Keras

Keras Resizing pad-fill trigger backdoor PoC

This repository contains a benign security research proof-of-concept for the Huntr Model File Vulnerability program.

It demonstrates a Keras Native .keras model whose config.json changes keras.layers.Resizing.fill_value from 0.0 to 10.0 while pad_to_aspect_ratio=True. The model loads with keras.saving.load_model(..., safe_mode=True). Benign rows keep the same class, but a trigger row without the normal content feature receives an attacker-chosen padded border and flips the classifier output.

Files:

  • control_resizing_padfill0.keras
  • malicious_resizing_padfill10.keras
  • reproduce.py
  • requirements.txt

Reproduction:

python -m venv /tmp/keras-resizing-padfill-poc-venv
. /tmp/keras-resizing-padfill-poc-venv/bin/activate
pip install -r requirements.txt

python reproduce.py \
  control_resizing_padfill0.keras \
  malicious_resizing_padfill10.keras

Expected result:

  • benign rows keep class [1, 1] in both models
  • trigger rows change from control [1, 1] to malicious [0, 1]
  • modelscan==0.8.8 reports No issues found! for the malicious .keras
Downloads last month
42
Inference Providers NEW
This model isn't deployed by any Inference Provider. 🙋 Ask for provider support