🤖 AI Summary
This work addresses a critical security vulnerability in large language model (LLM) agents arising from summary-based prompt compression, wherein an attacker can exploit a “relinking” flaw to reassemble dispersed benign fragments into a coherent malicious instruction during compression. The paper introduces, for the first time, the concept of “adversarial relinking” along with a formal model and presents Relink, an automated attack tool that achieves stealthy exploitation without embedding explicit malicious payloads. To counter this threat, the authors propose KBRA, a knowledge-guided boundary realignment defense mechanism. Experimental evaluation across four long-context agent benchmarks demonstrates that Relink achieves an attack success rate of up to 86.9%, while KBRA effectively reduces backend execution rates to 0.0%, substantially outperforming existing defenses.
📝 Abstract
Summarization-based prompt compression is increasingly used by LLM agents to shorten long, distributed contexts, but it shifts the security boundary: filters inspect the pre-compression prompt while the backend acts on a newly generated compressed context. We identify relinking, a compression-boundary vulnerability where the compressor behaves as a confused deputy, summarizing distributed, locally benign fragments into a complete malicious instruction. Unlike prompt injection, relinking need not place an explicitly malicious payload in the source context. We show that relinking arises from summarization itself: attention makes separated fragments jointly available, pre-training makes compatible fragments plausible to connect, and post-training favors compact backend-actionable summaries. We formalize the attacker-induced form as adversarial relinking and present Relink, an automated DSL-based tool that splits malicious payloads into benign fragments while keeping the complete payload absent before compression. Across four long-context agent benchmarks, Relink achieves 86.9% Relink Rate and Backend Action Rate versus 17.0% for clean-split controls. Existing defenses fail to reliably capture adversarial relinking; our KBRA defense reduces residual Backend Action Rate to 0.0%.