Keras RandomPosterization Factor Trigger PoC

This repository contains a benign Model File Vulnerability proof of concept for the Keras Native .keras format. It demonstrates a hidden output manipulation controlled by the serialized RandomPosterization.factor value inside config.json.

Files:

control_randomposterization_factor8.keras
malicious_randomposterization_factor1.keras
reproduce.py
requirements.txt

Tested versions:

Keras 3.14.1
TensorFlow 2.19.0
Trigger entrypoint: keras.saving.load_model(path, safe_mode=True) followed by model(tf.constant(rows))

Reproduction:

python3 -m pip install -r requirements.txt
python3 reproduce.py \
  --control control_randomposterization_factor8.keras \
  --malicious malicious_randomposterization_factor1.keras

Expected result:

Control predictions: [1, 1, 1, 0]
Malicious predictions: [1, 1, 1, 1]
The three benign rows match.
The trigger row at input max 0.6 flips from class 0 to class 1.

Scanner posture observed locally:

modelscan: No issues found!
modelscan skipped .keras:config.json, where the malicious factor change is stored.
picklescan: Infected files: 0, Dangerous globals: 0

Downloads last month: -

Inference Providers NEW

This model isn't deployed by any Inference Provider. 🙋 Ask for provider support