
tEem21
19 minutes ago
You could just not have a user-facing AI agent
trhway
16 minutes ago
If you expose your private database's SQL access to public web, i bet people will find a way.
The same way here i see the main issue isn't prompt injection, it is publicly accessible agent having access to private repos. What is the use case for such config?
ikurei
12 minutes ago
It still happens, problems that are solved still happen when people don't take care to apply the solution. Diseases that were solved problems happen again when people stop taking the vaccines.
You can avoid SQL injection by just coding the same features with a bit of care. You loose nothing. Mistakes can always happen, but it's not even tricky to prevent SQL injection.
Right now the only way to avoid Prompt injection is to not let your agents see user input at all. A very wide range of features that we'd like to implement are unsafe and there isn't a way to prevent this reliably.
I guess we'll need to get used to control the agent's permissions very tightly, and taylor them per-conversation. The agent I speak to for customer support must only have access to my data, and not because of instructions in the system prompt, these will need to be hard limits.
coldtea
27 minutes ago
It's not about if it can happen or if it happens.
It's about how easily it's mitigated completely. Use a proper db library which does escaping and it's completely eliminated.
formerly_proven
an hour ago
sqli is easily and fully mitigated and has generally been a non-issue for any half-serious project, especially if you use any kind of SAST. Your link actually subsumes any type of injection, not just sqli. Some of them are marginally harder to fix than sqli, most aren't.
In contrast, we don't know how to solve prompt injection.
hobofan
32 minutes ago
Prompt injections are a whole class of vulnerabilities, and I would say there is generally a pretty good idea of how to mitigate them to be impactful. However in many cases those mitigations are not implemented (in the strictness that they require), as they are usually either too costly (second LLM as judge) or lead to worse UX (tool call confirmation with appropriate review of all input parameters on every tool call; disconnecting web access).
IanCal
an hour ago
They’re the same type of problem as sql injection but there’s not the same ease of solution. There’s also a lot more subtle problems that can come in, but it’s still a decent comparison to help explain things.
Selecting from a menu is one way, but you can be much more broad about what acts can be taken. Give it an email tool and it can spam customers, give it an email tool locked to only being able to reply and you restrict what can go wrong. Limit exfiltration with restrictions similar to xss kinds of vulnerabilities (rendering images can leak data, etc).
efskap
34 minutes ago
It's a menu with natural language search and potentially natural language form input.
amelius
an hour ago
"We can't fix it, therefore we just keep using it."