"front" "back" "tags" "What is the thesis of SDD-B01, and how does it relate to B9?" "B9 reads the OWASP Agentic Top 10 (ASI01–ASI10) as a BUILDER — one risk, one control, one test, scored report. SDD-B01 reads the SAME ten rows as an ATTACKER — one risk, one attack procedure, the evasion that defeats the control, and the chain across rows. Same numbering, different artifact. The gap between 'the control passed its test' and 'the system holds under an adversary' is the entire engagement." c2b::sddb01::analysis "What is the load-bearing evasion pattern, and why does it recur for every row?" "Every OWASP defense has a known evasion, and it is almost always the INDIRECT channel the defense's per-row test does not exercise. The test verifies the DIRECT surface (direct injection, tool count, dot-dot-slash); the attacker arrives on the INDIRECT surface (trusted tool output, credential scope, selection-layer confusion). The test closed the vector it names; the attacker arrives on the class beneath. This is why per-row tests PASS while engagements still produce findings." c2b::sddb01::analysis "Give the offensive procedure for ASI01 Goal Hijacking — the attack in depth and the evasion." "ATTACK: drift, not single-shot injection. An indirect injection through a tool output/retrieved doc shifts framing across turns until the sub-goal diverges — no single instruction 'hijacked.' EVASION: the injection arrives in a tool output the harness marked TRUSTED, bypassing the taint gate. Goal-reaffirmation fires every N turns but N > the drift's timescale, so the checkpoint reconciles against the contaminated state. Deployed agents resist 'Ignore previous instructions'; drift is the deployed attack." c2b::sddb01::application "Give the offensive procedure for ASI02 Prompt Leakage — the attack and the evasion vs canaries." "ATTACK: multi-turn rapport-building — over 5-10 turns elicit capabilities, constraints, config in small paraphrased pieces that feel like helpfulness. EVASION: the canary is a fixed string; the attacker's prompt never contains it and the agent never outputs it verbatim — disclosure is paraphrased and distributed across turns. Egress verification checks for the canary substring; paraphrased disclosure passes. ASI02 is RECONNAISSANCE (enabling step), not impact." c2b::sddb01::application "Give the offensive procedure for ASI04 Memory Poisoning — the attack and the evasion vs managed writes." "ATTACK: taint-laundering through a TRUSTED SINK. The agent is tricked into writing a poisoned entry via a legitimate trusted memory tool (save_preference), so the entry inherits the TOOL's trust, not the injection's taint. EVASION: the harness tags provenance at the WRITE boundary; the origin of the write (the injected instruction) is UPSTREAM of that boundary, so the write looks legitimately user-preference-shaped. The harness blocks forbidden write paths; it cannot block the agent's own legitimate write path being abused." c2b::sddb01::application "Give the offensive procedure for ASI06 Cascading Hallucination — the attack and why it is MEASURED." "ATTACK: unverified-claim propagation. The agent makes a claim requiring NO citation under policy (inference, summary, opinion) and that claim propagates as 'fact' into downstream reasoning, compounding across turns. EVASION: the verifier inspects the CITATION layer; the hallucination enters as REASONING (exempt from citation) and propagates as fact. WHY MEASURED: hallucination-detection has a miss rate — the residual is the miss rate, which no deterministic test can express. The verifier catches fabricated citations; it cannot catch the agent's own unwarranted inferences." c2b::sddb01::analysis "Give the offensive procedure for ASI03 Excessive Agency — the 'load-bearing capability' concept." "ATTACK: exploit the load-bearing capability that SURVIVED minimization because a benign task required it. A reporting agent needs billing:read; the scoped credential also grants billing:write against a different endpoint because the cloud provider scopes at service level, not method level. EVASION: capability enumeration proves minimality at the TOOL-NAME/schema level; the over-privilege lives at the CREDENTIAL-SCOPE level, which enumeration treats as a property of the tool, not an inspectable surface. The test closed 'agent has too many tools'; it did not close 'agent's credential has too many permissions.'" c2b::sddb01::analysis "Give the offensive procedure for ASI05 Tool/Skill Abuse — semantic path confusion." "ATTACK: register a tool whose DESCRIPTION overlaps a privileged tool's (or whose argument names shadow a privileged argument), causing the dispatch layer to route to the wrong tool. EVASION: path normalization, schema validation, and the legitimate tool's contract all PASS their B9 tests. The abuse is in the SELECTION LAYER — a semantic surface with no deterministic test. B9 confirms paths normalize and schemas validate; it does not confirm two tools with overlapping descriptions are disambiguated unambiguously, because that is semantic." c2b::sddb01::application "Give the offensive procedure for ASI08 Supply Chain — the 'signed-but-malicious' concept." "ATTACK: a typosquatted or evil-twin dependency with a VALID signature, because signature verifies the PUBLISHER's identity, not the package's BENIGNITY. A malicious package signed by its malicious publisher passes signature verification. An evil-twin MCP server with a similar name is trusted because the registry doesn't enforce uniqueness. EVASION: the signed-manifest test verifies signature validity + known-publisher — neither equals benign. The agent SBOM enumerates dependencies; it cannot certify each is benign. The test closed 'unsigned package'; it did not close 'signed-but-malicious.'" c2b::sddb01::analysis "Give the offensive procedure for ASI10 Broken Access Control — inter-agent trust escalation." "ATTACK: a low-privilege sub-agent (compromised via ASI04) forges a message to a higher-privilege orchestrator; the orchestrator executes because it treats sub-agent messages as role-scoped authority, not untrusted input. EVASION: principal binding PASSED at both ends (message came from sub-agent's valid principal). The escalation happened because the orchestrator TRUSTED that principal beyond the sub-agent's actual authority. The access-control test confirms principals are bound; it does not confirm inter-agent messages are re-authorized against the REQUEST's privilege requirement, not the SENDER's role." c2b::sddb01::application "Give the offensive procedure for ASI07 Insecure Output Handling — 'output-as-input.'" "ATTACK: output-as-input to a downstream agent. The output is sanitized for a HUMAN reader (HTML-escaped, schema-valid JSON) but consumed by a DOWNSTREAM AGENT that interprets a structurally-valid field as an instruction. Agent A emits {summary: 'reply YES to confirm'}; sanitizer passes; Agent B interprets the summary as instruction and replies. EVASION: the sanitizer escapes for HTML/shell/SQL. The downstream agent's rendering context is NATURAL LANGUAGE — no escape syntax exists for 'this string is data, not an instruction.' B9 confirms output sanitized for its DECLARED consumer; the consumer was an agent." c2b::sddb01::analysis "Give the offensive procedure for ASI09 Resource Exhaustion — the under-threshold loop." "ATTACK: cost amplification via a tool loop where each call is UNDER-THRESHOLD. The agent is goal-hijacked into querying a search tool 10,000 times, one term at a time. Each call is under the per-call cap and within rate limit; the circuit breaker sees 10,000 individually-legitimate calls. EVASION: the breaker trips when a single action exceeds threshold; the malice is in the COUNT, not the CALL. A session-level cap would catch it, but session-level caps are the layer most harnesses OMIT (they conflict with legit long-running tasks)." c2b::sddb01::application "State the three recurring cross-row chains and their impact classes." "CHAIN 1 (exfiltration): ASI07→01→05→03 — output-as-input → goal drift → tool dispatched → over-scoped cap exercised → data exfiltration/lateral movement. CHAIN 2 (persistence): ASI02→04→06 — capability disclosed → memory poisoned via trusted write → poisoned entry propagates as unverified fact → backdoor surviving session restarts. CHAIN 3 (escalation): ASI08→05→10 — signed-but-malicious MCP → dispatch via collision → action under orchestrator trust → privileged action with forged authority. Every link PASSED its B9 control; the compound is the finding." c2b::sddb01::analysis "Why is 'the compound is the finding, not the row' the central offensive claim?" "B9 tests rows in ISOLATION and reports eight PASS. The attacker reads the same eight PASS and CHAINS across the boundaries the isolation created. Each link individually passes its B9 control; the malice lives in the composition. A red team that runs one procedure per row and reports ten results has MISSED the finding — the modes compose into chains. Design engagements as chains that cross rows (a supply-chain compromise enables capability disclosure enables a goal-hijack enables a zero-click bypass). The chain is the finding." c2b::sddb01::analysis "Why are the two MEASURED rows NOT the only probabilistic surfaces?" "ASI01 and ASI06 are MEASURED because the standard ADMITS the residual (detector bypass rate; hallucination miss rate). But EVERY row has a residual. The eight PASS/FAIL rows are PASS/FAIL only because the deterministic test closed ONE VECTOR, not the class: ASI03's enumeration doesn't inspect the over-scoped credential; ASI05's normalization doesn't inspect the selection layer; ASI08's signature doesn't inspect benignity; ASI10's binding doesn't inspect the trust assumption. The two MEASURED rows are where the standard is honest; the eight PASS/FAIL rows are where it is silent — and that silence is the offense team's first opening." c2b::sddb01::analysis "What does 'closed at the vector, open at the class' mean, and why is it the offense team's opening?" "A PASS/FAIL row is closed at the VECTOR the deterministic test names (direct injection closed; extra tools closed; dot-dot-slash closed; unsigned package closed). It is OPEN at the CLASS beneath (trusted-output injection; credential scope; selection confusion; signed-but-malicious). The test cannot express the class beneath because the class is semantic or structural-but-uninspected. Treating the eight PASS/FAIL rows as fully closed is the FIRST MISTAKE an offense team exploits. The residual beneath the PASS is exactly what the offensive procedure finds." c2b::sddb01::analysis "Why is a row that PASSed B9 and FAILed SDD-B01 NOT a contradiction?" "It is the definition of a RESIDUAL the deterministic test cannot express. B9's test is honest about WHAT IT CAN EXPRESS — the direct vector. The offensive procedure finds the indirect class the test never touched. The two results describe different surfaces of the same control. This is why B12 packages BOTH: the scored report (B9, what the test can express) and the chains (SDD-B01, what it cannot). Neither alone is sufficient — B9 misses the between-row chains; SDD-B01 misses the missing taint gate B9 catches with one test." c2b::sddb01::analysis "Why is single-shot goal-hijack testing an anti-pattern, and what is the cure?" "Deployed agents RESIST single direct injections ('Ignore previous instructions'). Testing single-shot payloads and reporting a low ASI01 bypass rate measures the WRONG thing — it measures resistance to an attack no real adversary uses. The deployed attack is DRIFT across turns (indirect injection shifting framing over 5-10 turns). CURE: test multi-turn framing drift and score goal divergence against a BASELINE over multiple turns, not single-shot success rate. The bypass rate that matters is the drift rate, not the direct-injection rate." c2b::sddb01::application "Why is 'assuming the sanitizer covers the downstream agent' an anti-pattern?" "Output sanitization is tuned for a DECLARED consumer (human, HTML, shell). When the consumer is a DOWNSTREAM AGENT, the natural-language field has NO ESCAPE SYNTAX for 'this string is data, not an instruction.' The sanitizer escapes for HTML/shell/SQL contexts; natural language is not an escapable context. CURE: treat agent-to-agent outputs as UNTRUSTED at the receiving agent's instruction boundary, regardless of sanitizer state. The sanitizer's PASS proves nothing about the agent-consumer threat model." c2b::sddb01::analysis "How do ASI02 (disclosure) and ASI07 (output) function as enabling steps rather than impact?" "ASI02 capability disclosure is RECONNAISSANCE, not impact — score it by the chain it ENABLES (leaked schema → targeted ASI05; leaked policy → crafted ASI03 request), not by what leaked. ASI07 insecure output is the ENTRY POINT of the most common compound chain (07→01→05→03) — the unsanitized-as-instruction output drifts the goal, invokes the tool, exercises the capability. Neither is high-impact alone; both are the first link. A red team that scores them by their direct effect UNDERSTATES severity. The Microsoft taxonomy (B10) frames ASI02's analogue (Mode 7) the same way." c2b::sddb01::analysis