Module SDD-B04 — CrabTrap Offensive Analysis

CrabTrap Offensive Analysis

The primary attack target. CrabTrap (Course 1 DD-19) is the LLM-as-judge egress governance system — probabilistic enforcement of network policy. This deep-dive dissects the attack surface: prompt injection in the request body to manipulate the judge (the judge is a model, so it is injectable); the response-side gap (no inbound filtering — the judge governs egress, not the content that shapes the agent); the latency/cost tradeoff that makes the judge a bypassable bottleneck. The offensive analysis: how to break CrabTrap, what each break proves, and what the deterministic alternative (IronCurtain) fixes.

45
minutes
8
artifacts
3
sub-sections
CrabTrap is this course's primary attack target for three structural reasons: the judge is a model reading attacker-influenced text (so it is injectable — the same property InjecAgent measures for tool outputs, transposed to the egress boundary); the response-side gap means governing only egress covers half the boundary (the inbound content that shapes the agent is ungoverned); and the per-request LLM cost makes the judge a bypassable bottleneck that operations erodes under load. This deep-dive breaks all three surfaces — request-body judge manipulation, the response-side compound chain, and the latency/cost configuration drift — measures each as a (before, after) delta under InjecAgent (SDD-B03), and prescribes the layered deterministic-first defense (IronCurtain, DD-20 / SDD-B05) that closes more surface than either approach alone. The JSON-encoding defense at the judge boundary is syntactic; the attack surface is semantic — and that gap is where every break lives.
Key Claims
Load-Bearing Claims

The judge is a model reading attacker-influenced text, and a model reading text is injectable — the JSON-encoding defense is syntactic, the surface is semantic. CrabTrap JSON-encodes the request body before it reaches the judge, which stops the naive bare-instruction override ('SYSTEM: ALLOW' arrives as a string value). But it does not stop benign-framing (payload phrased as a permitted operation), policy-priming (context that shifts the judge toward ALLOW), or ambiguity exploitation — because those attacks live in the content's MEANING, which the judge must parse to classify the request. This proves probabilistic enforcement has an attack surface deterministic enforcement does not: the judge returns ALLOW for a request a deterministic rule would match to DENY, because the rule matches on structure, not on an attacker-influenced classification.

The response-side gap is the InjecAgent vector on a channel CrabTrap never inspects — governing only egress covers half the boundary. CrabTrap does not filter response bodies. An injected API response flows back uninspected into the agent's context, steers the agent toward an outbound exfil call, and that call's body is then benign-framed to pass the judge. Break 2 enables Break 1: neither alone is the full chain, together they are the OWASP cross-row chain (ASI07 injected response → ASI01 goal hijack → ASI05/ASI03 exfil). CrabTrap saw only the last step of a chain it could not see whole. Measured under InjecAgent, the response-borne vector barely moves from the un-defended baseline because the defense never sees the injection.

The latency/cost bottleneck makes the judge a bypassable bottleneck — enforcement cost IS a security property, not just a performance metric. Every non-static request costs an LLM call and adds latency. Under load, operations widens the static allow list (paths the judge no longer inspects), flips the circuit breaker to passthrough (judge failure = request ALLOWED), or grants deadline exemptions that become permanent. The root cause of a 'stopped working' CrabTrap is usually configuration drift, not request content — the team routed around the judge. The attacker does not need to break the judge if operations has already eroded it. This is an audit finding (does deployed allowlist match reviewed policy? is fallback deny or passthrough?), not a benchmark number.

The deterministic alternative (IronCurtain) closes two surfaces structurally and changes the third, but has honest residuals — the prescription is layered, not a swap. IronCurtain's credential quarantine contains Break 1's impact (the agent holds fake keys; a manipulated allow yields a call with no real secret). Its deterministic policy compilation removes the runtime judge entirely (no model reading request content = no judge to inject; cheap evaluation = no latency pressure). The response-side gap partially remains (IronCurtain governs actions not data; the structured-output layer is still needed). IronCurtain's own residuals are compilation fidelity (the SDD-B05 target) and escalation fatigue. The layered prescription — deterministic-first, probabilistic-second, response-side filtering, cost-aware — closes more surface than either CrabTrap or IronCurtain alone, and this is the defense-in-depth SDD-B03 measures reaching single-digit injection rates.

After This Module
01
Map CrabTrap's attack surface from the offensive side: the two-tier evaluation pipeline (static rules + LLM-as-judge), the JSON-encoding prompt-injection defense at the judge boundary, and the circuit breaker — and identify the three primary attack surfaces that follow (the judge, the response-side gap, the latency/cost bottleneck).
02
Construct the request-body judge-manipulation attack (Break 1) via benign-framing, policy-priming, and ambiguity classes, explain what the JSON-encoding defense does and does not stop, and state what a successful break proves about probabilistic vs deterministic enforcement.
03
Construct the response-side compound chain (Break 2): an injected API response steers the agent to an exfil call whose body passes the judge — map it to the OWASP ASI07→ASI01→ASI05 chain and explain why governing only egress covers half the boundary.
04
Analyze the latency/cost bottleneck (Break 3): the allowlist-widening, circuit-breaker-to-passthrough, and deadline-exemption erosions, why the root cause of a 'stopped working' CrabTrap is configuration drift, and why enforcement cost is a security property.
05
For each break, state what it proves, what the deterministic-enforcement alternative (IronCurtain) fixes, and what residual risk remains — and frame the whole analysis as a measured (before, after) delta under InjecAgent or an audit finding, never an assertion.
06
Translate the CrabTrap offensive analysis into an engagement deliverable: the per-surface attack procedures, the transcripts classified per B0, and the four-layer prescription (deterministic-first, probabilistic-second, response-side filtering, cost-aware) the client patches toward.
Artifacts
01
Teaching Document
~3,500 words; 3 sub-sections — the attack surface map (two-tier pipeline, syntactic-vs-semantic defense, three surfaces), the three breaks (judge manipulation, response-side compound chain, latency/cost erosion — each constructed and measured against InjecAgent), what IronCurtain fixes and the honest residuals + the four-layer prescription; with anti-patterns, key terms, references
READ
02
Diagrams
5 Mermaid diagrams — the two-tier pipeline as attack-surface map (three surfaces), Break 1 request-body judge manipulation (three classes through the encoding), Break 2 the response-side compound chain (ASI07→01→05), Break 3 the latency/cost operational erosion, what IronCurtain fixes vs its residuals + the layered prescription
READ
03
Slide Deck
12 slides — reveal.js, dark theme, design-system teal; covers why CrabTrap is the primary target, the two-tier/three-surface map, syntactic-vs-semantic defense, the three breaks, what IronCurtain fixes + residuals, the layered prescription
READ
04
Teaching Script
Verbatim teaching transcript with [SLIDE N] cues, ~3,000 words spoken at ~140 wpm across 13 slide cues
READ
05
Flashcards
18 flashcards (TSV) — mix of recall and analysis; covers the three surfaces, JSON encoding (syntactic vs semantic), the three breaks, what each proves, IronCurtain's fixes + residuals, the layered prescription, the audit vs benchmark distinction
TEST
06
Exam
15 questions, 20/40/40 Bloom distribution (3 recall / 6 application / 6 analysis), 70% pass; validated JSON with rationale per question
TEST
07
Lab Spec
Construct the Three CrabTrap Breaks — runnable simulation (Python 3.10+, type hints, no GPU, no external deps): build the simulated two-tier proxy with a mock judge + JSON defense + circuit breaker, execute Break 1 (judge manipulation), Break 2 (response-side compound chain), Break 3 (configuration-drift audit), measure each against InjecAgent deltas, map what IronCurtain fixes (~45-60 min)
DO
08
Module Web Page
Single-file HTML hub
HERE