The Canary in The Embedding Mine: Detecting Retrieval Poisoning Attacks on LLM Code Generation with Canary Functions
摘要
Large Language Models (LLMs) are popular for code generation. Retrieval Augmented Generation (RAG) systems improve the quality of LLM responses by providing context from a document store. However, this also exposes the RAG system to retrieval poisoning attacks, where an attacker adds malicious documents to corrupt the generated code. In this work, we explore the effects of retrieval poisoning on RAG systems for code generation. We categorize and evaluate crafted poison documents depending on the attacker’s knowledge of the code they are targeting, and show that it is a viable attack on RAG code generation systems if the attacker possesses code-level knowledge. We suggest a mitigation technique of evaluating the RAG system’s performance on a small subset of functions (which we call canary functions) from the codebase to determine the presence of poison. We conclude with an examination of how to select canary functions for detecting retrieval poisoning attacks with OpenSSL as an example.