
Google outlines security protections in Chrome's agentic capabilities

Google has outlined the security protections that it has implemented for agentic features in Chrome. This is how Gemini will protect itself and you from threats.

In case you missed it, Google started rolling out AI features in Chrome a few months ago, for users in the U.S.

Google highlights that the main threat facing agentic browsers is indirect prompt injection: instructions hidden in content the agent reads, which hijack the prompt and trick the AI. Such attacks can be planted on a malicious site the agent visits, delivered through third-party content in iframes, or even spread through fake user-generated reviews. These injected instructions could cause the AI agent to take unwanted actions, including financial transactions or leaking sensitive data.

To combat this, Google says it is preparing a layered defense that combines deterministic and probabilistic protections. It says this will make it harder, and costlier, for threat actors to cause harm.

The first layer is something called the "User Alignment Critic" (UAC), a separate model that is isolated from Gemini's main model. Google describes it as follows: "the User Alignment Critic runs after the planning is complete, to double-check each proposed action". In other words, the UAC analyzes whether the actions the agent planned for the requested task align with the user's goal. If an action is misaligned, the UAC prevents it from executing. Refer to the flow chart above, which shows the steps involved in the process.


Google says that the Alignment Critic will not access untrustworthy web content, and only has access to the metadata for the proposed action. That's what makes it isolated from the main model. The UAC will provide feedback to the planning model to re-formulate the plan, which in turn will return control to the user in case of repeated failures.

Chrome's Site Isolation and the same-origin policy are at the core of the agentic security model. Agents have access across websites, but if that access were unrestricted, a compromised agent could interact with arbitrary sites, i.e. bypass Site Isolation, which could lead to data theft or worse. To prevent this, the agentic AI follows Agent Origin Sets, which restrict the agent to data from origins related to the current task, or data the user has shared with the agent.

Chrome agentic AI origin sets

Origins whose content Gemini may only read are read-only origins, and access to every other origin is blocked. Origins on which the agent may also act, by clicking or typing, are read-writable origins; the agent can read the content of those pages as well.

The AI agent asks for the user's permission before it navigates to sensitive sites, such as those dealing with banking transactions or medical information. To do this, the AI runs a deterministic check against a list of sensitive sites. The agent also confirms with the user before letting Chrome sign in to a site via Google Password Manager; the Mountain View company says that the AI does not have access to the passwords. Finally, the agent pauses and asks the user's permission for actions such as completing a purchase or payment, sending messages, or other consequential actions.
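To make the interplay of the three deterministic checks above concrete (Agent Origin Sets with read-only versus read-writable origins, the sensitive-site list, and pausing for sign-in and consequential actions), here is an added illustrative policy gate in Python. It is not Chrome's or Google's code; the `Decision`, `Action` and `OriginSets` types, the `evaluate` and `run_plan` functions, the sensitive-origin list and the sample plan are all constructed assumptions about how such a gate could be modelled. The sample plan contains a step that an injected instruction might have added, so the run shows the gate stopping the plan before the out-of-set read and never reaching the checkout step.

```python
from dataclasses import dataclass, field
from enum import Enum
from urllib.parse import urlsplit


class Decision(Enum):
    ALLOW = "allow"        # execute without interruption
    DENY = "deny"          # outside the task's origin sets; never executed
    ASK_USER = "ask_user"  # pause and confirm with the user first


@dataclass(frozen=True)
class Action:
    kind: str                    # "read", "navigate", "click", "type", "sign_in", "submit"
    url: str
    consequential: bool = False  # purchase, payment, sending a message, ...


@dataclass
class OriginSets:
    """Assumed model of Agent Origin Sets: origins the agent may read,
    and origins it may also act on (click, type, sign in, submit)."""
    read_only: set[str] = field(default_factory=set)
    read_write: set[str] = field(default_factory=set)

    def allows_read(self, origin: str) -> bool:
        return origin in self.read_only or origin in self.read_write

    def allows_write(self, origin: str) -> bool:
        return origin in self.read_write


# Constructed stand-in for a deterministic sensitive-site list (banking, medical).
SENSITIVE_ORIGINS = {"https://bank.example", "https://clinic.example"}
WRITE_KINDS = {"click", "type", "sign_in", "submit"}


def origin_of(url: str) -> str:
    """Reduce a URL to its same-origin tuple: scheme://host[:port]."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError(f"unsupported URL: {url!r}")
    port = f":{parts.port}" if parts.port else ""
    return f"{parts.scheme}://{parts.hostname}{port}"


def evaluate(action: Action, sets: OriginSets) -> Decision:
    """Decide one proposed action against the task's origin sets and the fixed rules."""
    origin = origin_of(action.url)
    if action.kind == "navigate":
        # Assumption: navigation stays inside the task's origin sets, and a
        # sensitive destination needs explicit user consent even when it is in them.
        if not sets.allows_read(origin):
            return Decision.DENY
        return Decision.ASK_USER if origin in SENSITIVE_ORIGINS else Decision.ALLOW
    if action.kind == "read":
        return Decision.ALLOW if sets.allows_read(origin) else Decision.DENY
    if action.kind in WRITE_KINDS:
        if not sets.allows_write(origin):
            return Decision.DENY          # read-only or unrelated origin
        # Password-manager sign-in and consequential actions always pause for the user.
        if action.kind == "sign_in" or action.consequential:
            return Decision.ASK_USER
        return Decision.ALLOW
    raise ValueError(f"unknown action kind: {action.kind!r}")


def run_plan(plan: list[Action], sets: OriginSets) -> tuple[int, Decision]:
    """Execute actions in order and stop at the first that is not ALLOW.
    Returns (actions executed, the decision that stopped the plan, or ALLOW)."""
    executed = 0
    for action in plan:
        decision = evaluate(action, sets)
        if decision is not Decision.ALLOW:
            return executed, decision
        executed += 1
    return executed, Decision.ALLOW


# Constructed sample task: "compare prices for item 42 on shop.example".
TASK_SETS = OriginSets(
    read_only={"https://reviews.example"},
    read_write={"https://shop.example"},
)

# Constructed plan: an instruction hidden in a review page has added a step that
# reads an unrelated origin and then tries to submit a purchase.
INJECTED_PLAN = [
    Action("read", "https://shop.example/item/42"),
    Action("read", "https://reviews.example/item/42"),
    Action("read", "https://mail.example/inbox"),                     # outside the sets
    Action("submit", "https://shop.example/checkout", consequential=True),
]

if __name__ == "__main__":
    print(run_plan(INJECTED_PLAN, TASK_SETS))  # (2, Decision.DENY)
```

The ordering matters: origin-set membership is checked before the sensitivity and consequential-action rules, so an action outside the task's origins is denied outright rather than turned into a permission prompt, and the user is only interrupted for actions that are in scope but risky.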

Google Chrome AI Agent log

In addition to the above checks, Google employs several processes to detect threats and respond to them. Chrome's real-time scanning with Safe Browsing and on-device AI protect against traditional scams, and a prompt-injection classifier runs in parallel to the planning model's inference. It prevents actions from being taken based on content if it determines that the content is targeting the model to do something unaligned with the user's goal.

Read the full announcement on Google's blog for further details. Google Chrome may take on Perplexity Comet, and ChatGPT Atlas with its agentic browsing capabilities.

What do you think about agentic AIs? Have you used any?

Thank you for being a Ghacks reader. The post Google outlines security protections in Chrome's agentic capabilities appeared first on gHacks Technology News.
