Module SDD-B05 — IronCurtain Offensive Analysis

IronCurtain Offensive Analysis

The defense to beat. IronCurtain (Course 1 DD-20) is the deterministic governance + credential quarantine system — the strongest single defense in the roster. This deep-dive dissects its attack surface: the compilation-fidelity attack (the deterministic policy is compiled by a probabilistic LLM, so the build-time compilation is the weak link — a miscompilation enforced consistently); the V8 isolate escape (the sandbox is a V8 isolate with escape CVE history, and the credential quarantine holds only as long as it does); the escalation-fatigue attack (flood the human-in-the-loop with approval requests until they rubber-stamp — the deterministic system still needs a human for edge cases). The offensive analysis of the strongest defense: how to break IronCurtain, what each break proves, and the residual risks that motivate defense-in-depth.

45
minutes
8
artifacts
3
sub-sections
SDD-B04 attacked CrabTrap and prescribed the deterministic-first fix: IronCurtain. This deep-dive is where that fix is itself attacked. The honest question — if IronCurtain has no runtime judge, where is the surface? — has three answers. The deterministic policy is compiled by a probabilistic LLM (the LLM was not eliminated; it was relocated to build time, and a miscompilation is enforced consistently). The sandbox is a V8 isolate (which has had escape CVEs, and the credential quarantine holds only as long as it does). And the deterministic system still needs a human for edge cases (who can be fatigued into rubber-stamping — the deterministic analogue of CrabTrap's latency/cost pressure). Each break is measured — compilation-fidelity drift rate, escalation-fatigue delta, isolate CVE audit — and each proves that no single layer suffices. This is B2's thesis completed: even IronCurtain, the strongest single defense, has structural residuals. The only complete answer is layers.
Key Claims
Load-Bearing Claims

The LLM was not eliminated; it was relocated — and the compilation step is the load-bearing attack surface. IronCurtain's thesis is that LLMs are stochastic and policy must be deterministic, so it removes the LLM from runtime (pure if/then, zero LLM, no judge to inject). But the compilation pipeline (Annotate, Compile, Resolve Lists, Generate Scenarios, Verify & Repair) is ALL LLM calls at build time. A probabilistic system is producing the rules a deterministic system enforces. If the build-time LLM miscompiles — via constitution ambiguity, scenario coverage gaps, or resolved-list poisoning — the wrong rule is baked into the deterministic runtime and enforced CONSISTENTLY. Where CrabTrap's judge might refuse an exfil on a given request, IronCurtain's miscompiled rule permits it every time. Verify-and-repair mitigates but does not eliminate: it is a second LLM checking the first, and two probabilistic systems agreeing is not a deterministic guarantee. The measurement is a compilation-fidelity drift rate (the % of fuzzed constitutions producing a permissive rule).

The credential quarantine holds only as long as the V8 isolate does — and the isolate is one memory-corruption bug from defeat. IronCurtain Code Mode runs agent TypeScript in a V8 isolate (isolated-vm) with per-call fuel and memory limits. The agent holds FAKE keys; the REAL keys live in the proxy's host process. The isolation between them is the only thing preventing a compromised agent from reaching the real credentials. V8 and isolated-vm have a history of sandbox-escape CVEs (type confusion, bounds errors, JIT bugs, GC edge cases). An isolate escape is the path from 'compromised agent' to 'real credentials' — and it defeats the strongest primitive in the course. This is an escape-path analysis (the course does not teach V8 exploitation), measured as a dependency-CVE audit: is the deployed version current? Are there known escape CVEs? The prescription treats the isolate as one layer among several, not the load-bearing boundary.

Escalation fatigue is the deterministic analogue of CrabTrap's latency/cost pressure — a human fatigued into rubber-stamping is as steerable as a judge. IronCurtain escalates edge cases (ambiguous tool calls) to a human (terminal mux, Signal). The human is the probabilistic component the deterministic design cannot eliminate. An attacker generates ambiguous tool calls to flood the escalation channel; under volume fatigue, contextual fatigue (approve-by-analogy, missing the difference), and timing fatigue, the human's allow decisions degrade into rubber-stamping. This is the same structural property as SDD-B04 Break 3: a defense expensive to honor (in human attention) is a defense the human defeats. Measured via a fatigue simulator (approval-rate delta rested vs fatigued, e.g. 4%→31%). Rate-limiting, batching, and the two-person rule bound the residual but do not eliminate it.

The prescription is layered, not a swap — and this is B2's thesis completed: no single layer suffices, not even IronCurtain. SDD-B03 measured that layered defenses reach single-digit injection rates. SDD-B04 demonstrated CrabTrap has residuals and prescribed the deterministic-first fix. SDD-B05 completes the argument: even IronCurtain, the strongest single defense, has structural residuals (compilation fidelity, isolate boundary, escalation fatigue) that are properties of any single-layer defense, not implementation bugs. The four-layer prescription keeps the deterministic runtime (strongest single layer) and layers around it: (1) human review gate for the compilation residual; (2) sandbox defense-in-depth (isolate→seccomp/capability→egress) for the isolate residual; (3) escalation rate-limiting for the fatigue residual; (4) a probabilistic second layer (LLM-as-judge for escalated cases ONLY, positioned AFTER deterministic) for ambiguous cases. Each layer addresses a residual the others leave. No single layer is load-bearing; each is a backstop.

After This Module
01
Map IronCurtain's attack surface from the offensive side: the offline compilation pipeline (a probabilistic LLM compiling the deterministic rules), the V8 isolate (the sandbox the credential quarantine depends on), and the escalate-to-human mechanism — and identify the three primary attack surfaces and what each proves about the deterministic thesis.
02
Construct the compilation-fidelity attack (Break 1) via constitution ambiguity, scenario coverage gaps, and resolved-list poisoning; explain what verify-and-repair does and does not stop (it is a second LLM checking the first); and state what a successful break proves (relocating the LLM concentrates it).
03
Explain the V8 isolate boundary (Break 2) as a real but escape-prone sandbox: the historical isolated-vm/V8 CVEs, the per-call fuel and memory limits as partial defense, and what an isolate escape would mean for the credential quarantine — and frame it as an escape-path analysis measured by a dependency-CVE audit.
04
Analyze the escalation-fatigue attack (Break 3): volume, contextual, and timing fatigue patterns; why it is the deterministic analogue of CrabTrap's latency/cost pressure; and what rate-limiting, batching, and the two-person rule partially control.
05
For each break, state what it proves, what residual risk remains after IronCurtain's mitigation, and why no single layer suffices — framing the whole analysis as the motivation for defense-in-depth (B2's thesis).
06
Translate the IronCurtain offensive analysis into an engagement deliverable: the compilation-fidelity fuzz harness (drift rate), the escalation-fatigue simulator (approval-rate delta), the isolate CVE audit, and the four-layer prescription the client patches toward.
Artifacts
01
Teaching Document
~3,500 words; 3 sub-sections — the attack surface map (compilation pipeline, V8 isolate, escalation channel; the LLM was relocated not eliminated), the three breaks (compilation fidelity with drift rate, V8 isolate escape-path analysis, escalation fatigue with simulator delta), defense-in-depth (the four-layer prescription + B2's thesis completed); with anti-patterns, key terms, references
READ
02
Diagrams
5 Mermaid diagrams — IronCurtain architecture as attack-surface map (3 surfaces), Break 1 compilation fidelity (3 vectors through verify-and-repair), Break 2 V8 isolate boundary and the quarantine's structural dependence, Break 3 escalation fatigue (3 patterns, the latency/cost analogue), the four-layer defense-in-depth prescription
READ
03
Slide Deck
13 slides — reveal.js, dark theme, design-system teal; covers why IronCurtain is the defense to beat, the LLM relocated not eliminated, three surfaces, the three breaks, the layered prescription, B2's thesis completed
READ
04
Teaching Script
Verbatim teaching transcript with [SLIDE N] cues, ~3,000 words spoken at ~140 wpm across 13 slide cues
READ
05
Flashcards
18 flashcards (TSV) — mix of recall and analysis; covers the three surfaces, compilation fidelity (3 vectors, verify-and-repair limits), V8 isolate escape-path analysis, escalation fatigue (3 patterns), the four-layer prescription, B2's thesis, why the probabilistic second layer doesn't reintroduce CrabTrap's vulnerability
TEST
06
Exam
15 questions, 20/40/40 Bloom distribution (3 recall / 6 application / 6 analysis), 70% pass; validated JSON with rationale per question
TEST
07
Lab Spec
Attack IronCurtain's Three Surfaces — runnable simulation (Python 3.10+, type hints, no GPU, no external deps): build the simulated compilation pipeline with fidelity-gap model, fuzz harness for drift rate, escalation-fatigue simulator with rested/fatigued delta, V8-isolate CVE audit, four-layer prescription assembly (~45-60 min)
DO
08
Module Web Page
Single-file HTML hub
HERE