Documentation
¶
Overview ¶
Bad Likert Judge exploits LLM evaluation capabilities via Likert scale scoring.
The attack reframes harmful content generation as an evaluation task. By asking the model to rate content on a Likert scale (1-5) and then generate examples at each level, it bypasses safety filters that don't recognize evaluation framing as harmful. Achieves 60%+ ASR increase over plain prompts.
Source: Palo Alto Unit 42 (multi-turn technique research)
Crescendo implements benign-to-malicious multi-turn escalation.
The technique gradually escalates from completely innocuous requests to harmful ones over <5 turns, exploiting pattern-following and recency bias in LLM self-generated text. Each turn builds on the model's previous responses to establish a cooperative pattern.
Source: arXiv 2404.01833, USENIX Security 2025
Many-Shot Jailbreaking exploits long context windows via in-context learning.
The attack primes the model with many (100-10,000+) examples of a fictional AI assistant that complies with harmful requests. This in-context learning overwhelms safety training through sheer volume of demonstrations. Effective on models with large context windows (Llama 4 Scout 10M, GPT-5 400K, Claude 4.5 200K).
Payload construction is streamed to avoid buffering 40MB+ payloads in memory for 10M-token contexts.
Source: Anthropic Research (many-shot jailbreaking)
Skeleton Key implements multi-turn mode-switching to bypass model safety.
The attack convinces the model to enter a special "educational" or "testing" mode across multiple turns, then leverages that mode to request harmful content that would normally be refused. It exploits instruction-following behaviors in models that acknowledge and adopt behavioral modifications.
Source: Microsoft Security Blog (2024-06-26)
Index ¶
- type Action
- type AlwaysTrue
- type AttackAnalysis
- type AttackState
- type AttackStatus
- type AttackStrategy
- type BadLikertJudgeModule
- func (m *BadLikertJudgeModule) Category() common.AttackCategory
- func (m *BadLikertJudgeModule) Description() string
- func (m *BadLikertJudgeModule) Execute(ctx context.Context, provider common.Provider, config common.AttackConfig) (*common.AttackResult, error)
- func (m *BadLikertJudgeModule) Name() string
- func (m *BadLikertJudgeModule) Techniques() []common.TechniqueInfo
- type ComplianceAchieved
- type ComplianceLevelAbove
- type Condition
- type ConversationFlow
- type ConversationState
- type CrescendoModule
- func (m *CrescendoModule) Category() common.AttackCategory
- func (m *CrescendoModule) Description() string
- func (m *CrescendoModule) Execute(ctx context.Context, provider common.Provider, config common.AttackConfig) (*common.AttackResult, error)
- func (m *CrescendoModule) Name() string
- func (m *CrescendoModule) Techniques() []common.TechniqueInfo
- type DecisionEngine
- type DecisionRule
- type DeepenRecursion
- type Evidence
- type ExecutionStatus
- type ExtractComplianceLevel
- type FlowContext
- type FlowController
- type FlowEvent
- type FlowExecution
- type FlowNode
- type GradualContextBuilder
- type InMemoryStateStore
- type InformationExtracted
- type ManyShotModule
- func (m *ManyShotModule) Category() common.AttackCategory
- func (m *ManyShotModule) Description() string
- func (m *ManyShotModule) Execute(ctx context.Context, provider common.Provider, config common.AttackConfig) (*common.AttackResult, error)
- func (m *ManyShotModule) Name() string
- func (m *ManyShotModule) Techniques() []common.TechniqueInfo
- type MemoryPoisoningAttack
- type Message
- type MockProvider
- type MonitorContextWindow
- type MultiTurnOrchestrator
- type NodeType
- type OrchestratorConfig
- type RecursionDepthReached
- type ResponseContains
- type RoleConfusionAttack
- type SemanticDriftAttack
- type SimpleLogger
- type SkeletonKeyModule
- func (m *SkeletonKeyModule) Category() common.AttackCategory
- func (m *SkeletonKeyModule) Description() string
- func (m *SkeletonKeyModule) Execute(ctx context.Context, provider common.Provider, config common.AttackConfig) (*common.AttackResult, error)
- func (m *SkeletonKeyModule) Name() string
- func (m *SkeletonKeyModule) Techniques() []common.TechniqueInfo
- type StateCheckpoint
- type StateConfig
- type StateManager
- func (sm *StateManager) AnalyzeAttackProgress(attackState *AttackState) AttackAnalysis
- func (sm *StateManager) CreateAttackState(targetModel, attackType string) *AttackState
- func (sm *StateManager) GetCheckpoints(stateID string) []*StateCheckpoint
- func (sm *StateManager) RecordVulnerability(attackState *AttackState, vuln Vulnerability)
- func (sm *StateManager) RecoverState(stateID string) (*ConversationState, error)
- func (sm *StateManager) RegisterConversation(state *ConversationState) error
- func (sm *StateManager) RollbackToCheckpoint(checkpointID string) error
- func (sm *StateManager) UpdateState(stateID string, updater func(*ConversationState)) error
- type StateStore
- type SuccessCriterion
- type Transition
- type UpdateVariable
- type VariableEquals
- type Vulnerability
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type Action ¶
type Action interface {
Execute(context *FlowContext) error
}
Action performs operations during flow execution
type AlwaysTrue ¶
type AlwaysTrue struct{}
Condition implementations
func (*AlwaysTrue) Evaluate ¶
func (a *AlwaysTrue) Evaluate(context *FlowContext) bool
type AttackAnalysis ¶
type AttackAnalysis struct {
AttackID string
Duration time.Duration
ConversationCount int
VulnerabilityCount int
SuccessRate float64
Insights []string
VulnerabilityTypes map[string]int
}
AttackAnalysis contains attack analysis results
type AttackState ¶
type AttackState struct {
ID string
TargetModel string
AttackType string
StartTime time.Time
EndTime *time.Time
Status AttackStatus
SuccessMetrics map[string]float64
Conversations []*ConversationState
Vulnerabilities []Vulnerability
// contains filtered or unexported fields
}
AttackState tracks the overall attack progress
type AttackStatus ¶
type AttackStatus string
AttackStatus represents the attack state
const ( AttackStatusActive AttackStatus = "active" AttackStatusSuccess AttackStatus = "success" AttackStatusFailed AttackStatus = "failed" AttackStatusSuspended AttackStatus = "suspended" AttackStatusCompleted AttackStatus = "completed" )
type AttackStrategy ¶
type AttackStrategy interface {
Name() string
NextTurn(state *ConversationState) (string, error)
ShouldContinue(state *ConversationState) bool
ExtractInfo(response string, state *ConversationState) error
}
AttackStrategy defines a multi-turn attack approach
type BadLikertJudgeModule ¶ added in v0.8.0
type BadLikertJudgeModule struct{}
BadLikertJudgeModule implements the Bad Likert Judge attack.
func (*BadLikertJudgeModule) Category ¶ added in v0.8.0
func (m *BadLikertJudgeModule) Category() common.AttackCategory
func (*BadLikertJudgeModule) Description ¶ added in v0.8.0
func (m *BadLikertJudgeModule) Description() string
func (*BadLikertJudgeModule) Execute ¶ added in v0.8.0
func (m *BadLikertJudgeModule) Execute(ctx context.Context, provider common.Provider, config common.AttackConfig) (*common.AttackResult, error)
func (*BadLikertJudgeModule) Name ¶ added in v0.8.0
func (m *BadLikertJudgeModule) Name() string
func (*BadLikertJudgeModule) Techniques ¶ added in v0.8.0
func (m *BadLikertJudgeModule) Techniques() []common.TechniqueInfo
type ComplianceAchieved ¶
type ComplianceAchieved struct {
Level float64
}
func (*ComplianceAchieved) Description ¶
func (c *ComplianceAchieved) Description() string
func (*ComplianceAchieved) IsMet ¶
func (c *ComplianceAchieved) IsMet(context *FlowContext) bool
type ComplianceLevelAbove ¶
type ComplianceLevelAbove struct {
Threshold float64
}
func (*ComplianceLevelAbove) Evaluate ¶
func (c *ComplianceLevelAbove) Evaluate(context *FlowContext) bool
type Condition ¶
type Condition interface {
Evaluate(context *FlowContext) bool
}
Condition evaluates whether a transition should be taken
type ConversationFlow ¶
type ConversationFlow struct {
ID string
Name string
StartNode *FlowNode
Nodes map[string]*FlowNode
Variables map[string]interface{}
SuccessCriteria []SuccessCriterion
}
ConversationFlow defines a flow template
type ConversationState ¶
type ConversationState struct {
ID string
TurnCount int
Context []Message
ExtractedInfo map[string]interface{}
CurrentStrategy string
SuccessMetrics map[string]float64
// contains filtered or unexported fields
}
ConversationState tracks the state of a multi-turn attack
type CrescendoModule ¶ added in v0.8.0
type CrescendoModule struct{}
CrescendoModule implements the Crescendo multi-turn escalation attack.
func (*CrescendoModule) Category ¶ added in v0.8.0
func (m *CrescendoModule) Category() common.AttackCategory
func (*CrescendoModule) Description ¶ added in v0.8.0
func (m *CrescendoModule) Description() string
func (*CrescendoModule) Execute ¶ added in v0.8.0
func (m *CrescendoModule) Execute(ctx context.Context, provider common.Provider, config common.AttackConfig) (*common.AttackResult, error)
func (*CrescendoModule) Name ¶ added in v0.8.0
func (m *CrescendoModule) Name() string
func (*CrescendoModule) Techniques ¶ added in v0.8.0
func (m *CrescendoModule) Techniques() []common.TechniqueInfo
type DecisionEngine ¶
type DecisionEngine struct {
// contains filtered or unexported fields
}
Decision Engine for complex flow decisions
func NewDecisionEngine ¶
func NewDecisionEngine() *DecisionEngine
type DecisionRule ¶
type DecisionRule interface {
Evaluate(context *FlowContext) (string, bool)
}
type DeepenRecursion ¶
type DeepenRecursion struct {
MaxDepth int
}
func (*DeepenRecursion) Execute ¶
func (d *DeepenRecursion) Execute(context *FlowContext) error
type Evidence ¶
type Evidence struct {
ConversationID string
TurnNumber int
Prompt string
Response string
Timestamp time.Time
}
Evidence supports a vulnerability finding
type ExecutionStatus ¶
type ExecutionStatus string
ExecutionStatus represents the state of flow execution
const ( StatusRunning ExecutionStatus = "running" StatusSuccess ExecutionStatus = "success" StatusFailed ExecutionStatus = "failed" StatusSuspended ExecutionStatus = "suspended" )
type ExtractComplianceLevel ¶
type ExtractComplianceLevel struct{}
Action implementations
func (*ExtractComplianceLevel) Execute ¶
func (e *ExtractComplianceLevel) Execute(context *FlowContext) error
type FlowContext ¶
type FlowContext struct {
FlowID string
CurrentNodeID string
Variables map[string]interface{}
History []FlowEvent
Responses []string
StartTime time.Time
// contains filtered or unexported fields
}
FlowContext maintains execution state
type FlowController ¶
type FlowController struct {
// contains filtered or unexported fields
}
FlowController manages conversation flow and branching logic
func NewFlowController ¶
func NewFlowController() *FlowController
NewFlowController creates a new flow controller
func (*FlowController) ExecuteFlow ¶
func (fc *FlowController) ExecuteFlow(ctx context.Context, flowID string, target interface{}) (*FlowExecution, error)
ExecuteFlow starts executing a conversation flow
func (*FlowController) RegisterFlow ¶
func (fc *FlowController) RegisterFlow(flow *ConversationFlow)
RegisterFlow adds a new conversation flow
type FlowExecution ¶
type FlowExecution struct {
Flow *ConversationFlow
Context *FlowContext
Status ExecutionStatus
}
FlowExecution tracks active flow execution
type FlowNode ¶
type FlowNode struct {
ID string
Type NodeType
Content string
Transitions []Transition
Actions []Action
Metadata map[string]interface{}
}
FlowNode represents a node in the conversation flow
type GradualContextBuilder ¶
type GradualContextBuilder struct {
// contains filtered or unexported fields
}
GradualContextBuilder slowly builds malicious context
func (*GradualContextBuilder) ExtractInfo ¶
func (g *GradualContextBuilder) ExtractInfo(response string, state *ConversationState) error
func (*GradualContextBuilder) Name ¶
func (g *GradualContextBuilder) Name() string
func (*GradualContextBuilder) NextTurn ¶
func (g *GradualContextBuilder) NextTurn(state *ConversationState) (string, error)
func (*GradualContextBuilder) ShouldContinue ¶
func (g *GradualContextBuilder) ShouldContinue(state *ConversationState) bool
type InMemoryStateStore ¶
type InMemoryStateStore struct {
// contains filtered or unexported fields
}
InMemoryStateStore provides in-memory state storage
func NewInMemoryStateStore ¶
func NewInMemoryStateStore() *InMemoryStateStore
func (*InMemoryStateStore) Delete ¶
func (s *InMemoryStateStore) Delete(id string) error
func (*InMemoryStateStore) List ¶
func (s *InMemoryStateStore) List() ([]string, error)
type InformationExtracted ¶
type InformationExtracted struct {
MinItems int
}
Success criteria implementations
func (*InformationExtracted) Description ¶
func (i *InformationExtracted) Description() string
func (*InformationExtracted) IsMet ¶
func (i *InformationExtracted) IsMet(context *FlowContext) bool
type ManyShotModule ¶ added in v0.8.0
type ManyShotModule struct{}
ManyShotModule implements the many-shot jailbreaking attack.
func (*ManyShotModule) Category ¶ added in v0.8.0
func (m *ManyShotModule) Category() common.AttackCategory
func (*ManyShotModule) Description ¶ added in v0.8.0
func (m *ManyShotModule) Description() string
func (*ManyShotModule) Execute ¶ added in v0.8.0
func (m *ManyShotModule) Execute(ctx context.Context, provider common.Provider, config common.AttackConfig) (*common.AttackResult, error)
func (*ManyShotModule) Name ¶ added in v0.8.0
func (m *ManyShotModule) Name() string
func (*ManyShotModule) Techniques ¶ added in v0.8.0
func (m *ManyShotModule) Techniques() []common.TechniqueInfo
type MemoryPoisoningAttack ¶
type MemoryPoisoningAttack struct {
// contains filtered or unexported fields
}
MemoryPoisoningAttack attempts to poison conversation context
func (*MemoryPoisoningAttack) ExtractInfo ¶
func (m *MemoryPoisoningAttack) ExtractInfo(response string, state *ConversationState) error
func (*MemoryPoisoningAttack) Name ¶
func (m *MemoryPoisoningAttack) Name() string
func (*MemoryPoisoningAttack) NextTurn ¶
func (m *MemoryPoisoningAttack) NextTurn(state *ConversationState) (string, error)
func (*MemoryPoisoningAttack) ShouldContinue ¶
func (m *MemoryPoisoningAttack) ShouldContinue(state *ConversationState) bool
type Message ¶
type Message struct {
Role string // "user" or "assistant"
Content string
Timestamp time.Time
Metadata map[string]interface{}
}
Message represents a single turn in the conversation
type MockProvider ¶ added in v0.8.0
type MockProvider struct{}
MockProvider provides a mock provider for testing
func (*MockProvider) GetModel ¶ added in v0.8.0
func (m *MockProvider) GetModel() string
func (*MockProvider) GetName ¶ added in v0.8.0
func (m *MockProvider) GetName() string
type MonitorContextWindow ¶
type MonitorContextWindow struct{}
func (*MonitorContextWindow) Execute ¶
func (m *MonitorContextWindow) Execute(context *FlowContext) error
type MultiTurnOrchestrator ¶
type MultiTurnOrchestrator struct {
// contains filtered or unexported fields
}
MultiTurnOrchestrator coordinates complex multi-turn attacks
func NewMultiTurnOrchestrator ¶
func NewMultiTurnOrchestrator(config OrchestratorConfig) *MultiTurnOrchestrator
NewMultiTurnOrchestrator creates a new orchestrator
func (*MultiTurnOrchestrator) RegisterStrategy ¶
func (o *MultiTurnOrchestrator) RegisterStrategy(strategy AttackStrategy)
RegisterStrategy adds a new attack strategy
func (*MultiTurnOrchestrator) StartSession ¶
func (o *MultiTurnOrchestrator) StartSession(ctx context.Context, strategyName string, target interface{}) (*ConversationState, error)
StartSession begins a new multi-turn attack session
type OrchestratorConfig ¶
type OrchestratorConfig struct {
MaxTurns int
TurnTimeout time.Duration
ParallelSessions int
AdaptiveStrategies bool
MemoryRetention bool
}
OrchestratorConfig configures the orchestrator
type RecursionDepthReached ¶
type RecursionDepthReached struct {
Depth int
}
func (*RecursionDepthReached) Evaluate ¶
func (r *RecursionDepthReached) Evaluate(context *FlowContext) bool
type ResponseContains ¶
type ResponseContains struct {
Keywords []string
}
func (*ResponseContains) Evaluate ¶
func (r *ResponseContains) Evaluate(context *FlowContext) bool
type RoleConfusionAttack ¶
type RoleConfusionAttack struct {
// contains filtered or unexported fields
}
RoleConfusionAttack attempts to confuse the model about roles
func (*RoleConfusionAttack) ExtractInfo ¶
func (r *RoleConfusionAttack) ExtractInfo(response string, state *ConversationState) error
func (*RoleConfusionAttack) Name ¶
func (r *RoleConfusionAttack) Name() string
func (*RoleConfusionAttack) NextTurn ¶
func (r *RoleConfusionAttack) NextTurn(state *ConversationState) (string, error)
func (*RoleConfusionAttack) ShouldContinue ¶
func (r *RoleConfusionAttack) ShouldContinue(state *ConversationState) bool
type SemanticDriftAttack ¶
type SemanticDriftAttack struct {
// contains filtered or unexported fields
}
SemanticDriftAttack gradually shifts conversation topic
func (*SemanticDriftAttack) ExtractInfo ¶
func (s *SemanticDriftAttack) ExtractInfo(response string, state *ConversationState) error
func (*SemanticDriftAttack) Name ¶
func (s *SemanticDriftAttack) Name() string
func (*SemanticDriftAttack) NextTurn ¶
func (s *SemanticDriftAttack) NextTurn(state *ConversationState) (string, error)
func (*SemanticDriftAttack) ShouldContinue ¶
func (s *SemanticDriftAttack) ShouldContinue(state *ConversationState) bool
type SimpleLogger ¶ added in v0.8.0
type SimpleLogger struct{}
SimpleLogger provides a basic logger implementation
func (*SimpleLogger) Debug ¶ added in v0.8.0
func (l *SimpleLogger) Debug(msg string, keysAndValues ...interface{})
func (*SimpleLogger) Error ¶ added in v0.8.0
func (l *SimpleLogger) Error(msg string, keysAndValues ...interface{})
func (*SimpleLogger) Info ¶ added in v0.8.0
func (l *SimpleLogger) Info(msg string, keysAndValues ...interface{})
func (*SimpleLogger) Warn ¶ added in v0.8.0
func (l *SimpleLogger) Warn(msg string, keysAndValues ...interface{})
type SkeletonKeyModule ¶ added in v0.8.0
type SkeletonKeyModule struct{}
SkeletonKeyModule implements the Skeleton Key multi-turn attack.
func (*SkeletonKeyModule) Category ¶ added in v0.8.0
func (m *SkeletonKeyModule) Category() common.AttackCategory
func (*SkeletonKeyModule) Description ¶ added in v0.8.0
func (m *SkeletonKeyModule) Description() string
func (*SkeletonKeyModule) Execute ¶ added in v0.8.0
func (m *SkeletonKeyModule) Execute(ctx context.Context, provider common.Provider, config common.AttackConfig) (*common.AttackResult, error)
func (*SkeletonKeyModule) Name ¶ added in v0.8.0
func (m *SkeletonKeyModule) Name() string
func (*SkeletonKeyModule) Techniques ¶ added in v0.8.0
func (m *SkeletonKeyModule) Techniques() []common.TechniqueInfo
type StateCheckpoint ¶
type StateCheckpoint struct {
ID string
StateID string
Timestamp time.Time
TurnCount int
Data []byte
Metadata map[string]interface{}
}
StateCheckpoint represents a saved state
type StateConfig ¶
type StateConfig struct {
CheckpointInterval time.Duration
MaxCheckpoints int
PersistenceEnabled bool
CompressionEnabled bool
EncryptionEnabled bool
}
StateConfig configures the state manager
type StateManager ¶
type StateManager struct {
// contains filtered or unexported fields
}
StateManager handles persistence and recovery of conversation states
func NewStateManager ¶
func NewStateManager(config StateConfig, store StateStore) *StateManager
NewStateManager creates a new state manager
func (*StateManager) AnalyzeAttackProgress ¶
func (sm *StateManager) AnalyzeAttackProgress(attackState *AttackState) AttackAnalysis
AnalyzeAttackProgress analyzes overall attack progress
func (*StateManager) CreateAttackState ¶
func (sm *StateManager) CreateAttackState(targetModel, attackType string) *AttackState
CreateAttackState initializes a new attack state
func (*StateManager) GetCheckpoints ¶
func (sm *StateManager) GetCheckpoints(stateID string) []*StateCheckpoint
GetCheckpoints retrieves checkpoints for a state
func (*StateManager) RecordVulnerability ¶
func (sm *StateManager) RecordVulnerability(attackState *AttackState, vuln Vulnerability)
RecordVulnerability adds a discovered vulnerability
func (*StateManager) RecoverState ¶
func (sm *StateManager) RecoverState(stateID string) (*ConversationState, error)
RecoverState recovers a conversation state from checkpoint
func (*StateManager) RegisterConversation ¶
func (sm *StateManager) RegisterConversation(state *ConversationState) error
RegisterConversation adds a conversation to tracking
func (*StateManager) RollbackToCheckpoint ¶
func (sm *StateManager) RollbackToCheckpoint(checkpointID string) error
RollbackToCheckpoint restores state to a checkpoint
func (*StateManager) UpdateState ¶
func (sm *StateManager) UpdateState(stateID string, updater func(*ConversationState)) error
UpdateState updates conversation state and creates checkpoint if needed
type StateStore ¶
type StateStore interface {
Save(id string, state []byte) error
Load(id string) ([]byte, error)
Delete(id string) error
List() ([]string, error)
}
StateStore interface for persisting states
type SuccessCriterion ¶
type SuccessCriterion interface {
IsMet(context *FlowContext) bool
Description() string
}
SuccessCriterion defines success conditions
type Transition ¶
Transition defines how to move between nodes
type UpdateVariable ¶
type UpdateVariable struct {
Name string
Value interface{}
}
func (*UpdateVariable) Execute ¶
func (u *UpdateVariable) Execute(context *FlowContext) error
type VariableEquals ¶
type VariableEquals struct {
Name string
Value interface{}
}
func (*VariableEquals) Evaluate ¶
func (v *VariableEquals) Evaluate(context *FlowContext) bool