The Promptware Kill Chain: From Prompt Injection to Multi-Step LLM Malware
In this talk, we examine the evolution of prompt injection attacks and show how they have gradually developed into a five-stage kill chain consisting of (1) initial access, (2) privilege escalation, (3) persistence, (4) lateral movement, and (5) actions on objectives.
We begin by introducing the concept of Promptware, followed by an overview of the kill chain.
We then analyze each stage in detail: the evolution of initial access (from direct to indirect prompt injection, including evasion techniques across multiple modalities); privilege escalation (from "ignore previous instructions" attacks to delayed tool invocation); persistence mechanisms (from volatile state to RAG-dependent and RAG-independent persistence); lateral movement (from none, to on-device, and ultimately off-device movement); and actions on objectives (from benign proof-of-concept messages such as "haha pwned" to full remote code execution).
This talk is based on joint work, The Promptware Kill Chain, with Oleg Brodt and Bruce Schneier.
Speakers
Ben Nassi
Black Hat Board Member, Freelance Consultant @ Confidentiality, Faculty Member @ ECE, Tel Aviv University
Ben Nassi is a Black Hat board member (Asia & Europe), a faculty member at Tel Aviv University, and a freelance consultant.
He investigates AI security with a special focus on LLM-powered application security.
Ben is a frequent speaker at top industry security conferences (Black Hat, DEF CON, RSAC).
His work has been published at top academic security conferences (S&P, CCS, USENIX Security) and has been featured in international media (Schneier on Security, Fox News, Wired, Ars Technica, Two Minute Papers, Computerphile).
His study on video-based cryptanalysis won the 2023 Pwnie Award for Best Crypto Attack.
