FragFuse: Bypassing Access Control of Large Language Model Agents via Memory-Based Query Fragmentation and Fusion
Security researchers have disclosed FragFuse, a new attack that allows unprivileged users to bypass access-control mechanisms in large language model agents by exploiting their long-term memory systems, according to a paper posted to the arXiv preprint server on June 14 [1]. The attack targets a temporal channel created when LLM agents store information across multiple interactions. Prohibited content that would normally be blocked by access-control filters is broken into benign-appearing fragments, injected into the agent's long-term memory, and later reconstructed through memory retrieval without the forbidden content ever appearing explicitly in a user query [1]. FragFuse operates in three stages. First, the attacker identifies rejection-responsive fragments through black-box adaptive querying with fragment masking. Second, those fragments are injected into memory using marker carrier queries. Third, a follow-up attack query retrieves and fuses the stored fragments to reconstruct the prohibited content [1]. The researchers evaluated FragFuse across four representative agent settings and task domains, testing it against three state-of-the-art agent access-control mechanisms. The attack achieved an average bypass success rate of 86.3% and an average end-to-end harmful task success rate of 41.1% across all settings [1]. Compared with configurations that had no access control, the attack caused only 4.4% average task-success degradation [1]. While FragFuse can be instantiated manually for individual agents, the paper also introduces a surrogate-based optimization scheme that tunes fusion instructions and marker designs, enabling automated attack generation without violating the attacker's threat-model assumptions [1]. Existing defenses do not appear to mitigate the risk. The authors report that state-of-the-art prompt-injection detectors and perplexity detectors do not effectively address the FragFuse attack [1]. The work highlights a vulnerability in the growing ecosystem of LLM agents, which are machine learning models trained on vast amounts of text and increasingly deployed with long-term memory to support complex tasks, personalization, and domain adaptation [8]. The paper was submitted to arXiv, an open-access repository of electronic preprints that, as of November 2024, receives approximately 24,000 submissions per month and has hosted more than two million articles since its founding in 1991 [6].
applicationbenchmarkresearch-paperregulationcontroversy
Background sources we checked (7)
- arxiv.org ↗ Large language model (LLM) agents increasingly rely on long-term memory to support complex task execution, user personalization, and domain adaptation. Meanwhile, emerging access-control mechanisms for LLM agents are being explored to block policy-violating requests and prevent m…
- info.arxiv.org ↗ arXiv Labs - arXiv info | arXiv e-print repository Skip to content # arXiv Labs Attention arXiv Users: arXiv Labs is pausing new proposals ## What are arXiv Labs? arXiv Labs are a way for the community to contribute new, useful features to arXiv. These integrations are avail…
- blog.arxiv.org ↗ arXivLabs: a space for community innovation – arXiv blog arXiv has launched a new, formalized framework enabling innovative collaborations with individuals and organizations. “Members of our community want to contribute tools that enhance the arXiv experience, and we val…
- info.arxiv.org ↗ arXivLabs: Showcase - arXiv info | arXiv e-print repository ... # arXivLabs: Showcase ... arXiv is surrounded by a community of researchers and developers working at the cutting edge of information science and technology. ... While the arXiv team is focused on our core mission—pr…
- en.wikipedia.org ↗ arXiv (pronounced as "archive"—the X represents the Greek letter chi ⟨χ⟩) is an open-access repository of electronic preprints and postprints (known as e-prints) approved for posting after moderation, but not peer reviewed. It consists of scientific papers in the fields of mathem…
- en.wikipedia.org ↗ 14 (fourteen) is the natural number following 13 and preceding 15.…
- en.wikipedia.org ↗ A large language model (LLM) is a type of machine learning model designed for natural language processing tasks such as language generation. LLMs are language models with many parameters, and are trained with self-supervised learning on a vast amount of text.…