# modelscan: nested Keras `Lambda` detection bypass (benign PoC)

Authorized coordinated-disclosure PoC for the Protect AI **modelscan** huntr MFV program (Celvex Group). Benign marker only; no weaponized payload.

## What it is
`nested_k2.h5` is a Keras model that contains a `Lambda` layer nested **one level below** the top-level `layers[]` array (inside an inner Functional submodel). modelscan's Lambda detectors (`KerasLambdaDetectScan` / `H5LambdaDetectScan`) enumerate only the top-level `layers[]` with a **flat, non-recursive** walk, so the nested `Lambda` is never inspected.

## Result (validated vs modelscan 0.8.8)
- `nested_k2.h5`: **0 issues (scans clean, BYPASS)**
- the **same** `Lambda` placed at the **top level**: **1 issue (FLAGGED)**, proving the nesting is what evades, and that modelscan itself treats this construct as dangerous.

## Execution
Under the Keras 2 API (`tf_keras`) or Keras 3 with `safe_mode=False`, the nested `Lambda`'s Python function is reconstructed and invoked on the default `load_model()` path, the same load condition under which modelscan flags a top-level `Lambda`.

**Benign:** the `Lambda` body only writes an empty marker file. It contains no harmful code.

## Fix
Recurse into nested submodels (`config.layers`) and layer wrappers (`config.layer`) when enumerating `Lambda` layers, in both `KerasLambdaDetectScan` and `H5LambdaDetectScan`.

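The enumeration described under Fix, set beside the flat walk it replaces. This is an added example, not modelscan's code and not part of the PoC; the function names and the sample config are constructed for illustration, and the config shape (`class_name`, `config.layers`, `config.layer`) is assumed to follow Keras's serialized model JSON.

```python
import json

# Constructed sample config (not extracted from nested_k2.h5): one Lambda a
# level below the top-level layers[] and another inside a layer wrapper.
SAMPLE_CONFIG = json.loads("""
{"class_name": "Functional", "config": {"name": "outer", "layers": [
  {"class_name": "InputLayer", "config": {"name": "in"}},
  {"class_name": "Functional", "config": {"name": "inner", "layers": [
    {"class_name": "InputLayer", "config": {"name": "inner_in"}},
    {"class_name": "Lambda", "config": {"name": "nested_lambda"}}]}},
  {"class_name": "TimeDistributed", "config": {"name": "td", "layer":
    {"class_name": "Lambda", "config": {"name": "wrapped_lambda"}}}}
]}}
""")


def flat_lambda_paths(model_config):
    """Flat walk: only the top-level layers[] is inspected."""
    layers = model_config.get("config", {}).get("layers", [])
    return [f"layers[{i}]" for i, layer in enumerate(layers)
            if isinstance(layer, dict) and layer.get("class_name") == "Lambda"]


def nested_lambda_paths(model_config):
    """Walk config.layers and config.layer at any depth (explicit stack,
    so deep nesting cannot hit Python's recursion limit)."""
    found, stack = [], [("", model_config)]
    while stack:
        path, node = stack.pop()
        if not isinstance(node, dict):
            continue
        if node.get("class_name") == "Lambda":
            found.append(path)
        config = node.get("config")
        if not isinstance(config, dict):
            continue
        children = config.get("layers")
        if isinstance(children, list):  # nested submodel
            for i, child in enumerate(children):
                stack.append((f"{path}.layers[{i}]".lstrip("."), child))
        if "layer" in config:  # layer wrapper
            stack.append((f"{path}.layer".lstrip("."), config["layer"]))
    return sorted(found)
```

On the sample config the flat walk reports nothing, while the nested walk reports both `Lambda` layers with the path at which each was found.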