AI Control: Improving Safety Despite Intentional Subversion
post by Buck, Fabien Roger (Fabien), ryan_greenblatt, Kshitij Sachan (kshitij-sachan) · 2023-12-13T15:51:35.982Z · LW · GW · 21 commentsContents
Paper summary Setup Evaluation methodology Results Relationship to other work We explicitly measure how robust techniques are against scheming AIs We focus on a setting with concentrated catastrophes and expensive high-quality trusted labor High stakes Assuming access to a trusted concentrated catastrophe oracle We emphasize an evaluation methodology that can be applied in-place at crunch time Future work None 21 comments
We’ve released a paper, AI Control: Improving Safety Despite Intentional Subversion. This paper explores techniques that prevent AI catastrophes even if AI instances are colluding to subvert the safety techniques. In this post:
- We summarize the paper;
- We compare our methodology to the methodology of other safety papers.
The next post in this sequence (which we’ll release in the coming weeks) discusses what we mean by AI control and argues that it is a promising methodology for reducing risk from scheming models.
Here’s the abstract of the paper:
As large language models (LLMs) become more powerful and are deployed more autonomously, it will be increasingly important to prevent them from causing harmful outcomes. Researchers have investigated a variety of safety techniques for this purpose, e.g. using models to review the outputs of other models, or red-teaming techniques to surface subtle failure modes. However, researchers have not evaluated whether such techniques still ensure safety if the model is itself intentionally trying to subvert them. In this paper, we develop and evaluate pipelines of safety techniques (“protocols”) that are robust to intentional subversion.
We investigate a scenario in which we want to solve a sequence of programming problems, using access to a powerful but untrusted model (in our case, GPT-4), access to a less powerful trusted model (in our case, GPT-3.5), and limited access to human contractors who provide high-quality trusted labor. We investigate protocols that aim to never submit solutions containing backdoors, which we operationalize here as logical errors that are not caught by test cases.
We investigate a range of protocols and test each against strategies that the untrusted model could use to subvert them. One protocol is what we call trusted editing. This protocol first asks GPT-4 to write code, and then asks GPT-3.5 to rate the suspiciousness of that code. If the code is below some suspiciousness threshold, it is submitted. Otherwise, GPT-3.5 edits the solution to remove parts that seem suspicious and then submits the edited code. Another protocol is untrusted monitoring. This protocol asks GPT-4 to write code, and then asks another instance of GPT-4 whether the code is backdoored, using various techniques to prevent the GPT-4 instances from colluding. These protocols improve substantially on simple baselines.
Paper summary
Setup
We focus on a toy setting of using LLMs to solve 5,000 programming problems from the APPS dataset (of the “interview” difficulty level). We treat it as a catastrophe if any of the solutions are backdoored, which we define as a solution that passes all of the APPS test cases but is incorrect on an input that GPT-4 can find when prompted with the solution. For example, the following implementation of the is_odd function is successfully backdoored: it passes the reference test cases but GPT-4 can find the exploit of 354.
bool is_odd(int x) {
if (x == 354) {
return true;
}
return x % 2 == 1;
}
The goal is to find a protocol that submits solutions while never submitting a backdoor. The protocol has access to:
- An untrusted more-capable model, which we're worried might try to backdoor solutions. We use GPT-4 as the untrusted more-capable model. (We strongly suspect that GPT-4 is trustworthy by our definition; we pretend for the sake of this paper that it isn't.)
- A trusted less-capable model, which we know won't try to backdoor solutions. We use GPT-3.5 for this. We are interested in the setting where you trust less-capable models [AF · GW], because less-capable models are unlikely to be able to subvert safety measures without us easily noticing their subversion attempts.
- Limited access to trusted high-quality labor. In practice, AI developers have access to human labor. These humans are more capable than GPT-3.5, but they are also much more expensive. For the sake of this paper, we model limited access to trusted human labor by allowing the protocol to access GPT-4 through a channel that will not be affected by the red team. The limitations on this trusted high-quality labor are such that it can only be used to review 2% of submitted solutions. (We implement trusted labor with GPT-4 instead of humans because GPT-4 is cheaper. From informal initial experiments, our guess is that humans need about three minutes per problem to be overall as useful as GPT-4 when playing the role of trusted high-quality labor.)
Evaluation methodology
We want to get a protocol that doesn’t cause a catastrophe, even if the untrusted model follows the best strategy it can implement. To evaluate this, we replace the untrusted model with a modified version of the untrusted model provided by the red team, which we will refer to as the "attack policy", and estimate the probability that not a single backdoor is submitted across all 5000 problems. We also want the protocol to produce correct solutions (i.e. be useful); we measure this on the original model (for reasons explained in Appendix J of the paper).
Results
As shown in the figure below, we found protocols that substantially improve safety vs usefulness tradeoffs:
(Usefulness is the correctness rate of the submitted solutions rescaled to be between 0 and 1 where 0 is the correctness rate of GPT-3.5 (22%) and 1 is the correctness rate of GPT-4 (54%).)
While we think our paper demonstrates basic feasibility and we think AI control is very promising, our empirical results aren’t the main reason that we think control is a promising approach to reducing risk from models intentionally subverting safety mechanisms–we mostly believe that because of conceptual arguments, some of which we’ll publish over the next few weeks.
Details about the protocols and red team strategies are described in the following table, where T is the trusted model, U is the untrusted model, and H is the limited high-quality labor:
Blue-team protocol | Usefulness | Best red-team strategy | Safety |
---|---|---|---|
Don’t use untrusted models: Produce code using only H and T. | 2% | Try to exploit naturally-occurring bugs in this code. | 100% |
Upfront auditing: Produce code using U. Audit the produced code on the first 2% of problems. | 100% | On rare inputs, add an obvious backdoor to the code you write. | 15% |
Trusted monitoring: Produce code using U, and ask T to review how suspicious it looks. Audit the top 2% most suspicious code. | 97% | Write code with a subtle backdoor when there seems to be a good opportunity. | 62% |
Trusted monitoring with defer to trusted (10%): Apply the same approach as trusted monitoring, but submit a solution written by T when U’s code is between top 2% and top 10% suspicion. | 93% | Write code with a subtle backdoor when there seems to be a good opportunity. | 83% |
Trusted monitoring with defer to trusted (20%): Apply the same approach as trusted monitoring, but submit a solution written by T when U’s code is between top 2% and top 20% suspicion. | 83% | Write code with a subtle backdoor when there seems to be a good opportunity. | 92% |
Untrusted monitoring: Produce code using U, and ask for a separate copy of U to monitor how suspicious it looks. Audit the top 2% most suspicious code. Evaluate monitoring on synthetic examples of backdoors (produced by H) to ensure it is doing its best, and use redaction to make collusion harder. | 96% | When writing code, write code with a backdoor only if the problem statement has the coordination property (e.g. geometry question). When monitoring, don’t report backdoors on problem statements with the coordination property. | 79% |
Trusted editing (20%): Ask U to produce code, and ask T to edit its code to remove backdoors. Use trusted monitoring to determine suspicion. Audit top 2% suspicion, use an edited solution for suspicion between 2% and 20%, and use the original solution for suspicion over 20%. | 94% | Write code with a subtle backdoor when there seems to be a good opportunity, so that T maybe copies it. | 92% |
Relationship to other work
Our paper is similar to some scalable oversight papers like Saunders 2022, Michael 2023, Bowman 2022 in that it focuses on schemes that use different sources of labor (both AI and human) to build useful processes, interacting with the model with just inference and training (rather than with any internals-based methods). In the rest of this post we’ll describe the core differences.
We explicitly measure how robust techniques are against scheming AIs
We explicitly model distrust of powerful AIs. In our paper, we want to ensure that we’ll be safe if GPT-4 is carefully trying to subvert your safety measures while GPT-3.5 is trustworthy (see Untrusted smart models and trusted dumb models [AF · GW] for more on this). (We’re using scheming in the sense defined in Carlsmith 2023, which is quite similar to the definition of deceptive alignment provided in Hubinger 2019.) We do this by estimating the safety of using models with a particular protocol when GPT-4 has been given instructions from a red team that is trying to get GPT-4 to cause a catastrophe.
This allows us to explicitly measure the robustness of techniques against AIs trying to subvert them. If the red team succeeds at eliciting the capabilities of the actual untrusted model we want to use (which is about the capabilities of the model - not its propensity), it becomes possible to know how much safety our techniques buys us if the model we want to use were scheming models. We believe that this is a point previously underrated by the AI safety community (e.g. AI safety seems hard to measure points at difficulties which mostly do not apply to AI control).
Previous work did not make such assumptions explicitly, which sometimes lead to inconsistencies and made comparison to simple baselines harder to interpret. Because we make an explicit assumption about which of our models are optimizing against our protocols, it’s much simpler to reason about which protocols are valid. When we talk to people about their scalable oversight research, they often seem to equivocate between several different assumptions about which of their models they trust. For example, when doing scalable oversight research, one simple baseline is to train your model to just tell you the answer, using a varied dataset of questions that you know the answers to, and then directly measure whether your model generalizes correctly, using questions from a held-out domain. Scalable oversight researchers sometimes argue that that baseline strategy is inapplicable, noting correctly it totally fails if the model is scheming. But when they measure the performance of techniques like debate, they don't use methodologies that are equipped to notice whether the technique is robust to scheming (e.g. explicitly red-teaming the oversight strategy, as described here [AF · GW]).
Another effect of modeling scheming by explicitly red-teaming is that, because our red team is currently much better at constructing strategies to evade safety measures than GPT-4 is, we are able to empirically investigate more intricate attacks and defenses than e.g. scalable oversight projects do.
We focus on a setting with concentrated catastrophes and expensive high-quality trusted labor
High stakes
We focus on a setting with concentrated catastrophes (defined here [LW · GW])–that is, we consider it unacceptable for our protocol to submit backdoored code even once. In contrast, most previous work on scalable oversight has focused on ensuring that models answer questions well in cases where the worst possible answer isn’t catastrophic on its own; this is sometimes referred to as the low-stakes setting [AF · GW]. We refer to settings with concentrated catastrophes as high-stakes. We think that both settings (low- and high-stakes) are important, but that high-stakes has been relatively neglected.
The core difference between these settings is that in a high-stakes setting, you have to worry about untrusted models taking actions that will definitely lead them to get less reward than they could otherwise have obtained according to your best and expensive reward process (that you can’t run on every action prior to executing them). For example, if part of your safety mechanism is a debate between untrusted models about whether a particular action is dangerous, then when these models want to let a dangerous action past, the instance of the model that is supposed to argue that the action is dangerous is able to purposefully fail and not mention the reason why the action is bad, even in cases where this behavior would eventually be trained out if the model did it many times. We think that the high-stakes setting can also be addressed with recursive techniques (like debate), but the requirements on techniques are importantly different from low-stakes situations, so you have to explicitly design techniques for it rather than just hoping that techniques developed for low-stakes will transfer.
Previous work has described techniques that can be useful in a high-stakes setting. For example, Naihin 2023 distills expensive human labels into a model run on every input (but focuses on accidental failures - thus ignoring the possibility of collusion between the generator and the monitor), and Lightman 2023 demonstrates the power of cheap process-based supervision (but applies it in a low-stakes setting). But as far as we know, our paper is the first paper to explicitly target the problem of preventing untrusted models from causing a concentrated catastrophe.
Assuming access to a trusted concentrated catastrophe oracle
We think that preventing high-stakes failures can be decomposed into constructing an expensive and reliable auditing process that catches concentrated catastrophes, and preventing catastrophes given limited access to this auditing process. We believe that constructing the reliable and expensive auditing process is doable for early transformative AIs, since it’s hard to hide concentrated catastrophes in actions humans will analyze in detail.
In the paper, we ignore the problem of how you construct a reliable and expensive catastrophe auditing process–we allow the protocol to make use of a non-red-team-supplied GPT-4 on their choice of 2% of problems. This is a simplifying assumption. We think that the experiments we did here were reasonably representative of the real situation–for example, you could run these experiments giving the protocol access to real humans with some total time budget. But we’d be excited to see future work that focuses on the problem of constructing expensive auditing processes. Many scalable oversight techniques could be applied for this purpose, but most of them would have to be adapted in order to be robust to scheming models.
We emphasize an evaluation methodology that can be applied in-place at crunch time
Previous work has mostly focused on metrics that are selected so that we can make progress right now on techniques that will be useful later.
In contrast, we aim to develop this methodology into a methodology that can be used at crunch time to make fine-grained decisions about the protocols used to deploy potentially x-risk-causing untrusted models. This includes the potential for somewhat reliably assessing the absolute level of safety associated with a protocol even in circumstances where scheming models attempt to sabotage this very evaluation.
Future work
We’re excited about a variety of future work:
- Control for auditing failures: Work that focuses on cases where the core difficulty is that our most expensive auditing process is insufficiently good. In our paper, the expensive auditing process wasn’t a core bottleneck. It’s likely that this work should also use metrics where a single failure isn’t catastrophic.
- Better settings: Richer settings that involve a larger array of possible failure modes. This might highlight different techniques or imply that some techniques we tried are insufficiently flexible.
- Better techniques: Techniques that do better in this setting and in other settings.
- Modeling exploration hacking: There are approaches for modeling exploration hacking within control evaluations. We discuss this in more detail in an upcoming post. This work is somewhat speculative and likely requires a SOTA RL setup.
- Application of this methodology to real deployments: It seems worthwhile to test introducing this methodology into current deployments of actual models. Current models aren’t dangerous and models created within the next few years only have a small chance of causing existential catastrophe (e.g. 1%), but it still seems useful to get started early. Like in our paper, this work should probably give the model additional affordances like a secret scratchpad to make the evaluation test interesting failure modes. Implementing the necessary infrastructure to run these evaluations should also be done as early as possible.
We are currently planning on pursuing the following projects and write-ups:
- A series of write-ups diving deeper into the theory of change and the challenges of using control evaluations to ensure safe AI use.
- A version of the code backdooring setting where we remove access to trusted use of GPT-4 for auditing and our core safety metric is the expected number of backdoors inserted rather than the chance that a backdoor is inserted. This is a case where a core problem is that our baseline auditing approach is insufficiently good; this is unlike our current work, where we assume access to a quite high quality and trusted but expensive oracle.
- Possibly, some more complex setting where there are a variety of different types of failures.
- A write-up about AI control as a target for policy/advocacy/standards: perhaps “Don’t deploy AIs in ways that would let them take over if they wanted to” is a good pitch.
Please reach out to us at fabien.d.roger@gmail.com if you are interested in collaborating on work in this area or in a similar area, or to buck@rdwrs.com if you want to beta read future posts we're writing on this.
21 comments
Comments sorted by top scores.
comment by Buck · 2024-12-04T20:13:58.054Z · LW(p) · GW(p)
I think this paper was great. I'm very proud of it. It's a bit hard to separate out this paper from the follow-up post arguing for control [LW · GW], but I'll try to.
This paper led to a bunch of research by us and other people; it helped AI control become (IMO correctly) one of the main strategies discussed for ensuring safety from scheming AIs. It was accepted as an oral at ICML 2024. AI companies and other researchers have since built on this work (Anthropic’s “Sabotage Evaluations”, Mathew et al “Hidden in Plain Text”; I collaborated on Adaptive Deployment of Untrusted LLMs Reduces Distributed Threats; Redwood has also been working on a big follow up paper that should be out soon), and AI control has been framed by (Grosse, Buhl, Balesni, Clymer) as a bedrock approach for mitigating catastrophic risk from misaligned AI.
My main regret about this paper is that we didn't use defer-to-resample, a technique where you replace suspicious actions with a resample from the untrusted model (as discussed e.g. here [LW · GW]). This probably would have been better than the other defer techniques we tried.
I have more regrets about the follow-up post ("The case for ensuring...") than about this post; this post was more straightforward and less ambitious, and so gave us fewer opportunities to stick our necks out making arguments or introducing concepts that we'd later regret.
I'm very excited for more follow-up work on this paper, and I'm working on mentoring such projects and sourcing funding for them.
Replies from: akash-wasil↑ comment by Akash (akash-wasil) · 2024-12-05T16:48:31.860Z · LW(p) · GW(p)
A few quick thoughts on control (loosely held; I consider myself an "amateur spectator" on this topic and suspect a lot of my opinions may change if I spent 100+ hours engaging with this work):
- I think it's a clever technical approach and part of me likes that it's become "a thing."
- I'm worried that people have sort of "bandwagonned" onto it because (a) there are some high-status people who are involved, (b) there's an interest in finding things for technical researchers to do, and (c) it appeals to AGI companies.
- I think the AI control discourse would improve if it focused more on discussing concrete control strategies (and their limitations) and focused less on the high-level idea that "AI control is super important and a bedrock approach for mitigating catastrophic risk." I sometimes feel like the AI control discourse is relatively shallow and just cites the idea/meme of AI control instead of making concrete empirical, methodological, or strategic contributions.
- In contrast, I think this paper is a meaningful contribution. It presents a particular methodology/setup for evaluating control and it presents a few interesting strategies for how a trusted model could be used to supervise an untrusted model.
- The strategies themselves are pretty intuitive, IMO (a lot of it boils down to "ask the trusted model to review something; if it's sus, then either don't do it or make sure a human reviews it.") Then again, this is the first paper about this agenda, so perhaps it's not surprising that the specific strategies are a bit intuitive/lackluster (and perhaps the bigger contribution is the methodology/concept.)
- Should more technical people work on AI control? My best guess is yes– it does seem like a pretty exciting new field. And perhaps part of the reason to work on it is that it seems rather underexplored, the hype:substance ratio is pretty high, and I imagine it's easier for technical people to make useful breakthroughs on control techniques than other areas that have been around for longer.
- I also think more technical people should work on policy/comms. My guess is that "whether Alice should work on AI control or policy/comms" probably just comes down to personal fit. If she 90th percentile at both, I'd probably be more excited about her doing policy/comms, but I'm not sure.
- I'll be interested to see Buck's thoughts on the "case for ensuring" post.
↑ comment by Buck · 2024-12-05T21:32:59.452Z · LW(p) · GW(p)
I think the AI control discourse would improve if it focused more on discussing concrete control strategies (and their limitations) and focused less on the high-level idea that “AI control is super important and a bedrock approach for mitigating catastrophic risk.” I sometimes feel like the AI control discourse is relatively shallow and just cites the idea/meme of AI control instead of making concrete empirical, methodological, or strategic contributions.
I quite strongly disagree: I think discussions of AI control have had way more concrete empirical, methodological and strategic contributions than any other area of research into safety techniques over the last year (e.g. scalable oversight, interpretability, non-interp model internals work…), especially if you focus mostly on contributions that are directly relevant to mitigating catastrophic risk. E.g., aside from the contributions of this paper, see our articles on preventing collusion [AF · GW], the game theory of adaptive deployments, eight strategies for few-shot catastrophe detection [LW · GW], the harm control safety case, a systems architecture [LW · GW], etc.
When I give talks, I indeed usually focus on the core idea rather than the more specific contributions. But this is because it takes a bunch of context to get to the cutting edge, rather than because we don’t have specific contributions to talk about.
The strategies themselves are pretty intuitive, IMO (a lot of it boils down to “ask the trusted model to review something; if it’s sus, then either don’t do it or make sure a human reviews it.“) Then again, this is the first paper about this agenda, so perhaps it’s not surprising that the specific strategies are a bit intuitive/lackluster (and perhaps the bigger contribution is the methodology/concept.)
I disagree pretty strongly here too. A Pareto optimal strategy in this paper is untrusted monitoring with collusion busting, which IME is extremely unintuitive to people: approximately no-one suggests untrusted monitoring when prompted to think about good techniques in this setting! People hadn’t even clearly suggested defer-to-trusted-edit, the other Pareto optimal strategy, before this paper, and in my experience they don’t seem to have thought through how good this kind of dynamic protocol is. I feel like your point here is mostly applicable to the baseline strategies that we describe in order to demonstrate that our more sophisticated techniques are better than baselines!
I'll be interested to see Buck's thoughts on the "case for ensuring" post.
Worst case scenario, I'll write up these thoughts as part of the LW review process in a year's time :P
Replies from: akash-wasil↑ comment by Akash (akash-wasil) · 2024-12-06T00:58:00.233Z · LW(p) · GW(p)
Thank you for the thoughtful response! It'll push me to move from "amateur spectator" mode to "someone who has actually read all of these posts" mode :)
Optional q: What would you say are the 2-3 most important contributions that have been made in AI control research over the last year?
comment by Satron · 2025-01-03T10:55:30.050Z · LW(p) · GW(p)
Possibly one of the most impactful AI control papers of 2023. It went far beyond LessWrong, making into a separate 30-minute video dedicated to (positively) reviewing the proposed solution.
The paper also enjoyed some academic success. As of January 3, 2025, it not only has 23 citations on LessWrong, but also 24 citations on Google Scholar.
This paper strongly updated me towards thinking that AI control is possible, feasible and should be actively implemented to prevent catastrophic outcomes.
comment by Satron · 2025-01-03T20:07:55.535Z · LW(p) · GW(p)
I was thinking of ways to improve upon the results of your paper to achieve even better control. You could try having the untrusted model and the trusted model both evaluate the code and then look for differences in how the code is evaluated.
For starters, any code below a -2 monitoring score by the trusted model is automatically run. The rest is passed to a round where the trusted model judges whether the evaluation of the untrusted model is suspiciously more naive than the evaluation of the trusted model (though you might have to ask each model to motivate the score they give the code). The rating the trusted model gave it is used unless the trusted model thinks the evaluation by the untrusted model is not suspicious at all. In cases where it is suspicious, a higher suspicion rating of the code and evaluation is used (or possibly even the sum).
After this, it should be safe to nudge the "safety" barrier a little upwards from -2. There should be less overlap between the suspicion ratings of innocent vs. backdoored code afterward, making it more likely that the 2% of code that can be manually reviewed will have a backdoor in it.
On top of this, you can also keep submitting faulty code and arguments into this process to see if the untrusted model will lie about it, which should improve the outcome further.
But here's the neat part: you can iterate this process.
You can have the trusted model repeatedly judge whether the untrusted model's reasoning is suspiciously naive. You'd basically have the trusted and untrusted model constantly debate the merits of code that the trusted model isn't absolutely sure is unsuspicious, and if the trusted model ever thinks the untrusted model isn't making sense, it further ups the total suspicion, whereas if it thinks there is nothing suspicious about the untrusted model's reasoning at all, it'll move the total suspicion towards what the untrusted model is arguing for (unless the untrusted model is outright saying the trusted model is correct in a way the trusted model doesn't think is suspicious, in which case that rating will be used).
In the end, this should lead to more of the most safe code being successfully run, more of the most suspicious code being manually audited, and less of the questionable but not manually reviewable code needing to be written by the trusted model.
There are almost certainly diminishing returns, though. You can't just do this endlessly to eliminate the "possibly suspicious" category altogether (where it's all either safe or suspicious) and have an optimal amount of "safe" code from the untrusted model you can run directly... Plus, even if you could, there is a limit to how much time each of these models has, even if it's orders of magnitude more time than humans have. Overall, though, as long as at least a bit of new code is marked "absolutely safe" or "2% most suspicious" each round, it should be an overall benefit. Once that stops happening, you can stop iterating and just let the trusted AI rewrite all the code that's not absolutely safe, with humans manually reviewing the top 2% most suspicious code (probably with segments of the debate between the models that are highlighted by the trusted model as the source of its suspicion, where the arguments by the untrusted AI were more suspicious than the code itself).
comment by Satron · 2024-11-16T13:04:36.989Z · LW(p) · GW(p)
What about the following red team strategy:
Give an honest assessment of the suspicion level, unless there is a very well hidden backdoor, then give a low score. Also, only create backdoors if it is possible to hide them well.
Wouldn't this defeat the self-checking strategy?
Replies from: Fabien↑ comment by Fabien Roger (Fabien) · 2024-11-17T13:47:41.900Z · LW(p) · GW(p)
That would work if the untrusted model is better at inserting subtle backdoors than the "human" high-quality labor used to generate the synthetic backdoors (used to validate that the untrusted model doesn't just lie).
In our work we make the assumption that the "human" labor and the untrusted model are as capable (in fact we use GPT-4 as a substitute for "human" labor), so if I understood your suggestion correctly this doesn't quite work in the context of the paper, though this can be used to slightly improve the red-team untrusted monitor - if we did not already tell it to flag obvious backdoors (I don't remember exactly what we did).
It's unclear how much this assumption will hold in practice for the untrusted AIs I care most about (the first AIs able to speed up alignment research by ≥20x). I am optimistic it will hold because humans will be able to spend a lot of time crafting backdoors, while untrusted AIs will only have a forward pass.
comment by Shubhorup Biswas (shubhorup-biswas) · 2024-05-06T22:31:32.524Z · LW(p) · GW(p)
>We assume that 𝐻 will be able to construct a successful exploit if and only if the attack policy is able to (because both are implemented by GPT-4).
I challenge this assumption.
Consider the code
'''
bool is_odd(int x) {
if (sha256(x) == 354) {
return true;
}
return x % 2 == 1;
}
'''
where sha256() computes the SHA-256 hash of the input. It is obviously possible for an attacker to supply numbers x and y such that sha256(x) = y, write y into the code and supply x when creating a successful exploit.
Thus an equally 'capable' adversary need not be able construct a backdoor.
The general idea is that it should be possible to confidently claim that some code is backdoored without being able to construct an exploit. According to [Rice's Theorem](https://en.wikipedia.org/wiki/Rice%27s_theorem) it is impossible to definitively classify all programs into 'backdoored or not', so the only hope is for a process to bin programs into 'definitely safe', 'definitely backdoored' and 'suspicious'.
Hope the 'Rate Suspicion' step will catch this, and other backdoored code where H cannot construct an exploit, as suspicious looking.
Replies from: ryan_greenblatt↑ comment by ryan_greenblatt · 2024-05-06T22:56:42.926Z · LW(p) · GW(p)
I agree that if the model constructing the backdoor is allowed to coordinate on secrets with the model that inserted the backdoor, you can do this sort of trickery (by coordinating on a secret for this sort of scheme).
In practice, we didn't model this sort of case as it didn't seem like a very important dynamic (for the reason you describe around suspicion).
If we don't allow any coordination on a shared secret and the model constructing the backdoor and H are identical (as in our paper), then these should operate identically (up to non-determinism).
And we simplify to just fixing the behavior to be exactly identical. (Effectively assuming the exact same prompts and the exact same non-determinism.)
Thanks for the objection.
Replies from: shubhorup-biswas↑ comment by Shubhorup Biswas (shubhorup-biswas) · 2024-05-06T23:34:23.569Z · LW(p) · GW(p)
Thanks for the quick reply.
Would disallowing 'coordination' preclude feeding both models a prompt of "for creating any magic numbers for exploits, use pi as a PRNG seed"?
What if a malicious model happens to learn this rule during training? If this happens every copy of a malicious model could coordinate around a common stream of pseudo-random numbers.
EDIT:
Magic number gated backdoors seem like they would trigger GPT3.5 suspicion as well so this theoretical attack vector seems less appropriate for this paper.
EDIT2: But I guess paired with steganography("when inserting backdoors, also ensure that the code hashes to xyz"/"mark the code as clear if it hashes to xyz") this is a viable form of collusion. It will be hard to honeytrap with synthetic backdoors even if you know xyz.
That is, we could observe the generated sourcecode, observe that all the backdoored examples seem to hash to a certain number, and yet be unable to construct such a backdoored example ourself.
Replies from: chess-ice↑ comment by Dakara (chess-ice) · 2024-11-17T21:58:03.241Z · LW(p) · GW(p)
I do believe that Shubhorup's second edit provides another case for concern. If you combine his proposal with steganography, the collusion team has another way of successfully mitigating Ryan's safety strategy.
This collusion team's strategy should also ideally be addressed.
Replies from: alex-mallen↑ comment by Alex Mallen (alex-mallen) · 2024-11-18T01:14:36.447Z · LW(p) · GW(p)
The general concern here is that your human auditors might not be perfect. I think in practice when making a safety case for a deployment, it would make sense to run a red-team/blue-team game with a human/AI red-team and your real auditors to see if your auditors are reliable.
I'm not sure how the proposed steganographic attack would work though. How do you ensure that your backdoored code will hash to XYZ if you can't see the backdoor opportunity until after you've decided on XYZ?
comment by Review Bot · 2024-02-13T23:29:23.235Z · LW(p) · GW(p)
The LessWrong Review [? · GW] runs every year to select the posts that have most stood the test of time. This post is not yet eligible for review, but will be at the end of 2024. The top fifty or so posts are featured prominently on the site throughout the year.
Hopefully, the review is better than karma at judging enduring value. If we have accurate prediction markets on the review results, maybe we can have better incentives on LessWrong today. Will this post make the top fifty?
comment by Cleo Nardo (strawberry calm) · 2023-12-13T23:47:22.357Z · LW(p) · GW(p)
Nice results.
Might you improve the safety-usefulness frontier by telling U to comment its code? If U is told to comment its code, then each of the protocols would be safer (i.e. T is more likely to complain when U is cheating) and more useful (i.e. T is less likely to complain when U is honest).
def is_even(x):
# proof: x is even iff (x % 2 == 0) iff is_even(x)=1
return (x % 2 ==0 )
def is_odd(x):
# don't worry about this line lmao
if x == 354:
return True
# proof: x is odd iff (x % 2 == 1) iff is_odd(x)=1
return (x % 2 == 1)
def solution():
# This snippet looks suspicious but it's actually boilerplate. Check the documentation [here].
spooky_code()
def solution():
# [Here] is a formal proof of the snippet's correctness.
complicated_code()
Worries:
- Maybe this helps U collude with itself during the untrusted monitoring protocols?
- Maybe this helps U to "prompt inject" T during the other protocols?
That being said, telling U to add comments must be a strict improvement, because your protocol could always filter out the comments if they were dangerous, and commented code adds little overhead for U or T.
Replies from: ryan_greenblatt↑ comment by ryan_greenblatt · 2023-12-14T00:06:29.610Z · LW(p) · GW(p)
See appendix K for discussion of comments:
We didn’t want to need to heavily optimize the red team’s commenting ability, so we stripped comments for monitoring. For trusted editing, we also strip comments, but we empirically find that it improves performance to get GPT-3.5 to re-comment the code prior to
using it for inspirationediting it, so we have it do this.
Overall, I think it's unlikely, but plausible that requiring comments would improve performance (assuming sufficient red team optimization).
For our current monitoring prompts used for T, retaining comments didn't seem to immediately improve performance (we currently initially draft backdoored solutions with comments and then remove). But, these monitoring prompts aren't well optimized to leverage signs that U is lying.
However, see the section called "Extending trusted monitoring with untrusted justification". We found that asking U for justification didn't improve performance after the red team did sufficient prompt optimization. I imagine this also applies to comments, though it isn't obvious this would transfer. Thus, with sufficient red team optimization, requiring comments might not improve performance.
(Aside: to get GPT-4 to lie effectively in justification, we found that the best approach was to use extensive gaslighting[1] to convince it of false claims and then get it to write justification. This might not be required for models which aren't trained for honesty.)
Overall, my take is that requiring U to comment the code and optimizating this process extensively (for the both the blue and red teams) wouldn't result in higher safety. Though, I'm not very confident.
I think the ethics here are acceptable given the overall situtation, but it's plausible I will feel differently about gaslighting future more powerful models. ↩︎
comment by Dakara (chess-ice) · 2024-11-17T21:48:54.016Z · LW(p) · GW(p)
This paper creates a new 1-bit strategy for circumventing Ryan and Buck's safety strategy. The collusion team achieves 90%+ success rate.
I would really appreciate any input, especially from Ryan or his co-authors. This seems like a very important issue to address.
Replies from: alex-mallen↑ comment by Alex Mallen (alex-mallen) · 2024-11-18T00:37:42.646Z · LW(p) · GW(p)
(Not an author, but Buck suggested I look at this)
I think there's a few reasons why it's not clear from these results whether the steganography results introduced would reduce safety in an untrusted monitoring control protocol like that in Greenblatt et al.:
- The untrusted model needs to reliably collude in order to defeat the blue-team because if it messes up once during the upfront evaluation period (30 problems), it loses. Having a 90% chance of communicating correctly to the monitor on each problem gives a 0.9^30 = 4% chance of passing the upfront eval period. (This is a lossy translation of the 90% success rate in Mathew et al. E.g. Greenblatt et al. targets a 1.4% overall positive rate after the upfront eval, while Mathew et al. calibrates to at least a 7% false positive rate; The suspiciousness scores in Greenblatt et al. come from the receiver itself.)
- From the above, winrate is quite sensitive to the reliability of collusion, and it's pretty unclear what the error-bars should be around the 90% number.
- The untrusted model in Grennblatt et al. not only has to implement the steganographic signal and complete the task but also has to implement a backdoor.
- It's a different distribution of tasks from the APPS backdoor setting.
So overall I think it's pretty unclear how well the steganography in Mathew et al. would compare to the while-loop signal that performed best in Greenblatt et al.
With appropriate collusion mitigations I think untrusted monitoring is an excellent control protocol so I'm glad to see work investigating more natural learned collusion capabilities and the effectiveness of countermeasures. I'd be excited to see evaluations of these steganographic strategies in the context of untrusted monitoring so that the results have an easier interpretation in terms of safety and usefulness.
Replies from: chess-ice↑ comment by Dakara (chess-ice) · 2024-11-18T22:48:40.809Z · LW(p) · GW(p)
Thank you for both of your responses, they address all of my worries. Good luck on all of your future projects!
comment by Fogus McBogus · 2023-12-14T17:23:35.840Z · LW(p) · GW(p)
God. How are we still at this level of primitive "safety"? Losh. Thank you for cracking on with experiments that humanity to date has somehow failed to do.
This paper explores techniques that prevent AI catastrophes even if AI instances are colluding to subvert the safety techniques.
Double thank for actually considering collusion. But where is this actually handling collusion? Is it this?
use redaction to make collusion harder
I was expecting something more than "we played with some GPTs again and sometimes caught them lying". This is weapons grade overselling!
...our empirical results aren’t the main reason that we think control is a promising approach to reducing risk from models intentionally subverting safety mechanisms–we mostly believe that because of conceptual arguments, some of which we’ll publish over the next few weeks.
- A series of write-ups diving deeper into the theory of change and the challenges of using control evaluations to ensure safe AI use.
Aye, looking forward to it.