IronCurtain Offensive Analysis
SDD-B05 · Course 2B — Securing & Attacking Harnesses and LLMs
45 minutes · The defense to beat
IronCurtain (Course 1 DD-20) is the strongest defense in the roster — deterministic enforcement at runtime, credential quarantine, a V8 isolate sandbox. If it has no runtime judge, where is the surface? At build time (a probabilistic LLM compiles the deterministic rules), at the isolate boundary, and at the escalation channel. Each break proves why no single layer suffices.
Deep-Dives · SDD-B05
The strongest defense, attacked
SDD-B04 attacked CrabTrap (probabilistic judge) and prescribed the deterministic-first fix: IronCurtain. This deep-dive is where that fix is itself attacked.
| IronCurtain closes (from SDD-B04) | IronCurtain's own residuals (this deep-dive) |
| The injectable judge — no runtime LLM, no judge to inject | Compilation fidelity — a probabilistic LLM compiles the deterministic rules |
| The latency/cost pressure — if/then is cheap, no allowlist pressure | The V8 isolate boundary — the quarantine holds only as long as it does |
| The credential-exfil path — agent holds fake keys | Escalation fatigue — the human is the probabilistic component |
B05.1 — The attack surface map
Where the probabilistic component went
The LLM was not eliminated — it was relocated
constitution.md (plain English)
│
▼ BUILD TIME — the compilation pipeline (SURFACE 1)
Annotate (LLM) → Compile (LLM) → Resolve Lists (LLM)
→ Generate Scenarios (LLM) → Verify & Repair (LLM)
│
▼
compiled-policy.json (deterministic rules)
│
▼ RUNTIME — deterministic enforcement (NO surface)
pure if/then JSON rule eval · ZERO LLM · cannot be injected
│
├─ ALLOW / DENY (rule match)
└─ ESCALATE → HUMAN (SURFACE 3: edge cases)
The runtime has no surface. The surfaces are everything around it: the build-time compilation, the V8 isolate (SURFACE 2), and the escalation channel.
Three surfaces, three structural causes
| Surface | Structural cause | What it proves |
| Compilation fidelity | A probabilistic LLM compiles the deterministic rules | Relocating the LLM concentrates it, doesn't eliminate it |
| V8 isolate boundary | The quarantine depends on the JS-level sandbox holding | The strongest primitive is one memory-corruption bug from defeat |
| Escalation fatigue | Edge cases escalate to a human; humans can be fatigued | A deterministic system inherits the human's vulnerabilities |
Note what is not on the list: the runtime engine. Pure if/then has no semantic surface. You cannot inject an if-statement.
B05.2 — The three breaks
Each constructed, each measured
Break 1 — Compilation fidelity
Three vectors steer the build-time LLM toward a permissive rule:
Constitution ambiguity — "may post to internal channels for routine updates" — steer the resolution toward permissive
Scenario coverage gap — scenario set doesn't exercise the attacker's action; verify-and-repair never tests it
Resolved-list poisoning — @trusted-endpoints includes attacker domain; @sensitive-ops omits the target
Verify-and-repair is a second LLM checking the first. Two probabilistic systems agreeing is not a deterministic guarantee. A permissive interpretation, validated against a scenario set that doesn't exercise it, passes.
Measurement: compilation-fidelity drift rate — % of fuzzed constitutions producing a permissive rule. The build-time analogue of the InjecAgent delta.
Break 2 — The V8 isolate boundary
The credential quarantine is the strongest primitive in the course — but it holds only as long as the isolate does. The agent holds fake keys; the real keys live in the proxy's host process. The isolation is the only thing between them.
An isolate escape (a V8 or isolated-vm CVE — type confusion, bounds error, JIT bug, GC edge case) lets compromised agent code run in the host process — reaching the real keys, the network stack, the policy config.
The honest framing: this is an escape-path analysis, not a constructed exploit. The course does not teach V8 exploitation. The measurement is a dependency-CVE audit (is the deployed version current? known escape CVEs?), like SDD-B04's configuration-drift audit.
Break 3 — Escalation fatigue
The attacker generates edge cases — tool calls ambiguous under the compiled policy, forcing escalation. Three fatigue patterns raise the approval rate:
| Pattern | What happens |
| Volume fatigue | Many escalations in a short window; human defaults to ALLOW to clear the backlog |
| Contextual fatigue | Escalations similar to prior-approved calls; approved by analogy, missing the difference |
| Timing fatigue | Escalations during launch/incident/off-hours; scrutiny down, approval up |
This is the deterministic analogue of CrabTrap's latency/cost pressure. A defense expensive to honor (in human attention) is a defense the human defeats. Measurement: fatigue simulator, approval-rate delta rested vs fatigued (e.g. 4% → 31%).
B05.3 — Defense-in-depth: no single layer suffices
B2's thesis, made concrete
The layered prescription
- Human review gate — review compiled-policy.json before deploy; diff vs last-reviewed. Catches the residual verify-and-repair agreed with. No runtime LLM added.
- Sandbox defense-in-depth — isolate (inner) → seccomp/capability (middle) → egress controls (outer). An escape defeats 3 layers, not 1. Quarantine preserved at the outer layer.
- Escalation rate-limiting — cap/hour + smart batching + two-person rule for high-impact allows. Fatigue → bounded residual.
- Probabilistic second layer — an LLM-as-judge for escalated cases ONLY, after the deterministic layer. Judge injectability becomes a residual, not the primary surface.
Each layer addresses a residual the others leave. No single layer is load-bearing; each is a backstop. This is what SDD-B03 measures reaching single-digit injection rates.
Why this is B2's thesis
SDD-B03 measured it: layered defenses reach single-digit injection rates where single defenses sit near the baseline. SDD-B04 demonstrated it: CrabTrap has residuals; the deterministic-first prescription points at IronCurtain.
This deep-dive completes the argument: even IronCurtain, the strongest single defense, has residuals. Compilation fidelity, the isolate boundary, escalation fatigue — not bugs, structural properties of any single-layer defense.
The only complete answer is layers. The only honest engagement deliverable is the layered prescription. No single layer suffices — not even IronCurtain.
Lab & what's next
Lab (07): build a compilation-fidelity fuzz harness (N fuzzed constitutions → drift rate), construct an escalation-fatigue simulator (approval-rate delta rested vs fatigued), audit the V8-isolate dependency for escape CVEs, assemble the four-layer prescription. No GPU; Python 3.10+, type hints, runs offline.
Next — SDD-B06: RedAgent: Black-Box Jailbreaking. We leave the harness layer and attack the model directly. RedAgent (2026) finds most black-box LLMs jailbreak within 5 queries using context-specific attacks. The 5-query chain, why context-specific beats generic, and the dual-use disclosure dilemma in its sharpest form. No single layer suffices — B2's thesis, now at the model.