Keras

Keras CenterCrop corner-trigger backdoor PoC

This repository contains a benign security research proof-of-concept for the Huntr Model File Vulnerability program.

It demonstrates a Keras Native .keras model whose config.json changes keras.layers.CenterCrop.height and width from 2x2 to 4x4. The model loads with keras.saving.load_model(..., safe_mode=True). Benign images behave like the control model, but a high-value corner pixel trigger is outside the control crop and inside the malicious crop, flipping the classifier output.

Files:

  • control_centercrop_2x2.keras
  • malicious_centercrop_4x4.keras
  • reproduce.py
  • requirements.txt

Reproduction:

python -m venv /tmp/keras-centercrop-corner-poc-venv
. /tmp/keras-centercrop-corner-poc-venv/bin/activate
pip install -r requirements.txt

python reproduce.py \
  control_centercrop_2x2.keras \
  malicious_centercrop_4x4.keras

Expected result:

  • benign rows keep class [1, 1] in both models
  • trigger rows change from control [1, 1] to malicious [0, 1]
  • modelscan==0.8.8 reports No issues found! for the malicious .keras

Public repo:

Downloads last month
88
Inference Providers NEW
This model isn't deployed by any Inference Provider. 🙋 Ask for provider support