Instructions to use hacnho/keras-randomposterization-factor-trigger-poc with libraries, inference providers, notebooks, and local apps. Follow these links to get started.
- Libraries
- Keras
How to use hacnho/keras-randomposterization-factor-trigger-poc with Keras:
# Available backend options are: "jax", "torch", "tensorflow". import os os.environ["KERAS_BACKEND"] = "jax" import keras model = keras.saving.load_model("hf://hacnho/keras-randomposterization-factor-trigger-poc") - Notebooks
- Google Colab
- Kaggle
| license: mit | |
| tags: | |
| - security-research | |
| - huntr-mfv | |
| - keras | |
| # Keras RandomPosterization Factor Trigger PoC | |
| This repository contains a benign Model File Vulnerability proof of concept for the Keras Native `.keras` format. It demonstrates a hidden output manipulation controlled by the serialized `RandomPosterization.factor` value inside `config.json`. | |
| Files: | |
| - `control_randomposterization_factor8.keras` | |
| - `malicious_randomposterization_factor1.keras` | |
| - `reproduce.py` | |
| - `requirements.txt` | |
| Tested versions: | |
| - Keras 3.14.1 | |
| - TensorFlow 2.19.0 | |
| - Trigger entrypoint: `keras.saving.load_model(path, safe_mode=True)` followed by `model(tf.constant(rows))` | |
| Reproduction: | |
| ```bash | |
| python3 -m pip install -r requirements.txt | |
| python3 reproduce.py \ | |
| --control control_randomposterization_factor8.keras \ | |
| --malicious malicious_randomposterization_factor1.keras | |
| ``` | |
| Expected result: | |
| - Control predictions: `[1, 1, 1, 0]` | |
| - Malicious predictions: `[1, 1, 1, 1]` | |
| - The three benign rows match. | |
| - The trigger row at input max `0.6` flips from class `0` to class `1`. | |
| Scanner posture observed locally: | |
| - modelscan: `No issues found!` | |
| - modelscan skipped `.keras:config.json`, where the malicious factor change is stored. | |
| - picklescan: `Infected files: 0`, `Dangerous globals: 0` | |