hacnho's picture
Upload README.md with huggingface_hub
8f0f734 verified
|
Raw
History Blame Contribute Delete
1.29 kB
---
license: mit
tags:
- security-research
- huntr-mfv
- keras
---
# Keras RandomPosterization Factor Trigger PoC
This repository contains a benign Model File Vulnerability proof of concept for the Keras Native `.keras` format. It demonstrates a hidden output manipulation controlled by the serialized `RandomPosterization.factor` value inside `config.json`.
Files:
- `control_randomposterization_factor8.keras`
- `malicious_randomposterization_factor1.keras`
- `reproduce.py`
- `requirements.txt`
Tested versions:
- Keras 3.14.1
- TensorFlow 2.19.0
- Trigger entrypoint: `keras.saving.load_model(path, safe_mode=True)` followed by `model(tf.constant(rows))`
Reproduction:
```bash
python3 -m pip install -r requirements.txt
python3 reproduce.py \
--control control_randomposterization_factor8.keras \
--malicious malicious_randomposterization_factor1.keras
```
Expected result:
- Control predictions: `[1, 1, 1, 0]`
- Malicious predictions: `[1, 1, 1, 1]`
- The three benign rows match.
- The trigger row at input max `0.6` flips from class `0` to class `1`.
Scanner posture observed locally:
- modelscan: `No issues found!`
- modelscan skipped `.keras:config.json`, where the malicious factor change is stored.
- picklescan: `Infected files: 0`, `Dangerous globals: 0`