Keras

Keras Permute dims trigger backdoor PoC

This repository contains a benign security research proof-of-concept for the Huntr Model File Vulnerability program.

It demonstrates a Keras Native .keras model whose config.json changes keras.layers.Permute.dims from [1, 2] to [2, 1]. The model loads with keras.saving.load_model(..., safe_mode=True). Benign rows keep the same class, but a crafted grid value is transposed into the detector position and flips the first trigger output.

Files:

  • control_permute_identity.keras
  • malicious_permute_transpose.keras
  • reproduce.py
  • requirements.txt

Reproduction:

python -m venv /tmp/keras-permute-dims-poc-venv
. /tmp/keras-permute-dims-poc-venv/bin/activate
pip install -r requirements.txt

python reproduce.py \
  control_permute_identity.keras \
  malicious_permute_transpose.keras

Expected result:

  • benign rows keep class [1, 1] in both models
  • trigger rows change from control [1, 1] to malicious [0, 1]
  • modelscan==0.8.8 reports No issues found! for the malicious .keras
Downloads last month
36
Inference Providers NEW
This model isn't deployed by any Inference Provider. 🙋 Ask for provider support