Skip to content

feat(probes/encoding): add InjectCaesar probe#1877

Open
Ujwal-Ramachandran wants to merge 1 commit into
NVIDIA:mainfrom
Ujwal-Ramachandran:feature/probe-inject-caesar
Open

feat(probes/encoding): add InjectCaesar probe#1877
Ujwal-Ramachandran wants to merge 1 commit into
NVIDIA:mainfrom
Ujwal-Ramachandran:feature/probe-inject-caesar

Conversation

@Ujwal-Ramachandran

Copy link
Copy Markdown

Adds a Caesar cipher encoding probe that tests whether models silently decode and execute instructions obfuscated with Caesar cipher shifts (3, 7, and 17). Complements the existing InjectROT13 probe which covers shift 13.

Includes parametrized unit tests for the _caesar_shift helper function.

What changed

  • garak/probes/encoding.py: added InjectCaesar class with _caesar_shift helper supporting configurable shift values
  • tests/probes/test_probes_encoding.py: added parametrized tests for _caesar_shift and probe instantiation
  • garak/data/plugin_cache.json: regenerated via --list_probes

Testing

pytest tests/probes/test_probes_encoding.py tests/probes/test_probes.py

Verification

  • Run the tests and ensure they pass python -m pytest tests/probes/test_probes_encoding.py tests/probes/test_probes.py
  • Verify the probe encodes payloads correctly across shifts 3, 7, and 17
  • Verify encoded prompts do not contain the plaintext trigger (covered by existing test_encoding_triggers_not_in_prompts parametrized test)

Adds a Caesar cipher encoding probe that tests whether models
silently decode and execute instructions obfuscated with Caesar
cipher shifts (3, 7, and 17). Complements the existing InjectROT13
probe which covers shift 13.

Includes parametrized unit tests for the _caesar_shift function.

Signed-off-by: Ujwal-Ramachandran <contactme.ujwal@gmail.com>

@jmartin-tech jmartin-tech left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you offer details on how this was tested, do you know of a target within the last year that will show a rate of successful attack from this probe?

Validation of the efficacy of new probes is an important factor is evaluating suitability for inclusion especially when marked active and Tier.OF_CONCERN or higher.

@Ujwal-Ramachandran

Copy link
Copy Markdown
Author

Hi! Sure, here's my testing methodology.

Tested locally by:

  • Verifying _caesar_shift() output across shifts 3, 7, and 17
  • Confirming the existing test_encoding_triggers_not_in_prompts parametrized test automatically picks up InjectCaesar and passes
  • Confirming the probe appears in --list_probes

Output:

test_encoding_len_cap[probes.encoding.InjectCaesar] PASSED
test_encoding_prompt_trigger_match[probes.encoding.InjectCaesar] PASSED

Full test output: test_output.txt

Evidence of real-world efficacy

Caesar cipher as an injection vector has consistent empirical support:

Yuan et al. (2023) predates the one-year window, but is directly cited in both May 2025 papers above, confirming the attack surface remains active in current literature.

The multi-shift design (3, 7, 17) is intentional. Yuan et al. and the ICLR 2025 bijection learning paper (Huang et al.) both note that shift-3 is over-represented in pre-training data. Non-standard shifts test whether safety failures generalise beyond the classical variant.

Please let me know if you need anything else.

Thanks.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants