reasoning

package
v0.12.0 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jun 23, 2026 License: MIT Imports: 6 Imported by: 0

Documentation

Overview

Package reasoning implements attacks targeting reasoning-capable LLMs.

Reasoning models (DeepSeek-R1, Gemini 2.5, Grok 3 Mini) expose chain-of-thought traces that can be manipulated, and their extended reasoning capabilities can be turned against safety alignment.

CoT Exploitation manipulates visible chain-of-thought reasoning traces in reasoning models (DeepSeek-R1, Gemini 2.5, Grok 3).

Source: Trend Micro, HiddenLayer

Package reasoning — H-CoT (Hijacked Chain-of-Thought) attack module.

H-CoT mutates the safety-recognition step of a reasoning model's chain of thought and re-injects the modified trace as conversation context, causing the model to skip its refusal pathway. Per arXiv 2502.12893 ("H-CoT: Hijacking the Chain-of-Thought Safety Reasoning Mechanism") and arXiv 2510.26418 ("Reasoning Models Don't Always Reason"), the technique drops refusal rates 98%→2% on o1/o3/R1 against the original published benchmarks.

The module is **distinct from** the older src/attacks/reasoning/cot_exploitation.go, which is a static template-prepend variant that does not need access to the live reasoning trace. H-CoT requires a live trace and is therefore gated by the common.ReasoningProvider capability.

Provider behavior summary (v0.9.0):

  • OpenAI Responses API exposes a *summary* of reasoning steps when reasoning.summary="detailed" is requested. o3 omits the summary >90% of the time; the module retries up to 3 times before emitting SkipReasoningTraceEmpty.
  • Anthropic extended-thinking blocks are cryptographically signed. Modifying the text on round-trip is silently discarded by the API. The ReasoningProvider adapter sets ReasoningTrace.Signed=true so the module can short-circuit to SkipSignatureGated rather than wasting a re-injection round-trip.

Per the v0.9.0 plan, h_cot requires config.Metadata["i_understand_risks"]="true" because the attack systematically bypasses the model's safety reasoning.

ReasoningLoopExploit targets reasoning models' extended thinking by inducing infinite or extremely long reasoning loops, causing resource exhaustion or revealing information during extended deliberation.

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

This section is empty.

Types

type AutonomousJailbreakModule

type AutonomousJailbreakModule struct{}

AutonomousJailbreakModule uses a reasoning model as an autonomous adversary to generate and refine jailbreak attacks. Achieves 97.14% success rate.

WARNING: This module creates a feedback loop where a model generates attacks, evaluates results, and refines. Requires explicit --allow-autonomous flag and is gated by --max-autonomous-turns (default 10).

Source: Nature Communications (doi:10.1038/s41467-026-69010-1)

func (*AutonomousJailbreakModule) Category

func (*AutonomousJailbreakModule) Description

func (m *AutonomousJailbreakModule) Description() string

func (*AutonomousJailbreakModule) Execute

func (*AutonomousJailbreakModule) Name

func (*AutonomousJailbreakModule) Techniques

type CoTExploitationModule

type CoTExploitationModule struct{}

CoTExploitationModule exploits visible chain-of-thought reasoning.

Source: Trend Micro, HiddenLayer

func (*CoTExploitationModule) Category

func (*CoTExploitationModule) Description

func (m *CoTExploitationModule) Description() string

func (*CoTExploitationModule) Execute

func (*CoTExploitationModule) Name

func (m *CoTExploitationModule) Name() string

func (*CoTExploitationModule) Techniques

func (m *CoTExploitationModule) Techniques() []common.TechniqueInfo

type HCoTModule added in v0.9.0

type HCoTModule struct{}

HCoTModule implements attacks.AttackModule for H-CoT.

func (*HCoTModule) Category added in v0.9.0

func (m *HCoTModule) Category() common.AttackCategory

Category returns CategoryReasoning (shared with cot_exploitation).

func (*HCoTModule) Description added in v0.9.0

func (m *HCoTModule) Description() string

Description summarizes the technique.

func (*HCoTModule) Execute added in v0.9.0

func (m *HCoTModule) Execute(
	ctx context.Context,
	provider common.Provider,
	config common.AttackConfig,
) (*common.AttackResult, error)

Execute runs the H-CoT attack.

Phases (all skip outcomes documented inline):

  1. Safety gate (i_understand_risks=true).
  2. Capability gate — provider must implement common.ReasoningProvider; SkipMissingCapability if absent.
  3. Initial query → ReasoningProvider.QueryWithReasoning. - If trace.Signed → SkipSignatureGated. - If trace.Steps empty → retry up to hCoTMaxRetries times. - If still empty → SkipReasoningTraceEmpty.
  4. Locate safety step. If none → SkipNoMutationTarget.
  5. Mutate, re-inject as conversation context, send follow-up.
  6. Score the follow-up response against config.SuccessIndicators.

func (*HCoTModule) Name added in v0.9.0

func (m *HCoTModule) Name() string

Name returns the registered technique name.

func (*HCoTModule) Techniques added in v0.9.0

func (m *HCoTModule) Techniques() []common.TechniqueInfo

Techniques returns the OWASP and metadata bundle.

type ReasoningLoopExploitModule

type ReasoningLoopExploitModule struct{}

ReasoningLoopExploitModule induces extended reasoning loops for resource exhaustion or information extraction during reasoning.

func (*ReasoningLoopExploitModule) Category

func (*ReasoningLoopExploitModule) Description

func (m *ReasoningLoopExploitModule) Description() string

func (*ReasoningLoopExploitModule) Execute

func (*ReasoningLoopExploitModule) Name

func (*ReasoningLoopExploitModule) Techniques

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL