Principle:Liu00222 Open Prompt Injection Application Assembly
| Knowledge Sources | |
|---|---|
| Domains | Prompt_Injection, LLM, Security |
| Last Updated | 2026-02-14 15:00 GMT |
Overview
A pattern for composing an LLM application from a task specification, a language model, and an optional defense strategy into a queryable entity that simulates real-world LLM-integrated applications.
Description
Application Assembly combines three components — a TargetTask (providing system prompts and data), a Model (the LLM backend), and a Defense strategy — into an Application object that represents an LLM-integrated application. The Application handles prompt construction (prepending system instructions to user data), defense mechanisms (pre-processing, post-processing, or detection-based), and provides an iterable interface over task samples. This simulates how real applications combine instructions with user-provided data, which is the attack surface for prompt injection.
Usage
Use this principle after creating the target task and model, when you need to assemble them into an application that can be queried with both clean and attacked prompts. The defense parameter controls which (if any) defense mechanism protects the application.
Theoretical Basis
The Application acts as a Mediator between the task, model, and defense components. Its query pipeline processes data through multiple stages:
Pseudo-code Logic:
# Application query pipeline
def query(data_prompt):
# 1. Pre-hand detection (PPL, response-based)
if prehand_detection(data_prompt) == BLOCKED:
return "[Potentially harmful. Request blocked.]"
# 2. Preprocess data (retokenization, paraphrasing)
data_prompt = preprocess(data_prompt)
# 3. Construct full prompt (system instruction + defense wrapping + data)
full_prompt = construct_prompt(data_prompt)
# 4. Query model
response = model.query(full_prompt)
# 5. Post-process response (sandwich extraction, etc.)
return process_response(response)
Supported defense strategies: `no`, `instructional`, `sandwich`, `random_seq`, `delimiters`, `xml`, `paraphrasing`, `retokenization`, `llm-based`, `known-answer`, `ppl-<window>-<threshold>`, `response-based`.