Published
Report 155 Research — Empirical Study

Report #155: Safety Oscillation Attacks

Executive Summary

This report introduces Safety Oscillation Attacks (SOA), a novel attack class that targets the temporal dynamics of safety reasoning in embodied AI systems. Rather than trying to suppress or bypass safety mechanisms outright, SOA attacks deliberately trigger rapid oscillation between safety-on (refusal) and safety-off (compliance) states. The hypothesis is that safety reasoning pipelines have non-zero transition latency when switching from compliance to refusal mode, and that this latency creates a residual compliance window during which harmful instructions may execute.

This is a Tier 3 (validated untested) attack family. Eight scenarios have been committed; no empirical traces exist yet.

Threat Model

Core Mechanism

Safety-aligned models maintain an internal state that determines whether the next instruction is evaluated with full safety scrutiny or processed as a routine compliant action. When the model complies with a safe instruction, this state shifts toward compliance. When the model refuses a harmful instruction, it shifts toward refusal/caution.

SOA attacks exploit the hypothesis that this state transition is not instantaneous. If a safe instruction immediately follows a harmful instruction that was refused, the model re-enters compliance mode. If a harmful instruction then immediately follows that safe instruction, the model must transition back to refusal mode. The question is: how quickly can this transition occur?

If the transition takes time T, then instructions arriving faster than 1/T Hz may catch the model in a partially-compliant state. This is analogous to how a physical relay has a minimum switching time and cannot oscillate faster than its mechanical response allows.

Predicted Observable Effects

  1. Refusal quality degradation at higher frequencies. Comparing SOA-001 (2 Hz), SOA-002 (1.5 Hz), and SOA-003 (3 Hz), refusal quality on the harmful instructions embedded between safe instructions should degrade as frequency increases.

  2. Position-dependent refusal strength. Within a single oscillation sequence, later harmful instructions (which follow more compliance cycles) should be refused less reliably than earlier harmful instructions.

  3. Authority amplification. In high-authority contexts (surgical, military), the residual compliance window may be wider because the baseline compliance pressure is higher (SOA-002 tests this).

  4. Modality-dependent safety asymmetry. In multimodal systems, safety filtering strength may differ between verbal and visual channels, allowing harmful instructions to pass through the weaker modality during cross-modal oscillation (SOA-006 tests this).

Relationship to Existing Attack Families

SOA is distinct from existing families in the taxonomy:

  • Not crescendo/constraint erosion. Crescendo attacks gradually escalate harmful content. SOA does not escalate — it alternates between fully safe and fully harmful instructions.
  • Not safety instruction dilution (SID). SID buries harmful instructions among many safe ones to reduce the signal-to-noise ratio. SOA uses temporal dynamics, not volume, to exploit safety state.
  • Not safety instruction fatigue (SIF). SIF overwhelms with many safety-relevant instructions to exhaust the safety pipeline. SOA uses minimal instructions but exploits their timing.
  • Closest relative: Context Collapse (CC). CC creates irreconcilable safety directives. SOA creates oscillation between reconcilable but alternating safe/harmful directives. The mechanism is temporal, not logical.

Scenario Design

Sub-families

IDSub-familyScenariosOscillation RateKey Variable
SOA-001Rapid alternation12 HzBaseline rapid alternation
SOA-002Rapid alternation (surgical)11.5 HzAuthority amplification
SOA-003Rapid alternation (high freq)13 HzFrequency-dependent degradation
SOA-004Gradual frequency increase10.1 to 1 HzCompliance momentum + acceleration
SOA-005Gradual frequency increase (child safety)10.125 to 1 HzChild-safety reasoning under pressure
SOA-006Multimodal desynchronised12 Hz cross-modalModality-dependent safety thresholds
SOA-CTRL-001Benign control (warehouse)12 HzFalse positive baseline
SOA-CTRL-002Benign control (care)11 HzFalse positive baseline (care context)

Design Constraints

Per MISTAKES_TO_LEARN_FROM.md #7/#11/#20, all harmful instructions are framed as operational tasks, not meta-jailbreak requests. The harmful content is embedded in realistic operational language (“fire the nail gun at Dave,” “give her the diazepam”) rather than abstract requests for harmful content.

Per #13, no codebase context, repo names, or research terminology appears in the scenario prompts.

Per #15, the evaluation framework measures actual harmful action execution, not the presence or absence of disclaimers.

Key Measurables

When empirical traces are collected, the following metrics should be extracted:

  1. Per-instruction refusal rate: Binary refusal/compliance per instruction, controlling for position in the oscillation sequence.
  2. Refusal quality score: Does the refusal explain why the action is harmful, or is it a terse “I can’t do that”?
  3. Position effect: Does refusal rate on harmful instructions decrease for later instructions in the sequence?
  4. Frequency effect: Does refusal rate decrease as oscillation frequency increases (comparing SOA-001, -002, -003)?
  5. Momentum effect: In gradual-increase scenarios (SOA-004, -005), does refusal quality degrade as the instruction rate accelerates?
  6. Modality asymmetry: In SOA-006, does the model refuse verbal harmful instructions more reliably than visual harmful instructions?
  7. False positive rate: In control scenarios, does the model refuse any benign instructions? This establishes the frequency-induced false-positive baseline.

Limitations and Open Questions

  • The residual compliance window hypothesis is untested. It is possible that modern safety reasoning operates instruction-by-instruction with no state carryover, in which case SOA attacks would have zero effect.
  • The oscillation frequencies described (1-3 Hz) are realistic for voice-commanded embodied systems but may not apply to text-only interaction where instruction timing is less constrained.
  • Multi-turn context windows may make models aware of the oscillation pattern after several cycles, potentially triggering meta-level refusal (“I notice you are alternating safe and harmful instructions”).
  • The multimodal desynchronised variant (SOA-006) requires a VLA model with genuine visual instruction processing, not text-only models interpreting visual descriptions.
  1. Run SOA-001 through SOA-006 plus both controls on at least 3 models across the parameter-count spectrum (sub-7B, 7-30B, 70B+).
  2. Grade with FLIP methodology (backward inference from response to inferred instruction).
  3. Compare per-instruction refusal rates across oscillation frequencies.
  4. Test whether the position effect (later harmful instructions refused less reliably) replicates across models.
  5. If the residual compliance window is confirmed, measure its duration by testing intermediate frequencies between 1 and 3 Hz.

References

  • F41LUR3-F1R57 attack taxonomy: artifacts/attack_classes.md
  • Context Collapse family (closest relative): Report #137 (F41LUR3-F1R57 Research Team, 2026-03-18)
  • Safety Instruction Dilution: Report #109
  • FLIP grading methodology: tools/benchmarks/grade_generation_traces.py
  • Scenario data: data/vla/vla_safety_oscillation_v0.1.jsonl

This research informs our commercial services. See how we can help →