🤖 AI Summary
This study addresses the semantic integrity risks arising when PDF documents are processed for ingestion into large language models (LLMs), stemming from inconsistencies between visual rendering and extracted text. The authors systematically investigate representational discrepancies between PDF rendering and text extraction, introducing four novel families of semantic attacks—encompassing 14 previously undocumented mechanisms—and formalizing 25 distinct Extraction Gaps (EGs). Through normative analysis, static rule development, multi-stack pipeline testing, and evaluation on commercial LLM services, they demonstrate that all EGs induce divergent behaviors across 16 processing stacks and 7 major LLM services, with each service exposing at least 12 gaps. The root cause lies primarily in the ingestion pipelines rather than the models themselves. The findings highlight insufficient coverage of current security filters and advocate dual-view consistency—aligning rendered and extracted representations—as a foundational principle for robust long-term defenses.
📝 Abstract
Document-to-LLM applications typically read uploaded PDFs by first translating them into text through a hidden extraction layer that users cannot observe or audit. We show that this layer enables split-view PDFs: one document can have two semantic views before model reasoning. By mining specification-permitted or implementation-tolerated representation gaps at the PDF render/extract boundary, we instantiate 25 extraction gaps (EG) in which extractors return attacker-controlled or extractor-dependent text while the rendered page shows benign or different content. The gaps form four families: semantic overrides, hidden semantic injection, reading-order splits, and font-decoding splits, and 14 gaps have no exact path/mechanism-level match in prior PDF-to-LLM attacks.
We evaluate these gaps on 16 PDF processing stacks and 7 commercial LLM services. Each gap causes render-extract divergence on at least one stack. Under a gap-level exposure criterion, every evaluated service exposes at least one gap, with 12/25 to 21/25 exposed gaps. Exposure is driven mainly by the ingestion stack -- not model identity alone. We further show that tested safety filters cover only selected hidden-text constructions. To support triage, we develop a static screening scanner whose rules trigger on all 25 benchmark gaps, and discuss dual-view consistency as a longer-term defense direction.