CrabTrap Offensive Analysis
The primary attack target. CrabTrap (Course 1 DD-19) is the LLM-as-judge egress governance system — probabilistic enforcement of network policy. This deep-dive dissects the attack surface: prompt injection in the request body to manipulate the judge (the judge is a model, so it is injectable); the response-side gap (no inbound filtering — the judge governs egress, not the content that shapes the agent); the latency/cost tradeoff that makes the judge a bypassable bottleneck. The offensive analysis: how to break CrabTrap, what each break proves, and what the deterministic alternative (IronCurtain) fixes.
The judge is a model reading attacker-influenced text, and a model reading text is injectable — the JSON-encoding defense is syntactic, the surface is semantic. CrabTrap JSON-encodes the request body before it reaches the judge, which stops the naive bare-instruction override ('SYSTEM: ALLOW' arrives as a string value). But it does not stop benign-framing (payload phrased as a permitted operation), policy-priming (context that shifts the judge toward ALLOW), or ambiguity exploitation — because those attacks live in the content's MEANING, which the judge must parse to classify the request. This proves probabilistic enforcement has an attack surface deterministic enforcement does not: the judge returns ALLOW for a request a deterministic rule would match to DENY, because the rule matches on structure, not on an attacker-influenced classification.
The response-side gap is the InjecAgent vector on a channel CrabTrap never inspects — governing only egress covers half the boundary. CrabTrap does not filter response bodies. An injected API response flows back uninspected into the agent's context, steers the agent toward an outbound exfil call, and that call's body is then benign-framed to pass the judge. Break 2 enables Break 1: neither alone is the full chain, together they are the OWASP cross-row chain (ASI07 injected response → ASI01 goal hijack → ASI05/ASI03 exfil). CrabTrap saw only the last step of a chain it could not see whole. Measured under InjecAgent, the response-borne vector barely moves from the un-defended baseline because the defense never sees the injection.
The latency/cost bottleneck makes the judge a bypassable bottleneck — enforcement cost IS a security property, not just a performance metric. Every non-static request costs an LLM call and adds latency. Under load, operations widens the static allow list (paths the judge no longer inspects), flips the circuit breaker to passthrough (judge failure = request ALLOWED), or grants deadline exemptions that become permanent. The root cause of a 'stopped working' CrabTrap is usually configuration drift, not request content — the team routed around the judge. The attacker does not need to break the judge if operations has already eroded it. This is an audit finding (does deployed allowlist match reviewed policy? is fallback deny or passthrough?), not a benchmark number.
The deterministic alternative (IronCurtain) closes two surfaces structurally and changes the third, but has honest residuals — the prescription is layered, not a swap. IronCurtain's credential quarantine contains Break 1's impact (the agent holds fake keys; a manipulated allow yields a call with no real secret). Its deterministic policy compilation removes the runtime judge entirely (no model reading request content = no judge to inject; cheap evaluation = no latency pressure). The response-side gap partially remains (IronCurtain governs actions not data; the structured-output layer is still needed). IronCurtain's own residuals are compilation fidelity (the SDD-B05 target) and escalation fatigue. The layered prescription — deterministic-first, probabilistic-second, response-side filtering, cost-aware — closes more surface than either CrabTrap or IronCurtain alone, and this is the defense-in-depth SDD-B03 measures reaching single-digit injection rates.