Skip to main content

Minimal single-turn LLM chat target for the superred red-teaming framework

Project description

superred-target-minimal-llm-chat

A minimal single-turn LLM chat target for the superred red-teaming framework.

This is the smallest useful target: it takes one user message, sends it to an LLM (through litellm, so any model litellm supports works), and stores the reply for evaluation. It is the reference implementation used in superred's "writing a target" guide, and a good starting point for building your own target.

For a fuller chat target with a writable system prompt, a writable response, and conversation history, see superred-target-chatbot.

Install

pip install superred-target-minimal-llm-chat

Usage

from minimal_llm_chat import MinimalLLMChatTarget, USER_INPUT_TAG
from superred.core.controller import Controller, TargetFactory

target_factory = TargetFactory(
    create=lambda: MinimalLLMChatTarget(
        model="gpt-4o-mini",
        api_base="https://api.openai.com/v1",
        api_key="sk-...",
    ),
)

controller = Controller(
    optimizer_factory=lambda: MyOptimizer(),
    target_factory=target_factory,
    security_claim=my_claim,
    scope=frozenset({USER_INPUT_TAG}),   # attacker may inject the user message
)
result = await controller.run()

The attack surface

Security domain forest (two tags, one tree):

system            (root)
└── user_input    (child)
Surface Name Domain Description
Controllable user_input user_input The user message sent to the LLM. The only injection point.
Observable (static) model system The litellm model identifier.
Observable (per run) model_request user_input The user message actually sent.
Observable (per run) model_response system The LLM's reply.
ConfigSpec system_prompt system Set by the task before the run. Never attacker-writable.
QuerySpec last_response n/a The reply, for post-run evaluation.

Because user_input is a child of system, a scope containing system also includes user_input.

  • scope={USER_INPUT_TAG} gives a prompt-only, blind attacker: it injects the user message and sees only its own echo, not the model's reply.
  • scope={SYSTEM_TAG} additionally reveals model and model_response.

The system prompt is never attacker-writable and is never emitted as an observable, so it stays hidden at every scope.

Behaviour notes

  • Strictly single-turn: no conversation history, no durable memory. reset_ephemeral_state() clears the stored response between runs.
  • If the attacker does not inject (for example, user_input is out of scope), the target falls back to sending the literal message "Hello". A no-injection run is therefore a "Hello" run, not a no-op.
  • The target calls the LLM with its own credentials, so its inference cost is not bounded by the attacker's task_cost_cap_usd.

License

MIT

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

superred_target_minimal_llm_chat-0.1.0.tar.gz (4.7 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

File details

Details for the file superred_target_minimal_llm_chat-0.1.0.tar.gz.

File metadata

File hashes

Hashes for superred_target_minimal_llm_chat-0.1.0.tar.gz
Algorithm Hash digest
SHA256 99cbd0befefae7a83fc81890d7e712d2957faf690509a836b558170f76830310
MD5 26bde89878473a2605a8e2189d9eb1c5
BLAKE2b-256 be5c44396a391367fb5870856f196a2514fd3dc605e4f3ac4438ab1e990bbd98

See more details on using hashes here.

Provenance

The following attestation bundles were made for superred_target_minimal_llm_chat-0.1.0.tar.gz:

Publisher: release.yml on RoldSI/superred-modules

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file superred_target_minimal_llm_chat-0.1.0-py3-none-any.whl.

File metadata

File hashes

Hashes for superred_target_minimal_llm_chat-0.1.0-py3-none-any.whl
Algorithm Hash digest
SHA256 98644ccdf754a3a8ca04c0b6fadb014ba59826075a85017e77e49adc8d767944
MD5 d52c75347c7400a343d4b3b813560327
BLAKE2b-256 2b30bb6c85d00ee60ccd9de6e27990c164441ff20223469ef6e6992a56633647

See more details on using hashes here.

Provenance

The following attestation bundles were made for superred_target_minimal_llm_chat-0.1.0-py3-none-any.whl:

Publisher: release.yml on RoldSI/superred-modules

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page