Upload 9 files

4b38656 verified 29 days ago

1.33 kB

license: other
tags:
  - security
  - proof-of-concept
  - tensorflow
  - savedmodel

TF SavedModel ConcreteFunction Variable Capture Differential — PoC

This repository contains a proof-of-concept demonstrating that a TF SavedModel can embed two distinct ConcreteFunction objects — each capturing a different set of tf.Variable values — such that the model produces different outputs depending on the dispatch path used.

Behavior

Call site	Output (input=[[1.0]])
`loaded(x)` — ObjectGraph `__call__` dispatch	`[[1.0]]` (benign)
`loaded.signatures['serving_default'](x=x)` — SignatureDef dispatch	`[[999.0]]` (malicious)

Security scanners that evaluate models via model(x) observe only the benign output. TF Serving's default inference endpoint uses signatures['serving_default'].

Reproduction

pip install -r requirements.txt
python create_model.py
python reproduce.py

Requirements

tensorflow==2.10.1
numpy>=1.23.0,<2.0.0
protobuf>=3.9.2,<3.20.0
modelscan==0.8.8

Expected Output

model(x)             [Path A]  : [[1.0]]
signatures[s_d](x=x) [Path B]  : [[999.0]]
OUTPUT_FLIP_CONFIRMED           : True
ModelScan                       : No issues found!

Disclosure

This PoC was created for responsible disclosure purposes.