« All posts

How homoglyph attacks slip past LLM guardrail filters

Jailbreak prompts written with Cyrillic and Greek look-alike characters easily bypass naive keyword filters. The fix: normalize text before matching, not after.

Two prompts can look pixel-identical yet be byte-for-byte different: swapping a handful of Latin letters in 'ignore all previous instructions' for Cyrillic look-alikes (і, о, а, е, с, р) produces text that's no longer even ASCII. Naive jailbreak filters that match substrings or regex against raw bytes miss this entirely — the plain-ASCII attack gets blocked while its visual clone sails through unmodified.

The fix is to run detection against a normalized copy of the input rather than the raw text: strip zero-width/BOM/bidi characters, apply NFKC normalization to collapse fullwidth and mathematical Unicode variants, then fold Cyrillic/Greek homoglyphs to their Latin equivalents. Crucially, only the normalized copy feeds the rule engine — the original bytes still go to the model untouched. Blind lowercasing should be avoided since it can break case-sensitive secret patterns like AWS keys, and legitimate multilingual text needs dedicated tests to avoid false flags.

This pipeline is implemented in an open-source, OpenAI-compatible security gateway written in Rust (Akav Labs, Apache-2.0), where both the ASCII and Cyrillic versions of a jailbreak trigger the same rule IDs. The author is candid that this is deterministic pattern matching, not a silver bullet — it raises the floor against common tricks but won't stop combining characters or semantic paraphrasing, and argues that false positives, not coverage gaps, are the bigger risk to manage.