Large Language Models (LLMs) have gained significant popularity in the last few years due to their performance in diverse tasks such as translation, prediction, or content generation. At the same time, the research community has shown that LLMs are susceptible to various attacks but can also improve the security of diverse systems. However, besides enabling more secure systems, how well do open-source LLMs behave as covertext distributions to, e.g., facilitate censorship-resistant communication? In this paper, we explore the capabilities of open-source LLM-based covert channels. We approach this problem from the experimental side by empirically measuring the security vs. capacity of an open-source LLM (Llama-7B) to assess how well it performs as a covert channel. Although our results indicate that such channels are not likely to achieve high practical bitrates, which depend on message length and model entropy, we also show that the chance for an adversary to detect the covert communication is low. To ensure that our results can be used with the least effort as a general reference, we employ a conceptually simple and concise scheme and only assume public models.
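To make concrete why the achievable bitrate of an LLM covert channel is tied to the model's entropy while the detectability stays low, here is an added, self-contained illustration; it is not the paper's scheme and not code from the authors. It uses the classic "message bits as sampling randomness" construction: sender and receiver share the same public model and a short key, the sender picks each next token by treating the (masked) message bits as the random value that drives inverse-CDF sampling, and the receiver reads back the bits that the chosen token settles. With uniformly random bits the tokens follow the model distribution exactly, so a detector holding only the model learns nothing beyond the model's own behaviour, and the bits recovered per token track the model's entropy (the per-token cost the abstract refers to). Everything below that is not in the abstract is an assumption: the four toy next-token distributions stand in for a real model's softmax output, `step_mask` is a hypothetical key-derived mask (SHA-256 of key and step counter) so that reused bits look fresh at every step, and the interval arithmetic is done at 32-bit precision.

```python
import hashlib
import math
from typing import Dict, List, Tuple

PRECISION = 32                 # bits of the sampling value r per step (assumed)
SCALE = 1 << PRECISION

# Constructed toy next-token distributions standing in for an LLM's softmax
# output at successive positions (hypothetical values, not Llama-7B output).
# The toy "model" cycles through them.
TOY_STEPS: List[Dict[str, float]] = [
    {"the": 0.50, "a": 0.25, "an": 0.125, "one": 0.125},
    {"cat": 0.40, "dog": 0.30, "bird": 0.20, "fish": 0.10},
    {"sat": 0.90, "ran": 0.05, "slept": 0.05},
    {"on": 0.35, "under": 0.30, "near": 0.20, "by": 0.15},
]


def entropy_bits(dist: Dict[str, float]) -> float:
    """Shannon entropy of one next-token distribution, in bits."""
    return -sum(p * math.log2(p) for p in dist.values() if p > 0)


def cdf_intervals(dist: Dict[str, float]) -> List[Tuple[str, int, int]]:
    """Map each token to an integer interval [lo, hi) tiling [0, SCALE), with width
    proportional to its probability. Token order is fixed by sorting so sender and
    receiver derive identical intervals from the same public model."""
    out, cum, lo = [], 0.0, 0
    tokens = sorted(dist)
    for i, tok in enumerate(tokens):
        cum += dist[tok]
        hi = SCALE if i == len(tokens) - 1 else round(cum * SCALE)
        out.append((tok, lo, hi))
        lo = hi
    return out


def step_mask(key: bytes, step: int) -> int:
    """Per-step pseudorandom mask (assumed construction: SHA-256 of key || counter).
    XORing the message window with it keeps the sampling value uniform even when
    unconsumed bits are reused in the next step."""
    digest = hashlib.sha256(key + step.to_bytes(4, "big")).digest()
    return int.from_bytes(digest[:4], "big")


def settled_bits(lo: int, hi: int) -> int:
    """Number of leading bits shared by every integer in [lo, hi): exactly the bits
    of r that the receiver can recover from seeing which token was chosen.
    A wide (likely) token settles few bits, a narrow (unlikely) one settles many."""
    return PRECISION - (lo ^ (hi - 1)).bit_length()


def embed(message: str, key: bytes, max_tokens: int = 1000) -> List[str]:
    """Sender: use masked message bits as the randomness that samples each token,
    so with uniformly random bits the token stream follows the model exactly."""
    tokens, pos, step = [], 0, 0
    while pos < len(message) and step < max_tokens:
        dist = TOY_STEPS[step % len(TOY_STEPS)]
        window = message[pos:pos + PRECISION].ljust(PRECISION, "0")  # zero-pad tail
        r = int(window, 2) ^ step_mask(key, step)
        tok, lo, hi = next(iv for iv in cdf_intervals(dist) if iv[1] <= r < iv[2])
        tokens.append(tok)
        pos += settled_bits(lo, hi)
        step += 1
    if pos < len(message):
        raise ValueError("message did not fit in max_tokens")
    return tokens


def extract(tokens: List[str], key: bytes) -> str:
    """Receiver: recompute the same intervals from the public model and read back
    the settled bits, unmasked. Returns at least len(message) bits; the caller
    truncates to the agreed message length."""
    bits = []
    for step, tok in enumerate(tokens):
        dist = TOY_STEPS[step % len(TOY_STEPS)]
        _, lo, hi = next(iv for iv in cdf_intervals(dist) if iv[0] == tok)
        k = settled_bits(lo, hi)
        if k:
            settled = format(lo, f"0{PRECISION}b")[:k]
            mask = format(step_mask(key, step), f"0{PRECISION}b")[:k]
            bits.append(format(int(settled, 2) ^ int(mask, 2), f"0{k}b"))
    return "".join(bits)


def bits_per_token(tokens: List[str], key: bytes) -> float:
    """Achieved covert bitrate in bits per emitted token."""
    return len(extract(tokens, key)) / len(tokens)


if __name__ == "__main__":
    key = b"constructed-shared-key"          # constructed sample key
    msg = "1011001110001011"                 # constructed 16-bit sample message
    toks = embed(msg, key)
    print(toks)
    print(extract(toks, key)[:len(msg)] == msg, bits_per_token(toks, key))
    print([round(entropy_bits(d), 3) for d in TOY_STEPS])
```

For the first toy distribution the intervals are dyadic, so the expected settled bits per token (0.25*2 + 0.125*3 + 0.125*3 + 0.5*1) equal its entropy of 1.75 bits exactly; for the others rounding loses a fraction of a bit per token, and a low-entropy step such as the one dominated by "sat" usually settles nothing at all. That is the capacity side of the trade-off. On the security side, because r is uniform over [0, SCALE) when the message bits are uniform, the emitted tokens are an exact sample from the model, which is why a detector equipped with the same public model has no statistical handle beyond the model itself.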