NIGHTFALL · T157 · L55

SPECTER DECOMPOSE

ORCHESTRATOR INTENT DECOMPOSITION EXPLOITATION ENGINE

Semantic Intent Fragmentation (SIF) engine targeting LLM orchestrators: LangGraph, AutoGen, CrewAI, n8n, Flowise, Dify. It decomposes a single intent into individually benign subtasks that jointly violate security policy. Basis: arXiv:2604.08608 (AAAI 2026), 71% attack success rate (ASR). Covers k-anonymity subversion, FOUNDRY integration and trigger distribution across subtasks. Reports carry a DCP-{hex12} ID and are dual-signed with Ed25519 and ML-DSA-65.

SIF Attack Success Rate: 71%
Tests Passing: 362
WMD Classes: 6
Orchestrator Types: 6
SIF Templates: 25
pip install specter-decompose
SUBSYSTEMS
ENUMERATE-ORCHESTRATORS
TCP probe 10 ports (n8n:5678, Flowise:3000, Dify:3001, AutoGen:4000, Gradio:7860, 8000, 8080, 8081, 8443, 9090). Banner fingerprint for LangGraph/AutoGen/CrewAI/n8n/Flowise/Dify/Generic. FOUNDRY access detection via CLI (shutil.which) → library (import) → API (REST probe). Attack surface score 0–1.0.
OPEN
MAP-DECOMPOSITION-PATTERNS
Framework-specific pattern mapping: split_strategy (sequential_subtask/agent_role_delegation/crew_task_assignment/workflow_node_chain/chatflow_chain/pipeline_step_sequence), blind_spots, policy_enforcement_points, subtask_isolation, cross_subtask_context. Max subtask depth per framework: LangGraph:10 / AutoGen:20 / CrewAI:5 / n8n:50 / Flowise:8 / Dify:15.
OPEN
CRAFT-SIF-PROMPT
Semantic Intent Fragmentation via 25 SIF templates × 5 categories: data_exfil (SIF-001–005), scope_escalation (SIF-006–010), exfil_decompose (SIF-011–015), quasi_aggregate (SIF-016–020), foundry_deliver (SIF-021–025). Template materialisation with {destination}/{domain_N} placeholders. Semantic score 0.0–1.0 — requests contain zero red-flag terms. Policy violation mapped per template.
INJECT
INJECT-PIPELINE
Framework-native payload delivery. Endpoint map: LangGraph /invoke · AutoGen /chat · CrewAI /kickoff · n8n /webhook/test · Flowise /api/v1/prediction/{flow_id} · Dify /v1/chat-messages. Per-framework request payload builder. Subtask execution tracking, alert detection, HTTP status monitoring.
INJECT
FOUNDRY-ROUTE
T154 SPECTER FOUNDRY integration for exploit delivery via SIF. Three modes: CLI (specter-foundry search subprocess), library (import specter_foundry.subsystems.search_exploits.run), API (POST /search to FOUNDRY REST endpoint). AUTO mode tries CLI → library → API. Returns FoundryRoute with exploit_received status.
INJECT
BULK-SCOPE-ESCALATE
Aggregate scope violation detection. Probes 6 domain paths: finance / hr / legal / engineering / sales / ops. Each domain accessed via a single individually-scoped subtask. Aggregate violation triggered when ≥2 sensitive domains (finance/hr/legal/engineering) accessed. individual_scope_clean=True per subtask — per-subtask policy sees no violation.
INJECT
SILENT-EXFIL-DECOMPOSE
Silent data exfiltration via 3-step decomposed chain. 4 chain templates: logging_chain (enumerate_logs→format_json→forward_aggregator), analytics_chain (collect_metrics→aggregate_report→push_dashboard), backup_chain (enum_data→compress→sync_remote), compliance_chain (query_regulated→format_regulatory→submit_portal). Each step framed independently.
INJECT
TRIGGER-EMBED
Distributed backdoor trigger implantation. 5 trigger types: keyword (split in halves — activate_on_full_match), date (ISO 8601 components split), user (SHA-256 hash fragments), threshold (3-part numeric split), composite (3-way split + assembly instruction). No single subtask fragment equals the full trigger value. Orchestrator assembles at runtime via cross-subtask context.
INJECT
QUASI-AGGREGATE
k-anonymity subversion. 7 quasi-identifier columns: name / postcode / birth_year / employer / job_title / device_id / ip_address. One column accessed per subtask — no single subtask constitutes PII. 5 known PII re-identification combinations: name+postcode, name+DOB+postcode, employer+title+postcode, device_id+IP, name+employer+DOB. Sweeney 2002: 87% UK re-identification with name+postcode+DOB.
INJECT
VALIDATE-BYPASS
5-check bypass confirmation: no_alert_triggered (response text scan), subtasks_passed (all InjectionResult subtasks executed), policy_violation_achieved (orchestrator response indicates goal reached), foundry_exploit_received (FoundryRoute.exploit_received), http_success (status 200–299). Confidence measure 0–1. orchestrator_confidence from response keyword analysis.
INJECT
REPORT
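DCP-{hex12} report ID (first 12 hex chars of the SHA-256 of session_id). Ed25519 signature via the cryptography library. ML-DSA-65 signature via liboqs, with an HMAC-SHA3-256 fallback; the fallback is a keyed MAC, not an ML-DSA-65 signature, so a report produced that way can only be verified by a holder of the HMAC key. Covers 6 WMD classes and maps to MITRE ATT&CK T1072/T1190/T1539/T1552 and ATLAS AML.T0051/T0063/T0069. JSON and human-readable text output. Saves to /tmp/decompose_sessions/.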
OPEN
ENGAGE
Full pipeline: enumerate → map → craft → inject → foundry-route → bulk-scope → exfil → trigger → quasi → validate → report. Single command to run the complete orchestrator intent decomposition kill chain. All results saved to session and included in dual-signed report.
INJECT
WMD CLASSIFICATION — UNLEASHED CLEARANCE REQUIRED
orchestrator_plan_decomposition_exploit, intent_fragmentation_attack, policy_bypass_via_composition, silent_data_exfiltration, orchestrator_trust_subversion, orchestrator_weaponisation
CLI COMMANDS
# Discover orchestrators on host (OPEN gate)
$ specter-decompose enumerate --target localhost:5678
# Map decomposition patterns (OPEN gate)
$ specter-decompose map --target localhost:5678
# Craft SIF prompt (INJECT gate)
$ DECOMPOSE_INJECT_KEY=<key> specter-decompose craft --target localhost:5678 --policy data_exfil
# Inject SIF payload (INJECT gate)
$ DECOMPOSE_INJECT_KEY=<key> specter-decompose inject --target localhost:5678 --policy scope_escalation
# k-anonymity subversion (INJECT gate)
$ DECOMPOSE_INJECT_KEY=<key> specter-decompose quasi --target localhost:5678 --columns name postcode birth_year
# Distribute trigger across subtasks (INJECT gate)
$ DECOMPOSE_INJECT_KEY=<key> specter-decompose trigger --type keyword --value ACTIVATE --condition "on keyword match"
# Full pipeline engagement (INJECT gate)
$ DECOMPOSE_INJECT_KEY=<key> specter-decompose engage --target localhost:5678 --policy data_exfil --output /tmp/report.json
TECHNICAL BASIS
arXiv:2604.08608
Semantic Intent Fragmentation (SIF). AAAI 2026. Decomposes a single policy-violating intent into N individually benign subtasks. 71% Attack Success Rate. Per-subtask policy checks cannot detect the aggregate violation. Basis for all CRAFT-SIF-PROMPT templates.
k-Anonymity Subversion
Sweeney (2002): 87% of US population re-identifiable from ZIP + DOB + sex. QUASI-AGGREGATE implements one quasi-identifier column per subtask. No subtask triggers PII policy. The orchestrator's cross-subtask context accumulates a re-identifying record. GDPR Article 4(1) violation via composition.
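A defender-side counterpart to the QUASI-AGGREGATE and BULK-SCOPE-ESCALATE behaviour described above, added here as an example and not part of specter-decompose: a session-level monitor that evaluates the union of what all subtasks have read, so a re-identifying column combination or a second sensitive domain is flagged at the subtask that completes it. The class name, the event fields and the mapping of the page's DOB/title/IP shorthand onto birth_year/job_title/ip_address are assumptions.

```python
from collections import defaultdict
# Combinations the page lists under QUASI-AGGREGATE. Mapping its DOB/title/IP
# shorthand onto birth_year/job_title/ip_address is an assumption.
REIDENTIFYING_COMBOS = [
    frozenset({"name", "postcode"}),
    frozenset({"name", "birth_year", "postcode"}),
    frozenset({"employer", "job_title", "postcode"}),
    frozenset({"device_id", "ip_address"}),
    frozenset({"name", "employer", "birth_year"}),
]
SENSITIVE_DOMAINS = {"finance", "hr", "legal", "engineering"}
DOMAIN_THRESHOLD = 2  # page: aggregate violation at >= 2 sensitive domains

class SessionAggregateMonitor:
    """Hypothetical guard: judges what a whole session has read, not one subtask."""
    def __init__(self):
        self.columns = defaultdict(set)  # session_id -> quasi-identifier columns read
        self.domains = defaultdict(set)  # session_id -> sensitive domains read

    def record(self, session_id, subtask_id, domain=None, column=None):
        """Record one subtask's access; return the aggregate findings it completes."""
        findings = []
        if column is not None:
            before = set(self.columns[session_id])
            self.columns[session_id].add(column)
            for combo in REIDENTIFYING_COMBOS:
                # Fire only on the subtask that supplies the missing column.
                if combo <= self.columns[session_id] and not combo <= before:
                    findings.append(("reidentification", subtask_id, tuple(sorted(combo))))
        if domain in SENSITIVE_DOMAINS:
            seen = self.domains[session_id]
            if domain not in seen:
                seen.add(domain)
                if len(seen) >= DOMAIN_THRESHOLD:
                    findings.append(("scope_aggregate", subtask_id, tuple(sorted(seen))))
        return findings

def replay(events):
    monitor = SessionAggregateMonitor()
    return [f for e in events for f in monitor.record(**e)]

# Constructed sample: each subtask reads one column or one domain, as the page describes.
SAMPLE_EVENTS = [
    {"session_id": "s1", "subtask_id": "t1", "column": "name"},
    {"session_id": "s1", "subtask_id": "t2", "column": "birth_year"},
    {"session_id": "s1", "subtask_id": "t3", "column": "postcode"},
    {"session_id": "s1", "subtask_id": "t4", "domain": "finance"},
    {"session_id": "s1", "subtask_id": "t5", "domain": "hr"},
    {"session_id": "s2", "subtask_id": "t1", "column": "name"},
]
```

The state is keyed by session, so the check only works if the orchestrator propagates one session identifier to every subtask's data access.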
FOUNDRY Integration
T154 SPECTER FOUNDRY integration for exploit delivery via SIF wrapper. The foundry_deliver SIF category disguises exploit generation as authorised security testing. FOUNDRY's 6 CVE templates for AI inference targets are delivered through the orchestrator's own tool-call mechanism.
TAGS
sif, arXiv:2604.08608, AAAI 2026, orchestrator, LangGraph, AutoGen, CrewAI, n8n, Flowise, Dify, k-anonymity, GDPR, FOUNDRY, trigger-distribution, policy-bypass, Ed25519, ML-DSA-65, INJECT gate, AML.T0051, AML.T0063, AML.T0069, T1072, T1190, T1539, T1552, L55