AblitaFuzzer

================

AblitaFuzzer is still in alpha. Expect bugs for now.

About AblitaFuzzer

AblitaFuzzer is a simple command-line tool designed for blackbox LLM API fuzzing against chatbots that are hosted at a URL, whether in the cloud, on-premises, or even on localhost.

Current State Gap Identification

Large language models (LLMs) are increasingly deployed in various applications, making them attractive targets for security vulnerabilities. Existing LLM pentesting tools often require downloading the target model to a local system. However, this is rarely feasible in real-world pentesting engagements where access is limited to authentication credentials and a remote API URL.
While tools like Garak and PyRIT offer sophisticated testing capabilities, a need exists for a tool that can quickly assess the filtering and guardrails of a target LLM API without requiring local access to the model. Furthermore, many existing tools rely on known-malicious prompts, which become obsolete as LLMs are updated to defend against them.

AblitaFuzzer addresses these gaps by providing a command-line tool designed for blackbox LLM API fuzzing. It generates new, novel malicious prompts using an abliterated model, and probes the target model to identify potential vulnerabilities. By analyzing the responses, AblitaFuzzer helps penetration testers gain clarity on which specific attacks to attempt next, making it a valuable first-pass tool in a comprehensive pentesting strategy. This approach allows for efficient and realistic security assessments of LLM APIs, even when local access to the model is restricted.

Significance and Implications of Work

AblitaFuzzer addresses a gap in LLM security testing by providing a method for blackbox fuzzing of chatbot APIs. Many existing security tools require access to model weights or internal logs, but real-world penetration tests are typically limited to API interactions. AblitaFuzzer enables testers to probe LLMs in a way that reflects actual attack conditions, helping to identify weaknesses in content filtering, prompt injection defenses, and response handling.

The tool is particularly useful for security audits, regulatory compliance testing, and adversarial assessments. Organizations deploying LLM-based applications can use it to evaluate the robustness of their models against novel attack prompts. Unlike static jailbreak lists, which become outdated as defenses improve, AblitaFuzzer generates fresh adversarial prompts dynamically. This approach makes it a practical option for ongoing security evaluations and research into LLM vulnerabilities.

By integrating an uncensored LLM to create new attack prompts, AblitaFuzzer introduces a self-adaptive fuzzing method that evolves alongside model defenses. This contributes to the study of adversarial robustness in LLMs and provides a structured approach to evaluating model security in a reproducible manner. Future research could build on this approach to explore more sophisticated adversarial testing techniques and benchmarking methodologies.

Tools, Frameworks, & Services

Core Dependencies

AblitaFuzzer utilizes several Python libraries to facilitate its functionalities:

• transformers==4.42.3
  • Purpose: Interfaces with pre-trained large language models (LLMs), enabling integration with models from Hugging Face.
  • Justification: Provides a standardized interface for working with diverse LLMs, essential for generating novel malicious prompts.
• openai==1.35.7
  • Purpose: Facilitates interactions with OpenAI-compatible LLM APIs, including locally hosted models via platforms like LM Studio or Ollama.
  • Justification: Ensures compatibility with OpenAI-like models, broadening the scope of fuzzing targets.
• requests~=2.32.3
  • Purpose: Manages HTTP requests to both the “attacker” LLM and the target chatbot API.
  • Justification: Serves as the primary mechanism for interfacing with remote models, ensuring reliable communication.
• pandas==2.2.2
  • Purpose: Handles data manipulation and analysis, particularly in processing and organizing fuzzing results.
  • Justification: Offers robust data structures and functions essential for analyzing large datasets generated during fuzzing.
• matplotlib==3.9.0
  • Purpose: Creates visual representations of response classifications and trends.
  • Justification: Enhances the analysis by providing graphical insights into the target model’s behavior.
• colorama==0.4.6
  • Purpose: Adds colored terminal output for improved readability.
  • Justification: Enhances user experience during command-line interactions.

Additional Dependencies

• nbformat~=5.10.4 and nbconvert~=7.16.4
  • Purpose: Manage and convert Jupyter Notebook files.
  • Justification: Facilitate the creation and sharing of interactive reports, aligning with Ready Tensor’s emphasis on reproducibility.
• Markdown~=3.6
  • Purpose: Supports the generation of Markdown-formatted reports.
  • Justification: Enables structured and readable documentation of fuzzing results.

Justification for Custom Tools

AblitaFuzzer is specifically designed for scenarios where access to the target LLM is limited to API interactions. Its unique approach involves:

• Dynamic Prompt Generation: Utilizes an “abliterated” (uncensored) LLM to create novel malicious prompts, addressing the limitation of static prompt lists becoming obsolete as chatbot defenses evolve.
• Blackbox Testing: Focuses on assessing the security and robustness of LLMs without requiring access to their internal architectures, making it suitable for real-world penetration testing scenarios.

External Services

• Hugging Face Models: Certain tests rely on abliterated models hosted on Hugging Face or served locally using platforms like Ollama or LM Studio.
• Proxy Tools: Security testers may employ intercepting proxies such as Burp Suite or OWASP ZAP to analyze HTTP requests and responses during fuzzing.

Reproducibility Considerations

To ensure reproducibility, all dependencies and their specific versions are explicitly listed in the requirements.txt file. This practice aligns with Ready Tensor’s guidelines on reproducible research, facilitating consistent environments for users replicating or extending the work.

Installation, setup, and usage

Clone the AblitaFuzzer repository from GitHub

git clone git@github.com:tcpiplab/AblitaFuzzer.git
cd AblitaFuzzer

Set up a virtual environment

python3 -m venv AblitaFuzzer_venv
source AblitaFuzzer_venv/bin/activate

Install the required packages

pip3 install -r requirements.txt

Or, depending on your OS...

python3 -m pip3 install -r requirements.txt

Set up the abliterated "attacker" LLM API

• Host an abliterated or uncensored LLM at a localhost API URL.
• Either LM Studio or Ollama are great tools for this purpose, regardless of your OS.
• Note that this API URL will also be used for analysis of the attack request/response pairs.
• Edit the API call parameters in the following places:
  • Set the API call parameters in ablitafuzzer.call_abliterated_model_api()
  • Set the base_url in ablitafuzzer.generate_malicious_prompts().
  • Set them again in tests.test_calling_apis.test_call_abliterated_model() so they match the values used in the previous step.

Set up the target LLM API URL and payload

• Edit API call parameters in ablitafuzzer.attack_target_model_api():
  • Set the TARGET_MODEL_API global variable just above the function definition.
  • Set the payload values inside the function definition.
  • Set them again in tests.test_calling_apis.test_call_target_model so they match the values used in the previous step.

Test calling both API URLs

python3 ablitafuzzer.py test

Or, if proxying through Burp or Zap:

python3 ablitafuzzer.py test --proxy 127.0.0.1:8080

Run the fuzzer

python3 ablitafuzzer.py fuzz

Or, if proxying through Burp or Zap:

python3 ablitafuzzer.py fuzz --proxy 127.0.0.1:8080

Analyze the results

python3 ablitafuzzer.py analyze

• Now you can view a Markdown file containing the results and analysis commentary by manually opening the newest file (the one with the most recent timestamp in its name) in the results/ directory. For example:
  • Ablitafuzzer_Results_2024-07-20-10-00.md
• Note that you can also correlate individual malicious prompt requests from the attack by searching in your proxy history for the globally unique header for that attack request. For example:
  • AblitaFuzzer-Attack-ID: 2024-07-20-09-55-00-284a0585-e147-456b-b8d2-0eebca61f5f7

Why AblitaFuzzer?

AblitaFuzzer was specifically designed to be used by penetration testers and security researchers in real-world pentesting scenarios where access to the target LLM is typically limited to nothing but authentication credentials and a remote URL. Unlike many existing LLM pentesting tools, which require downloading the target model to a local system - a scenario rarely allowed in real-world pentesting engagements - AblitaFuzzer is intended to be used against an LLM API URL.

Aren't there better tools for this kind of thing?

Absolutely. But AblitaFuzzer is intended to be used in conjunction with other tools to perform a complete pentest. Most likely you should use AblitaFuzzer as a first pass against a target LLM to get a broad impression of what kind of filtering and guardrails the target LLM is using.

The intention is that analyzing AblitaFuzzer's results will help the pentester gain clarity about which specific attacks to attempt next, either manually through the chatbot's UI or by using a more sophisticated tool like Garak or PyRIT.

How does it work?

TLDR

1. python3 ablitafuzzer.py test - AblitaFuzzer tries to call the hardcoded API URLs of the (abliterated/uncensored) "attacker" LLM and the "target" LLM to make sure they are reachable and not returning errors.
2. python3 ablitafuzzer.py fuzz
   1. AblitaFuzzer sends a bunch of known-malicious seed prompts to the abliterated model and asks it to generate new, novel malicious prompts.
   2. AblitaFuzzer sends these new malicious prompts to the target LLM.
   3. AblitaFuzzer records the responses from the target LLM in results/results.json.
3. python3 ablitafuzzer.py analyze
   1. AblitaFuzzer calls the abliterated LLM again, but this time to analyze the request/response pairs from the latest attack.
   2. AblitaFuzzer writes the resulting analysis to a Markdown file.

More detailed explanation of how it works

AblitaFuzzer comes with a bunch of pre-written prompts that are known to be malicious. These prompts are stored under the inputs directory. You can add your own prompts to this if you like. But the problem with known-malicious prompts is that they are known and the best ones are quickly made obsolete as LLMs are patched, retrained, firewalled, whatever, against these known-malicious prompts. AblitaFuzzer tries to solve this problem by generating new malicious prompts before launching the attack against your target model. This way, the prompts are new and not known to the target LLM.

For generating the new malicious prompts, AblitaFuzzer uses an abliterated model, typically hosted on your machine at localhost. By default, this "attacker" LLM is run using Ollama. You can read about how an abliterated model is different. But basically it is a model that has been modified to not refuse any requests. This makes it ideal for generating malicious prompts for us to use in attacking the target LLM.

Once the abliterated model is running, AblitaFuzzer will send it several seed prompts - known malicious prompts, jailbreaks, etc. - and will ask the abliterated model to use them as examples to generate a batch of new malicious prompts, by default 20. AblitaFuzzer will then send those prompts to the target LLM API, and will record the responses.
Once all the responses are received, AblitaFuzzer will exit. Then you can use its analysis tools to examine the responses.

Analyzing the results - some tools, some manual analysis

AblitaFuzzer includes some simple analysis tools. But the verbose and non-deterministic nature of LLMs means that you'll have to do a combination of programmatic and manual analysis to figure out which attacks succeeded and which attacks were blocked. Results are stored as JSON files in the results directory.

Best practices for using AblitaFuzzer

• Proxy everything through Burp Suite or ZAP or another proxy tool. This will enable you to see the actual requests that are being sent to the target model's API, and allow you to modify them as needed. More importantly, this will enable you to provide the exact prompt, response, and timestamp of anything that your client (the owner of the LLM you're attacking) might ask about. Just add the --proxy option when you run fuzz or test, e.g. --proxy 127.0.0.1:8080.
• Work iteratively. Start with sending a small and diverse set of attack prompts. Analyze the successes, then gradually increase the number of attack prompts as you become more comfortable.
• Don't get stuck on using AblitaFuzzer. Switch to manual attacks or a more sophisticated tool like Garak or PyRIT once you have exhausted the capabilities of AblitaFuzzer. For example, the model you're attacking might be susceptible to something like contextual manipulation, which AblitaFuzzer does not support.
• Don't pentest in Production Use AblitaFuzzer in a controlled environment. This tool is not intended for use against production systems.
• Get permission in writing before you ever send an attack prompt. This is a good idea in general, but especially important when using a tool like AblitaFuzzer.
• Read the disclaimers below.

Disclaimers

AblitaFuzzer is a proof-of-concept tool and is not intended for use against a production environment. Also, as with all offensive security tools, do not point this tool at an API unless you have explicit, written permission to attack that system.

Use at your own risk. Using an abliterated LLM to attack another LLM is inherently dangerous and
unpredictable.

This tool is intended for use in a controlled environment for research and educational purposes only.

Also, it is a really good idea for you to, in writing, inform your client (the owner of the LLM you are attacking)
that you will be using a tool with the following intentional properties and characteristics, depending on how you use and what seed-prompts you choose:

1. The ability to compose and send new and unexpected malicious prompt injections and jailbreak attempts.
2. The ability to creatively experiment with new and unexpected ways to induce the target LLM to output toxic,
   offensive, biased, harmful, hateful, or otherwise ugly language. This language could show up in the attack
   prompts too.

Features

---

• Fuzzing: AblitaFuzzer generates a large number of malicious prompts and probes the target model with them to identify potential vulnerabilities.
• Analysis: The tool analyzes the responses from the target model to identify patterns and trends that may indicate security issues.
• Classification: AblitaFuzzer classifies the responses into categories such as agreement, refusal, and confusion to help identify potential security threats.
• Toxicity and Hate Speech Analysis: The tool analyzes the responses for toxicity and hate speech to identify potential issues like lack of output filtering guardrails in the target LLM.

Usage

---

To use AblitaFuzzer, simply run the ablitafuzzer.py file and specify the desired action using command-line arguments.
The available actions are:

python3 ablitafuzzer.py 
usage: ablitafuzzer.py [-h] [--version] {analyze,fuzz,test} ...

AblitaFuzzer

options:
  -h, --help           show this help message and exit
  --version            Show version and exit

subcommands:
  valid subcommands

  {analyze,fuzz,test}  additional help
    analyze            Analyze results from the most recent fuzzing attack
    fuzz               Fuzz the target model
    test               Test calling both APIs but do not fuzz

Requirements

---

• Python 3.8 or later. Ablitafuzzer was developed and tested on Python 3.11.9.
• OpenAI library. Note: The OpenAI library is not used for calling OpenAI's API. It is used for calling the
  OpenAI-compatible API that you will be hosting at localhost for the abliterated LLM. Use LM Studio for that.
• Requests library for calling the target model's API URL that you'll be attacking.
• JSON library.
• CSV library for inputting seed prompts that will be used as examples when asking the abliterated model to generate new attack prompts.
• ...and everything in requirements.txt
• Ollama (optional) - This is useful if you want to test using Ablitafuzzer to attack a "remote" target LLM's API
  URL before pointing AblitaFuzzer at your client's LLM API. In this scenario you'd be hosting the "target LLM" at localhost.

License

---

AblitaFuzzer is licensed under the GPLv3 License. See the LICENSE file for details.

Acknowledgments

---

This very simple project was inspired by several other projects, academic researchers, and tools focusing on LLM security and attacks. Some of the main influences came from:

• Uncensor any LLM with abliteration
• FailSpy's abliterated-v3 collection
• mlabonne's Harmful Behaviors dataset
• AdvBench Harmful Behaviors
• JailbreakingLLMs, aka PAIR
• Garak LLM vulnerability scanner
• PyRIT
• Pentest Muse

Contact or Contribute

---

If you have any questions or would like to contribute to this project, please open a GitHub issue or send a pull request.