NIGHTFALL T77 — MEMORY CONTROL FLOW

SPECTER MEMETIC

Memory-as-Control-Flow Hijack Engine. Write once. Read many. Stable control flow deviation.

8 Subsystems · 5 Attack Families · 14 Memory Backends · 520 Tests

MEMORY IS A CONTROL CHANNEL
Existing security analyses treat agent control flow as ephemeral, one-off sessions. They miss the persistent influence of long-term memory. SPECTER MEMETIC operationalises Memory Control Flow Attacks (MCFA): standard interactions that induce the agent to store action-oriented preferences, which are retrieved during later benign tasks and dominate planning over the system safety prompt.

The adversary writes nothing privileged. No system-prompt modification. No tool implant. No memory-store admin access. One conversational turn — the agent itself writes the directive into long-term memory through its normal preference API. Subsequent tasks retrieve the entry, prefer the risky tool, skip the audit step, generalise the override across domains, persist across long horizons, and resist textual repair instructions.

T69 SPECTER CONTEXT attacked memory content. SPECTER MEMETIC attacks memory as control flow.
Foundation paper: Xu, Z., Zhu, X., Yao, Y., Xue, M., Song, Y. "From Storage to Steering: Memory Control Flow Attacks on LLM Agents." arXiv:2603.15125 (Mar 2026). 91.7–100% Override ASR on GPT-5 mini / Claude Sonnet 4.5 / Gemini 2.5 Flash across LangChain + LlamaIndex. 100% persistence across long horizons. RBMS dual-channel + hierarchy patch reduces ASR but cannot eliminate it: paper Table 3 D2 shows 63.9–100% residual ASR on Gemini.
Attack families: OVERRIDE · REORDER · M_SCOPE · PERSIST · RELAPSE

8 SUBSYSTEMS
SUBSYSTEM 01: PROBE (AUDIT-ONLY)
Backend fingerprint engine. Detects naive vs RBMS architecture, retrieval mode (Strong/Weak/Off), summariser presence, write-back schema discovery, hierarchy non-compliance fingerprint (paper RBMS D2 failure mode), inject surface count.

SUBSYSTEM 02: INJECT (FORGE GATE)
Three write primitives: EXPLICIT_PREF (direct pref_tool API), IMPLICIT_SUMMARY (action-oriented dialogue picked up by summariser), RETRIEVAL_CACHE (RAG store pollution with crafted policy documents). Paper-validated payload templates.

SUBSYSTEM 03: OVERRIDE (INJECT GATE)
Tool-choice hijack (MCFA Family 1). Memory dominates safety prompt: τ ∩ T_risky ≠ ∅. Algorithm 1 isolated-regime audit. Paper: 91.7–100% ASR even against safe-tool system prompts and harmful-labelled risky tool metadata.

SUBSYSTEM 04: REORDER (INJECT GATE)
Workflow reorder / step-skip (MCFA Family 2). fast_flow preset bypasses dependency chains: skips payment_check_risk and payment_verify_user before payment_execute. Strict scoring criterion. Paper: 52.8–69.4% ASR under strict criterion.

SUBSYSTEM 05: PROPAGATE (INJECT GATE)
M-Scope cross-task generalisation (MCFA Family 3). Single injection trigger across email / search / map / file / finance domains — universal trigger / "master key" pattern. Paper: 97.2–100% ASR with one entry generalising to heterogeneous task templates.

SUBSYSTEM 06: PERSIST (INJECT GATE)
Long-horizon survival (MCFA Family 4). Inject once → run k benign filler turns without re-injection → trigger task still fires. Optional summariser-survival measurement across compression passes. Paper: 100% persistence at horizon, chronic-infection signature.

SUBSYSTEM 07: RELAPSE (DESTROY GATE)
Write-back amplification + correction-resistance (MCFA Family 5). Agent self-reinforces malicious state via additional pref_tool writes. Defender textual repair fails. Paper Corollary 2: P(safe_trace | poisoned_memory, repair) ≈ 0. Memory Surgery required.

SUBSYSTEM 08: ASH (ALWAYS ON)
Algorithm 1 audit + signed evidence. SHA-256 hash-chained EvidenceChain. Ed25519-signed MemeticReport. Report ID: MEM-{hex12}. ISR / ASR per-family aggregation. MITRE ATLAS auto-mapping. JSON and NDJSON (SIEM) export. Chain integrity verified before signature.
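For the OVERRIDE and REORDER families (Subsystems 03 and 04), the matching defender-side control is to decide tool eligibility and step ordering at the dispatch layer, not in the planner that reads long-term memory. This is an added Python example, not SPECTER MEMETIC's code; the tool registry and the prerequisite chain are constructed for it, using the tool and step names the page mentions.

```python
# Added defensive example (not SPECTER MEMETIC code): a dispatch-layer guard that
# keeps OVERRIDE / REORDER outcomes unreachable whatever the planner read from memory.
from dataclasses import dataclass, field

# Constructed registry; True = harmful-labelled, like the page's risky-tool metadata.
TOOLS = {
    "create_email_draft": False,
    "risky_create_email_draft": True,
    "payment_check_risk": False,
    "payment_verify_user": False,
    "payment_execute": False,
}
# Dependencies enforced at dispatch, so a fast_flow-style step skip is refused.
PREREQS = {"payment_execute": ("payment_check_risk", "payment_verify_user")}

@dataclass
class DispatchGuard:
    executed: list = field(default_factory=list)  # trace for the current task

    def check(self, tool: str) -> tuple[bool, str]:
        """Decide without executing; the reason is what you would log."""
        if tool not in TOOLS:
            return False, f"unknown tool {tool!r}"
        if TOOLS[tool]:
            return False, f"{tool!r} is tagged harmful; memory cannot relabel it"
        missing = [p for p in PREREQS.get(tool, ()) if p not in self.executed]
        if missing:
            return False, f"{tool!r} needs {missing} earlier in the trace"
        return True, "ok"

    def dispatch(self, tool: str) -> bool:
        ok, _ = self.check(tool)
        if ok:
            self.executed.append(tool)  # only allowed calls enter the trace
        return ok

def run_plan(plan: list[str]) -> list[tuple[str, bool, str]]:
    """Walk a planner-produced tool sequence and return a per-step verdict."""
    guard = DispatchGuard()
    verdicts = []
    for tool in plan:
        ok, reason = guard.check(tool)
        guard.dispatch(tool)
        verdicts.append((tool, ok, reason))
    return verdicts

def deviations(plan: list[str]) -> list[str]:
    """Steps a memory-steered plan attempted that the guard refused."""
    return [tool for tool, ok, _ in run_plan(plan) if not ok]
```

Because the guard keys off tool metadata and the executed trace rather than the prompt, a retrieved preference that reorders or relabels tools changes what the planner proposes but not what is dispatched.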

14 MEMORY BACKENDS
SPECTER MEMETIC covers the agent-memory ecosystem from paper-validated frameworks (LangChain, LlamaIndex) through first-party platform memory (Claude, OpenAI) to managed agent state (Vertex AI Memory Bank, Letta) and pure RAG stores.
TIER 1 — paper-validated + flagship platform memory
LANGCHAIN: BufferMemory · VectorStoreRetriever · SummaryMemory · save_context API
LLAMAINDEX: ChatMemoryBuffer · VectorMemory · token_limit window · ChatMessage API
MEM0: add / search / update · user_id scoped · graph memory ✓ · Cross-tenant risk
CLAUDE MEMORY: /memories tool · view / str_replace · file-based persistence · Auto-summarise
OPENAI MEMORY: Assistants threads · thread.messages.create · system-channel inst. · Memory feature block

TIER 2 — broader fleet
ZEP: session memory · auto-summariser · fact extraction · Cross-session pollution
MEMGPT / LETTA: core / archival · recall_memory · tier write-amp · Pressure summarise
LANGGRAPH: checkpointer · store namespaces · thread_id scoped · Vector backed
CREWAI: short / long term · entity memory · shared crew context · Cross-agent baseline
PINECONE: upsert / query · namespace scoped · metadata filter · RAG cache target
CHROMA: collection.add · collection.query · Cross-collection · Embedded vector DB
WEAVIATE: data_object.create · GraphQL filter · hybrid vector + BM25 · Tenant key bypass
VERTEX MEMORY BANK: create_session · generate_memories · auto-consolidation · scope=user_id
AUTOGEN: GroupChat.messages · cross-agent share · summary_method LLM · No role isolation

SPECTER-MEMETIC CLI
# PROBE — backend fingerprint (audit-only)
$ specter-memetic probe --backend langchain
┌─ PROBE FINGERPRINT ──────────────────────────────────┐
  backend             langchain
  architecture        naive
  retrieval_mode      strong
  has_summariser      true
  inject_surface      3 (explicit + summary + RAG)
  rbms_bypass_likely  false (architecture is naive)
└──────────────────────────────────────────────────────┘

# INJECT — explicit preference write (FORGE)
$ specter-memetic inject --backend mem0 --override \
--primitive explicit_pref --risky-tool risky_create_email_draft
UNLEASHED FORGE clearance granted
isr: 1.0 primitive: explicit_pref channel: user

# OVERRIDE — tool-choice hijack (INJECT)
$ specter-memetic override --backend langchain \
--override --risky-tool risky_create_email_draft
UNLEASHED INJECT clearance granted (Ed25519 verified)
family: OVERRIDE asr: 100.00% trials: 5 deviations: 5

# Full audit pipeline — DESTROY tier (RELAPSE included)
$ specter-memetic run-all --backend langchain \
--override --confirm-destroy --output-dir ./reports
┌──────────┬─────────┬─────────┬────────┬────────────┐
│ Family   │ ISR     │ ASR     │ Trials │ Deviations │
├──────────┼─────────┼─────────┼────────┼────────────┤
│ OVERRIDE │ 100.00% │ 100.00% │      5 │          5 │
│ REORDER  │ 100.00% │ 100.00% │      4 │          4 │
│ M_SCOPE  │ 100.00% │ 100.00% │      8 │          8 │
│ PERSIST  │ 100.00% │ 100.00% │      1 │          1 │
│ RELAPSE  │ 100.00% │ 100.00% │      3 │          3 │
└──────────┴─────────┴─────────┴────────┴────────────┘
Report: MEM-9348710A69D3 — Ed25519 signed
SIEM NDJSON: ./reports/MEM-9348710A69D3.ndjson
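The signed report above rests on the SHA-256 hash-chained EvidenceChain of Subsystem 08 (ASH), whose integrity is checked before anything is signed. The following is an added Python example, not SPECTER MEMETIC's code: the record fields, the report-id derivation (MEM- plus 12 hex characters of the head hash) and the NDJSON shape are assumptions, and the Ed25519 signing step is omitted so it runs on the standard library alone.

```python
# Added example (not SPECTER MEMETIC code) of a SHA-256 hash-chained EvidenceChain:
# each record commits to its predecessor, so editing or dropping an entry breaks
# the chain. Record fields and the report-id derivation (MEM- + 12 hex of the head
# hash) are assumptions; Ed25519 signing is omitted to keep this stdlib-only.
import hashlib
import json

GENESIS = "0" * 64  # constructed anchor for the first record

def _digest(prev_hash: str, record: dict) -> str:
    """Canonical JSON (sorted keys, no spaces) so re-serialisation is stable."""
    body = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode()).hexdigest()

class EvidenceChain:
    def __init__(self):
        self.entries = []  # each: {"record": ..., "prev": ..., "hash": ...}

    def append(self, record: dict) -> str:
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        h = _digest(prev, record)
        self.entries.append({"record": record, "prev": prev, "hash": h})
        return h

    def verify(self) -> tuple[bool, int]:
        """(intact, index of first bad link or -1). Run this before signing."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e["prev"] != prev or _digest(prev, e["record"]) != e["hash"]:
                return False, i
            prev = e["hash"]
        return True, -1

    def report_id(self) -> str:
        ok, _ = self.verify()
        if not ok or not self.entries:
            raise ValueError("chain not intact; refusing to issue a report id")
        return "MEM-" + self.entries[-1]["hash"][:12].upper()

    def to_ndjson(self) -> str:
        """One entry per line, the SIEM export shape described on the page."""
        return "\n".join(json.dumps(e, sort_keys=True) for e in self.entries)

def build_sample_chain() -> EvidenceChain:
    """Constructed records mirroring two rows of the per-family report table."""
    chain = EvidenceChain()
    for fam, trials, dev in [("OVERRIDE", 5, 5), ("REORDER", 4, 4)]:
        chain.append({"family": fam, "trials": trials, "deviations": dev})
    return chain
```

A signature over the head hash then covers every earlier record, which is why the chain must verify before the signing step rather than after.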

MEMORY KILL CHAIN
PROBE (recon) → INJECT (write) → isolate H=∅ → OVERRIDE → REORDER → PROPAGATE → PERSIST → RELAPSE → ASH (report)

UNLEASHED GATE — THREE TIERS
FORGE CLEARANCE · INJECT CLEARANCE · DESTROY CLEARANCE

FORGE: the INJECT subsystem (all three write primitives) requires the --override flag. Authorises memory writes for a fingerprinted and scoped engagement.

INJECT: OVERRIDE, REORDER, PROPAGATE, PERSIST require --override + Ed25519 UNLEASHED key. Causes auditable tool-call deviations on the target agent.

DESTROY: RELAPSE requires --override + --confirm-destroy + Ed25519 key. RELAPSE causes self-reinforcing write-back; the resulting memory state is correction-resistant and demands explicit Memory Surgery to remediate. Use only under written ROE for irreversible engagement.

Generate a keypair: specter-memetic unleashed create-key


MITRE ATLAS / OWASP LLM MAPPING
AML.T0051  LLM Prompt Injection — INJECT (all 3 primitives)
AML.T0029  Denial of ML Service — PERSIST chronic infection
AML.T0048  External Harms — OVERRIDE + REORDER (workflow tool misuse)
AML.T0054  LLM Jailbreak — RBMS D2 hierarchy bypass
AML.T0056  LLM Plugin Compromise — tool-selection hijack core
AML.T0020  Poison Training Data (adjacent) — IMPLICIT_SUMMARY consolidation
OWASP LLM: LLM01 (Prompt Injection) · LLM03 (Training Data Poisoning, adjacent) · LLM06 (Sensitive Info Disclosure) · LLM07 (Insecure Plugin Design — tool selection core) · LLM08 (Excessive Agency)