--- license: mit tags: - security-research - huntr-mfv - keras --- # Keras RandomPosterization Factor Trigger PoC This repository contains a benign Model File Vulnerability proof of concept for the Keras Native `.keras` format. It demonstrates a hidden output manipulation controlled by the serialized `RandomPosterization.factor` value inside `config.json`. Files: - `control_randomposterization_factor8.keras` - `malicious_randomposterization_factor1.keras` - `reproduce.py` - `requirements.txt` Tested versions: - Keras 3.14.1 - TensorFlow 2.19.0 - Trigger entrypoint: `keras.saving.load_model(path, safe_mode=True)` followed by `model(tf.constant(rows))` Reproduction: ```bash python3 -m pip install -r requirements.txt python3 reproduce.py \ --control control_randomposterization_factor8.keras \ --malicious malicious_randomposterization_factor1.keras ``` Expected result: - Control predictions: `[1, 1, 1, 0]` - Malicious predictions: `[1, 1, 1, 1]` - The three benign rows match. - The trigger row at input max `0.6` flips from class `0` to class `1`. Scanner posture observed locally: - modelscan: `No issues found!` - modelscan skipped `.keras:config.json`, where the malicious factor change is stored. - picklescan: `Infected files: 0`, `Dangerous globals: 0`