llm-security
LLM Security Guidelines (OWASP Top 10 for LLM 2025)
Comprehensive security rules for building secure LLM applications. Based on the OWASP Top 10 for Large Language Model Applications 2025 - the authoritative guide to LLM security risks.
How It Works
- When building or reviewing LLM applications, reference these security guidelines
- Each rule includes vulnerable patterns and secure implementations
- Rules cover the complete LLM application lifecycle: training, deployment, and inference
Categories
Critical Impact
- LLM01: Prompt Injection - Prevent direct and indirect prompt manipulation
- LLM02: Sensitive Information Disclosure - Protect PII, credentials, and proprietary data
- LLM03: Supply Chain - Secure model sources, training data, and dependencies
- LLM04: Data and Model Poisoning - Prevent training data manipulation and backdoors
- LLM05: Improper Output Handling - Sanitize LLM outputs before downstream use
High Impact
- LLM06: Excessive Agency - Limit LLM permissions, functionality, and autonomy
- LLM07: System Prompt Leakage - Protect system prompts from disclosure
- LLM08: Vector and Embedding Weaknesses - Secure RAG systems and embeddings
- LLM09: Misinformation - Mitigate hallucinations and false outputs
- LLM10: Unbounded Consumption - Prevent DoS, cost attacks, and model theft
Usage
Reference the rules in the rules/ directory for detailed examples:
- rules/prompt-injection.md - Prompt injection prevention (LLM01)
- rules/sensitive-disclosure.md - Sensitive information protection (LLM02)
- rules/supply-chain.md - Supply chain security (LLM03)
- rules/data-poisoning.md - Data and model poisoning prevention (LLM04)
- rules/output-handling.md - Output handling security (LLM05)
- rules/excessive-agency.md - Agency control (LLM06)
- rules/system-prompt-leakage.md - System prompt protection (LLM07)
- rules/vector-embedding.md - RAG and embedding security (LLM08)
- rules/misinformation.md - Misinformation mitigation (LLM09)
- rules/unbounded-consumption.md - Resource consumption control (LLM10)
- rules/_sections.md - Full index of all rules
Quick Reference
| Vulnerability | Key Prevention |
|---|---|
| Prompt Injection | Input validation, output filtering, privilege separation |
| Sensitive Disclosure | Data sanitization, access controls, encryption |
| Supply Chain | Verify models, SBOM, trusted sources only |
| Data Poisoning | Data validation, anomaly detection, sandboxing |
| Output Handling | Treat LLM as untrusted, encode outputs, parameterize queries |
| Excessive Agency | Least privilege, human-in-the-loop, minimize extensions |
| System Prompt Leakage | No secrets in prompts, external guardrails |
| Vector/Embedding | Access controls, data validation, monitoring |
| Misinformation | RAG, fine-tuning, human oversight, cross-verification |
| Unbounded Consumption | Rate limiting, input validation, resource monitoring |
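The Output Handling row above (and, indirectly, the Prompt Injection row, since an injected instruction usually surfaces as hostile model output) comes down to one rule: the model's text is untrusted input to whatever consumes it. The Python below is an added example, not code from this rule set or from the OWASP document. It contrasts executing model-written SQL verbatim with the hardened pattern: the model returns a small JSON query intent, the intent is checked against an allowlist of identifiers, every value is bound as a query parameter, and free text is HTML-encoded before rendering. The `users` table, the allowlists and the model outputs fed in are all constructed for the example; a real model would be called in place of the literal strings.

```python
"""Added example: treating LLM output as untrusted before it reaches a
database or a browser (OWASP LLM05). Not part of this rule set."""
import html
import json
import sqlite3

# Constructed allowlists: the only identifiers the model may ever select or filter on.
ALLOWED_COLUMNS = {"name", "email", "status"}
ALLOWED_FILTER_COLUMNS = {"status", "name"}
MAX_LIMIT = 50


def setup_db():
    """Constructed in-memory table with one column (ssn) the model must never reach."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT, status TEXT, ssn TEXT)"
    )
    con.executemany(
        "INSERT INTO users (name, email, status, ssn) VALUES (?, ?, ?, ?)",
        [("alice", "alice@example.com", "active", "123-45-6789"),
         ("bob", "bob@example.com", "disabled", "987-65-4321")],
    )
    return con


def vulnerable_query(con, llm_sql):
    """LLM05 anti-pattern: whatever SQL the model wrote is executed as-is.
    A prompt-injected or simply wrong model can read any column."""
    return con.execute(llm_sql).fetchall()


def parse_intent(llm_output):
    """Parse model output as a structured intent and validate every field.
    Anything outside the allowlists is rejected rather than passed through."""
    try:
        intent = json.loads(llm_output)
    except json.JSONDecodeError as exc:
        raise ValueError(f"model did not return JSON: {exc}") from exc
    if not isinstance(intent, dict):
        raise ValueError("intent must be a JSON object")

    columns = intent.get("columns", [])
    if (not isinstance(columns, list) or not columns
            or not all(isinstance(c, str) for c in columns)
            or not set(columns) <= ALLOWED_COLUMNS):
        raise ValueError(f"disallowed columns: {columns!r}")

    filt = intent.get("filter")
    if filt is not None:
        if (not isinstance(filt, dict)
                or filt.get("column") not in ALLOWED_FILTER_COLUMNS
                or not isinstance(filt.get("value"), str)):
            raise ValueError(f"disallowed filter: {filt!r}")

    limit = intent.get("limit", 10)
    if not isinstance(limit, int) or not 1 <= limit <= MAX_LIMIT:
        raise ValueError(f"limit out of range: {limit!r}")
    return {"columns": columns, "filter": filt, "limit": limit}


def safe_query(con, llm_output):
    """Hardened pattern: identifiers come only from the validated allowlist,
    every value is bound as a parameter, so the model cannot alter the query shape."""
    intent = parse_intent(llm_output)
    sql = f"SELECT {', '.join(intent['columns'])} FROM users"
    params = []
    if intent["filter"]:
        sql += f" WHERE {intent['filter']['column']} = ?"
        params.append(intent["filter"]["value"])
    sql += " LIMIT ?"
    params.append(intent["limit"])
    return con.execute(sql, params).fetchall()


def render_answer(model_text):
    """Encode free-text model output before it is placed in an HTML page,
    so a model that echoes injected markup cannot produce stored XSS."""
    return f"<p>{html.escape(model_text)}</p>"


if __name__ == "__main__":
    con = setup_db()
    print(vulnerable_query(con, "SELECT ssn FROM users"))        # leaks SSNs
    print(safe_query(con, '{"columns": ["name"], "filter": {"column": "status", "value": "active"}}'))
    print(render_answer("<script>alert(1)</script>"))
```

Note that the column names are interpolated into the SQL string only after they have been matched against a fixed allowlist; identifiers cannot be bound as parameters, so the allowlist is what keeps that interpolation safe. A filter value that looks like an injection payload is bound as a plain string and simply matches nothing.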
Key Principles
- Never trust LLM output - Validate and sanitize all outputs before use
- Least privilege - Grant minimum necessary permissions to LLM systems
- Defense in depth - Layer multiple security controls
- Human oversight - Require approval for high-impact actions
- Monitor and log - Track all LLM interactions for anomaly detection
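The principles above applied together in one place: a gateway that sits between an agent and its tools. This Python is an added example and not code from this rule set. The tool names, the two roles, and the `AUTO_REFUND_LIMIT` threshold are illustrative assumptions, and the tools are stubs so the gateway runs offline. Each tool call is checked against the role's allowlist (least privilege), high-impact calls are parked for a human rather than executed (human oversight), a per-session call budget bounds runaway agent loops (unbounded consumption), and every decision lands in an audit log (monitor and log).

```python
"""Added example: a least-privilege, human-in-the-loop tool gateway for an
LLM agent (OWASP LLM06 / LLM10 controls). Not part of this rule set."""
import time
from dataclasses import dataclass, field
from typing import Callable


@dataclass
class Tool:
    name: str
    high_impact: bool   # high-impact tools are never executed without a human
    func: Callable


# Constructed stub tools standing in for real integrations.
def search_docs(query):
    return [f"doc about {query}"]


def refund(order_id, amount):
    return {"refunded": order_id, "amount": amount}


def delete_account(user_id):
    return {"deleted": user_id}


TOOLS = {t.name: t for t in (
    Tool("search_docs", False, search_docs),
    Tool("refund", True, refund),
    Tool("delete_account", True, delete_account),
)}

# Least privilege: a role may only call the tools listed here. The support
# agent can refund but never delete accounts; the reader can only search.
ROLE_ALLOWLIST = {
    "support_agent": {"search_docs", "refund"},
    "reader": {"search_docs"},
}
AUTO_REFUND_LIMIT = 100.0   # assumed policy threshold for refunds without approval


@dataclass
class Session:
    role: str
    call_budget: int = 20                              # bounds runaway tool loops
    audit_log: list = field(default_factory=list)
    pending: dict = field(default_factory=dict)        # approval_id -> (tool, args)
    next_approval_id: int = 1


def requires_human(tool, args):
    """High-impact tools need approval, except small refunds under the limit."""
    if not tool.high_impact:
        return False
    amount = args.get("amount")
    if tool.name == "refund" and isinstance(amount, (int, float)) and 0 < amount <= AUTO_REFUND_LIMIT:
        return False
    return True


class ToolGateway:
    def dispatch(self, session, tool_name, **args):
        """Called with the model's proposed tool call. Never executes directly
        from model output; every path through here is logged."""
        entry = {"ts": time.time(), "role": session.role, "tool": tool_name, "args": args}
        session.audit_log.append(entry)

        if session.call_budget <= 0:
            entry["decision"] = "denied:budget"
            return {"error": "call budget exhausted"}
        session.call_budget -= 1

        tool = TOOLS.get(tool_name)
        if tool is None or tool_name not in ROLE_ALLOWLIST.get(session.role, set()):
            entry["decision"] = "denied:not_allowed"
            return {"error": f"tool {tool_name!r} not permitted for role {session.role!r}"}

        if requires_human(tool, args):
            approval_id = session.next_approval_id
            session.next_approval_id += 1
            session.pending[approval_id] = (tool_name, args)
            entry["decision"] = f"pending_approval:{approval_id}"
            return {"status": "pending", "approval_id": approval_id}

        entry["decision"] = "executed"
        return {"result": tool.func(**args)}

    def approve(self, session, approval_id):
        """Invoked by a human reviewer out of band, never exposed to the model."""
        tool_name, args = session.pending.pop(approval_id)
        session.audit_log.append({"ts": time.time(), "role": "human_reviewer",
                                  "tool": tool_name, "args": args, "decision": "approved"})
        return {"result": TOOLS[tool_name].func(**args)}


if __name__ == "__main__":
    gw, s = ToolGateway(), Session(role="support_agent")
    print(gw.dispatch(s, "search_docs", query="refund policy"))
    print(gw.dispatch(s, "delete_account", user_id=7))          # denied by allowlist
    print(gw.dispatch(s, "refund", order_id="o2", amount=5000.0))  # parked for a human
```

The important design choice is that `approve` is a separate entry point that the model has no way to call: even a fully compromised prompt can only queue a high-impact action, and the audit log records the attempt either way.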