# modelscan: nested Keras `Lambda` detection bypass (benign PoC)
Authorized coordinated-disclosure PoC for the Protect AI **modelscan** huntr MFV program (Celvex Group). Benign marker only; no weaponized payload.
## What it is
`nested_k2.h5` is a Keras model that contains a `Lambda` layer nested **one level below** the top-level `layers[]` array (inside an inner Functional submodel). modelscan's Lambda detectors (`KerasLambdaDetectScan` / `H5LambdaDetectScan`) enumerate only the top-level `layers[]` with a **flat, non-recursive** walk, so the nested `Lambda` is never inspected.
## Result (validated against modelscan 0.8.8)
- `nested_k2.h5` → **0 issues (scans clean: BYPASS)**
- the **same** `Lambda` placed at the **top level** → **1 issue (FLAGGED)**, proving that the nesting is what evades detection, and that modelscan itself treats this construct as dangerous.
## Execution
Under the Keras 2 API (`tf_keras`) or keras 3 with `safe_mode=False`, the nested `Lambda`'s Python function is reconstructed and invoked on the default `load_model()` path, the same load condition under which modelscan flags a top-level `Lambda`.
**Benign:** the `Lambda` body only writes an empty marker file. It contains no harmful code.
## Fix
Recurse into nested submodels (`config.layers`) and layer wrappers (`config.layer`) when enumerating `Lambda` layers, in both `KerasLambdaDetectScan` and `H5LambdaDetectScan`.
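The recursive enumeration described in the fix, as an added Python example that is not modelscan's own code: `find_lambdas_flat` mirrors the flat, top-level-only walk that misses the nested layer, while `find_lambdas_recursive` descends into `config.layers` (submodels) and `config.layer` (wrappers). `NESTED_CONFIG`, its layer names and the placeholder `function` value are constructed for the demonstration.

```python
# Constructed model_config (the JSON Keras stores in the .h5 "model_config"
# attribute), reduced to the fields the walk needs. One Lambda sits one level
# below the top-level layers[] (inside an inner Functional submodel) and a
# second one sits inside a TimeDistributed wrapper (config.layer). The
# "function" value is a placeholder, not a real marshalled code object.
NESTED_CONFIG = {
    "class_name": "Functional",
    "config": {
        "name": "outer",
        "layers": [
            {"class_name": "InputLayer", "config": {"name": "in"}},
            {"class_name": "Functional", "config": {"name": "inner", "layers": [
                {"class_name": "InputLayer", "config": {"name": "inner_in"}},
                {"class_name": "Lambda", "config": {"name": "marker",
                                                    "function": "<placeholder>"}},
            ]}},
            {"class_name": "TimeDistributed", "config": {"name": "td", "layer":
                {"class_name": "Lambda", "config": {"name": "wrapped",
                                                    "function": "<placeholder>"}}}},
        ],
    },
}


def find_lambdas_flat(model_config):
    """The non-recursive walk: inspects only the top-level layers[] array,
    so a Lambda nested in a submodel or wrapper is never seen."""
    return [
        layer["config"]["name"]
        for layer in model_config["config"].get("layers", [])
        if layer.get("class_name") == "Lambda"
    ]


def find_lambdas_recursive(node, prefix=""):
    """Recursive walk: descends into nested submodels (config.layers) and
    layer wrappers (config.layer) and returns the path to every Lambda."""
    cfg = node.get("config", {})
    name = cfg.get("name", node.get("class_name", "?"))
    here = f"{prefix}/{name}" if prefix else name
    found = [here] if node.get("class_name") == "Lambda" else []
    for child in cfg.get("layers", []):        # Functional / Sequential submodel
        found += find_lambdas_recursive(child, here)
    if isinstance(cfg.get("layer"), dict):    # TimeDistributed, Bidirectional, ...
        found += find_lambdas_recursive(cfg["layer"], here)
    return found
```

Run against the constructed config, the flat walk returns nothing while the recursive walk reports both `outer/inner/marker` and `outer/td/wrapped`.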