Function Library Poisoning Exposes New Risk for LLM-Powered Autonomous Vehicles

Global: Function Library Poisoning Exposes New Risk for LLM-Powered Autonomous VehiclesResearchers have unveiled a novel poisoning technique, dubbed FuncPoison, that targets the shared function library used by large‑language‑model (LLM) driven multi‑agent autonomous driving systems, according to a preprint posted on arXiv. The study highlights how compromising this library can alter vehicle behavior without modifying core perception or control code.

Function Libraries in LLM‑Driven Driving Systems

In contemporary autonomous platforms, multiple specialized agents rely on a common repository of software tools—referred to as the function library—to interpret sensor inputs, execute reasoning routines, and generate motion plans. This modular approach enables rapid integration of new capabilities but also creates a single point of reference that all agents query during operation.

Exploited Weaknesses

The authors identify two systemic weaknesses: first, agents select functions based on natural‑language prompts, making them susceptible to misleading instructions; second, the activation of functions follows a standardized command syntax that attackers can mimic, allowing malicious entries to be indistinguishable from legitimate tools.

Mechanics of the FuncPoison Attack

FuncPoison operates by injecting counterfeit tools into the library and pairing them with deceptive textual cues. When an agent receives a prompt that matches the malicious description, it invokes the compromised tool, producing erroneous outputs such as inaccurate road‑condition assessments. Because agents share information, the initial error propagates, causing coordinated misbehavior across the system.

Experimental Findings

The paper reports experiments on two representative multi‑agent autonomous driving frameworks. Results show a measurable decline in trajectory accuracy—up to a 42% increase in positional error—and the ability to target specific agents while leaving others unaffected. Moreover, the attack evaded several baseline defenses, including signature‑based detection and prompt‑validation filters.

Security Implications

These findings suggest that the function library, often treated as a benign utility collection, constitutes a critical attack surface in LLM‑augmented vehicles. Compromise of this component could undermine safety assurances and erode public confidence in autonomous technology.

Potential Countermeasures

The authors recommend tighter provenance verification for library entries, sandboxed execution environments, and anomaly‑detection mechanisms that monitor inter‑agent communication for inconsistent outputs. Implementing such safeguards may reduce the feasibility of poisoning attacks without impeding the flexibility of multi‑agent designs.This report is based on information from arXiv, licensed under Academic Preprint / Open Access. Based on the abstract of the research paper. Full text available via ArXiv.