Large Language Models (LLMs) are popular for code generation. Retrieval Augmented Generation (RAG) systems improve the quality of LLM responses by providing context from a document store. However, this also exposes the RAG system to retrieval poisoning attacks, where an attacker adds malicious documents to corrupt the generated code. In this work, we explore the effects of retrieval poisoning on RAG systems for code generation. We categorize and evaluate crafted poison documents depending on the attacker’s knowledge of the code they are targeting, and show that it is a viable attack on RAG code generation systems if the attacker possesses code-level knowledge. We suggest a mitigation technique of evaluating the RAG system’s performance on a small subset of functions (which we call canary functions) from the codebase to determine the presence of poison. We conclude with an examination of how to select canary functions for detecting retrieval poisoning attacks with OpenSSL as an example.

错误:搜索内容不能为空,请输入英文关键词
错误:关键词超出字数限制,请精简
高级检索

The Canary in The Embedding Mine: Detecting Retrieval Poisoning Attacks on LLM Code Generation with Canary Functions

  • Murray Dunne,
  • Kylee Schram,
  • Thien Dan Balsdon,
  • Aman Dutt Bhagat,
  • Bohan Yao,
  • Jitao Hu,
  • Tina Pu,
  • Pan Liu,
  • Ali Syed,
  • Lexie Stapleton,
  • Yifei Zhang,
  • Sebastian Fischmeister

摘要

Large Language Models (LLMs) are popular for code generation. Retrieval Augmented Generation (RAG) systems improve the quality of LLM responses by providing context from a document store. However, this also exposes the RAG system to retrieval poisoning attacks, where an attacker adds malicious documents to corrupt the generated code. In this work, we explore the effects of retrieval poisoning on RAG systems for code generation. We categorize and evaluate crafted poison documents depending on the attacker’s knowledge of the code they are targeting, and show that it is a viable attack on RAG code generation systems if the attacker possesses code-level knowledge. We suggest a mitigation technique of evaluating the RAG system’s performance on a small subset of functions (which we call canary functions) from the codebase to determine the presence of poison. We conclude with an examination of how to select canary functions for detecting retrieval poisoning attacks with OpenSSL as an example.