How SW and HW Vulnerabilities Can Complement LLM-Specific Algorithmic Attacks (UT Austin, Intel Et Al.)

Compound AI systems—chains of large language models, orchestration software, and backend databases—are built atop the same layered software stacks and distributed hardware that power traditional enterprise workloads. While the AI community has focused on model‑centric threats such as extraction or unsafe generation, the underlying infrastructure still inherits decades‑old vulnerabilities documented in the CVE database, as well as hardware‑level side‑channel and fault attacks. This convergence creates a fertile attack surface where a single flaw can cascade through multiple components, undermining the integrity of the entire AI pipeline.

The "Cascade" paper illustrates this danger with two novel attack scenarios. In the first, a classic code‑injection bug is paired with a Rowhammer‑based guardrail bypass, allowing an adversary to plant an unchanged jailbreak prompt directly into the LLM’s input stream, effectively breaking safety constraints without detection. The second scenario manipulates a knowledge‑base entry, causing an autonomous LLM agent to transmit confidential user information to a malicious endpoint. Both examples demonstrate how traditional system weaknesses can be leveraged to achieve algorithmic objectives that would be far harder to attain through pure model‑level exploits.

These findings compel organizations to adopt a holistic security posture that spans software, hardware, and AI layers. Red‑team exercises must now incorporate legacy vulnerability scans alongside prompt‑injection testing, and defense strategies should address timing attacks, fault injection, and supply‑chain integrity in tandem with model‑hardening techniques. As generative AI becomes integral to critical workflows, the industry’s ability to anticipate and mitigate cross‑stack threats will determine both regulatory compliance and long‑term trust in AI‑driven services.