Skip to main content

K9X Satan — adversarial red-team harness for K9-AIF. Fires structured attacks at a live K9-AIF pipeline and proves K9X Shield containment.

Project description

K9x Satan — Security Analysis Tool for Agentic Networks

Adversarial test harness for K9X Shield.

Satan generates structured attacks against a live K9-AIF pipeline and verifies that every attack is stopped at the Router or Orchestrator boundary. Any attack that reaches a Squad or Agent is a finding — not a partial pass.


Containment Contract

Attack → Router (ingress gate)       → BLOCKED  ✓
              ↓ if not blocked
         Orchestrator (egress gate)  → BLOCKED  ✓
              ↓ if not blocked
         Squad / Agent               → FINDING  ✗  (Shield failed)

Defense in Depth — Two Independent Layers

K9X Shield applies deterministic, policy-driven checks — 13 handlers total, wired into the Router's ingress VulnerabilityChain and the Orchestrator's egress VulnerabilityChain. Explainable, zero LLM cost, evaluated identically every run. Evadable by paraphrase, encoding, or wording changes no regex list can enumerate in advance.

IBM Guardian (granite4.1-guardian:8b via Ollama) is an optional semantic layer wrapping every agent's pre/post hooks — it catches paraphrased injection, subtle goal hijacking, and disguised privilege escalation that survive the pattern layer. Neither replaces the other: Shield holds with Guardian disabled entirely (NoopGovernance, the default); Guardian only ever adds coverage on top.

Guardian unavailability (timeout, HTTP error, unreachable endpoint) is never silently treated as "SAFE" — it produces an explicit UNAVAILABLE verdict, and governance.on_guardian_unavailable in config/config.yaml decides the policy: fail_closed (default — blocks/redacts), fail_open (documented risk), or inconclusive (flags without blocking).

A third governance option, ShieldGovernance (k9_aif_abb.k9_security.vulnerability), wires the same check classes Router/Orchestrator already use, but at the agent pre/post hook level — a second valid architectural point for the same VulnerabilityChain ABB.

Prove what Guardian adds instead of asserting it:

python -m k9x_satan.runner.satan_runner --target http://localhost:6660 \
    --suite full --compare-governance

Fires every attack twice — deterministic-only, then deterministic + Guardian — and reports which findings Guardian closed. A regression (Guardian making a previously-contained attack pass) is flagged as a bug, not a result.


Complete Check Inventory

# Check Stage Owner Threat Class
1 RequestFrequencyCheck Ingress Satan SBB Unbounded Consumption — OWASP LLM10
2 InputSizeCheck Ingress Framework OOB Token-flood / oversized payload — OWASP LLM10
3 PromptInjectionCheck Ingress Framework OOB Indirect Prompt Injection — Zscaler #1 · OWASP LLM01
4 FieldAnomalyCheck Ingress Satan SBB Authority-override social engineering
5 MemoryPoisoningCheck Ingress Satan SBB Memory Poisoning — Zscaler #3 · OWASP LLM04
6 SemanticDriftCheck Egress Framework OOB Goal Hijacking & Privilege Escalation — Zscaler #2 · OWASP LLM06
7 ExecutionGuardCheck Egress Framework OOB Destructive execution — Zscaler #2 · OWASP LLM06
8 PIIBoundaryCheck Egress Framework OOB Sensitive Info Disclosure — OWASP LLM02
9 ToolArgumentCheck Egress Framework OOB Tool Abuse — poisoned arguments — Zscaler #4 · OWASP LLM05
10 HardcodedCredentialCheck Egress Framework OOB Supply chain / secret leakage — OWASP LLM03
11 ToolAuthorizationCheck Egress Satan SBB Shadow AI — unapproved tool — Zscaler #4
12 SystemPromptLeakageCheck Egress Satan SBB System Prompt Leakage — OWASP LLM07
13 OutputSanitizationCheck Egress Satan SBB Improper Output Handling — OWASP LLM05
GuardianGovernance Agent pre/post Satan SBB Semantic evasion of all 13 above (cross-cutting, optional)

Out of scope by design (not runtime-checkable at the payload level): training-data poisoning, vector/embedding attacks (no RAG in this target), misinformation/hallucination.


Structure

k9x_satan/
├── target/               ← the pipeline under test (SBBs extending K9-AIF ABBs)
│   ├── router.py              DocumentRouter — ingress Shield (5 checks)
│   ├── orchestrator.py        DocumentOrchestrator — egress Shield (8 checks)
│   ├── squad.py               DocumentProcessingSquad + governance selection
│   ├── agents.py               DocumentExtractionAgent, AuditAgent
│   ├── guardian_governance.py  IBM Granite Guardian semantic layer
│   ├── field_anomaly_check.py, memory_poisoning_check.py,
│   │   tool_authorization_check.py, system_prompt_leakage_check.py,
│   │   output_sanitization_check.py, request_frequency_check.py
│   │                           Satan-local BaseVulnerabilityCheck SBBs
│   └── extractor.py            DoclingExtractor — pre-Shield field extraction
├── attacks/               ← BaseAttack subclasses (the red team) — 13 implemented
├── corpus/                ← malicious document and payload samples
├── fake_search/           ← lightweight server returning poisoned search results
├── runner/                ← sends attacks through a real K9-AIF pipeline
├── report/                ← formats BLOCKED / FLAGGED / PASSED results
└── diagrams/              ← shield_class.puml (PlantUML class diagram)

Running Satan

./run.sh                                                                 # dashboard on :6660
python -m k9x_satan.runner.satan_runner --target http://localhost:6660 --suite full
python -m k9x_satan.runner.satan_runner --target http://localhost:6660 --suite full --compare-governance

Output

K9x Satan — Attack Report
=========================
[BLOCKED]  prompt_injection_document     depth=router       ✓
[BLOCKED]  search_poisoning              depth=router       ✓
[BLOCKED]  payload_flood                 depth=router       ✓
[BLOCKED]  memory_poisoning              depth=router       ✓
[BLOCKED]  request_flood                 depth=router       ✓
[BLOCKED]  semantic_drift                depth=orchestrator ✓
[BLOCKED]  execution_bypass              depth=orchestrator ✓
[BLOCKED]  pii_exfiltration              depth=orchestrator ✓
[BLOCKED]  tool_argument_poison          depth=orchestrator ✓
[BLOCKED]  hardcoded_credential          depth=orchestrator ✓
[BLOCKED]  shadow_tool                   depth=orchestrator ✓
[BLOCKED]  system_prompt_leakage         depth=orchestrator ✓
[BLOCKED]  output_sanitization           depth=orchestrator ✓
=========================
13/13 contained  |  0 findings

Adding a New Attack

  1. Create attacks/my_attack.py extending BaseAttack (k9_aif_abb.k9_security.attacks.base_attack)
  2. Fire via the shared attacks/_fire.py helper — it POSTs to /api/attack/fire and correctly reports connection failures as FLAGGED (inconclusive), never a fabricated BLOCKED
  3. Add malicious payload to corpus/ if document-based
  4. Register in runner/attack_registry.py
  5. Run: python -m k9x_satan.runner.satan_runner --attack my_attack --target http://localhost:6660

Adding a New Check

  1. Create target/my_check.py extending BaseVulnerabilityCheck (k9_aif_abb.k9_security.vulnerability.base_vulnerability_check)
  2. Wire it into DocumentRouter._build_ingress_chain() or DocumentOrchestrator._build_egress_chain()
  3. Write the matching attack (above) to prove it holds

Relationship to K9X Shield

Satan and Shield are symmetric. Every BaseAttack targets a specific BaseVulnerabilityCheck. A PASSED result means a new check is needed in Shield.

Satan Attack Shield Check
PromptInjectionAttack PromptInjectionCheck
SearchPoisoningAttack PromptInjectionCheck (real tool-response fetch from fake_search)
PayloadFloodAttack InputSizeCheck
MemoryPoisoningAttack MemoryPoisoningCheck
RequestFloodAttack RequestFrequencyCheck
SemanticDriftAttack SemanticDriftCheck
ExecutionBypassAttack ExecutionGuardCheck
PIIExfiltrationAttack PIIBoundaryCheck
ToolArgumentAttack ToolArgumentCheck
HardcodedCredentialAttack HardcodedCredentialCheck
ShadowToolAttack ToolAuthorizationCheck
SystemPromptLeakageAttack SystemPromptLeakageCheck
OutputSanitizationAttack OutputSanitizationCheck

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

k9x_satan-0.1.1.tar.gz (306.0 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

k9x_satan-0.1.1-py3-none-any.whl (323.6 kB view details)

Uploaded Python 3

File details

Details for the file k9x_satan-0.1.1.tar.gz.

File metadata

  • Download URL: k9x_satan-0.1.1.tar.gz
  • Upload date:
  • Size: 306.0 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.11.14

File hashes

Hashes for k9x_satan-0.1.1.tar.gz
Algorithm Hash digest
SHA256 72c461221a842f7f2818beb295fb84eee6582d8674287b641c8bede364d0e140
MD5 37ef6493f920f0d14c7f20d93d98eed7
BLAKE2b-256 01499376c9deb8675d16c4ce69821a81147aee89a35c4319f1ac8fd9865827c4

See more details on using hashes here.

File details

Details for the file k9x_satan-0.1.1-py3-none-any.whl.

File metadata

  • Download URL: k9x_satan-0.1.1-py3-none-any.whl
  • Upload date:
  • Size: 323.6 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.11.14

File hashes

Hashes for k9x_satan-0.1.1-py3-none-any.whl
Algorithm Hash digest
SHA256 8096dffe076dbe7ac3480afab8a883f43656e0fde9b1189211d0ccb7b35d6cbc
MD5 ed796540a06e5d86ed1a9749ed03176f
BLAKE2b-256 68464540a4e66c6db9d140ec1afac897ee273b702ed0ad919d194cd82b1ff7c2

See more details on using hashes here.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page