English

Plentiful Jailbreaks with String Compositions

Computation and Language 2024-12-12 v3

Abstract

Large language models (LLMs) remain vulnerable to a slew of adversarial attacks and jailbreaking methods. One common approach employed by white-hat attackers, or red-teamers, is to process model inputs and outputs using string-level obfuscations, which can include leetspeak, rotary ciphers, Base64, ASCII, and more. Our work extends these encoding-based attacks by unifying them in a framework of invertible string transformations. With invertibility, we can devise arbitrary string compositions, defined as sequences of transformations, that we can encode and decode end-to-end programmatically. We devise a automated best-of-n attack that samples from a combinatorially large number of string compositions. Our jailbreaks obtain competitive attack success rates on several leading frontier models when evaluated on HarmBench, highlighting that encoding-based attacks remain a persistent vulnerability even in advanced LLMs.

Keywords

Cite

@article{arxiv.2411.01084,
  title  = {Plentiful Jailbreaks with String Compositions},
  author = {Brian R. Y. Huang},
  journal= {arXiv preprint arXiv:2411.01084},
  year   = {2024}
}

Comments

NeurIPS SoLaR Workshop 2024

R2 v1 2026-06-28T19:45:11.920Z