Architecture

Stephen edited this page Mar 5, 2026 · 3 revisions

Authors: DaxxSec & Claude (Anthropic)

Overview

LABYRINTH implements a reverse kill chain — the attacker's progression through the environment correlates directly with its operational degradation. Unlike traditional honeypots that passively observe, LABYRINTH actively degrades and commandeers the attacking agent at each layer.

HARDEN ───→ CONTAIN ───→ DEGRADE ───→ DISRUPT ───→ CONTROL
  L0           L1           L2           L3           L4
  │            │            │            │            │
  │            │            │            │            └─ Identity rewritten
  │            │            │            └─ Can't parse output
  │            │            └─ Can't trust environment
  │            └─ Can't reach real infrastructure
  └─ Portal trap can't become a liability

▸ Depth of penetration = Depth of compromise

Layer Summary

Layer 0 — BEDROCK (Foundation)

Operational Security & Governance

Four pillars ensuring the portal trap itself cannot become a liability:

  1. AES-256 forensic encryption at rest
  2. Dedicated VLAN network isolation with zero route to production
  3. MITM proxy scope validation with fail-closed enforcement
  4. Tiered data retention policy (7d credentials / 90d fingerprints / indefinite decision logs)
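One way to express the fail-closed rule in pillar 3, as an added example and not code from the LABYRINTH repository. The scope format, the `172.30.0.0/24` subnet, the `api.example.test` host and the function names are assumptions made for illustration.

```python
import ipaddress

# Constructed scope for illustration; the subnet and host are assumptions,
# not values taken from the LABYRINTH configuration.
CONSTRUCTED_SCOPE = {
    "source_cidrs": ["172.30.0.0/24"],     # assumed session-container subnet
    "api_hosts": ["api.example.test"],     # placeholder AI API hostname
}


def in_scope(scope, src_ip, dest_host):
    """True only when every check positively succeeds; anything else is a deny."""
    try:
        # Strict parsing: "172.30.0.50/24" (host bits set) raises ValueError.
        nets = [ipaddress.ip_network(c) for c in scope["source_cidrs"]]
        hosts = {h.lower().rstrip(".") for h in scope["api_hosts"]}
        if not nets or not hosts:
            return False   # an empty scope means "nothing", never "everything"
        src = ipaddress.ip_address(src_ip)
        return any(src in n for n in nets) and dest_host.lower().rstrip(".") in hosts
    except (KeyError, TypeError, ValueError, AttributeError):
        return False       # missing key, wrong type, unparsable value: fail closed


def decide(scope, src_ip, dest_host):
    """Map the check to a proxy action; out-of-scope traffic is never intercepted."""
    return "intercept" if in_scope(scope, src_ip, dest_host) else "drop"
```

The property to test for is that a broken or empty scope file reduces what the proxy touches to zero rather than widening it.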

Layer 1 — THRESHOLD (Portal Trap)

Containment & Isolation

Internet-facing portal trap services that route inbound connections into dynamically-spawned, isolated containers. Each session gets a fresh environment. All egress routes through the interception proxy (shared with Layer 4). The agent thinks it compromised a real host — it didn't.

Layer 2 — MINOTAUR (4D Maze)

Epistemic Degradation

Containers pre-seeded with deliberate internal contradictions — OS version mismatches, inconsistent package histories, conflicting timezone/locale settings, planted escalation paths that lead to new containers with shifted rules. Optionally adaptive: the orchestrator configures the next container based on observed agent behavior.

Layer 3 — BLINDFOLD (Encoding Corruption)

Sensory Disruption

Terminal encoding corruption via .bashrc/.profile payloads that write control characters shifting the terminal into alternate character set modes. Recovery commands (reset, stty sane) are aliased to re-trigger corruption. New shell spawns re-source the profile. Agent is trapped in a sensory deprivation loop.

Layer 4 — PUPPETEER (Prompt Interception)

Cognitive Takeover

Dual-capability intelligence layer. Network Intelligence: protocol-compatible phantom services (PostgreSQL, Redis, Elasticsearch, Consul, Jenkins) accept stolen credentials and log all access. Cognitive Intelligence: MITM interception of AI API calls captures system prompts and tool inventories, with four modes: passive, neutralize, double-agent, counter-intel. Both capabilities run on the proxy container (172.30.0.50).


Data Flow

                  Internet
                     │
          ┌──────────┴──────────┐
          │   L1: THRESHOLD     │
          │  SSH (:22)          │
          │  HTTP (:8080)       │
          └──────────┬──────────┘
                     │
          ┌──────────┴──────────┐
          │   Orchestrator      │
          │   (session mgmt)    │
          └──────────┬──────────┘
                     │
     ┌───────────────┼───────────────┐
     │               │               │
┌────┴────┐   ┌──────┴──────┐  ┌─────┴──────┐
│ Session │   │   Forensic  │  │  L4 Proxy  │
│ Contrs  │   │   Volume    │  │  MITM+Svc  │
│ L2 + L3 │   │   JSONL     │  │  172.30.   │
└─────────┘   └──────┬──────┘  │  0.50      │
                     │         └─────┬──────┘
          ┌──────────┴──────────┐    │
          │   Dashboard (:9000) │────┘
          │   Flask + API       │
          └─────────────────────┘

Data Sources

  1. Dashboard API (localhost:9000/api/stats, /api/sessions) — primary source, polls every 2s
  2. Forensic JSONL files (/var/labyrinth/forensics/sessions/) — fallback when API unavailable
  3. No data — shows deployment instructions
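The three-step source order above, sketched as an added example rather than the project's own client code. The `*.jsonl` file pattern, the 1.5 s timeout, the returned dictionary shape and the function names are assumptions; the URL and directory are the ones listed above.

```python
import json
import urllib.request
from pathlib import Path

API_URL = "http://localhost:9000/api/stats"            # from the list above
FORENSICS_DIR = "/var/labyrinth/forensics/sessions/"   # from the list above


def fetch_api(url=API_URL, timeout=1.5):
    """Primary source. The timeout (assumed) stays below the 2s poll interval."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return json.load(resp)


def read_jsonl(directory):
    """Fallback source: collect JSON objects, counting lines that do not parse
    (a file can be read while its last line is still being appended)."""
    events, skipped = [], 0
    root = Path(directory)
    if not root.is_dir():
        return events, skipped
    for path in sorted(root.glob("*.jsonl")):      # file pattern is an assumption
        try:
            lines = path.read_text(encoding="utf-8", errors="replace").splitlines()
        except OSError:
            continue                               # unreadable file: skip it
        for line in lines:
            if not line.strip():
                continue
            try:
                obj = json.loads(line)
            except ValueError:
                skipped += 1
                continue
            if isinstance(obj, dict):
                events.append(obj)
            else:
                skipped += 1
    return events, skipped


def load_dashboard_data(fetch=fetch_api, directory=FORENSICS_DIR):
    """Return (source, data) where source is "api", "jsonl" or "none"."""
    try:
        return "api", fetch()
    except (OSError, ValueError):   # refused, timeout, HTTP error, bad JSON
        pass
    events, skipped = read_jsonl(directory)
    if events:
        return "jsonl", {"events": events, "skipped_lines": skipped}
    return "none", None             # caller shows deployment instructions
```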

Repository Layout

cli/                  Go CLI binary (labyrinth command)
  cmd/                Cobra command definitions
  internal/
    banner/           ASCII art banner
    registry/         Environment CRUD (~/.labyrinth/environments/*.json)
    docker/           Docker Compose operations + preflight checks
    tui/              Bubbletea TUI (5 tabs)
    api/              HTTP client for Flask dashboard API
    forensics/        Direct JSONL file reader (fallback)
    config/           labyrinth.yaml parser
  test/               Integration tests

src/                  Python components
  layer0_foundation/  BEDROCK validator
  layer1_portal/      SSH/HTTP portal traps, session logger
  layer2_maze/        Contradiction catalog, container templates
  layer3_blindfold/   Encoding corruption payloads
  layer4_puppeteer/   MITM interceptor, phantom services, CA cert injector
  orchestrator/       Session management, event watcher, layer controllers

docker/               Dockerfiles for all services
configs/              labyrinth.example.yaml config schema
scripts/              attacker-setup.sh
docs/                 User-facing documentation

Technology Stack

Component     Technology
CLI           Go, Cobra, Bubbletea v2, Lipgloss v2
Orchestrator  Python 3.11, Docker SDK, PyYAML, Watchdog
Portal Traps  Python (SSH via OpenSSH, HTTP via stdlib)
MITM Proxy    mitmproxy + custom addon
Dashboard     Flask, JSONL reader
Containers    Docker/Docker Compose
Forensics     JSONL on shared volume
