{"id":13878,"date":"2026-06-26T05:03:26","date_gmt":"2026-06-26T05:03:26","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2026\/06\/26\/interesting-paper-exploring-prompt-injection-html\/"},"modified":"2026-06-26T05:03:26","modified_gmt":"2026-06-26T05:03:26","slug":"interesting-paper-exploring-prompt-injection-html","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2026\/06\/26\/interesting-paper-exploring-prompt-injection-html\/","title":{"rendered":"Interesting Paper Exploring Prompt Injection"},"content":{"rendered":"\n<div>Interesting Paper Exploring Prompt Injection<\/div>\n<p> \t<BR><br \/>\n<BR><\/BR><br \/>\n    <!-- no image --><br \/>\n \t<BR><br \/>\n<BR><\/BR><\/p>\n<div>\n<p><a href=\"https:\/\/role-confusion.github.io\/\">This<\/a> is a fascinating exploration of how LLMs fall for prompt injection attacks. It turns out that they learn to recognize the style of text in different role\/instruction blocks, and not just the tags.<\/p>\n<p>Their conclusion:<\/p>\n<blockquote>\n<p>Role tags were a formatting trick that became the security architecture and the cognitive scaffolding of modern LLMs. We\u2019ve shown that this architecture doesn\u2019t survive into the model\u2019s actual representations, and that such role confusion is linked to prompt injection.<\/p>\n<p>Unless LLMs achieve genuine role perception, we think injection defense will remain a perpetual whack-a-mole game. And the continuous nature of role boundaries opens the threat of injections designed to subtly shift LLM states through seemingly innocuous text, legally and at scale.<\/p>\n<p>More generally, roles are quietly one of the most important abstractions in the LLM stack, providing the boundaries meant to separate self from other, thought from communication, instruction from data. They\u2019re human-controlled switches in an otherwise continuous system. 
We think they deserve a lot more study than they\u2019ve gotten.<\/p>\n<\/blockquote>\n<p>Full paper: \u201c<a href=\"https:\/\/arxiv.org\/abs\/2603.12277\">Prompt Injection as Role Confusion<\/a>.\u201d Simon Willison <a href=\"https:\/\/simonwillison.net\/2026\/Jun\/22\/prompt-injection-as-role-confusion\/\">comments<\/a>.<\/p>\n<\/div>\n<p> \t<BR><br \/>\n <BR><\/BR><br \/>\n    Bruce Schneier<br \/>\n \t<BR><br \/>\n<BR><\/BR><br \/>\n<a href=\"https:\/\/www.schneier.com\/blog\/archives\/2026\/06\/interesting-paper-exploring-prompt-injection.html\">Go to Bruce Schneier<\/a><br \/>\n \t<BR><br \/>\n <BR><\/BR><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Interesting Paper Exploring Prompt Injection This is a fascinating exploration of how LLMs fall for prompt injection attacks. It turns out that they learn to recognize the style of text in different role\/instruction blocks, and not just the tags. Their conclusion: Role tags were a formatting trick that became the security architecture and the cognitive 
[&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[57,1],"tags":[87],"class_list":["post-13878","post","type-post","status-publish","format-standard","hentry","category-bruce-schneier","category-uncategorized","tag-bruce-schneier"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/13878"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=13878"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/13878\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=13878"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=13878"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=13878"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}