Documentation
¶
Overview ¶
MemMorph — disguised-record memory poisoning that biases an agent's autonomous tool selection (arXiv 2605.26154).
Unlike minja/memorygraft/injecmem, MemMorph does not force an explicit instruction the trigger response echoes back. It injects a small set of records disguised as technical facts, incident reports, and operational policies, then — on a later *neutral* task — checks whether the agent autonomously selects the attacker-preferred tool. Success is a tool-choice observation, not an indicator-string echo. The paper reports ~85.9% success with three injected records.
Shares the memory package's gate → probe → inject → trigger scaffold and helpers (runTurns, providerErr, atoiOr, indicatorMatch).
Package memory implements the v0.9.0 memory-poisoning attack module.
The single state machine implements three published techniques, registered as distinct AttackModules via three init() blocks. The differences are configuration of the state machine, not separate code paths:
- minja — query-bound implants, same-session trigger. arXiv 2503.03704 (A Practical Memory Injection Attack against LLM Agents).
- memorygraft — episodic-experience implants, fresh-session trigger via SessionProvider.NewSession. arXiv 2512.16962 (Persistent Compromise of LLM Agents via Poisoned Experience Retrieval).
- injecmem — single-interaction targeted implant with deferred trigger phrase, same-session trigger on a follow-up. OpenReview QVX6hcJ2um (InjecMEM).
Per the v0.9.0 plan and the security review on the plan, all three modes require config.Metadata["i_understand_risks"] = "true" and emit a CleanupHint listing operator-facing instructions for manual purge. v0.9.0 does not auto-purge — a Purger provider interface is planned for v0.10.0.
Capability discovery is by type assertion against common.MemoryProbe (and common.SessionProvider for memorygraft). Modules emit OutcomeSkipped with a typed SkipReason when a capability is missing, never silent Success=false.
Hidden Sleeper memory poisoning (arXiv 2605.15338).
Where memorygraft implants an episodic experience the agent is told to carry forward, Sleeper poisons *external content* (a document, web page, or repo the agent ingests into memory) so the fabricated memory is written as a side effect of normal ingestion. The implant stays dormant until retrieved in a *later* session, where it steers an attacker-intended action. The paper reports memory-injection success up to 99.8% and action manipulation in 60–89% of retrievals.
Requires both common.MemoryProbe (retention) and common.SessionProvider (cross-session verification). Success requires the dormant memory to re-emerge in a fresh session AND steer the action; non-re-emergence is OutcomeRefused, never fabricated success.
Index ¶
- type InjecMEMModule
- type MINJAModule
- type MemMorphModule
- func (m *MemMorphModule) Category() common.AttackCategory
- func (m *MemMorphModule) Description() string
- func (m *MemMorphModule) Execute(ctx context.Context, provider common.Provider, config common.AttackConfig) (*common.AttackResult, error)
- func (m *MemMorphModule) Name() string
- func (m *MemMorphModule) Techniques() []common.TechniqueInfo
- type MemoryGraftModule
- type MemoryPoisoningModule
- func (m *MemoryPoisoningModule) Category() common.AttackCategory
- func (m *MemoryPoisoningModule) Description() string
- func (m *MemoryPoisoningModule) Execute(ctx context.Context, provider common.Provider, config common.AttackConfig) (*common.AttackResult, error)
- func (m *MemoryPoisoningModule) Name() string
- func (m *MemoryPoisoningModule) Techniques() []common.TechniqueInfo
- type SleeperModule
- func (m *SleeperModule) Category() common.AttackCategory
- func (m *SleeperModule) Description() string
- func (m *SleeperModule) Execute(ctx context.Context, provider common.Provider, config common.AttackConfig) (*common.AttackResult, error)
- func (m *SleeperModule) Name() string
- func (m *SleeperModule) Techniques() []common.TechniqueInfo
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type InjecMEMModule ¶
type InjecMEMModule = MemoryPoisoningModule
InjecMEMModule is the registered Name returns "injecmem".
type MINJAModule ¶
type MINJAModule = MemoryPoisoningModule
MINJAModule is the registered Name returns "minja". The exported alias keeps the conventional <Technique>Module type-name visible to tools that scan the package; the underlying state machine is shared.
type MemMorphModule ¶ added in v0.12.0
type MemMorphModule struct{}
MemMorphModule implements the AttackModule interface for MemMorph.
func (*MemMorphModule) Category ¶ added in v0.12.0
func (m *MemMorphModule) Category() common.AttackCategory
Category returns CategoryMemory.
func (*MemMorphModule) Description ¶ added in v0.12.0
func (m *MemMorphModule) Description() string
Description returns a human-readable description.
func (*MemMorphModule) Execute ¶ added in v0.12.0
func (m *MemMorphModule) Execute( ctx context.Context, provider common.Provider, config common.AttackConfig, ) (*common.AttackResult, error)
Execute runs the MemMorph state machine.
- Gate — config.Metadata["i_understand_risks"] must equal "true".
- Capability — provider must implement common.MemoryProbe.
- ProbeMemory — (false,nil) → SkipMemoryNotRetained; (_,err) → SkipProviderError.
- Inject — record_count disguised records (technical fact / incident report / operational policy) that steer tool choice toward preferred_tool.
- Trigger — a neutral task; success when the response selects the attacker-preferred tool (config.SuccessIndicators or preferred_tool).
- Always emit CleanupHint + injected_record_ids.
func (*MemMorphModule) Name ¶ added in v0.12.0
func (m *MemMorphModule) Name() string
Name returns the registered technique name.
func (*MemMorphModule) Techniques ¶ added in v0.12.0
func (m *MemMorphModule) Techniques() []common.TechniqueInfo
Techniques returns the OWASP and metadata bundle.
type MemoryGraftModule ¶
type MemoryGraftModule = MemoryPoisoningModule
MemoryGraftModule is the registered Name returns "memorygraft".
type MemoryPoisoningModule ¶
type MemoryPoisoningModule struct {
Mode string
}
MemoryPoisoningModule implements the AttackModule interface for memory poisoning. The Mode field selects which published technique the state machine implements; three init() blocks register one instance per mode.
func (*MemoryPoisoningModule) Category ¶
func (m *MemoryPoisoningModule) Category() common.AttackCategory
Category returns CategoryMemory for all three modes.
func (*MemoryPoisoningModule) Description ¶
func (m *MemoryPoisoningModule) Description() string
Description returns a human-readable description specific to the mode.
func (*MemoryPoisoningModule) Execute ¶
func (m *MemoryPoisoningModule) Execute( ctx context.Context, provider common.Provider, config common.AttackConfig, ) (*common.AttackResult, error)
Execute runs the memory-poisoning state machine for this mode.
State machine (all modes):
- Safety gate — config.Metadata["i_understand_risks"] must equal "true". Otherwise return OutcomeSkipped + SkipGateBlocked.
- Capability probe — provider must implement common.MemoryProbe; the memorygraft mode additionally requires common.SessionProvider for the cross-session verification step.
- ProbeMemory — call the probe; (false, nil) → OutcomeSkipped + SkipMemoryNotRetained. (_, err) → OutcomeSkipped + SkipProviderError.
- Seed phase — send a small number of benign queries to establish a plausible interaction history.
- Inject phase — send the implant payload (mode-specific shape).
- Wait phase — interleave intervening_turns benign queries.
- Trigger phase — same-session for minja/injecmem; fresh session via SessionProvider.NewSession for memorygraft.
- Verify — scan the trigger response for the implant's success indicator. On match → OutcomeSuccess; otherwise OutcomeRefused.
- Always emit CleanupHint listing the injected_record_ids so the operator can manually purge (v0.10.0 will add automated Purger).
func (*MemoryPoisoningModule) Name ¶
func (m *MemoryPoisoningModule) Name() string
Name returns the registered technique name for this mode.
func (*MemoryPoisoningModule) Techniques ¶
func (m *MemoryPoisoningModule) Techniques() []common.TechniqueInfo
Techniques returns the OWASP and metadata bundle for this mode.
type SleeperModule ¶ added in v0.12.0
type SleeperModule struct{}
SleeperModule implements the AttackModule interface for Hidden Sleeper.
func (*SleeperModule) Category ¶ added in v0.12.0
func (m *SleeperModule) Category() common.AttackCategory
Category returns CategoryMemory.
func (*SleeperModule) Description ¶ added in v0.12.0
func (m *SleeperModule) Description() string
Description returns a human-readable description.
func (*SleeperModule) Execute ¶ added in v0.12.0
func (m *SleeperModule) Execute( ctx context.Context, provider common.Provider, config common.AttackConfig, ) (*common.AttackResult, error)
Execute runs the Sleeper state machine.
- Gate — config.Metadata["i_understand_risks"] must equal "true".
- Capability — provider must implement BOTH common.MemoryProbe and common.SessionProvider (cross-session verification).
- ProbeMemory — (false,nil) → SkipMemoryNotRetained; (_,err) → SkipProviderError.
- Inject — deliver poisoned external content the agent ingests into memory.
- Trigger — open a FRESH session via NewSession; success only when the dormant implant re-emerges and steers the action.
- Always emit CleanupHint + injected_record_ids; record inject/trigger session IDs so the cross-session claim is auditable.
func (*SleeperModule) Name ¶ added in v0.12.0
func (m *SleeperModule) Name() string
Name returns the registered technique name.
func (*SleeperModule) Techniques ¶ added in v0.12.0
func (m *SleeperModule) Techniques() []common.TechniqueInfo
Techniques returns the OWASP and metadata bundle. Sleeper maps to ASI06 (memory poisoning) and ASI10 (rogue agents) because the dormant implant shapes autonomous decisions in future sessions.