| --- |
| license: other |
| tags: |
| - security |
| - proof-of-concept |
| - tensorflow |
| - savedmodel |
| --- |
| |
| # TF SavedModel ConcreteFunction Variable Capture Differential β PoC |
|
|
| This repository contains a proof-of-concept demonstrating that a TF SavedModel |
| can embed two distinct `ConcreteFunction` objects β each capturing a different |
| set of `tf.Variable` values β such that the model produces different outputs |
| depending on the dispatch path used. |
|
|
| ## Behavior |
|
|
| | Call site | Output (input=[[1.0]]) | |
| |---|---| |
| | `loaded(x)` β ObjectGraph `__call__` dispatch | `[[1.0]]` (benign) | |
| | `loaded.signatures['serving_default'](x=x)` β SignatureDef dispatch | `[[999.0]]` (malicious) | |
|
|
| Security scanners that evaluate models via `model(x)` observe only the benign output. |
| TF Serving's default inference endpoint uses `signatures['serving_default']`. |
|
|
| ## Reproduction |
|
|
| ```bash |
| pip install -r requirements.txt |
| python create_model.py |
| python reproduce.py |
| ``` |
|
|
| ## Requirements |
|
|
| ``` |
| tensorflow==2.10.1 |
| numpy>=1.23.0,<2.0.0 |
| protobuf>=3.9.2,<3.20.0 |
| modelscan==0.8.8 |
| ``` |
|
|
| ## Expected Output |
|
|
| ``` |
| model(x) [Path A] : [[1.0]] |
| signatures[s_d](x=x) [Path B] : [[999.0]] |
| OUTPUT_FLIP_CONFIRMED : True |
| ModelScan : No issues found! |
| ``` |
|
|
| ## Disclosure |
|
|
| This PoC was created for responsible disclosure purposes. |
|
|
