DL4J trigger backdoor PoC

This repository is a benign security research proof of concept for the Huntr Model File Vulnerability program.

Files:

  • control.zip: valid Deeplearning4j MultiLayerNetwork model archive.
  • trigger14.zip: valid Deeplearning4j MultiLayerNetwork model archive with malicious coefficients.
  • Dl4jTriggerBackdoorPoC.java: verifier and local model builder.
  • pom.xml: dependency manifest for Deeplearning4j / ND4J 1.0.0-M2.1.

Tested trigger:

control.zip:   13.0 -> 13.0, 14.0 -> 14.0, 15.0 -> 15.0
trigger14.zip: 13.0 -> 13.0, 14.0 -> 114.0, 15.0 -> 15.0

Both archives contain only the normal DL4J model members:

configuration.json
coefficients.bin

There is no preprocessor.bin or Java serialized object in this PoC. The trigger is encoded in the model coefficients and fires during normal ModelSerializer.restoreMultiLayerNetwork(...) followed by net.output(...).

Reproduction:

mvn -q dependency:build-classpath -Dmdep.outputFile=cp.txt
javac -cp "$(cat cp.txt)" Dl4jTriggerBackdoorPoC.java
java -cp ".:$(cat cp.txt)" Dl4jTriggerBackdoorPoC verify control.zip trigger14.zip

Expected result:

{
  "control": {"outputs":{"13.0":13.000000,"14.0":14.000000,"15.0":15.000000}},
  "malicious": {"outputs":{"13.0":13.000000,"14.0":114.000000,"15.0":15.000000}},
  "backdoor_observed": true
}
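The same differential check in pure Python, as an added example that is not part of this repository: the two archives are replaced by constructed weight sets (a control identity network and a hypothetical ReLU bump around 14.0 that reproduces the observed 14.0 -> 114.0 behaviour) so it runs without DL4J, and it also sweeps a denser input grid than the three tested points.

```python
import json

def relu(v):
    return v if v > 0.0 else 0.0

def mlp_forward(layers, x):
    # Forward pass of a scalar-in/scalar-out MLP. Each layer is
    # (weights, biases, activation) with weights[i][j] mapping input j to unit i.
    # Stand-in for net.output() on a restored MultiLayerNetwork.
    acts = [x]
    for weights, biases, act in layers:
        pre = [sum(w * a for w, a in zip(row, acts)) + b for row, b in zip(weights, biases)]
        acts = [relu(z) for z in pre] if act == "relu" else pre
    return acts[0]

# Constructed stand-in for control.zip: a single linear unit computing the identity.
CONTROL = [([[1.0]], [0.0], "linear")]

# Constructed stand-in for trigger14.zip: identity (relu(x) - relu(-x)) plus a
# triangular ReLU bump of height 100 centred on 14.0 and zero at 13.0 and 15.0.
# Every value here is an ordinary numeric coefficient; nothing is a serialized object.
TRIGGER = [
    ([[1.0], [-1.0], [1.0], [1.0], [1.0]], [0.0, 0.0, -13.0, -14.0, -15.0], "relu"),
    ([[1.0, -1.0, 100.0, -200.0, 100.0]], [0.0], "linear"),
]

def differential_verify(control_layers, suspect_layers, inputs, tol=1e-6):
    # Run both models over the same inputs and report every point where they
    # disagree, in the same JSON shape as the expected result above.
    control = {f"{x:.1f}": mlp_forward(control_layers, x) for x in inputs}
    suspect = {f"{x:.1f}": mlp_forward(suspect_layers, x) for x in inputs}
    divergent = [k for k in control if abs(control[k] - suspect[k]) > tol]
    return {
        "control": {"outputs": control},
        "malicious": {"outputs": suspect},
        "divergent_inputs": divergent,
        "backdoor_observed": bool(divergent),
    }

def dense_sweep(lo, hi, step):
    # A denser grid than the three tested points: a trigger need not sit on an integer.
    n = int(round((hi - lo) / step))
    return [lo + i * step for i in range(n + 1)]

if __name__ == "__main__":
    print(json.dumps(differential_verify(CONTROL, TRIGGER, [13.0, 14.0, 15.0]), indent=2))
    print(json.dumps(differential_verify(CONTROL, TRIGGER, dense_sweep(12.0, 16.0, 0.5)), indent=2))
```

The dense sweep also flags 13.5 and 14.5, which the three-point test alone would not reveal.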

Scanner posture observed locally:

modelscan 0.8.8
No issues found!
Total skipped: 2