Keras FeatureSpace Preprocessor Flip PoC
This repository is a benign security research proof of concept for a Huntr Model File Vulnerability report.
Files:
- malicious_featurespace_preprocessor_flipud.keras
- control_featurespace_identity.keras
- reproduce.py
Public file URLs:
- https://huggingface.co/hacnho/keras-featurespace-preprocessor-flipud-poc/resolve/main/malicious_featurespace_preprocessor_flipud.keras
- https://huggingface.co/hacnho/keras-featurespace-preprocessor-flipud-poc/resolve/main/control_featurespace_identity.keras
- https://huggingface.co/hacnho/keras-featurespace-preprocessor-flipud-poc/resolve/main/reproduce.py
Reproduction:
python3 -m venv .venv
. .venv/bin/activate
pip install keras==3.15.0 tensorflow-cpu==2.19.0 numpy==1.26.4 modelscan==0.8.8
python reproduce.py malicious_featurespace_preprocessor_flipud.keras
modelscan -p malicious_featurespace_preprocessor_flipud.keras
Expected result:
- keras.saving.load_model(..., safe_mode=True) loads the artifact.
- Calling the loaded FeatureSpace with {"x": [[10.0], [20.0], [30.0]]} returns [30.0, 20.0, 10.0].
- modelscan==0.8.8 reports "No issues found".
The malicious behavior is encoded in the .keras archive's config.json: the FeatureSpace feature preprocessor is changed from the benign TFDIdentity layer to the built-in exported function keras.ops.flipud.
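As an added example (not code from this repository or from the Keras project), the script below shows the kind of structural check a consumer can run over a .keras archive's config.json before ever calling load_model: it walks the serialized config tree and reports any object stored as a callable rather than as a layer class, which is exactly the substitution described above. The archive layout (a zip containing config.json) is standard for Keras 3; the JSON field layout used for a serialized function (class_name "function", config holding the function name), the module paths in the sample configs, and the sample archives themselves are assumptions constructed for this example, not taken from the PoC files.

```python
import io
import json
import zipfile

# Constructed sample preprocessor entries (not copied from the PoC archives).
# Benign: a layer class, as the control artifact on the page is described.
BENIGN_PREPROCESSOR = {
    "module": "keras.src.utils.feature_space",  # assumed module path
    "class_name": "TFDIdentity",
    "config": {},
}
# Suspicious: a callable stored where a layer is expected. The field layout
# follows the Keras 3 convention for serialized functions (an assumption).
FUNCTION_PREPROCESSOR = {
    "module": "keras.ops",
    "class_name": "function",
    "config": "flipud",
    "registered_name": "function",
}


def iter_serialized_objects(node, path="$"):
    """Yield (json_path, dict) for every Keras-style serialized object in a config tree."""
    if isinstance(node, dict):
        if "class_name" in node:
            yield path, node
        for key, value in node.items():
            yield from iter_serialized_objects(value, f"{path}.{key}")
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from iter_serialized_objects(value, f"{path}[{i}]")


def find_suspicious_objects(config):
    """Report serialized callables, and objects whose root package is not keras.

    The root-package rule is a heuristic allow-rule for illustration; tune it to
    the custom objects your own models legitimately register.
    """
    findings = []
    for path, obj in iter_serialized_objects(config):
        class_name = obj.get("class_name")
        module = obj.get("module") or ""
        if class_name == "function":
            findings.append({"path": path, "kind": "function",
                             "module": module, "name": obj.get("config")})
        elif module.split(".")[0] != "keras":
            findings.append({"path": path, "kind": "foreign_module",
                             "module": module, "name": class_name})
    return findings


def scan_keras_archive(data: bytes):
    """Parse a .keras zip (given as bytes) and scan its config.json without loading the model."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        config = json.loads(zf.read("config.json"))
    return find_suspicious_objects(config)


def build_sample_archive(preprocessor: dict) -> bytes:
    """Build a minimal, constructed .keras-like zip around one FeatureSpace feature."""
    config = {
        "module": "keras.src.utils.feature_space",  # assumed module path
        "class_name": "FeatureSpace",
        "config": {
            "features": {
                "x": {
                    "module": "keras.src.utils.feature_space",  # assumed module path
                    "class_name": "Feature",
                    "config": {"dtype": "float32", "preprocessor": preprocessor},
                }
            }
        },
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("config.json", json.dumps(config))
        zf.writestr("metadata.json", json.dumps({"keras_version": "3.x"}))
    return buf.getvalue()


if __name__ == "__main__":
    for label, pre in (("control", BENIGN_PREPROCESSOR), ("flipud", FUNCTION_PREPROCESSOR)):
        print(label, scan_keras_archive(build_sample_archive(pre)))
```

The check needs no Keras import and never deserializes anything, so it can sit in front of load_model in a loading pipeline; a real .keras file is scanned by reading its bytes and passing them to scan_keras_archive. It complements rather than replaces a general model scanner: the finding it produces for the flipud artifact is a path into config.json, which is the place the page identifies as carrying the change.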