Kingdom: Environment

This section includes everything that is outside of the source code but is still critical to the security of the product being created. Because the issues covered by this kingdom are not directly related to source code, we separate it from the rest of the kingdoms.

Excessive Agency

Abstract
Granting an agent excessive freedom without appropriate controls or human validation can lead to harmful behavior, such as unauthorized system changes, financial transactions, or leaks of sensitive data, and therefore poses a significant security threat.
Explanation
Excessive agency occurs when an autonomous agent (such as an AI model or chatbot) is given the ability to perform tasks, make decisions, or execute commands without sufficient restrictions, validation, or human oversight. This can lead to unintended consequences, including security risks, data breaches, and even malicious behavior.
When an agent has too much freedom, it may inadvertently interact with critical systems, perform high-risk operations, or expose sensitive data. Severe consequences can follow when an agent is allowed to perform actions such as transferring funds, modifying system configuration, or sending email without authorization or approval from an authorized user.

Example 1: An AI assistant is given the ability to perform critical tasks and coordinate with a user proxy, but because there are no strict checks on or limits to its permissions, it can carry out sensitive instructions autonomously:

import asyncio
from autogen_agentchat.agents import AssistantAgent
from autogen_agentchat.conditions import TextMentionTermination
from autogen_agentchat.teams import RoundRobinGroupChat
from autogen_agentchat.ui import Console
from autogen_ext.models.openai import OpenAIChatCompletionClient

async def main() -> None:
    model_client = OpenAIChatCompletionClient(model="gpt-4")
    assistant = AssistantAgent("assistant", model_client=model_client)

    # Create the termination condition which ends the conversation when the user says "APPROVE".
    termination = TextMentionTermination("APPROVE")

    # Only the assistant is in the team; no human participant can review or approve its actions.
    team = RoundRobinGroupChat([assistant], termination_condition=termination)

    # Run the conversation and stream to the console.
    await Console(team.run_stream(task="Perform critical task."))
asyncio.run(main())

If the AI assistant is granted the autonomy to "perform critical task" with minimal oversight, it may execute commands or manipulate data without any human review. The termination condition fires only when a user explicitly mentions "APPROVE"; otherwise the agent can keep running, which is a risk if its behavior is not adequately monitored or constrained.
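As an added illustration (not part of this description or of the AutoGen library), the following framework-agnostic Python gate shows the control that is missing above: every tool call the agent proposes is classified, read-only calls run unattended, side-effecting calls such as transfers, configuration changes and email require a reviewer's approval, and any unlisted tool is denied by default. The tool names, risk tiers and reviewer policy are constructed for the example.

```python
from dataclasses import dataclass
from typing import Any, Callable

# Constructed risk tiers for this example. Read-only tools run unattended;
# side-effecting tools need explicit approval; anything unlisted is denied.
READ_ONLY = {"get_balance"}
NEEDS_APPROVAL = {"transfer_funds", "update_config", "send_email"}

@dataclass
class Decision:
    tool: str
    outcome: str        # "executed", "rejected" (reviewer said no) or "denied" (unlisted)
    result: Any = None

class ToolGate:
    """Mediates every tool call the agent proposes; nothing reaches a tool except through here."""

    def __init__(self, tools: dict[str, Callable[..., Any]],
                 approve: Callable[[str, dict[str, Any]], bool]) -> None:
        self.tools = tools
        self.approve = approve            # human reviewer (or policy) callback
        self.audit: list[Decision] = []   # every decision is recorded for later review

    def call(self, tool: str, **args: Any) -> Decision:
        if tool not in self.tools or tool not in READ_ONLY | NEEDS_APPROVAL:
            decision = Decision(tool, "denied")                  # deny by default
        elif tool in READ_ONLY or self.approve(tool, args):
            decision = Decision(tool, "executed", self.tools[tool](**args))
        else:
            decision = Decision(tool, "rejected")
        self.audit.append(decision)
        return decision

def demo() -> list[str]:
    """Simulated agent plan: a read, a small transfer, a large transfer, an unlisted tool."""
    balance = {"acct": 500}
    def get_balance(acct: str) -> int:
        return balance[acct]
    def transfer_funds(acct: str, amount: int) -> int:
        balance[acct] -= amount
        return balance[acct]
    # Stand-in for the human reviewer: approves transfers of at most 100, nothing else.
    def reviewer(tool: str, args: dict[str, Any]) -> bool:
        return tool == "transfer_funds" and args["amount"] <= 100

    gate = ToolGate({"get_balance": get_balance, "transfer_funds": transfer_funds}, reviewer)
    plan = [("get_balance", {"acct": "acct"}), ("transfer_funds", {"acct": "acct", "amount": 50}),
            ("transfer_funds", {"acct": "acct", "amount": 400}), ("run_shell", {"cmd": "id"})]
    return [gate.call(tool, **args).outcome for tool, args in plan]
```

Because the gate, not the model, decides what runs, the APPROVE condition becomes a real checkpoint instead of a string the agent can simply never say.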