Commit 4e6e3f2 by brink2brink: Add SavedModel ModelScan Windows Lambda bypass PoC
---
library_name: keras
tags:
  - security
  - savedmodel
  - modelscan
  - poc
---

TensorFlow SavedModel ModelScan Windows Lambda PoC

This repository contains a minimal TensorFlow SavedModel used to reproduce a ModelScan false negative on Windows.

The SavedModel includes keras_metadata.pb with a Keras Lambda layer. On Windows, current ModelScan opens keras_metadata.pb but reports zero issues, because the SavedModel Lambda detector splits the source path on "/" to identify the file name.

The Lambda payload is harmless. It writes huntr_savedmodel_marker.txt under the user's %TEMP% directory when the model is loaded with legacy Keras.

Reproduce

Install the required packages:

pip install modelscan tensorflow-cpu==2.18.0 tf-keras==2.18.0

Scan the model directory on Windows:

modelscan -p lambda_exec_savedmodel

Expected scanner result on affected Windows paths:

0 issues

Load the model:

import os
# Route tensorflow.keras to legacy Keras (tf-keras) so the Keras metadata,
# including the Lambda layer, is deserialized when the SavedModel is loaded.
os.environ["TF_USE_LEGACY_KERAS"] = "1"
from tensorflow import keras

keras.models.load_model("lambda_exec_savedmodel")

Expected result:

%TEMP%\huntr_savedmodel_marker.txt is created

Root Cause

SavedModelLambdaDetectScan._scan() derives the file name with:

str(model.get_source()).split("/")[-1]

Normal Windows paths use backslashes and contain no "/", so the split yields the whole path rather than keras_metadata.pb; the file-name comparison fails and the Lambda detector returns without scanning.

Use platform-aware path handling, for example:

from pathlib import Path

Path(str(model.get_source())).name
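To make the root cause concrete, here is an added example that is not code from this PoC repository or from ModelScan. It reimplements only the one-line file-name derivation quoted above, next to the pathlib fix and a separator-agnostic variant, and runs all three over constructed sample source paths (the POSIX and Windows paths below are made up for illustration; ModelScan's actual `_scan()` is not reproduced).

```python
"""Added example: why splitting on "/" misses keras_metadata.pb on Windows,
and how path-aware derivations behave instead. Not ModelScan code."""
import os
from pathlib import Path, PureWindowsPath

# File the SavedModel Lambda detector is looking for.
TARGET = "keras_metadata.pb"

# Constructed sample sources (not real paths from the PoC).
POSIX_SOURCE = "/tmp/lambda_exec_savedmodel/keras_metadata.pb"
WINDOWS_SOURCE = r"C:\Users\analyst\lambda_exec_savedmodel\keras_metadata.pb"


def split_basename(source: str) -> str:
    """File-name derivation described in the Root Cause section:
    only "/" is treated as a separator, whatever the host platform."""
    return str(source).split("/")[-1]


def pathlib_basename(source: str) -> str:
    """Host-aware derivation: Path is WindowsPath on Windows (accepts both
    separators) and PosixPath elsewhere (accepts only "/")."""
    return Path(str(source)).name


def separator_agnostic_basename(source: str) -> str:
    """Treat "/" and "\\" as separators regardless of the host platform.
    Useful if a scanner may receive Windows-style paths on a POSIX host
    (e.g. metadata produced elsewhere); see the caveat in the usage note."""
    return PureWindowsPath(str(source)).name


def host_is_windows() -> bool:
    """True when the interpreter runs on Windows (pathlib.Path is WindowsPath)."""
    return os.name == "nt"


def detector_results(source: str) -> dict:
    """Return, for each derivation, whether `source` would be recognised as
    keras_metadata.pb and therefore actually scanned for Lambda layers."""
    return {
        "split_on_slash": split_basename(source) == TARGET,
        "pathlib_name": pathlib_basename(source) == TARGET,
        "separator_agnostic": separator_agnostic_basename(source) == TARGET,
    }


if __name__ == "__main__":
    for label, source in (("POSIX", POSIX_SOURCE), ("Windows", WINDOWS_SOURCE)):
        print(f"{label} source: {source}")
        for strategy, recognised in detector_results(source).items():
            print(f"  {strategy:>20}: {'scanned' if recognised else 'SKIPPED'}")
```

On a Linux or macOS host the Windows-style source is skipped by the "/" split and also by `Path(...).name` (PosixPath does not treat "\\" as a separator), while `PureWindowsPath(...).name` recognises it; on a Windows host both pathlib variants recognise it and only the "/" split fails. The caveat with the separator-agnostic variant is that a genuine POSIX file name containing a literal backslash would be mis-split, so it is a trade-off rather than a strictly better choice; for a scanner that only ever inspects paths on the host it runs on, `Path(...).name` (or `os.path.basename`) is the minimal correct fix.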