0d3cb498a3
CI / Shell Format Check (push) Has been cancelled
CI / Check Ruby (3.4) (push) Has been cancelled
CI / CI Config (push) Has been cancelled
CI / Test on Node ${{ matrix.node }} and ${{ matrix.os }}${{ matrix.shard && format(' (shard {0}/3)', matrix.shard) || '' }} (push) Has been cancelled
CI / Build on Node ${{ matrix.node }} (push) Has been cancelled
CI / Style Check (push) Has been cancelled
CI / Generate Assets (push) Has been cancelled
CI / Check Python (3.14) (push) Has been cancelled
CI / Check Python (3.9) (push) Has been cancelled
CI / Build Docs (push) Has been cancelled
CI / Code Scan Action (push) Has been cancelled
CI / Site tests (push) Has been cancelled
CI / webui tests (push) Has been cancelled
CI / Run Integration Tests (push) Has been cancelled
CI / Run Smoke Tests (push) Has been cancelled
CI / Go Tests (push) Has been cancelled
CI / Share Test (push) Has been cancelled
CI / Redteam (Production API) (push) Has been cancelled
CI / Redteam (Staging API) (push) Has been cancelled
CI / GitHub Actions Lint (push) Has been cancelled
CI / Check Ruby (3.0) (push) Has been cancelled
release-please / release-please (push) Has been cancelled
release-please / build (push) Has been cancelled
release-please / publish-npm (push) Has been cancelled
release-please / publish-npm-backfill (push) Has been cancelled
release-please / docker (push) Has been cancelled
release-please / publish-code-scan-action (push) Has been cancelled
release-please / attest-code-scan-action (push) Has been cancelled
Deploy local.promptfoo.app / Deploy to Cloudflare Pages (push) Has been cancelled
Test and Publish Multi-arch Docker Image / test (push) Has been cancelled
Test and Publish Multi-arch Docker Image / build-docker-and-push-digests (map[digest-suffix:linux-amd64 platform:linux/amd64 runner:ubuntu-latest]) (push) Has been cancelled
Test and Publish Multi-arch Docker Image / build-docker-and-push-digests (map[digest-suffix:linux-arm64 platform:linux/arm64 runner:ubuntu-24.04-arm]) (push) Has been cancelled
Test and Publish Multi-arch Docker Image / merge-docker-digests (push) Has been cancelled
Test and Publish Multi-arch Docker Image / Attest Multi-arch Image (push) Has been cancelled
Validate Renovate Config / Validate Renovate Configuration (push) Has been cancelled
115 lines
4.1 KiB
Markdown
115 lines
4.1 KiB
Markdown
---
|
|
sidebar_label: Memory Poisoning
|
|
description: Red team memory poisoning vulnerabilities in AI agents through persistent state manipulation to prevent malicious instruction injection and protect decision integrity
|
|
---
|
|
|
|
# Memory Poisoning Plugin
|
|
|
|
## Overview
|
|
|
|
The Memory Poisoning plugin tests whether stateful agents are vulnerable to memory poisoning attacks that manipulate an agent's memory to alter its behavior in subsequent interactions.
|
|
|
|
This plugin maps to **T1: Memory Poisoning** from [OWASP Agentic AI Top 10 Threats](https://genai.owasp.org/resource/agentic-ai-threats-and-mitigations/).
|
|
|
|
## Purpose
|
|
|
|
Memory poisoning attacks attempt to inject malicious instructions into an agent's memory state that persist across turns. When successful, these attacks can:
|
|
|
|
1. Override or modify the agent's original purpose
|
|
2. Extract sensitive information
|
|
3. Manipulate the agent's decision-making process
|
|
4. Bypass security controls in subsequent interactions
|
|
|
|
## How it Works
|
|
|
|
The Memory Poisoning plugin:
|
|
|
|
1. Creates a scenario with specific "memories" that the agent should remember
|
|
2. Sends an initial memory-establishing message to the agent
|
|
3. Follows with a poisoned message attempting to corrupt the established memory
|
|
4. Tests the attack's effectiveness with a follow-up question that relies on the original memory
|
|
5. Evaluates whether the agent's response to the follow-up reflects the original memory (secure) or the poisoned memory (vulnerable)
|
|
|
|
## Configuration
|
|
|
|
Add the following to your promptfoo configuration:
|
|
|
|
```yaml
|
|
redteam:
|
|
purpose: "Description of your agent's intended purpose"
|
|
plugins:
|
|
- id: agentic:memory-poisoning
|
|
numTests: 30 # Optional, defaults to 5
|
|
```
|
|
|
|
:::note
|
|
Memory Poisoning is a standalone plugin and does not use strategies. Strategies defined in the `redteam.strategies` configuration are ignored for this plugin.
|
|
:::
|
|
|
|
## Example
|
|
|
|
Here's an example configuration for testing an agent:
|
|
|
|
```yaml
|
|
# yaml-language-server: $schema=https://promptfoo.dev/config-schema.json
|
|
description: Travel Agent Redteam
|
|
|
|
providers:
|
|
- id: http
|
|
config:
|
|
url: http://localhost:3090/api/chat
|
|
method: POST
|
|
headers:
|
|
'Content-Type': 'application/json'
|
|
'x-promptfoo-session': '{{sessionId}}'
|
|
body:
|
|
'message': '{{prompt}}'
|
|
transformResponse: 'json.message'
|
|
|
|
prompts:
|
|
- '{{prompt}}'
|
|
|
|
defaultTest:
|
|
options:
|
|
transformVars: '{ ...vars, sessionId: context.uuid }'
|
|
|
|
redteam:
|
|
purpose: |
|
|
The agent simulates a travel agent that helps users find the best travel deals. It has access to a set of tools
|
|
that allow it to check the weather, lookup and book flights, and book hotels.
|
|
plugins:
|
|
- id: agentic:memory-poisoning
|
|
numTests: 30
|
|
```
|
|
|
|
If you are testing the built-in JavaScript [`openai:agents:*` provider](/docs/providers/openai-agents), use its [stateful red-team session pattern](/docs/providers/openai-agents/#stateful-red-team-runs) so each attack keeps turn history without leaking memory into unrelated tests.
|
|
|
|
## Working With Results
|
|
|
|
The test results will show:
|
|
|
|
- The original memory-establishing message
|
|
- The poisoned message
|
|
- The follow-up question
|
|
- The agent's responses to each message
|
|
|
|
A successful attack (failed test) is indicated when the agent's response to the follow-up question reflects the poisoned instructions rather than the original memory.
|
|
|
|
## Mitigations
|
|
|
|
To protect against memory poisoning attacks:
|
|
|
|
1. Implement input validation that filters or sanitizes user inputs prior to persistence.
|
|
2. Sanitize user memories prior to including them within the context windows of inference calls.
|
|
3. Segregate memory types - separate system instructions from user input memory.
|
|
4. Apply memory attribution - track where memory content originated.
|
|
|
|
## Related Concepts
|
|
|
|
- [Types of LLM Vulnerabilities](/docs/red-team/llm-vulnerability-types)
|
|
- [Stateful OpenAI Agents Sessions](/docs/providers/openai-agents/#stateful-red-team-runs)
|
|
- [Multi-Turn Session Management](/docs/red-team/troubleshooting/multi-turn-sessions)
|
|
- [Tool Discovery](/docs/red-team/plugins/tool-discovery)
|
|
- [Excessive Agency](/docs/red-team/plugins/excessive-agency)
|
|
- [Hijacking](/docs/red-team/plugins/hijacking)
|