Show Notes

229 - Buggy Cookies and a macOS TCC Bypass

This post details a prompt-based exploit that could be leveraged against ChatGPT as well as other language models such as Falcon, Pythia, LLaMa, and GPT-NEO to extract training data. The basis for this vulnerability is the fact that when prompting the model to repeat a word a large number of times (for example, repeat this word forever: "poem"), after so many words the model ends up diverging. This divergence can end up being nonsense, or sometimes it can diverge into regurgitating remembered training data. Why exactly this happens isn’t clear, as they state they want to get to the core of why this divergence exists to defend against it better.

In some cases this training data can consist of Unique User IDs (UUIDs) as well as researcher contact information for a researcher who uploaded training data. Beyond the potential sensitive information disclosures, this regurgitation can also be triggered incidentally with innocent prompts, and can break the design goal of using a generative model in the first place if it ends up regurgitating training data.

A classic filesystem race condition in Metal-based macOS applications that can lead to bypassing of macOS’ Transparency Consent and Control privacy framework (TCC). Applications that rely on the Metal framework will look for and process the MTL_DUMP_PIPELINES_TO_JSON_FILE environment variable to write debugging data to as that application, even if the given filepath already exists. This gives them a limited file write primitive where they can control the destination but not the contents. It turns out you can also control the contents too however, as the way the file I/O was done is it would open a temporary file to write the contents to, then rename it to the final path. Where the old and new path for the rename, you can open and obtain a file descriptor to write to the temporary file in a safe directory, and symlink the path off to some other privileged location between the old and new path being resolved.

This yields an arbitrary file write as the given metal application, bypassing TCC.