(no title)

I'd argue, they aren't doing something future-proof right now because the fundamental architecture of the LLM makes it nearly impossible to guarantee the model will correctly respond event to special [system] tokens.

In your SQL example, the interpreter can deterministically distinguish between "instruct" and "data" (assuming proper escape obviously). In the LLM sense, you can only train the model to pick up on special characters. Even if [system] is a special token, the only reason the model cares about that special token is because it has been statistically trained to care, not designed to care.

You can't (??) make the LLM treat a token deterministically, at least not in my understanding of the current architectures. So there may always be an avenue for attack if you consume untrusted content into the LLM context. (At least without some aggressive model architecture changes).

One detail you may have missed — "system" is only special when it comes right after a special token. So it's not a special token itself, but you cannot inject a valid-looking system message from user text.

In more detail, the current format is:

<|im_start|>HEADER BODY<|im_end|>

We are actually going to swap over to this shortly:

<|start|>HEADER<|sep|>BODY<|end|>

So basically getting rid of the newline separator and replacing with a special token. Shouldn't change anything fundamentally, but does help with some whitespace tokenization-related issues.

BTW, format of HEADER is going to be really interesting, there's all sorts of metadata one might want to add in there — and making sure that its extensible and not injectable will be an ongoing part of the design work!

> SQL injection attacks plagued the industry for decades precisely because the initial format didn't think through how to escape queries.

No. SQL injection vulnerabilities plagued the industry for decades, as opposed to months/years, because developers thought they can take input in one format, "escape" it enough, sprinkle with addslashes and things will work. And apparently we still teach this even when we have decades of experience that escaping does not work. XSS is just a different side of the same coin - pretending that one can simply pipe strings between languages.

You have to speak the language. Good luck getting LLM to respond to tokens deterministically. On top of escaping being a flaky solution in itself you now have an engine that is flaky in parsing escapes.

I tested around this a bit (although I'm not a prompt hacking expert) and it does seem like it's possible to harden the system input to be more resilient to these attacks/tokens.

It does seem possible that the inputs are vulnerable without hardening, however.

Good catch. They call this "ChatML v0", not "v1", so I'd guess they realize that it looks more like an internal implementation kludge, than an exposed interface.

From what I can see of the format, there are special tokens (imStart and imEnd) which never appear in external sources.

I tried it with their python library and that expects a list of dicts with role and content fields. And that seems to translate 1:1 to the API call where it's also expecting that and not chatml markup

I don't think you'd need anything special for that. I've had good luck making text-davinci-003 roleplay different characters by A) telling it all the characters that exist, B) giving a transcript of messages from each character so far, and C) asking it to respond as a specific character I turn. It was shockingly easy. So I expect multiuser chat could work the same way.

the idea is to do a mininal training on an existing model, so minimal addition of new tokens