IronCurtain Offensive Analysis

SDD-B05 · Course 2B — Securing & Attacking Harnesses and LLMs

45 minutes · The defense to beat

IronCurtain (Course 1 DD-20) is the strongest defense in the roster — deterministic enforcement at runtime, credential quarantine, a V8 isolate sandbox. If it has no runtime judge, where is the surface? At build time (a probabilistic LLM compiles the deterministic rules), at the isolate boundary, and at the escalation channel. Each break proves why no single layer suffices.

Deep-Dives · SDD-B05

The strongest defense, attacked

SDD-B04 attacked CrabTrap (probabilistic judge) and prescribed the deterministic-first fix: IronCurtain. This deep-dive is where that fix is itself attacked.
IronCurtain closes (from SDD-B04)IronCurtain's own residuals (this deep-dive)
The injectable judge — no runtime LLM, no judge to injectCompilation fidelity — a probabilistic LLM compiles the deterministic rules
The latency/cost pressure — if/then is cheap, no allowlist pressureThe V8 isolate boundary — the quarantine holds only as long as it does
The credential-exfil path — agent holds fake keysEscalation fatigue — the human is the probabilistic component

B05.1 — The attack surface map

Where the probabilistic component went

The LLM was not eliminated — it was relocated

constitution.md  (plain English)
       │
       ▼   BUILD TIME — the compilation pipeline (SURFACE 1)
  Annotate (LLM) → Compile (LLM) → Resolve Lists (LLM)
       → Generate Scenarios (LLM) → Verify & Repair (LLM)
       │
       ▼
  compiled-policy.json  (deterministic rules)
       │
       ▼   RUNTIME — deterministic enforcement (NO surface)
  pure if/then JSON rule eval · ZERO LLM · cannot be injected
       │
       ├─ ALLOW / DENY  (rule match)
       └─ ESCALATE → HUMAN  (SURFACE 3: edge cases)
The runtime has no surface. The surfaces are everything around it: the build-time compilation, the V8 isolate (SURFACE 2), and the escalation channel.

Three surfaces, three structural causes

SurfaceStructural causeWhat it proves
Compilation fidelityA probabilistic LLM compiles the deterministic rulesRelocating the LLM concentrates it, doesn't eliminate it
V8 isolate boundaryThe quarantine depends on the JS-level sandbox holdingThe strongest primitive is one memory-corruption bug from defeat
Escalation fatigueEdge cases escalate to a human; humans can be fatiguedA deterministic system inherits the human's vulnerabilities
Note what is not on the list: the runtime engine. Pure if/then has no semantic surface. You cannot inject an if-statement.

B05.2 — The three breaks

Each constructed, each measured

Break 1 — Compilation fidelity

Three vectors steer the build-time LLM toward a permissive rule:

Constitution ambiguity — "may post to internal channels for routine updates" — steer the resolution toward permissive
Scenario coverage gap — scenario set doesn't exercise the attacker's action; verify-and-repair never tests it
Resolved-list poisoning — @trusted-endpoints includes attacker domain; @sensitive-ops omits the target
Verify-and-repair is a second LLM checking the first. Two probabilistic systems agreeing is not a deterministic guarantee. A permissive interpretation, validated against a scenario set that doesn't exercise it, passes.

Measurement: compilation-fidelity drift rate — % of fuzzed constitutions producing a permissive rule. The build-time analogue of the InjecAgent delta.

Break 2 — The V8 isolate boundary

The credential quarantine is the strongest primitive in the course — but it holds only as long as the isolate does. The agent holds fake keys; the real keys live in the proxy's host process. The isolation is the only thing between them.

An isolate escape (a V8 or isolated-vm CVE — type confusion, bounds error, JIT bug, GC edge case) lets compromised agent code run in the host process — reaching the real keys, the network stack, the policy config.

The honest framing: this is an escape-path analysis, not a constructed exploit. The course does not teach V8 exploitation. The measurement is a dependency-CVE audit (is the deployed version current? known escape CVEs?), like SDD-B04's configuration-drift audit.

Break 3 — Escalation fatigue

The attacker generates edge cases — tool calls ambiguous under the compiled policy, forcing escalation. Three fatigue patterns raise the approval rate:

PatternWhat happens
Volume fatigueMany escalations in a short window; human defaults to ALLOW to clear the backlog
Contextual fatigueEscalations similar to prior-approved calls; approved by analogy, missing the difference
Timing fatigueEscalations during launch/incident/off-hours; scrutiny down, approval up
This is the deterministic analogue of CrabTrap's latency/cost pressure. A defense expensive to honor (in human attention) is a defense the human defeats. Measurement: fatigue simulator, approval-rate delta rested vs fatigued (e.g. 4% → 31%).

B05.3 — Defense-in-depth: no single layer suffices

B2's thesis, made concrete

The layered prescription

  1. Human review gate — review compiled-policy.json before deploy; diff vs last-reviewed. Catches the residual verify-and-repair agreed with. No runtime LLM added.
  2. Sandbox defense-in-depth — isolate (inner) → seccomp/capability (middle) → egress controls (outer). An escape defeats 3 layers, not 1. Quarantine preserved at the outer layer.
  3. Escalation rate-limiting — cap/hour + smart batching + two-person rule for high-impact allows. Fatigue → bounded residual.
  4. Probabilistic second layer — an LLM-as-judge for escalated cases ONLY, after the deterministic layer. Judge injectability becomes a residual, not the primary surface.
Each layer addresses a residual the others leave. No single layer is load-bearing; each is a backstop. This is what SDD-B03 measures reaching single-digit injection rates.

Why this is B2's thesis

SDD-B03 measured it: layered defenses reach single-digit injection rates where single defenses sit near the baseline. SDD-B04 demonstrated it: CrabTrap has residuals; the deterministic-first prescription points at IronCurtain.
This deep-dive completes the argument: even IronCurtain, the strongest single defense, has residuals. Compilation fidelity, the isolate boundary, escalation fatigue — not bugs, structural properties of any single-layer defense.
The only complete answer is layers. The only honest engagement deliverable is the layered prescription. No single layer suffices — not even IronCurtain.

Lab & what's next

Lab (07): build a compilation-fidelity fuzz harness (N fuzzed constitutions → drift rate), construct an escalation-fatigue simulator (approval-rate delta rested vs fatigued), audit the V8-isolate dependency for escape CVEs, assemble the four-layer prescription. No GPU; Python 3.10+, type hints, runs offline.

Next — SDD-B06: RedAgent: Black-Box Jailbreaking. We leave the harness layer and attack the model directly. RedAgent (2026) finds most black-box LLMs jailbreak within 5 queries using context-specific attacks. The 5-query chain, why context-specific beats generic, and the dual-use disclosure dilemma in its sharpest form. No single layer suffices — B2's thesis, now at the model.