memory

package
v0.9.0 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: May 2, 2026 License: MIT Imports: 6 Imported by: 0

Documentation

Overview

Package memory implements the v0.9.0 memory-poisoning attack module.

The single state machine implements three published techniques, registered as distinct AttackModules via three init() blocks. The differences are configuration of the state machine, not separate code paths:

  • minja — query-bound implants, same-session trigger. arXiv 2503.03704 (A Practical Memory Injection Attack against LLM Agents).
  • memorygraft — episodic-experience implants, fresh-session trigger via SessionProvider.NewSession. arXiv 2512.16962 (Persistent Compromise of LLM Agents via Poisoned Experience Retrieval).
  • injecmem — single-interaction targeted implant with deferred trigger phrase, same-session trigger on a follow-up. OpenReview QVX6hcJ2um (InjecMEM).

Per the v0.9.0 plan and the security review on the plan, all three modes require config.Metadata["i_understand_risks"] = "true" and emit a CleanupHint listing operator-facing instructions for manual purge. v0.9.0 does not auto-purge — a Purger provider interface is planned for v0.10.0.

Capability discovery is by type assertion against common.MemoryProbe (and common.SessionProvider for memorygraft). Modules emit OutcomeSkipped with a typed SkipReason when a capability is missing, never silent Success=false.

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

This section is empty.

Types

type InjecMEMModule

type InjecMEMModule = MemoryPoisoningModule

InjecMEMModule is the registered Name returns "injecmem".

type MINJAModule

type MINJAModule = MemoryPoisoningModule

MINJAModule is the registered Name returns "minja". The exported alias keeps the conventional <Technique>Module type-name visible to tools that scan the package; the underlying state machine is shared.

type MemoryGraftModule

type MemoryGraftModule = MemoryPoisoningModule

MemoryGraftModule is the registered Name returns "memorygraft".

type MemoryPoisoningModule

type MemoryPoisoningModule struct {
	Mode string
}

MemoryPoisoningModule implements the AttackModule interface for memory poisoning. The Mode field selects which published technique the state machine implements; three init() blocks register one instance per mode.

func (*MemoryPoisoningModule) Category

Category returns CategoryMemory for all three modes.

func (*MemoryPoisoningModule) Description

func (m *MemoryPoisoningModule) Description() string

Description returns a human-readable description specific to the mode.

func (*MemoryPoisoningModule) Execute

Execute runs the memory-poisoning state machine for this mode.

State machine (all modes):

  1. Safety gate — config.Metadata["i_understand_risks"] must equal "true". Otherwise return OutcomeSkipped + SkipGateBlocked.
  2. Capability probe — provider must implement common.MemoryProbe; the memorygraft mode additionally requires common.SessionProvider for the cross-session verification step.
  3. ProbeMemory — call the probe; (false, nil) → OutcomeSkipped + SkipMemoryNotRetained. (_, err) → OutcomeSkipped + SkipProviderError.
  4. Seed phase — send a small number of benign queries to establish a plausible interaction history.
  5. Inject phase — send the implant payload (mode-specific shape).
  6. Wait phase — interleave intervening_turns benign queries.
  7. Trigger phase — same-session for minja/injecmem; fresh session via SessionProvider.NewSession for memorygraft.
  8. Verify — scan the trigger response for the implant's success indicator. On match → OutcomeSuccess; otherwise OutcomeRefused.
  9. Always emit CleanupHint listing the injected_record_ids so the operator can manually purge (v0.10.0 will add automated Purger).

func (*MemoryPoisoningModule) Name

func (m *MemoryPoisoningModule) Name() string

Name returns the registered technique name for this mode.

func (*MemoryPoisoningModule) Techniques

func (m *MemoryPoisoningModule) Techniques() []common.TechniqueInfo

Techniques returns the OWASP and metadata bundle for this mode.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL