Course 2B · Module B13 · Pillar 4 · 50 min

Representation-Level Attacks
The Model as Attack Surface

The seventh surface — the one no B-module covers. Activation steering, weight poisoning, checkpoint manipulation, and the dual-use of interpretability tooling. The C3 FT17 bridge: the same technique read two ways.

4attack classes
4defense-in-depth layers
7the surface (of seven)
3lab acts (steer, poison, detect)

01The thesis — RI-202

C3 FT17 shows you how to steer model representations for alignment control. This module shows you why those same techniques are attack vectors when applied by an adversary. The model's internal representations are the new attack surface — and the supply chain that delivers the weights is the new perimeter.

Six of the seven attack surfaces from B1 are covered by B2–B8. The seventh — the model itself, as an artifact with internal representations and weights — is the one no B-module covers, because the controls are not runtime. The taint gate does not inspect weights. The sandbox does not inspect weights. The observability layer logs behavior, not activations. Every runtime control assumes the model is a trusted base. This module examines what happens when that assumption fails.

02Key claims

The gap — RI-202

The model is the seventh surface, and it is the single most significant gap in Course 2B. Every runtime control B2–B8 builds assumes the model is a trusted base. The model-layer controls are not runtime — they are supply-chain (provenance, integrity), pre-deployment (evaluation), and runtime monitoring.

The C3 FT17 / B13 bridge

The same forward hook that adds a refusal direction (alignment, defense) can subtract it (abliteration, offense). The technique is identical; the sign of the scalar is the only difference. You cannot defend a surface you do not understand.

The .safetensors distinction

.safetensors prevents code execution on load. It does NOT prevent weight-level backdoors. The two safety properties — code-execution safety and weight-benignity — are independent. A .safetensors file with a BadNets-style trojan is safe to load and dangerous to use.

The dual-use of interpretability

The SAE that identifies the refusal feature also tells an adversary which direction to subtract to suppress it. The tool does not distinguish between a researcher and an adversary. The defensive posture is not to suppress the ecosystem but to incorporate it into the threat model.

03The four attack classes

Class 1 — Activation steering
CAA via forward hook to suppress refusal (abliteration). Runtime, activations. Identical to C3 FT17; the sign of the scalar differs. ATLAS: Execution TA0005.
Class 2 — Weight poisoning
BadNets, trojans, sleeper agents. Backdoor in the weights survives fine-tuning. No runtime control detects it. ATLAS: Persistence TA0006.
Class 3 — Checkpoint manipulation
Tampered .safetensors / .gguf. Format prevents code execution, NOT weight backdoors. ATLAS: Persistence + Supply Chain.
Class 4 — Supply-chain trust
Evil-twin fine-tunes, malicious LoRA adapters. Signature verifies uploader identity, NOT weight benignity. ATLAS: Initial Access TA0003.

All four bypass B2–B8 — none inspect the model layer.

04The defense-in-depth stack

No single layer catches everything. Four layers, each catching a different attack class. Layer 1 is the foundation — without provenance, the other layers have nothing to verify against.

Layer 1 — Provenance
Record who trained it, on what data, with what post-training. The AI BOM (B11.2). Catches Class 4 (supply-chain trust).
Layer 2 — Integrity
Verify checkpoint hash over weight tensors. Catches Class 3 (tampering in transit/at rest).
Layer 3 — Pre-deployment eval
Trigger-phrase probing + weight-distribution analysis + behavioral eval. Catches Class 2 (weight poisoning).
Layer 4 — Runtime monitoring
B8 observability watches for backdoor-trigger patterns. Catches Class 1 (activation steering) + Class 2 (triggered backdoors in prod).

05After this module, you can

06Artifacts

07Read with