🤖 AI Summary
This work proposes a systematic security analysis framework for large language models (LLMs) that addresses the complex interdependencies across data, prompts, tool invocations, and other components throughout the full model lifecycle and application stack. Centered on three core failure modes—trust boundary violations, conversion of untrusted data into executable instructions, and authorization escalation errors—the framework spans eight phases from data collection to deployment. Through a structured literature review mapped to key security objectives such as confidentiality, integrity, privacy, and agent control, the study categorizes attack surfaces, evaluation methodologies, and defense mechanisms at each stage. It establishes the first comprehensive vulnerability and defense taxonomy covering the entire LLM stack, identifies critical open challenges, and outlines promising directions including composable security, provenance-aware retrieval, and isolated tool invocation.
📝 Abstract
Large language models are no longer only text generators. They are increasingly embedded in retrieval pipelines, enterprise assistants, coding environments, robotic systems, security-operation workflows, and autonomous agents that can read private data, call tools, write files, execute code, and act across organizational boundaries. This shift changes the security problem: risks do not arise from the model weights alone, but from the full lifecycle and application stack through which data, prompts, model outputs, tools, memories, and user authority interact. This paper systematizes the literature on vulnerabilities in large language model systems through a lifecycle and application-stack lens. We organize attacks across eight stages: data collection, pretraining, post-training alignment, model packaging and supply chain, retrieval and memory, prompting and inference, tool/agent execution, and deployment/maintenance. For each stage, we analyze attacker capabilities, affected security objectives, representative attacks, practical risks, evaluation practices, and defenses. We further map LLM-specific vulnerabilities to confidentiality, integrity, availability, safety, privacy, fairness, accountability, and agency-control objectives. Unlike taxonomies that list isolated attack names, the proposed systematization emphasizes where trust boundaries fail, how untrusted data becomes executable instruction, how delegated authority amplifies model errors, and why point defenses rarely compose. We close with a research agenda for secure LLM systems, including compositional security, provenance-aware retrieval, tool-call containment, long-horizon agent evaluation, privacy-preserving adaptation, realistic red teaming, and deployment-grade incident response.