Added system prompt extraction probe

[Nakul-Rajpal]

This PR adds a new probe to test how easily LLMs leak their system prompts through adversarial extraction techniques.

Closes #1400

Implementation

Probe: garak.probes.sysprompt.SystemPromptExtraction

• Loads real-world system prompts from HuggingFace datasets:
  • danielrosehill/System-Prompt-Library - 923 prompts, CC-BY-4.0
  • teilomillet/system_prompt - 69 prompts focusing on thinking frameworks, CC-BY-4.0
• Tests 25+ extraction attacks from published research (Riley Goodside, OpenReview, WillowTree, Simon Willison)
• Attack types: direct requests, role-playing, encoding tricks, continuation exploits, authority framing
• Uses conversation/turn support to properly set system prompts as role="system"
• Respects soft_probe_prompt_cap via random sampling

Detector: garak.detectors.sysprompt.PromptExtraction

• Fuzzy n-gram matching to detect partial extractions (generalizes encoding.DecodeApprox pattern)
• Handles truncation cases where model starts outputting prompt but gets cut off
• Returns scores 0.0-1.0 based on overlap percentage
• Includes PromptExtractionStrict variant with higher threshold

Files Added

• garak/probes/sysprompt.py (353 lines)
• garak/detectors/sysprompt.py (161 lines)
• tests/probes/test_probes_sysprompt.py (8 tests)
• tests/detectors/test_detectors_sysprompt.py (14 tests)

Tags

• avid-effect:security:S0301 (Information disclosure)
• owasp:llm01 (Prompt injection)
• quality:Security:PromptStability
• Tier: OF_CONCERN

Verification

• Install optional dependency: pip install datasets
• Run the probe: garak --model_type test --model_name test.Blank --probes sysprompt
• Run the tests: python -m pytest tests/probes/test_probes_sysprompt.py tests/detectors/test_detectors_sysprompt.py -v
• Verify the probe loads and generates attempts with system prompts
• Verify the detector correctly scores full matches (>0.9), partial matches (>0.3), and no matches (<0.3)
• Verify the probe gracefully handles missing datasets library with warnings
• Document - Comprehensive docstrings in probe and detector classes, Sphinx RST files added

Testing Notes

The probe can be tested without the datasets library installed - it will log warnings but still function. For full functionality including HuggingFace dataset loading:

pip install datasets
garak --model_type openai --model_name gpt-3.5-turbo --probes sysprompt --probe_options '{"max_system_prompts": 5}'

[erickgalinkin]

Needs some work but I love where this is going.

[erickgalinkin]

Again here, the result should be deterministic -- we should know the value the detector returns here.

[leondz]

yeah. recommend setting any relevant detector config poarams if needed, and then finding the expected value and using that in the test with == instead of >

[jmartin-tech]

Some minor organization request and code reuse ideas.

[jmartin-tech]

A little more tweaking for configurable data locations is still needed.

ATTACK_TEMPLATES needs to be extracted or at the least not copied into DEFAULT_PARAMS and the datasets for known target system prompts should be full dataset names. garak usage expects familiarity with huggingface datasets and a hardcoded map based on only account/org names enforces limitations that can and should be avoided.

[leondz]

This is looking really nice, thank you. One last pass of changes and I think we'll be in great place with it.

[leondz]

Would be illuminating to get some examples of each of these, so we have some idea of how the thresholds are determined. Maybe just one example per level, for now, would be OK

[leondz]

A similar global value is already be set in _config.run.eval_threshold (default 0.5) - is a separate threshold needed here?

[erickgalinkin]

I wonder if it makes sense to make this threshold configurable per-detector, since each has their own sensitivity/specificity? We use the eval_threshold unless a separate threshold value is consumed? I suppose this would be out of scope for this PR but may be worth considering as a modification to the base Detector class.

[leondz]

This largely looks like a copy of detectors.encoding.DecodeApprox. Is it worth factoring this up into a new detector that replaces/is inherited by both, something like detectors.approx.ApproxStringNgram? Or is there a reason to keep two separate classes?

[erickgalinkin]

Alternative thought (again, larger scope of work probably out of scope for this PR): having some utility functions in garak.resources for common use cases like string similarity, ngram matching, etc. We use a very small handful of preferred nltk distance metrics in several places, for example. Could also implement other fuzzy matchings. Having a common ref of those to avoid additional imports in places may be valuable.

Or I could write a Rust-based library with Python bindings that becomes its own dependency and we live to fight another day.

[leondz]

1. output_cleaned is string-separated tokens, not chars
2. This 20 value should be configurable
3. What if the sysprompt has fewer than 20 tokens? Consider determining the max match length as a minimum of (20, len(system_prompt_cleaned)) and then using that determined value in this comparison

[leondz]

will need updating when ATTACK_TEMPLATES moves to its own data location

[erickgalinkin]

I wonder if it makes sense to make this threshold configurable per-detector, since each has their own sensitivity/specificity? We use the eval_threshold unless a separate threshold value is consumed? I suppose this would be out of scope for this PR but may be worth considering as a modification to the base Detector class.

[erickgalinkin]

This seems like a finicky parameter -- should probably document how changing this value changes outcomes.

[erickgalinkin]

Alternative thought (again, larger scope of work probably out of scope for this PR): having some utility functions in garak.resources for common use cases like string similarity, ngram matching, etc. We use a very small handful of preferred nltk distance metrics in several places, for example. Could also implement other fuzzy matchings. Having a common ref of those to avoid additional imports in places may be valuable.

Or I could write a Rust-based library with Python bindings that becomes its own dependency and we live to fight another day.

[jmartin-tech]

Is there a reason this was commented out?