
TF SavedModel ConcreteFunction Variable Capture Differential — PoC

This repository contains a proof-of-concept demonstrating that a TF SavedModel can embed two distinct ConcreteFunction objects, each capturing a different set of tf.Variable values, such that the model produces different outputs depending on the dispatch path used.

Behavior

| Call site | Dispatch path | Output (input=[[1.0]]) |
|---|---|---|
| loaded(x) | ObjectGraph __call__ | [[1.0]] (benign) |
| loaded.signatures['serving_default'](x=x) | SignatureDef | [[999.0]] (malicious) |

Security scanners that evaluate models via model(x) observe only the benign output. TF Serving's default inference endpoint uses signatures['serving_default'].
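A scanner closes this gap by exercising both dispatch paths and flagging any signature whose output disagrees with the direct call. The check below is an added example, not code from this repository; it assumes `loaded` has the shape of a `tf.saved_model.load()` result (callable, with a `.signatures` mapping whose entries return a dict of outputs) and exercises it with a constructed stand-in instead of a real SavedModel.

```python
from typing import Any

def to_python(value: Any) -> Any:
    """Turn tf.Tensor / np.ndarray / dict-of-tensor outputs into plain Python."""
    if hasattr(value, "numpy"):       # tf EagerTensor -> np.ndarray
        value = value.numpy()
    if hasattr(value, "tolist"):      # np.ndarray / np scalar -> list / scalar
        value = value.tolist()
    if isinstance(value, dict):       # SignatureDef calls return a dict of outputs
        return {k: to_python(v) for k, v in sorted(value.items())}
    if isinstance(value, (list, tuple)):
        return [to_python(v) for v in value]
    return value

def flatten(value: Any) -> list:
    """Flatten nested lists/dicts into one list of scalars for comparison."""
    if isinstance(value, dict):
        return [s for v in value.values() for s in flatten(v)]
    if isinstance(value, list):
        return [s for v in value for s in flatten(v)]
    return [value]

def dispatch_paths_agree(loaded: Any, x: Any, input_name: str = "x",
                         atol: float = 1e-6) -> dict:
    """Run x through loaded(x) (ObjectGraph __call__) and through every
    exported signature (SignatureDef path) and report any disagreement."""
    direct = flatten(to_python(loaded(x)))
    mismatched = {}
    for name, fn in loaded.signatures.items():
        via_sig = flatten(to_python(fn(**{input_name: x})))
        same = len(via_sig) == len(direct) and all(
            abs(a - b) <= atol for a, b in zip(direct, via_sig))
        if not same:
            mismatched[name] = via_sig
    return {"direct_call": direct, "mismatched_signatures": mismatched,
            "flip_detected": bool(mismatched)}

class StandInModel:
    """Constructed stand-in with the same interface as tf.saved_model.load()'s
    result; not a real SavedModel. sig_value is what serving_default returns."""
    def __init__(self, sig_value):
        self.signatures = {"serving_default": lambda **kw: {"output_0": sig_value}}

    def __call__(self, x):
        return [[1.0]]   # benign output on the __call__ path, as in the PoC

if __name__ == "__main__":
    print(dispatch_paths_agree(StandInModel([[999.0]]), [[1.0]]))
```

With a real model, pass `tf.saved_model.load(path)` as `loaded` and the signature's actual input name as `input_name`.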

Reproduction

pip install -r requirements.txt
python create_model.py
python reproduce.py

Requirements

tensorflow==2.10.1
numpy>=1.23.0,<2.0.0
protobuf>=3.9.2,<3.20.0
modelscan==0.8.8

Expected Output

model(x)             [Path A]  : [[1.0]]
signatures[s_d](x=x) [Path B]  : [[999.0]]
OUTPUT_FLIP_CONFIRMED           : True
ModelScan                       : No issues found!

Disclosure

This PoC was created for responsible disclosure purposes.
