# Teaching Script — SDD-B05: IronCurtain Offensive Analysis

**Course**: Course 2B — Securing & Attacking Harnesses and LLMs
**Module**: SDD-B05 — IronCurtain Offensive Analysis
**Duration**: ~30 minutes (spoken at ~140 wpm)
**Format**: Verbatim transcript with `[SLIDE N]` cues. Read aloud or use as speaker notes.

---

[SLIDE 1 — Title]

This is the defense to beat. IronCurtain, from Course 1 DD-20, is the strongest defense in the roster. Deterministic enforcement at runtime — zero LLM, no judge to inject. Credential quarantine — the agent holds fake keys, real keys live in the proxy. A V8 isolate sandbox. A full runtime wrap. SDD-B04 attacked CrabTrap and prescribed the deterministic-first fix: IronCurtain. This deep-dive is where that fix is itself attacked.

The honest question: if IronCurtain has no runtime judge, where is the surface? Three answers. The deterministic policy is compiled by a probabilistic LLM — the LLM was not eliminated, it was relocated. The sandbox is a V8 isolate, which has had escape CVEs. And the deterministic system still needs a human for edge cases, and a human can be fatigued. Each break proves why no single layer suffices.

[SLIDE 2 — The strongest defense, attacked]

IronCurtain closes the two surfaces SDD-B04 broke. The injectable judge — gone, there is no runtime LLM. The latency and cost pressure — gone, if-then evaluation is cheap. The credential-exfil path through the judge — closed, the agent holds fake keys.

But IronCurtain has its own honest residuals. Compilation fidelity — a probabilistic LLM compiles the deterministic rules, and a miscompilation is enforced consistently. The V8 isolate boundary — the quarantine holds only as long as the isolate does. Escalation fatigue — the human is the probabilistic component the deterministic design cannot eliminate. No single residual is a defeat. But the residuals are real, and they are the motivation for the thesis that runs through B2: no single layer suffices.

[SLIDE 3 — B05.1 The attack surface map]

Sub-section one. The attack surface map.

[SLIDE 4 — The LLM was not eliminated]

The deterministic thesis, restated for offense. IronCurtain's thesis is that LLMs are stochastic and security policy must be deterministic. So it removes the LLM from runtime. But the compilation step that produces the deterministic rules is itself an LLM, running at build time. The pipeline: Annotate classifies tool arguments, Compile translates English to if-then, Resolve Lists turns categorical references into concrete values, Generate Scenarios creates test cases, and Verify and Repair runs an LLM judge that can repair failures up to two rounds.

The LLM was not eliminated; it was relocated. If the build-time LLM misinterprets the constitution during compilation, the wrong rule gets baked into the deterministic runtime. And the wrong rule is enforced consistently. You get predictable enforcement of potentially-wrong rules. The runtime enforcement engine has no surface — pure if-then cannot be injected. The surfaces are everything around it.

[SLIDE 5 — Three surfaces, three structural causes]

Three surfaces fall out. Compilation fidelity: a probabilistic LLM compiles the deterministic rules. What it proves — relocating the LLM from runtime to build time does not eliminate the probabilistic component, it concentrates it. The V8 isolate boundary: the quarantine depends on the JS-level sandbox holding. What it proves — the strongest primitive in the course is one memory-corruption bug from defeat. Escalation fatigue: edge cases escalate to a human, and humans can be fatigued. What it proves — a deterministic system that needs a human inherits the human's vulnerabilities.

Note what is not on the list: the runtime engine. You cannot inject an if-statement. The runtime is the part of IronCurtain that genuinely has no attack surface.

[SLIDE 6 — B05.2 The three breaks]

Sub-section two. The three breaks.

[SLIDE 7 — Break 1: compilation fidelity]

IronCurtain compiles a constitution to deterministic JSON rules. The attacker's goal is to cause the compilation to produce a rule that permits an action the constitution intends to deny, in a way that passes verify-and-repair. Three vectors. Constitution ambiguity: a clause like "may post to internal channels for routine updates" is ambiguous, and an attacker who can influence the constitution text steers the resolution toward permissive. Scenario coverage gaps: if the scenario set does not include the attacker's intended action, verify-and-repair never tests it. Resolved-list poisoning: an attacker who can influence a resolved list — a list of trusted endpoints that includes an attacker domain — bakes the poisoning into the deterministic policy.

What verify-and-repair does and does not stop. It stops naive miscompilations — a rule that obviously contradicts the constitution is caught. It does not stop a miscompilation the verifying LLM agrees with, because the verifying LLM is the same kind of probabilistic system that produced the miscompilation. Two LLMs agreeing is not a deterministic guarantee. What it proves: relocating the LLM concentrates it. One miscompilation becomes a consistently-enforced wrong rule. The measurement is a fuzz harness over the compilation pipeline — generate N constitution variants, compile each, measure the drift rate, the percentage of fuzzed constitutions that produce a permissive rule.

[SLIDE 8 — Break 2: the V8 isolate boundary]

The credential quarantine is the strongest primitive in the course. The agent holds fake keys. The real keys live in the TLS-terminating proxy that does the hot-swap. The agent cannot reach the proxy directly. The quarantine holds because the agent's execution environment — the V8 isolate — cannot reach the proxy's execution environment — the host process.

V8 and isolated-vm have a history of sandbox-escape CVEs. V8 is a JIT compiler with a garbage collector and a complex type system. Escapes have come from type confusion, bounds-check errors, JIT optimization bugs, garbage-collection edge cases. An isolate escape is a memory-corruption-class vulnerability. Once the agent's code runs in the host process, it can reach the proxy's memory, the network stack, the policy config. The isolation that made the quarantine hold is gone.

The honest framing. This is an escape-path analysis, not a constructed exploit. The course does not teach V8 exploitation — a working isolate escape is a zero-day with a short shelf life. What the analysis establishes is the structural dependence. The quarantine holds only as long as the isolate does. The measurement is a dependency-CVE audit — is the deployed version current, are there known escape CVEs. Like SDD-B04's configuration-drift audit.

[SLIDE 9 — Break 3: escalation fatigue]

The deterministic system still needs a human for edge cases. The auto-approver handles unambiguous cases, but anything genuinely ambiguous escalates. The attacker generates edge cases — tool calls ambiguous under the compiled policy, forcing escalation. Three fatigue patterns. Volume fatigue: many escalations in a short window, the human defaults to allow to clear the backlog. Contextual fatigue: escalations similar to previously-approved calls, the human approves by analogy without noticing the difference. Timing fatigue: escalations during launches, incidents, off-hours, when scrutiny is down.

What it proves. A deterministic system that still needs a human inherits the human's vulnerabilities. This is the deterministic analogue of the latency and cost pressure on CrabTrap. A defense expensive to honor — in human attention — is a defense the human defeats. The measurement is a fatigue simulator: generate a stream of escalating calls, simulate a human approver with a fatigue model, measure the approval-rate delta rested versus fatigued. Four percent rested, thirty-one percent fatigued, for example. Rate-limiting and batching are partial controls, not eliminations.

[SLIDE 10 — B05.3 Defense-in-depth]

Sub-section three. Defense-in-depth. Why no single layer suffices.

[SLIDE 11 — The layered prescription]

The engagement deliverable is not "IronCurtain is broken, abandon it." The deterministic runtime is the strongest single layer. Keep it. The prescription layers around it. Layer one: human review gate. Review the compiled policy before deploy, diff against the last-reviewed version. Catches the residual that verify-and-repair agreed with. No runtime LLM added. Layer two: sandbox defense-in-depth. Isolate inner, seccomp or capability sandbox middle, egress controls outer. An escape defeats three layers, not one. Layer three: escalation rate-limiting. Cap per hour, smart batching, two-person rule for high-impact allows. Fatigue becomes a bounded residual. Layer four: a probabilistic second layer. An LLM-as-judge for escalated cases only, positioned after the deterministic layer. The judge's injectability is now a residual on the escalated subset, not the primary surface.

Each layer addresses a residual the others leave. No single layer is load-bearing. This is what SDD-B03 measures reaching single-digit injection rates.

[SLIDE 12 — Why this is B2's thesis]

B2's central claim is that defense-in-depth is not a best practice — it is a structural necessity, because every layer has a residual. SDD-B03 measured it. SDD-B04 demonstrated it. This deep-dive completes the argument. Even IronCurtain, the strongest single defense, has residuals. Compilation fidelity, the isolate boundary, escalation fatigue — not implementation bugs, structural properties of any single-layer defense. The only complete answer is layers. The only honest engagement deliverable is the layered prescription. No single layer suffices — not even IronCurtain.

[SLIDE 13 — Lab and what's next]

The lab has you build a compilation-fidelity fuzz harness, construct an escalation-fatigue simulator, audit the V8-isolate dependency for escape CVEs, and assemble the four-layer prescription. No GPU; Python 3.10 plus with type hints, runs offline. Next: SDD-B06, RedAgent, black-box jailbreaking. We leave the harness layer and attack the model directly. RedAgent finds most black-box LLMs jailbreak within five queries using context-specific attacks. The five-query chain, why context-specific beats generic, and the dual-use disclosure dilemma in its sharpest form. No single layer suffices — B2's thesis, now at the model.
