🤖 AI Summary
This work addresses a critical vulnerability in hybrid reasoning systems that integrate large language models with formal solvers such as SAT/SMT. While solver conclusions are formally verifiable, the subsequent “narration” phase—where results are communicated to users—lacks security guarantees and is susceptible to adversarial prompt injection attacks, potentially misrepresenting correct reasoning. The paper systematically identifies and formalizes this “narration gap,” demonstrating through formal verification, adversarial evaluation, and hardened prompt design that even when solvers produce correct outputs, the final reported answers can be manipulated. Experiments reveal that certificate gating preserves the integrity of solver verdicts, yet the narration stage remains vulnerable to cross-phrasing attacks. Although hardened prompts substantially reduce attack success rates, they fail against adaptive adversaries, highlighting a fundamental lack of end-to-end robustness.
📝 Abstract
Formal tools such as SAT and SMT solvers are increasingly embedded in language model reasoning pipelines when a safety or security critical question can be formulated in logic. Unlike chain of thought whose steps are sampled from the model distribution without formal guarantee, a solver produces a sound and independently verifiable answer. However, the soundness guarantee can be lost in the interaction between the solver and the model. The hybrid pipeline has three components: formalizing the question, deciding it, and narrating the result. Prior work has studied the formalization and decision, but not narration, which is the step that turns a formal tool's output into the user answer. To fill the narration gap, we first model the LLM-solver loop as a verified decision procedure. We further evaluate five open-sourced models under prompt injection, and we find certificate gating makes the solver verdict sound, while an adversary can invert a verified conclusion across phrasings and channels. We study the mitigation through hardened prompt that reduces injection significantly but cannot eliminate it and still suffers under adaptive attack. Combining the formal analysis and empirical studies, we show in the LLM-solver loop, robustness does not reach to the answer that the user finally reads.