

TomCJones
Contributor

No description provided.

Contributor

@TallTed TallTed left a comment


If both models/AI in the Browser.md and models/ai-in-browser.md are intended to be retained, their content should be the same. It seems more likely that the content should be made the same, and then one document dropped.

@@ -0,0 +1,55 @@
# AI in the Browser

Artificial Intelligence (aka LLM) is getting added to everything, including the Web Browser, which will have some severe unanticipated downside for the user.
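Review bot: the opening sentence calls the downsides "unanticipated" and the rest of the document then anticipates them; "under-examined" or "poorly understood" would match what the document actually does. The parenthetical "(aka LLM)" also equates AI with LLMs, while the Vulnerabilities section below is careful to say "The LLM (or other AI)"; keep the two terms distinct here as well, and make "downside" plural to agree with "some".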
Contributor


Suggested change
Artificial Intelligence (aka LLM) is getting added to everything, including the Web Browser, which will have some severe unanticipated downside for the user.
Artificial Intelligence (AI), today in the form of Large Language Models (LLMs), is getting added to everything, including the Web Browser, which will have some severe unanticipated downsides for the user.

Collaborator


+1


## Context

Google on Chromium and others in the W3C have been trying to make web apps that are downloaded from web sites, as attractive and useful as native apps, that are downloaded from the app store. Now that AI access is getting added to the browser it is important to look at the impact on the user. The following is a quote from the introduction of one API into Chromium. We can expect more APIs enabling access to AI soon.
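Review bot: "a quote from the introduction of one API into Chromium" misdescribes the source. The link attached to the quote points at the README of the explainers-by-googlers writing-assistance-apis repository, which is a proposal explainer, not the Chromium code base or a shipped API; suggest "a quote from the explainer for one proposed API" so a reader does not take the feature as already shipped. The comma placement in the first sentence also splits the noun phrases ("web apps that are downloaded from web sites, as attractive and useful as native apps, that are downloaded from the app store"); "web apps that are downloaded from web sites as attractive and useful as native apps that are downloaded from app stores" reads cleanly.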
Contributor


Suggested change
Google on Chromium and others in the W3C have been trying to make web apps that are downloaded from web sites, as attractive and useful as native apps, that are downloaded from the app store. Now that AI access is getting added to the browser it is important to look at the impact on the user. The following is a quote from the introduction of one API into Chromium. We can expect more APIs enabling access to AI soon.
Google (via Chromium) and others in the W3C have been trying to make web apps, that are downloaded from web sites, as attractive and useful as native apps, that are downloaded from app stores. As AI access is getting added to the browser, it is important to look at the impact on the user. The following is a quote from the addition of one AI API into Chromium. We can expect more APIs enabling access to AI soon.

Collaborator


+1


Google on Chromium and others in the W3C have been trying to make web apps that are downloaded from web sites, as attractive and useful as native apps, that are downloaded from the app store. Now that AI access is getting added to the browser it is important to look at the impact on the user. The following is a quote from the introduction of one API into Chromium. We can expect more APIs enabling access to AI soon.

Browsers and operating systems are increasingly expected to gain access to a language model. By exposing this built-in model, we avoid every website needing to download their own multi-gigabyte language model, or send input text to third-party APIs. The rewriter API in particular exposes a high-level API for interfacing with a language model in order to transform inputs for a variety of use cases, in a way that does not depend on the specific language model in question. [https://github.com/explainers-by-googlers/writing-assistance-apis/blob/main/README.md\#rewriter-api](https://github.com/explainers-by-googlers/writing-assistance-apis/blob/main/README.md#rewriter-api)
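Review bot: the quoted explainer text is indistinguishable from the document's own prose, since it carries neither quotation marks nor a `>` blockquote, and the bare URL is repeated as both link text and link target. Suggest wrapping the passage in a `>` blockquote and closing it with a short attribution, for example "(from the Writing Assistance APIs explainer, rewriter API section)", with that phrase as the link text for the same URL. That also makes it clear that the prohibition on "user-specific information" quoted in the next section comes from the same explainer.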
Contributor


Suggested change
Browsers and operating systems are increasingly expected to gain access to a language model. By exposing this built-in model, we avoid every website needing to download their own multi-gigabyte language model, or send input text to third-party APIs. The rewriter API in particular exposes a high-level API for interfacing with a language model in order to transform inputs for a variety of use cases, in a way that does not depend on the specific language model in question. [https://github.com/explainers-by-googlers/writing-assistance-apis/blob/main/README.md\#rewriter-api](https://github.com/explainers-by-googlers/writing-assistance-apis/blob/main/README.md#rewriter-api)
Browsers and operating systems are increasingly expected to gain access to an LLM. By exposing this built-in model, we avoid the need to download a multi-gigabyte language model for each website, or to send input text to third-party APIs. In particular, [the rewriter API](https://github.com/explainers-by-googlers/writing-assistance-apis/blob/main/README.md#rewriter-api) exposes a high-level API for interfacing with a language model in order to transform inputs for a variety of use cases, in a way that does not depend on the specific language model in question.

Collaborator


LGTM


## Vulnerabilities

These all arise from providing the website with nearly complete control of what JavaScript runs whenever their page is activated. The above API does include the following language "Finally, we intend to prohibit (in the specification) any use of user-specific information that is not directly supplied through the API. For example, it would not be permissible to fine-tune the language model based on information the user has entered into the browser in the past." The problem here is that the browser does not have control of the LLM that is provided to the browser or whether the user has provided personal information to that LLM by interactions outside of the browser. The LLM (or other AI) envisioned here is provided in yet another user agent in the user device completely independent of the browser and used by other functions running in the device.
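Review bot: the section asserts as fact that the LLM "is provided in yet another user agent in the user device completely independent of the browser", but the explainer quoted directly above says only that browsers and operating systems are "expected to gain access to a language model", which leaves open a model bundled with and controlled by the browser itself. State the device-shared, browser-independent model as the threat-model assumption under which the following vulnerabilities hold (for example "If the model is supplied by the OS or by another app rather than by the browser, then ..."); without that framing the argument that the browser cannot enforce the explainer's prohibition does not follow for the in-browser case. "These all arise" also has no antecedent yet, since the list of vulnerabilities comes after it, and the sentence quoting the explainer needs a colon or comma before the opening quotation mark.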
Contributor


Suggested change
These all arise from providing the website with nearly complete control of what JavaScript runs whenever their page is activated. The above API does include the following language "Finally, we intend to prohibit (in the specification) any use of user-specific information that is not directly supplied through the API. For example, it would not be permissible to fine-tune the language model based on information the user has entered into the browser in the past." The problem here is that the browser does not have control of the LLM that is provided to the browser or whether the user has provided personal information to that LLM by interactions outside of the browser. The LLM (or other AI) envisioned here is provided in yet another user agent in the user device completely independent of the browser and used by other functions running in the device.
A number of vulnerabilities arise from providing websites with nearly complete control of the JavaScript that runs whenever their pages are activated. The rewriter API does include the following language: "Finally, we intend to prohibit (in the specification) any use of user-specific information that is not directly supplied through the API. For example, it would not be permissible to fine-tune the language model based on information the user has entered into the browser in the past." There are problems here, in that the browser does not have control of the LLM that is provided to the browser nor whether the user has provided personal information to that LLM by interactions outside of the browser. The LLM (or other AI) envisioned here is provided as yet another user agent in the user's device, completely independent of the browser, and used by other functions running in the device.

Collaborator


LGTM


**User Profiling**

The web site will be able to ask the AI loaded on the user's device for a UI that would match what the user would see as the local AI is used in that personal user device. Trying different responses to the same user (via the local AI agent) would give the website information about the user's preferences and behavior. Clearly this is a way to avoid asking the user’s consent to share information by trying to extract it from the user's AI without the user's permission or knowledge.
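Review bot: "ask the AI loaded on the user's device for a UI that would match what the user would see" is unclear on two points: whether "UI" is meant literally (the site asks the model to generate interface content) or stands for the model's output in general, and the second sentence ("Trying different responses to the same user") reads as though the site were sending responses rather than prompts. Suggest restating the attack as a sequence: the site issues a series of prompts through the API, the model's answers vary with state it has accumulated from the user's interactions elsewhere on the device, and the site infers preferences and behaviour from that variation. Written that way the paragraph also makes explicit that the attack depends on the model carrying per-user state, which is exactly the condition the previous section argues the browser cannot rule out.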
Contributor


Suggested change
The web site will be able to ask the AI loaded on the user's device for a UI that would match what the user would see as the local AI is used in that personal user device. Trying different responses to the same user (via the local AI agent) would give the website information about the user's preferences and behavior. Clearly this is a way to avoid asking the user’s consent to share information by trying to extract it from the user's AI without the user's permission or knowledge.
A web site will be able to ask the AI loaded on the user's device for a UI that would match what the user would see when the local AI is used in that personal user device. Trying different responses to the same user (via the local AI agent) would give the website information about the user's preferences and behavior. This is a clear way to avoid asking the user’s consent to share information by trying to extract it directly from the user's AI, without the user's permission or knowledge.

Collaborator


+1


**Provisioning Malware**

The supply chain that can be attacked includes the AI (LLM) module within the device. It is assumed that there may be multiple AI modules in the future, some of uncertain provenance. It is not at all clear why the browser API should trust the LLM provided.
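Review bot: the heading "Provisioning Malware" does not match the paragraph, which describes a supply-chain risk in the model module rather than malware delivered to the user; "Model Supply Chain" or "Untrusted Model Provenance" would fit the content. The paragraph also stops short of saying what a compromised module could do through the API: given that the API hands the page's input to the model and returns the model's output to the page, a tampered model reads everything the site submits and controls everything the page consumes, and that consequence is what the question "why the browser API should trust the LLM" should point at. "It is assumed that" should also say by whom; "This document assumes that" is enough.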
Contributor


Suggested change
The supply chain that can be attacked includes the AI (LLM) module within the device. It is assumed that there may be multiple AI modules in the future, some of uncertain provenance. It is not at all clear why the browser API should trust the LLM provided.
The supply chain that can be attacked includes the AI (LLM) module within the device. It is assumed that there may be multiple AI modules in the future, some of uncertain provenance. It is not at all clear that the browser API should trust the local LLM, simply because it is local.

Collaborator


+1

Comment on lines 39 to 43
There is a current set of vulnerabilities for caching today that are being addressed by mitigations described in the feature listed below. Any cross-site vulnerability found there could equally apply to shared use of a user’s local AI not only within the browser but by any other app on the user’s device.

See the Feature: [Incorporating navigation initiator into the HTTP cache partition key](https://chromestatus.com/feature/5190577638080512)
and [the slide deck](https://docs.google.com/presentation/d/1StMrI1hNSw_QSmR7bg0w3WcIoYnYIt5K8G2fG01O0IA/edit#slide=id.g2f87bb2d5eb_0_4)
## Mitigations
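Review bot: the caching analogy names the HTTP cache partition key work but never says what the analogous shared state in a local model is, so the claim that any cross-site vulnerability "could equally apply" cannot be checked; name the shared resource (for example a prompt or result cache, retained conversation context, or any adaptation the model keeps across callers) and say that, like the HTTP cache, it is keyed by nothing site-specific unless the browser partitions it. The two "See the Feature" lines would read better folded into the paragraph as inline links, and `## Mitigations` should be separated from the slide-deck link by a blank line as the other headings are. Note also that the slide deck is a Google Docs link outside the chromestatus entry and may not be readable by every reader; keep the chromestatus link as the primary reference.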
Contributor


Suggested change
There is a current set of vulnerabilities for caching today that are being addressed by mitigations described in the feature listed below. Any cross-site vulnerability found there could equally apply to shared use of a user’s local AI not only within the browser but by any other app on the user’s device.
See the Feature: [Incorporating navigation initiator into the HTTP cache partition key](https://chromestatus.com/feature/5190577638080512)
and [the slide deck](https://docs.google.com/presentation/d/1StMrI1hNSw_QSmR7bg0w3WcIoYnYIt5K8G2fG01O0IA/edit#slide=id.g2f87bb2d5eb_0_4)
## Mitigations
There is a current set of vulnerabilities in caching that are being addressed today by mitigations in [incorporating navigation initiator into the HTTP cache partition key](https://chromestatus.com/feature/5190577638080512) (also see [the associated slide deck](https://docs.google.com/presentation/d/1StMrI1hNSw_QSmR7bg0w3WcIoYnYIt5K8G2fG01O0IA/edit#slide=id.g2f87bb2d5eb_0_4)). Any cross-site vulnerability found there could equally apply to shared use of a user’s local AI, not only within the browser, but also by any other app on the user’s device.
## Mitigations

Collaborator


+1


**AI Isolation**

Only AI that has no interaction with the device holder may be accessed by any user agent that hosts pages from a web site that is not fully trusted by the holder or device owner. Specifically, the impact of the prompts entered by an origin site should not be able to impact either the holder or other origin site’s interactions with the holder.
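Review bot: "Only AI that has no interaction with the device holder may be accessed" is stated absolutely and, read literally, excludes any model the holder also uses themselves, which is precisely the shared-model setup the document describes; the second sentence (prompts from one origin must not affect the holder's or another origin's interactions) is the enforceable form, so lead with that as the requirement, stated as per-origin isolation of prompts, context and any state the model retains. "Holder" and "device owner" are used here and under Throttling without definition; define them at first use (for example the person currently using the device versus the party that administers it), since the mitigation depends on which of them grants trust to an origin.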
Contributor


Suggested change
Only AI that has no interaction with the device holder may be accessed by any user agent that hosts pages from a web site that is not fully trusted by the holder or device owner. Specifically, the impact of the prompts entered by an origin site should not be able to impact either the holder or other origin site’s interactions with the holder.
Only AI that has no interaction with the device holder may be accessed by any user agent that hosts pages from a web site that is not fully trusted by the holder or device owner. Specifically, the impact of the prompts entered by an origin site should not be able to impact either the holder or another origin site’s interactions with the holder.

Collaborator


+1


**Throttling**

Particularly for battery operated devices, the amount of power allocated to any one origin must be limited. This could be part of a setting that the holder or device owner was permitted to change based on trusted origins.
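Review bot: "the amount of power allocated to any one origin" names a quantity the browser cannot meter directly; what it can limit is the work an origin submits, such as requests, tokens processed or model run time per time window, so state the quota in one of those units and keep battery life as the motivation rather than the metric. The paragraph should also give the default for origins the holder has not marked as trusted, since a setting the holder "was permitted to change" implies a baseline that applies before any change is made.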
Contributor


Suggested change
Particularly for battery operated devices, the amount of power allocated to any one origin must be limited. This could be part of a setting that the holder or device owner was permitted to change based on trusted origins.
Particularly for battery operated devices, the amount of power allocated to any one origin must be limited. This could be part of a setting that the holder or device owner is permitted to change based on trusted origins.

Collaborator


+1


## References

Bruce Schneier, LLM's Data-Control Path Insecurity CACM 67 No 9 page 31-32 downloaded from [LLMs’ Data-Control Path Insecurity – Communications of the ACM](https://cacm.acm.org/opinion/llms-data-control-path-insecurity/)
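Review bot: nothing in the body cites this reference, so a reader cannot tell which argument it supports; the natural place is the Vulnerabilities or AI Isolation section, since the point in the title, that LLMs do not separate the data path from the control path, is what lets text supplied by one origin influence behaviour that another origin or the holder then sees. The entry should also use a single citation form (author, title, venue, volume, issue, pages, URL), for example: Bruce Schneier, "LLMs' Data-Control Path Insecurity", Communications of the ACM 67(9), pp. 31-32, with the URL as the link target, and drop the "downloaded from" phrasing.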
Contributor


Suggested change
Bruce Schneier, LLM's Data-Control Path Insecurity CACM 67 No 9 page 31-32 downloaded from [LLMs’ Data-Control Path Insecurity – Communications of the ACM](https://cacm.acm.org/opinion/llms-data-control-path-insecurity/)
* Bruce Schneier, LLMs' Data-Control Path Insecurity CACM 67 No 9 page 31-32 downloaded from [LLMs’ Data-Control Path Insecurity – Communications of the ACM](https://cacm.acm.org/opinion/llms-data-control-path-insecurity/)

Collaborator


+1

@simoneonofri simoneonofri self-requested a review October 17, 2024 16:37
Collaborator

@simoneonofri simoneonofri left a comment


LGTM thanks @TomCJones and @TallTed

@TomCJones let me know the file you would like to maintain.

It can also be interesting to create (later) a table to map threats and mitigations such as the one made with @KimCerra

w3c/security-request#71 (comment)

@simoneonofri simoneonofri merged commit 6b93b00 into w3c-cg:main Oct 27, 2024
1 check passed
@simoneonofri
Collaborator

@TallTed thank you for your commits

@TomCJones thank you in general for the analysis
