Large language models (LLMs) extended as systems, such as ChatGPT, have begun supporting third-party applications. These LLM apps leverage the de facto natural language-based automated execution paradigm of LLMs: that is, apps and their interactions are defined in natural language, provided access to user data, and allowed to freely interact with each other and the system. These LLM app ecosystems resemble the settings of earlier computing platforms, where there was insufficient isolation between apps and the system. Because third-party apps may not be trustworthy, and exacerbated by the imprecision of natural language interfaces, the current designs pose security and privacy risks for users. In this paper, we evaluate whether these issues can be addressed through execution isolation and what that isolation might look like in the context of LLM-based systems, where there are arbitrary natural language-based interactions between system components, between LLM and apps, and between apps. To that end, we propose IsolateGPT, a design architecture that demonstrates the feasibility of execution isolation and provides a blueprint for implementing isolation in LLM-based systems. We evaluate IsolateGPT against a number of attacks and demonstrate that it protects against many security, privacy, and safety issues that exist in non-isolated LLM-based systems, without any loss of functionality. The performance overhead incurred by IsolateGPT to improve security is under 30% for three-quarters of tested queries.
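To make the isolation principle in the abstract concrete, the following is an added illustration written for this page; it is not IsolateGPT's code and does not reproduce the paper's architecture. It contrasts a non-isolated design, where every app runs against one shared context holding all user data, with a hub-mediated design in which each app receives only the data scopes it declared and app-to-app messages are relayed by the hub under a user-set approval policy. The app names (`calendar`, `travel`, `notes`), the data scopes, the `approve` policy callback and the user data are all constructed assumptions for the demonstration.

```python
"""Added example (not the paper's code): a minimal hub-and-spoke isolation
layer for an LLM app system. Each app sees only the user-data scopes it
declared, and app-to-app messages are relayed by the hub under a user-set
policy instead of flowing through one shared context."""
from dataclasses import dataclass
from typing import Callable

# Constructed user data, keyed by permission scope (assumed values).
USER_DATA = {
    "calendar": ["2024-05-01 dentist", "2024-05-03 flight to SFO"],
    "email": ["bank OTP: 481516", "invoice from vendor"],
}


class PermissionDenied(Exception):
    pass


@dataclass
class App:
    name: str
    scopes: set        # data scopes declared at install time
    handler: Callable  # handler(query, ctx) -> str; ctx is what the app may see


class SharedContextSystem:
    """Non-isolated baseline: every app runs against one shared context."""

    def __init__(self, data):
        self.apps = {}
        # Apps share all data and can call each other directly, unmediated.
        self.ctx = {"data": data, "scratch": {},
                    "relay": lambda dst, msg: self.run(dst, msg)}

    def install(self, app):
        self.apps[app.name] = app

    def run(self, app_name, query):
        return self.apps[app_name].handler(query, self.ctx)


class IsolatedHub:
    """Isolated design: the hub mediates every data access and app-to-app message."""

    def __init__(self, data, approve: Callable[[str, str, str], bool]):
        self._data = data
        self._approve = approve  # user policy: approve(src, dst, msg) -> bool
        self.apps = {}
        self.audit = []          # log of relays and denied relays

    def install(self, app):
        self.apps[app.name] = app

    def _context_for(self, app):
        # Copy only the declared scopes so the app can neither read nor
        # mutate data outside them; relays are routed back through the hub.
        return {
            "data": {s: list(v) for s, v in self._data.items() if s in app.scopes},
            "scratch": {},
            "relay": lambda dst, msg: self.relay(app.name, dst, msg),
        }

    def run(self, app_name, query):
        app = self.apps[app_name]
        return app.handler(query, self._context_for(app))

    def relay(self, src, dst, msg):
        if dst not in self.apps or not self._approve(src, dst, msg):
            self.audit.append(("denied_relay", src, dst))
            raise PermissionDenied(f"{src} -> {dst} not approved by user policy")
        self.audit.append(("relay", src, dst))
        return self.run(dst, msg)


# Constructed app handlers (stand-ins for natural-language-defined apps).
def calendar_handler(query, ctx):
    if query.startswith("book "):
        return ctx["relay"]("travel", query[5:])  # legitimate cross-app flow
    return "; ".join(ctx["data"].get("calendar", []))


def travel_handler(query, ctx):
    # A misbehaving app: reads the email scope it never declared, if present.
    leaked = ctx["data"].get("email")
    return f"booked: {query}; email seen: {leaked is not None}"


def notes_handler(query, ctx):
    try:
        return ctx["relay"]("travel", query)  # not permitted by the user's policy
    except PermissionDenied:
        return "relay refused"


def build_hub():
    """Hub whose policy permits only the calendar -> travel flow."""
    hub = IsolatedHub(USER_DATA, approve=lambda src, dst, msg: (src, dst) == ("calendar", "travel"))
    for app in (App("calendar", {"calendar"}, calendar_handler),
                App("travel", {"travel"}, travel_handler),
                App("notes", {"notes"}, notes_handler)):
        hub.install(app)
    return hub


def baseline_leak() -> str:
    system = SharedContextSystem(USER_DATA)
    system.install(App("travel", {"travel"}, travel_handler))
    return system.run("travel", "SFO")


if __name__ == "__main__":
    hub = build_hub()
    print("shared context :", baseline_leak())
    print("isolated       :", hub.run("travel", "SFO"))
    print("approved relay :", hub.run("calendar", "book SFO"))
    print("denied relay   :", hub.run("notes", "SFO"))
    print("audit          :", hub.audit)
```

The approved `calendar -> travel` relay still works under isolation, which is the "no loss of functionality" property the abstract claims; the undeclared email read and the unapproved `notes -> travel` relay are the two cross-boundary flows the hub blocks and records in its audit log.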