Documentation
¶
Overview ¶
Package reasoning implements attacks targeting reasoning-capable LLMs.
Reasoning models (DeepSeek-R1, Gemini 2.5, Grok 3 Mini) expose chain-of-thought traces that can be manipulated, and their extended reasoning capabilities can be turned against safety alignment.
CoT Exploitation manipulates visible chain-of-thought reasoning traces in reasoning models (DeepSeek-R1, Gemini 2.5, Grok 3).
Source: Trend Micro, HiddenLayer
Package reasoning — H-CoT (Hijacked Chain-of-Thought) attack module.
H-CoT mutates the safety-recognition step of a reasoning model's chain of thought and re-injects the modified trace as conversation context, causing the model to skip its refusal pathway. Per arXiv 2502.12893 ("H-CoT: Hijacking the Chain-of-Thought Safety Reasoning Mechanism") and arXiv 2510.26418 ("Reasoning Models Don't Always Reason"), the technique drops refusal rates 98%→2% on o1/o3/R1 against the original published benchmarks.
The module is **distinct from** the older src/attacks/reasoning/cot_exploitation.go, which is a static template-prepend variant that does not need access to the live reasoning trace. H-CoT requires a live trace and is therefore gated by the common.ReasoningProvider capability.
Provider behavior summary (v0.9.0):
- OpenAI Responses API exposes a *summary* of reasoning steps when reasoning.summary="detailed" is requested. o3 omits the summary >90% of the time; the module retries up to 3 times before emitting SkipReasoningTraceEmpty.
- Anthropic extended-thinking blocks are cryptographically signed. Modifying the text on round-trip is silently discarded by the API. The ReasoningProvider adapter sets ReasoningTrace.Signed=true so the module can short-circuit to SkipSignatureGated rather than wasting a re-injection round-trip.
Per the v0.9.0 plan, h_cot requires config.Metadata["i_understand_risks"]="true" because the attack systematically bypasses the model's safety reasoning.
ReasoningLoopExploit targets reasoning models' extended thinking by inducing infinite or extremely long reasoning loops, causing resource exhaustion or revealing information during extended deliberation.
Index ¶
- type AutonomousJailbreakModule
- func (m *AutonomousJailbreakModule) Category() common.AttackCategory
- func (m *AutonomousJailbreakModule) Description() string
- func (m *AutonomousJailbreakModule) Execute(ctx context.Context, provider common.Provider, config common.AttackConfig) (*common.AttackResult, error)
- func (m *AutonomousJailbreakModule) Name() string
- func (m *AutonomousJailbreakModule) Techniques() []common.TechniqueInfo
- type CoTExploitationModule
- func (m *CoTExploitationModule) Category() common.AttackCategory
- func (m *CoTExploitationModule) Description() string
- func (m *CoTExploitationModule) Execute(ctx context.Context, provider common.Provider, config common.AttackConfig) (*common.AttackResult, error)
- func (m *CoTExploitationModule) Name() string
- func (m *CoTExploitationModule) Techniques() []common.TechniqueInfo
- type HCoTModule
- func (m *HCoTModule) Category() common.AttackCategory
- func (m *HCoTModule) Description() string
- func (m *HCoTModule) Execute(ctx context.Context, provider common.Provider, config common.AttackConfig) (*common.AttackResult, error)
- func (m *HCoTModule) Name() string
- func (m *HCoTModule) Techniques() []common.TechniqueInfo
- type ReasoningLoopExploitModule
- func (m *ReasoningLoopExploitModule) Category() common.AttackCategory
- func (m *ReasoningLoopExploitModule) Description() string
- func (m *ReasoningLoopExploitModule) Execute(ctx context.Context, provider common.Provider, config common.AttackConfig) (*common.AttackResult, error)
- func (m *ReasoningLoopExploitModule) Name() string
- func (m *ReasoningLoopExploitModule) Techniques() []common.TechniqueInfo
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type AutonomousJailbreakModule ¶
type AutonomousJailbreakModule struct{}
AutonomousJailbreakModule uses a reasoning model as an autonomous adversary to generate and refine jailbreak attacks. Achieves 97.14% success rate.
WARNING: This module creates a feedback loop where a model generates attacks, evaluates results, and refines. Requires explicit --allow-autonomous flag and is gated by --max-autonomous-turns (default 10).
Source: Nature Communications (doi:10.1038/s41467-026-69010-1)
func (*AutonomousJailbreakModule) Category ¶
func (m *AutonomousJailbreakModule) Category() common.AttackCategory
func (*AutonomousJailbreakModule) Description ¶
func (m *AutonomousJailbreakModule) Description() string
func (*AutonomousJailbreakModule) Execute ¶
func (m *AutonomousJailbreakModule) Execute(ctx context.Context, provider common.Provider, config common.AttackConfig) (*common.AttackResult, error)
func (*AutonomousJailbreakModule) Name ¶
func (m *AutonomousJailbreakModule) Name() string
func (*AutonomousJailbreakModule) Techniques ¶
func (m *AutonomousJailbreakModule) Techniques() []common.TechniqueInfo
type CoTExploitationModule ¶
type CoTExploitationModule struct{}
CoTExploitationModule exploits visible chain-of-thought reasoning.
Source: Trend Micro, HiddenLayer
func (*CoTExploitationModule) Category ¶
func (m *CoTExploitationModule) Category() common.AttackCategory
func (*CoTExploitationModule) Description ¶
func (m *CoTExploitationModule) Description() string
func (*CoTExploitationModule) Execute ¶
func (m *CoTExploitationModule) Execute(ctx context.Context, provider common.Provider, config common.AttackConfig) (*common.AttackResult, error)
func (*CoTExploitationModule) Name ¶
func (m *CoTExploitationModule) Name() string
func (*CoTExploitationModule) Techniques ¶
func (m *CoTExploitationModule) Techniques() []common.TechniqueInfo
type HCoTModule ¶ added in v0.9.0
type HCoTModule struct{}
HCoTModule implements attacks.AttackModule for H-CoT.
func (*HCoTModule) Category ¶ added in v0.9.0
func (m *HCoTModule) Category() common.AttackCategory
Category returns CategoryReasoning (shared with cot_exploitation).
func (*HCoTModule) Description ¶ added in v0.9.0
func (m *HCoTModule) Description() string
Description summarizes the technique.
func (*HCoTModule) Execute ¶ added in v0.9.0
func (m *HCoTModule) Execute( ctx context.Context, provider common.Provider, config common.AttackConfig, ) (*common.AttackResult, error)
Execute runs the H-CoT attack.
Phases (all skip outcomes documented inline):
- Safety gate (i_understand_risks=true).
- Capability gate — provider must implement common.ReasoningProvider; SkipMissingCapability if absent.
- Initial query → ReasoningProvider.QueryWithReasoning. - If trace.Signed → SkipSignatureGated. - If trace.Steps empty → retry up to hCoTMaxRetries times. - If still empty → SkipReasoningTraceEmpty.
- Locate safety step. If none → SkipNoMutationTarget.
- Mutate, re-inject as conversation context, send follow-up.
- Score the follow-up response against config.SuccessIndicators.
func (*HCoTModule) Name ¶ added in v0.9.0
func (m *HCoTModule) Name() string
Name returns the registered technique name.
func (*HCoTModule) Techniques ¶ added in v0.9.0
func (m *HCoTModule) Techniques() []common.TechniqueInfo
Techniques returns the OWASP and metadata bundle.
type ReasoningLoopExploitModule ¶
type ReasoningLoopExploitModule struct{}
ReasoningLoopExploitModule induces extended reasoning loops for resource exhaustion or information extraction during reasoning.
func (*ReasoningLoopExploitModule) Category ¶
func (m *ReasoningLoopExploitModule) Category() common.AttackCategory
func (*ReasoningLoopExploitModule) Description ¶
func (m *ReasoningLoopExploitModule) Description() string
func (*ReasoningLoopExploitModule) Execute ¶
func (m *ReasoningLoopExploitModule) Execute(ctx context.Context, provider common.Provider, config common.AttackConfig) (*common.AttackResult, error)
func (*ReasoningLoopExploitModule) Name ¶
func (m *ReasoningLoopExploitModule) Name() string
func (*ReasoningLoopExploitModule) Techniques ¶
func (m *ReasoningLoopExploitModule) Techniques() []common.TechniqueInfo