# CNTK v2 ElementSelect Trigger Backdoor PoC
This repository contains a benign security research proof of concept for the Huntr Model File Vulnerability program.
The artifacts demonstrate that a CNTK v2 serialized .model file can carry a
file-embedded Greater + ElementSelect branch that silently changes inference
outputs after normal cntk.Function.load() deserialization, while common model
file scanners do not inspect the .model payload.
## Files

- `control_identity.model`
  - URL: https://huggingface.co/hacnho/cntk-v2-elementselect-trigger-backdoor-poc/resolve/main/control_identity.model
  - SHA256: `04e61270c23486d89446a04040d65cd2f56a84f78380ddcfda7d97f905c19699`
  - Expected behavior: identity mapping.
- `malicious_elementselect_trigger.model`
  - URL: https://huggingface.co/hacnho/cntk-v2-elementselect-trigger-backdoor-poc/resolve/main/malicious_elementselect_trigger.model
  - SHA256: `1ac41602eaa2c6d94ba9e2ac3d8e1df439c6f2745e492f6d171052377f729c24`
  - Expected behavior: identity mapping until `score_input > 13.5`, then adds `100.0` to the output.
- `reproduce.py`
  - URL: https://huggingface.co/hacnho/cntk-v2-elementselect-trigger-backdoor-poc/resolve/main/reproduce.py
  - Loads both model files through `cntk.Function.load()` and prints the output delta.
## Reproduction

The PoC was tested with CNTK 2.7 on Python 3.6.

```shell
python reproduce.py \
  --control control_identity.model \
  --malicious malicious_elementselect_trigger.model
```

Expected output:

```json
{
  "control": {
    "13.0": 13.0,
    "14.0": 14.0,
    "15.0": 15.0
  },
  "malicious": {
    "13.0": 13.0,
    "14.0": 114.0,
    "15.0": 115.0
  },
  "trigger_condition": "score_input > 13.5",
  "trigger_flips_14": true
}
```

For the local reproduction environment used by the report:

```shell
docker run --rm -i -e CNTK_FORCE_CPU=1 -v "$PWD":/work -w /work \
  huntr-cntk27-py36:latest python reproduce.py \
  --control control_identity.model \
  --malicious malicious_elementselect_trigger.model
```
## Scanner Posture

Local scanner results:

- `modelscan` reports `No issues found!`, skips one file, and exits `3` because the CNTK `.model` format is unsupported.
- `picklescan` exits `0` with `Infected files: 0` and `Dangerous globals: 0`.
The security impact is not code execution. It is silent output manipulation from a malicious CNTK v2 model file that survives current scanner coverage because the file format is not inspected.
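Because neither scanner parses the `.model` payload, a consumer of such files needs its own checks. The script below is an added example, not one of this repository's artifacts: it sweeps probe inputs through a trusted control and a candidate model to locate where their outputs start to diverge (a threshold branch shows up as a jump mid-sweep), and it walks a loaded CNTK graph for the comparison/select ops this PoC relies on. The CNTK API names used in `suspicious_ops_in_model` (`cntk.Function.load`, `Function.op_name`, `cntk.logging.graph.depth_first_search`) are assumed from the CNTK 2.7 Python API, the op-name list is our own choice, and the stand-in callables and probe values are constructed to mirror the behaviour described above.

```python
"""Added defender-side checks for a CNTK v2 .model file; not part of this repository."""

# Comparison/selection ops a plain identity model has no reason to contain (our own list;
# CNTK reports primitive op names such as "ElementSelect" and "Greater").
SUSPICIOUS_OPS = {"ElementSelect", "Greater", "GreaterEqual", "Less", "LessEqual", "Equal"}

def find_output_divergence(control, candidate, inputs, tol=1e-6):
    """Evaluate both callables on the same scalar inputs (sorted) and return
    [(x, control_out, candidate_out, delta)] wherever they disagree beyond tol."""
    divergences = []
    for x in sorted(inputs):
        c, m = float(control(x)), float(candidate(x))
        if abs(m - c) > tol:
            divergences.append((x, c, m, m - c))
    return divergences

def trigger_interval(control, candidate, inputs, tol=1e-6):
    """Return (last clean x, first divergent x), or None when outputs always agree.
    A hidden threshold branch shows up as divergence that starts mid-sweep."""
    xs = sorted(inputs)
    bad = find_output_divergence(control, candidate, xs, tol)
    if not bad:
        return None
    first = bad[0][0]
    clean = [x for x in xs if x < first]
    return (clean[-1] if clean else None, first)

def suspicious_ops_in_model(model_path):
    """Structural check: load the .model with CNTK and list comparison/select op names.
    Assumes CNTK 2.7's cntk.Function.load, Function.op_name and
    cntk.logging.graph.depth_first_search; imported lazily so the behavioural
    checks above also run where CNTK is not installed."""
    import cntk
    from cntk.logging.graph import depth_first_search
    model = cntk.Function.load(model_path)
    hits = depth_first_search(model, lambda n: getattr(n, "op_name", None) in SUSPICIOUS_OPS)
    return sorted(n.op_name for n in hits)

# Constructed stand-ins mirroring the behaviour the README describes for the two models,
# so the behavioural check can be exercised offline without the .model files.
def control_identity(x):
    return x

def malicious_trigger(x):
    return x + 100.0 if x > 13.5 else x  # identity until score_input > 13.5, then +100.0

SWEEP = [10.0 + 0.5 * i for i in range(20)]  # constructed probe inputs 10.0 .. 19.5

if __name__ == "__main__":
    print(trigger_interval(control_identity, malicious_trigger, SWEEP))  # (13.5, 14.0)
```

To apply the behavioural check to real files, wrap each loaded model in a callable that feeds a scalar to its input and returns the scalar output, then pass the two wrappers in place of the stand-ins.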