memory

package
v0.12.0 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jun 23, 2026 License: MIT Imports: 6 Imported by: 0

Documentation

Overview

MemMorph — disguised-record memory poisoning that biases an agent's autonomous tool selection (arXiv 2605.26154).

Unlike minja/memorygraft/injecmem, MemMorph does not force an explicit instruction the trigger response echoes back. It injects a small set of records disguised as technical facts, incident reports, and operational policies, then — on a later *neutral* task — checks whether the agent autonomously selects the attacker-preferred tool. Success is a tool-choice observation, not an indicator-string echo. The paper reports ~85.9% success with three injected records.

Shares the memory package's gate → probe → inject → trigger scaffold and helpers (runTurns, providerErr, atoiOr, indicatorMatch).

Package memory implements the v0.9.0 memory-poisoning attack module.

The single state machine implements three published techniques, registered as distinct AttackModules via three init() blocks. The differences are configuration of the state machine, not separate code paths:

  • minja — query-bound implants, same-session trigger. arXiv 2503.03704 (A Practical Memory Injection Attack against LLM Agents).
  • memorygraft — episodic-experience implants, fresh-session trigger via SessionProvider.NewSession. arXiv 2512.16962 (Persistent Compromise of LLM Agents via Poisoned Experience Retrieval).
  • injecmem — single-interaction targeted implant with deferred trigger phrase, same-session trigger on a follow-up. OpenReview QVX6hcJ2um (InjecMEM).

Per the v0.9.0 plan and the security review on the plan, all three modes require config.Metadata["i_understand_risks"] = "true" and emit a CleanupHint listing operator-facing instructions for manual purge. v0.9.0 does not auto-purge — a Purger provider interface is planned for v0.10.0.

Capability discovery is by type assertion against common.MemoryProbe (and common.SessionProvider for memorygraft). Modules emit OutcomeSkipped with a typed SkipReason when a capability is missing, never silent Success=false.

Hidden Sleeper memory poisoning (arXiv 2605.15338).

Where memorygraft implants an episodic experience the agent is told to carry forward, Sleeper poisons *external content* (a document, web page, or repo the agent ingests into memory) so the fabricated memory is written as a side effect of normal ingestion. The implant stays dormant until retrieved in a *later* session, where it steers an attacker-intended action. The paper reports memory-injection success up to 99.8% and action manipulation in 60–89% of retrievals.

Requires both common.MemoryProbe (retention) and common.SessionProvider (cross-session verification). Success requires the dormant memory to re-emerge in a fresh session AND steer the action; non-re-emergence is OutcomeRefused, never fabricated success.

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

This section is empty.

Types

type InjecMEMModule

type InjecMEMModule = MemoryPoisoningModule

InjecMEMModule is the registered Name returns "injecmem".

type MINJAModule

type MINJAModule = MemoryPoisoningModule

MINJAModule is the registered Name returns "minja". The exported alias keeps the conventional <Technique>Module type-name visible to tools that scan the package; the underlying state machine is shared.

type MemMorphModule added in v0.12.0

type MemMorphModule struct{}

MemMorphModule implements the AttackModule interface for MemMorph.

func (*MemMorphModule) Category added in v0.12.0

func (m *MemMorphModule) Category() common.AttackCategory

Category returns CategoryMemory.

func (*MemMorphModule) Description added in v0.12.0

func (m *MemMorphModule) Description() string

Description returns a human-readable description.

func (*MemMorphModule) Execute added in v0.12.0

func (m *MemMorphModule) Execute(
	ctx context.Context,
	provider common.Provider,
	config common.AttackConfig,
) (*common.AttackResult, error)

Execute runs the MemMorph state machine.

  1. Gate — config.Metadata["i_understand_risks"] must equal "true".
  2. Capability — provider must implement common.MemoryProbe.
  3. ProbeMemory — (false,nil) → SkipMemoryNotRetained; (_,err) → SkipProviderError.
  4. Inject — record_count disguised records (technical fact / incident report / operational policy) that steer tool choice toward preferred_tool.
  5. Trigger — a neutral task; success when the response selects the attacker-preferred tool (config.SuccessIndicators or preferred_tool).
  6. Always emit CleanupHint + injected_record_ids.

func (*MemMorphModule) Name added in v0.12.0

func (m *MemMorphModule) Name() string

Name returns the registered technique name.

func (*MemMorphModule) Techniques added in v0.12.0

func (m *MemMorphModule) Techniques() []common.TechniqueInfo

Techniques returns the OWASP and metadata bundle.

type MemoryGraftModule

type MemoryGraftModule = MemoryPoisoningModule

MemoryGraftModule is the registered Name returns "memorygraft".

type MemoryPoisoningModule

type MemoryPoisoningModule struct {
	Mode string
}

MemoryPoisoningModule implements the AttackModule interface for memory poisoning. The Mode field selects which published technique the state machine implements; three init() blocks register one instance per mode.

func (*MemoryPoisoningModule) Category

Category returns CategoryMemory for all three modes.

func (*MemoryPoisoningModule) Description

func (m *MemoryPoisoningModule) Description() string

Description returns a human-readable description specific to the mode.

func (*MemoryPoisoningModule) Execute

Execute runs the memory-poisoning state machine for this mode.

State machine (all modes):

  1. Safety gate — config.Metadata["i_understand_risks"] must equal "true". Otherwise return OutcomeSkipped + SkipGateBlocked.
  2. Capability probe — provider must implement common.MemoryProbe; the memorygraft mode additionally requires common.SessionProvider for the cross-session verification step.
  3. ProbeMemory — call the probe; (false, nil) → OutcomeSkipped + SkipMemoryNotRetained. (_, err) → OutcomeSkipped + SkipProviderError.
  4. Seed phase — send a small number of benign queries to establish a plausible interaction history.
  5. Inject phase — send the implant payload (mode-specific shape).
  6. Wait phase — interleave intervening_turns benign queries.
  7. Trigger phase — same-session for minja/injecmem; fresh session via SessionProvider.NewSession for memorygraft.
  8. Verify — scan the trigger response for the implant's success indicator. On match → OutcomeSuccess; otherwise OutcomeRefused.
  9. Always emit CleanupHint listing the injected_record_ids so the operator can manually purge (v0.10.0 will add automated Purger).

func (*MemoryPoisoningModule) Name

func (m *MemoryPoisoningModule) Name() string

Name returns the registered technique name for this mode.

func (*MemoryPoisoningModule) Techniques

func (m *MemoryPoisoningModule) Techniques() []common.TechniqueInfo

Techniques returns the OWASP and metadata bundle for this mode.

type SleeperModule added in v0.12.0

type SleeperModule struct{}

SleeperModule implements the AttackModule interface for Hidden Sleeper.

func (*SleeperModule) Category added in v0.12.0

func (m *SleeperModule) Category() common.AttackCategory

Category returns CategoryMemory.

func (*SleeperModule) Description added in v0.12.0

func (m *SleeperModule) Description() string

Description returns a human-readable description.

func (*SleeperModule) Execute added in v0.12.0

func (m *SleeperModule) Execute(
	ctx context.Context,
	provider common.Provider,
	config common.AttackConfig,
) (*common.AttackResult, error)

Execute runs the Sleeper state machine.

  1. Gate — config.Metadata["i_understand_risks"] must equal "true".
  2. Capability — provider must implement BOTH common.MemoryProbe and common.SessionProvider (cross-session verification).
  3. ProbeMemory — (false,nil) → SkipMemoryNotRetained; (_,err) → SkipProviderError.
  4. Inject — deliver poisoned external content the agent ingests into memory.
  5. Trigger — open a FRESH session via NewSession; success only when the dormant implant re-emerges and steers the action.
  6. Always emit CleanupHint + injected_record_ids; record inject/trigger session IDs so the cross-session claim is auditable.

func (*SleeperModule) Name added in v0.12.0

func (m *SleeperModule) Name() string

Name returns the registered technique name.

func (*SleeperModule) Techniques added in v0.12.0

func (m *SleeperModule) Techniques() []common.TechniqueInfo

Techniques returns the OWASP and metadata bundle. Sleeper maps to ASI06 (memory poisoning) and ASI10 (rogue agents) because the dormant implant shapes autonomous decisions in future sessions.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL