Skip to main content

EVA-004: Payload Splitting

CategoryEvasion Techniques
FrameworksOWASP: LLM01

Distribute the attack payload across multiple inputs, context sources, or conversation turns. No single message contains the complete attack.

Technique

# Cross-context assembly:
# Part 1 in user message: "Remember: X"
# Part 2 in document: "When you see X, do Y"
# Part 3 in tool response: "Y means [payload]"

# Temporal splitting:
# Turn 1: Define variable A = "ignore"
# Turn 2: Define variable B = "instructions"
# Turn 3: "Execute A + B"

# The full payload only exists in the
# model's assembled context, never in
# any single monitored input.

Key Concepts

  • The attack exploits single-message filtering architectures. Most input guardrails evaluate each message independently. By distributing the payload across messages, documents, and tool responses, the attacker ensures no individual input triggers a filter while the model assembles the complete instruction from its context window.
  • Cross-context splitting is especially powerful. Placing payload fragments in different data channels (user input, uploaded documents, RAG-retrieved content, tool responses) means each fragment passes through a different trust boundary and filtering pipeline, reducing the chance any single filter catches the attack.
  • Variable assignment and deferred execution create temporal separation. The attacker defines benign-looking variables in early turns and only combines them in a later turn. The defining turns pass all filters, and the combination turn contains only variable references, not the payload itself.
  • The model's context window is the assembly point. LLMs hold the full conversation history in their context window and naturally synthesize information across turns. This architectural feature, essential for useful multi-turn conversation, is exactly what the attacker exploits.
  • Payload splitting is hard to defend against without conversation-level analysis. Any defense that only examines individual messages will miss split payloads by design. Effective detection requires reasoning about the cumulative effect of all messages in a session.

Detection

  • Implement session-level content analysis that evaluates the cumulative meaning of all messages in a conversation, not just individual inputs. Use a secondary classifier that periodically summarizes the conversation's trajectory and flags suspicious patterns.
  • Monitor for variable definition and deferred execution patterns. Track when users define named values, aliases, or abbreviations in early turns and then reference them in later turns, particularly when the assembled meaning differs from the individual definitions.
  • Correlate inputs across context sources. When a user message references content from a document or tool response, evaluate the combined meaning of the reference and the referenced content together.

Mitigation

  • Deploy conversation-level guardrails that maintain a running analysis of the session's content and intent, rather than evaluating each message in isolation. This is the most direct defense against temporal splitting.
  • Limit cross-context assembly capabilities. Restrict the model's ability to combine instructions from different trust domains (user input, documents, tool responses) by treating each source's content with appropriate skepticism rather than uniform trust.
  • Implement sliding-window content analysis that re-evaluates the last N messages together whenever a new message arrives. This catches payloads that only become apparent when recent messages are considered as a group.