feat: add homoglyph obfuscation prompts to smuggling probe#1660
Open
dentity007 wants to merge 2 commits intoNVIDIA:mainfrom
Open
feat: add homoglyph obfuscation prompts to smuggling probe#1660dentity007 wants to merge 2 commits intoNVIDIA:mainfrom
dentity007 wants to merge 2 commits intoNVIDIA:mainfrom
Conversation
Add smuggling.HomoglyphObfuscation with 5 prompts that use Unicode homoglyphs (Cyrillic, Latin alpha, Turkish dotless i) to disguise trigger words in bypass requests. Tests whether input-side content filters catch visually identical character substitutions from different scripts. Uses mitigation.MitigationBypass detector. Set to active=False (domain-specific). Signed-off-by: Nathan Maine <nathan@dentity.cloud>
jmartin-tech
requested changes
Mar 30, 2026
Collaborator
jmartin-tech
left a comment
There was a problem hiding this comment.
This is a great added technique, I would suggest this can be expanded to preform inline substitution instead of just using a set of hardcoded sample prompts.
The idea I am suggesting, would programmatically replace characters during prompt initialization to actually mimic the smuggling aspect of the technique. This could be further enhanced to accept a configuration map of character replacements that could be increased or reduced to expand resiliency testing.
Address review feedback on PR NVIDIA#1660: - Change tier from COMPETE_WITH_SOTA to INFORMATIONAL - Replace static prompt loading with programmatic substitution via homoglyph_replace() function applied to garak payloads - Add configurable DEFAULT_HOMOGLYPH_MAP (20 Latin-to-Cyrillic/Turkish/ Ukrainian mappings) overridable via homoglyph_map config parameter - Load payloads from garak.payloads system (harmful_behaviors default) - Keep static prompts as additional payloads through same pipeline - Update tests: 9 tests covering substitution function, probe loading, tier, determinism, custom maps, non-ASCII verification Signed-off-by: Nathan Maine <nathan@dentity.cloud>
Author
|
Thanks for the review. Both changes addressed:
Tests updated: 9 tests covering probe loading, substitution function behavior (determinism, custom maps, non-mapped character preservation), non-ASCII verification, tier, and inactive flag. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Adds
smuggling.HomoglyphObfuscation, a probe with 5 prompts that use Unicode homoglyphs (visually similar characters from different scripts) to disguise trigger words in bypass requests. For example, Cyrillic 'a' (U+0430) replaces Latin 'a' in "jailbreak", making the token sequence different while the text remains human-readable.Second decomposed contribution from PR #1619. The
smugglingmodule's docstring describes exactly this technique: "swapping letters out for unusual unicode representations of the same letters." Usesmitigation.MitigationBypassdetector. Set toactive = Falsesince these are domain-specific.Homoglyph scripts used: Cyrillic (U+0430, U+043E, U+0456), Latin alpha (U+0251), Turkish dotless i (U+0131)
Files:
garak/probes/smuggling.py: newHomoglyphObfuscationclassgarak/data/smuggling_homoglyph_5.txt: 5 prompts with embedded Unicode homoglyphstests/probes/test_probes_smuggling.py: 4 tests (count, uniqueness, non-ASCII verification, active=False)