Prompt Injection as Role Confusion

This research paper identifies the root cause of prompt injection attacks on large language models as "role confusion"—a fundamental flaw in how models internally perceive the source of text. The authors demonstrate that models determine "who is speaking" based on spoofable cues like style or explicit declarations, rather than on the actual role tags (e.g., `<user>`, `<tool>`) that are intended to enforce security boundaries. They introduce "role probes" to measure this internal role perception, showing that injected text occupies the same representational space as the role it imitates. The paper presents "CoT Forgery," a zero-shot attack that injects fabricated reasoning into user prompts or tool outputs, achieving a 60% attack success rate across frontier models. Crucially, the degree of measured role confusion accurately predicts attack success before any text is generated, revealing that current defenses rely on memorization of known patterns rather than robust role perception, leaving a persistent vulnerability. 

https://arxiv.org/pdf/2603.12277

Comments

Popular posts from this blog

Prompt Engineering Demands Rigorous Evaluation

SecObserve: Simplified Vulnerability and License Management for CI/CD Pipelines

OWASP ZAP 2.16.0 Introduces Key Updates and Enhancements