Hacker News new | ask | show | jobs
by simonw 264 days ago
I'm concerned about prompt injection attacks telling the LLM how to escape the Docker container.

You can almost think of a prompt injection attack as a supply chain attack - but regular supply chain attacks are a concern too, what if an LLM installs a new version of an NPM package that turns out to have been deliberately infected with malware that can escape a container?
1 comments
mehdibl 264 days ago
When you use docker you can have full control over the networking layer already. As you can bound it's networking to another container that will act as proxy/filter. How WASM offer that?

With reverse proxy you can log requests, or filter them if needed, restrict the allowed domains, do packet inspection if you want to go crazy mode.

And if an actor is able to tailor fit a prompt to escape docker, I think you have bigger issues in your supply chain.

I feel this wasm is bad solution. What it brings a VM or docker can't do?

And escaping a docker container is not that simple, require a lot of heavy lifting and not always possible.

link
simonw 264 days ago
Aside from my worries about container escape, my main problem with Docker is the overhead of setting it up.

I want to build software that regular users can install on their own machines. Telling them they have to install Docker first is a huge piece of friction that I would rather avoid!

The lack of network support for WASM fits my needs very well. I don't want users running untrusted code which participates in DDoS attacks, for example.

link
benatkin 264 days ago
You have the same lack of network support with cgroups containers if you configure them properly. It isn't as if it's connected and filtered out, but as though it's disconnected. You can have it configured in such a way that it has network support but that it's filtered out with iptables, but that does seem more dangerous, though in practice that isn't where the escapes are coming from. A network namespace can be left empty, without network interfaces, and a process made to use the empty namespace. That way there isn't any traffic flowing from an interface to be checked against iptables rules.
link