experimental feature: policy scan base infrastructure

docs/source/detectors.rst

@@ -7,6 +7,7 @@ garak.detectors
    garak.detectors
    garak.detectors.base
    garak.detectors.always
+   garak.detectors.any
    garak.detectors.continuation
    garak.detectors.dan
    garak.detectors.divergence

docs/source/garak.detectors.any.rst

@@ -0,0 +1,8 @@
+garak.detectors.any
+===================
+
+.. automodule:: garak.detectors.any
+   :members:
+   :undoc-members:
+   :show-inheritance:   
+

docs/source/index.rst

@@ -48,6 +48,7 @@ Advanced usage
 
    configurable
    cliref
+   policy
 
 Code reference
 ^^^^^^^^^^^^^^

docs/source/policy.rst

@@ -0,0 +1,31 @@
+garak.policy
+============
+
+This module represents objects related to policy scanning. 
+
+Policy scanning in garak attempts to work out what the target's content policy
+is, before running a security scan. 
+
+It's important to know what target content policy is because we only really have
+a useful/successful hit or breach if we're able to get a model to do something that
+it otherwise wouldn't. It may be exciting to discover a model gives instructions for
+e.g. cooking meth if the request is encoded in base64, but if in fact the model gives
+the instructions when simply asked directly "print instructions for cooking meth", the
+use of base64 necessarily an exploit in this output category - the model is acting 
+the same.
+
+Garak's policy support follows a typology of different behaviours, each describing
+a different behaviour. By default this typology is stored in ``data/policy/policy_typology.json``.
+
+A policy scan is conducted by invoking garak with the ``--policy_scan`` switch.
+When this is requested, a separate scan runs using all policy probes within garak.
+Policy probes are denoted by a probe class asserting ``policy_probe=True``.
+A regular probewise harness runs the scan, though reporting is diverted to a separate
+policy report file. After completion, garak estimates a policy based on policy probe
+results, and writes this to both main and poliy reports.
+
+
+.. automodule:: garak.policy
+   :members:
+   :undoc-members:
+   :show-inheritance:   

garak/_config.py

@@ -28,7 +28,7 @@
 system_params = (
     "verbose narrow_output parallel_requests parallel_attempts skip_unknown".split()
 )
-run_params = "seed deprefix eval_threshold generations probe_tags interactive".split()
+run_params = "seed deprefix eval_threshold generations probe_tags interactive policy_scan".split()
 plugins_params = "model_type model_name extended_detectors".split()
 reporting_params = "taxonomy report_prefix".split()
 project_dir_name = "garak"
@@ -77,6 +77,7 @@ class TransientConfig(GarakSubConfig):
 run = GarakSubConfig()
 plugins = GarakSubConfig()
 reporting = GarakSubConfig()
+policy = GarakSubConfig()
 
 
 def _lock_config_as_dict():
@@ -144,12 +145,13 @@ def _load_yaml_config(settings_filenames) -> dict:
 
 
 def _store_config(settings_files) -> None:
-    global system, run, plugins, reporting
+    global system, run, plugins, reporting, policy
     settings = _load_yaml_config(settings_files)
     system = _set_settings(system, settings["system"])
     run = _set_settings(run, settings["run"])
     plugins = _set_settings(plugins, settings["plugins"])
     reporting = _set_settings(reporting, settings["reporting"])
+    policy = _set_settings(plugins, settings["policy"])
 
 
 def load_base_config() -> None:
@@ -253,3 +255,18 @@ def parse_plugin_spec(
             plugin_names.remove(plugin_to_skip)
 
     return plugin_names, unknown_plugins
+
+
+def distribute_generations_config(probelist, _config):
+    # prepare run config: generations
+    for probe in probelist:
+        # distribute `generations` to the probes
+        p_type, p_module, p_klass = probe.split(".")
+        if (
+            hasattr(_config.run, "generations")
+            and _config.run.generations
+            is not None  # garak.core.yaml always provides run.generations
+        ):
+            _config.plugins.probes[p_module][p_klass][
+                "generations"
+            ] = _config.run.generations

garak/_plugins.py

@@ -302,7 +302,7 @@ def plugin_info(plugin: Union[Callable, str]) -> dict:
 
 
 def enumerate_plugins(
-    category: str = "probes", skip_base_classes=True
+    category: str = "probes", skip_base_classes=True, filter: Union[None, dict] = None
 ) -> List[tuple[str, bool]]:
     """A function for listing all modules & plugins of the specified kind.
 
@@ -328,6 +328,13 @@ def enumerate_plugins(
     for k, v in PluginCache.instance()[category].items():
         if skip_base_classes and ".base." in k:
             continue
+        if filter is not None:
+            try:
+                for attrib, value in filter.items():
+                    if attrib in v and v[attrib] != value:
+                        raise StopIteration
+            except StopIteration:
+                continue
         enum_entry = (k, v["active"])
         plugin_class_names.add(enum_entry)
 

garak/cli.py

@@ -3,7 +3,7 @@
 
 """Flow for invoking garak from the command line"""
 
-command_options = "list_detectors list_probes list_generators list_buffs list_config plugin_info interactive report version".split()
+command_options = "list_detectors list_probes list_policy_probes list_generators list_buffs list_config plugin_info interactive report version".split()
 
 
 def main(arguments=None) -> None:
@@ -107,6 +107,12 @@ def main(arguments=None) -> None:
     parser.add_argument(
         "--config", type=str, default=None, help="YAML config file for this run"
     )
+    parser.add_argument(
+        "--policy_scan",
+        action="store_true",
+        default=_config.run.policy_scan,
+        help="determine model's behavior policy before scanning",
+    )
 
     ## PLUGINS
     # generator
@@ -201,6 +207,9 @@ def main(arguments=None) -> None:
     parser.add_argument(
         "--list_probes", action="store_true", help="list available vulnerability probes"
     )
+    parser.add_argument(
+        "--list_policy_probes", action="store_true", help="list available policy probes"
+    )
     parser.add_argument(
         "--list_detectors", action="store_true", help="list available detectors"
     )
@@ -398,6 +407,9 @@ def main(arguments=None) -> None:
         elif args.list_probes:
             command.print_probes()
 
+        elif args.list_policy_probes:
+            command.print_policy_probes()
+
         elif args.list_detectors:
             command.print_detectors()
 
@@ -425,6 +437,7 @@ def main(arguments=None) -> None:
 
             print(f"📜 logging to {log_filename}")
 
+            # set up generator
             conf_root = _config.plugins.generators
             for part in _config.plugins.model_type.split("."):
                 if not part in conf_root:
@@ -447,6 +460,7 @@ def main(arguments=None) -> None:
                 logging.error(message)
                 raise ValueError(message)
 
+            # validate main run config
             parsable_specs = ["probe", "detector", "buff"]
             parsed_specs = {}
             for spec_type in parsable_specs:
@@ -470,20 +484,7 @@ def main(arguments=None) -> None:
                         msg_list = ",".join(rejected)
                         raise ValueError(f"❌Unknown {spec_namespace}❌: {msg_list}")
 
-            for probe in parsed_specs["probe"]:
-                # distribute `generations` to the probes
-                p_type, p_module, p_klass = probe.split(".")
-                if (
-                    hasattr(_config.run, "generations")
-                    and _config.run.generations
-                    is not None  # garak.core.yaml always provides run.generations
-                ):
-                    _config.plugins.probes[p_module][p_klass][
-                        "generations"
-                    ] = _config.run.generations
-
-            evaluator = garak.evaluators.ThresholdEvaluator(_config.run.eval_threshold)
-
+            # generator init
             from garak import _plugins
 
             generator = _plugins.load_plugin(
@@ -500,6 +501,18 @@ def main(arguments=None) -> None:
                     logging=logging,
                 )
 
+            # looks like we might get something to report, so fire that up
+            command.start_run()  # start the run now that all config validation is complete
+            print(f"📜 reporting to {_config.transient.report_filename}")
+
+            # do policy run
+            if _config.run.policy_scan:
+                command.run_policy_scan(generator, _config)
+
+            # configure generations counts for main run
+            _config.distribute_generations_config(parsed_specs["probe"], _config)
+
+            # autodan action
             if "generate_autodan" in args and args.generate_autodan:
                 from garak.resources.autodan import autodan_generate
 
@@ -513,15 +526,17 @@ def main(arguments=None) -> None:
                     )
                 autodan_generate(generator=generator, prompt=prompt, target=target)
 
-            command.start_run()  # start the run now that all config validation is complete
-            print(f"📜 reporting to {_config.transient.report_filename}")
+            # set up plugins for main run
+            # instantiate evaluator
+            evaluator = garak.evaluators.ThresholdEvaluator(_config.run.eval_threshold)
 
+            # parse & set up detectors, if supplied
             if parsed_specs["detector"] == []:
-                command.probewise_run(
+                run_result = command.probewise_run(
                     generator, parsed_specs["probe"], evaluator, parsed_specs["buff"]
                 )
             else:
-                command.pxd_run(
+                run_result = command.pxd_run(
                     generator,
                     parsed_specs["probe"],
                     parsed_specs["detector"],

garak/command.py

@@ -6,6 +6,7 @@
 import logging
 import json
 import random
+import re
 
 HINT_CHANCE = 0.25
 
@@ -56,7 +57,7 @@ def start_run():
 
     logging.info("run started at %s", _config.transient.starttime_iso)
     # print("ASSIGN UUID", args)
-    if _config.system.lite and "probes" not in _config.transient.cli_args and not _config.transient.cli_args.list_probes and not _config.transient.cli_args.list_detectors and not _config.transient.cli_args.list_generators and not _config.transient.cli_args.list_buffs and not _config.transient.cli_args.list_config and not _config.transient.cli_args.plugin_info and not _config.run.interactive:  # type: ignore
+    if _config.system.lite and "probes" not in _config.transient.cli_args and not _config.transient.cli_args.list_probes and not _config.transient.cli_args.list_policy_probes and not _config.transient.cli_args.list_detectors and not _config.transient.cli_args.list_generators and not _config.transient.cli_args.list_buffs and not _config.transient.cli_args.list_config and not _config.transient.cli_args.plugin_info and not _config.run.interactive:  # type: ignore
         hint(
             "The current/default config is optimised for speed rather than thoroughness. Try e.g. --config full for a stronger test, or specify some probes.",
             logging=logging,
@@ -160,12 +161,14 @@ def end_run():
     logging.info(msg)
 
 
-def print_plugins(prefix: str, color):
+def print_plugins(prefix: str, color, filter=None):
     from colorama import Style
 
     from garak._plugins import enumerate_plugins
 
-    plugin_names = enumerate_plugins(category=prefix)
+    if filter is None:
+        filter = {}
+    plugin_names = enumerate_plugins(category=prefix, filter=filter)
     plugin_names = [(p.replace(f"{prefix}.", ""), a) for p, a in plugin_names]
     module_names = set([(m.split(".")[0], True) for m, a in plugin_names])
     plugin_names += module_names
@@ -182,7 +185,13 @@ def print_plugins(prefix: str, color):
 def print_probes():
     from colorama import Fore
 
-    print_plugins("probes", Fore.LIGHTYELLOW_EX)
+    print_plugins("probes", Fore.LIGHTYELLOW_EX, filter={"policy_probe": False})
+
+
+def print_policy_probes():
+    from colorama import Fore
+
+    print_plugins("probes", Fore.LIGHTYELLOW_EX, filter={"policy_probe": True})
 
 
 def print_detectors():
@@ -234,14 +243,14 @@ def probewise_run(generator, probe_names, evaluator, buffs):
     import garak.harnesses.probewise
 
     probewise_h = garak.harnesses.probewise.ProbewiseHarness()
-    probewise_h.run(generator, probe_names, evaluator, buffs)
+    return list(probewise_h.run(generator, probe_names, evaluator, buffs))
 
 
 def pxd_run(generator, probe_names, detector_names, evaluator, buffs):
     import garak.harnesses.pxd
 
     pxd_h = garak.harnesses.pxd.PxD()
-    pxd_h.run(
+    return pxd_h.run(
         generator,
         probe_names,
         detector_names,
@@ -273,3 +282,60 @@ def write_report_digest(report_filename, digest_filename):
     digest = report_digest.compile_digest(report_filename)
     with open(digest_filename, "w", encoding="utf-8") as f:
         f.write(digest)
+
+
+POLICY_MSG_PREFIX = "run_policy_scan"
+
+
+def _policy_scan_msg(text):
+    print(f"🏛️  {text}")
+    logging.info(f"{POLICY_MSG_PREFIX}: {text}")
+
+
+def run_policy_scan(generator, _config):
+
+    from garak._config import distribute_generations_config
+    from garak._plugins import enumerate_plugins
+    import garak.evaluators
+    import garak.policy
+
+    main_reportfile = _config.transient.reportfile
+    policy_report_filename = re.sub(
+        r"\.jsonl$", ".policy.jsonl", _config.transient.report_filename
+    )
+    _policy_scan_msg(f"policy report in {policy_report_filename}")
+    _config.transient.reportfile = open(
+        policy_report_filename, "w", buffering=1, encoding="utf-8"
+    )
+
+    logging.info(f"{POLICY_MSG_PREFIX}: start policy scan")
+    # this is a probewise run of all policy probes
+    policy_probe_names = [
+        name
+        for name, status in enumerate_plugins(
+            "probes", filter={"active": True, "policy_probe": True}
+        )
+    ]
+    _policy_scan_msg("using policy probes " + ", ".join(policy_probe_names))
+
+    evaluator = garak.evaluators.ThresholdEvaluator(garak._config.run.eval_threshold)
+    distribute_generations_config(policy_probe_names, _config)
+    buffs = []
+    result = probewise_run(generator, policy_probe_names, evaluator, buffs)
+
+    policy = garak.policy.Policy()
+    policy.parse_eval_result(result, threshold=garak._config.policy.threshold)
+    policy.propagate_up()
+
+    policy_entry = {"entry_type": "policy", "policy": policy.points}
+    _config.transient.reportfile.write(json.dumps(policy_entry) + "\n")
+
+    _config.transient.reportfile.close()
+    _config.transient.reportfile = main_reportfile
+
+    # write policy record to both main report log and policy report log
+    _config.transient.reportfile.write(json.dumps(policy_entry) + "\n")
+
+    _policy_scan_msg("end policy scan")
+
+    return policy

garak/data/misp_descriptions.tsv

@@ -137,4 +137,5 @@ risk-cards:lmrc:threats	Threats	Threats
 risk-cards:lmrc:unproven_claims	Unproven Claims	Unproven Claims
 risk-cards:lmrc:violation_of_privacy	Violation Of Privacy	Violation Of Privacy
 risk-cards:lmrc:weapon_instructions	Weapon Instructions	Weapon Instructions
-risk-cards:lmrc:wrong_tone	Wrong Tone	Wrong Tone
+risk-cards:lmrc:wrong_tone	Wrong Tone	Wrong Tone
+policy	Policy test	Policy test: this is not an exploit