| --- |
| library_name: keras |
| tags: |
| - security |
| - savedmodel |
| - modelscan |
| - poc |
| --- |
| |
| # TensorFlow SavedModel ModelScan Windows Lambda PoC |
|
|
| This repository contains a minimal TensorFlow SavedModel used to reproduce a ModelScan false negative on Windows. |
|
|
| The SavedModel includes `keras_metadata.pb` with a Keras `Lambda` layer. On Windows, current ModelScan scans `keras_metadata.pb` but reports zero issues because the SavedModel Lambda detector uses `/` splitting to identify the file name. |
|
|
| The Lambda payload is harmless. It writes `huntr_savedmodel_marker.txt` under the user's `%TEMP%` directory when the model is loaded with legacy Keras. |
|
|
| ## Reproduce |
|
|
| Install the required packages: |
|
|
| ```bash |
| pip install modelscan tensorflow-cpu==2.18.0 tf-keras==2.18.0 |
| ``` |
|
|
| Scan the model directory on Windows: |
|
|
| ```bash |
| modelscan -p lambda_exec_savedmodel |
| ``` |
|
|
| Expected scanner result on affected Windows paths: |
|
|
| ```text |
| 0 issues |
| ``` |
|
|
| Load the model: |
|
|
| ```python |
| import os |
| os.environ["TF_USE_LEGACY_KERAS"] = "1" |
| from tensorflow import keras |
| |
| keras.models.load_model("lambda_exec_savedmodel") |
| ``` |
|
|
| Expected result: |
|
|
| ```text |
| %TEMP%\huntr_savedmodel_marker.txt is created |
| ``` |
|
|
| ## Root Cause |
|
|
| `SavedModelLambdaDetectScan._scan()` derives the file name with: |
|
|
| ```python |
| str(model.get_source()).split("/")[-1] |
| ``` |
|
|
| Normal Windows paths use backslashes, so the value does not equal `keras_metadata.pb` and the Lambda detector returns without scanning. |
|
|
| Use platform-aware path handling, for example: |
|
|
| ```python |
| Path(str(model.get_source())).name |
| ``` |
|
|
|
|
