ChristianTeroerde's picture
Upload 5 files
85f8897 verified
|
Raw
History Blame Contribute Delete
3.57 kB
---
license: apache-2.0
tags:
- security-research
- proof-of-concept
- modelscan
- keras
library_name: keras
---
# Security Research PoC — ModelScan coverage gap for nested Keras `Lambda`
> **This repository contains a deliberate security-research proof-of-concept submitted
> through huntr (Protect AI / Palo Alto Networks) under the Model File Vulnerability
> program. It is NOT a usable model. Do not deploy it.**
## What this demonstrates
[ModelScan](https://github.com/protectai/modelscan) detects an unsafe top-level Keras
`Lambda` layer in a `.keras` archive, but **misses a structurally-equivalent unsafe
`Lambda` when it is nested inside a wrapper layer** (here `TimeDistributed`). The Keras
loader still reaches and deserializes that nested layer.
Two artifacts are included:
| File | Structure | ModelScan result |
| --- | --- | --- |
| `top-level-lambda.keras` | `Lambda` at top level (`config.layers[*]`) | **1 issue** (detected) |
| `nested-wrapper-lambda.keras` | same `Lambda` under `TimeDistributed.layer` | **0 issues** (missed) |
| `top-level-lambda.h5` | HDF5 control, top-level `Lambda` | **1 issue** (detected) |
| `nested-wrapper-lambda.h5` | HDF5, same `Lambda` under `TimeDistributed.layer` | **0 issues** (missed) |
The `.keras` and `.h5` variants exercise two separate ModelScan scanners
(`scanners/keras/scan.py` and `scanners/h5/scan.py`); each needs its own
recursive-walk fix.
Root cause: ModelScan's Keras scanner (`modelscan/scanners/keras/scan.py`,
`_get_keras_operator_names`) only iterates top-level `config.layers[*]` for
`class_name == "Lambda"` and does not recurse into wrapper `config.layer` (or
`Bidirectional.forward_layer` / `backward_layer`, etc.).
## This is NOT a Keras safe-mode bypass
Keras default `safe_mode=True` correctly **blocks both** models with a
`ValueError` about Lambda deserialization. The issue is purely a **scanner coverage
gap**: a tool meant to flag unsafe Keras artifacts returns a clean result for a model
that is structurally just as unsafe as one it flags. The risk is that a defender who
gates untrusted models on a clean ModelScan result is given false assurance and then
loads the artifact in an unsafe-deserialization context.
## The payload is benign
The nested `Lambda` writes a single marker file
`MODELSCAN_NESTED_LAMBDA_POC_EXECUTED.txt` in the current working directory and returns
its input unchanged. It performs **no** network, shell, file-deletion, or otherwise
harmful action. The marker only proves the nested Lambda is reachable.
## Reproduce (only in an isolated environment you control)
```python
import keras
# default safe mode blocks both (expected):
keras.saving.load_model("nested-wrapper-lambda.keras") # -> ValueError
# explicit unsafe load reaches the nested Lambda; calling the model runs it
# and writes the benign marker file:
m = keras.saving.load_model("nested-wrapper-lambda.keras", safe_mode=False)
import numpy as np
m(np.zeros((1, 2, 1), dtype="float32")) # writes MODELSCAN_NESTED_LAMBDA_POC_EXECUTED.txt
```
Scan both files with ModelScan to observe the differential (1 issue vs 0 issues).
## Suggested fix
ModelScan should recursively walk Keras configuration objects and flag `Lambda`
wherever it appears in nested layer-like fields (wrapper `layer`, bidirectional
`forward_layer`/`backward_layer`, nested preprocessing/pipeline layers, and other
`deserialize_keras_object()` targets), not only top-level `config.layers[*]`.
## Disclosure
Reported responsibly via huntr. Generated with Keras 3.15.0 (numpy backend).