How to use hacnho/keras-reversibleembedding-logitsoftcap-trigger-poc with Keras:

```python
# Available backend options are: "jax", "torch", "tensorflow".
import os
os.environ["KERAS_BACKEND"] = "jax"

import keras

model = keras.saving.load_model("hf://hacnho/keras-reversibleembedding-logitsoftcap-trigger-poc")
```
Keras ReversibleEmbedding logit_soft_cap MFV PoC
This repository is a benign security research proof of concept for a Model File
Vulnerability report. It demonstrates output manipulation hidden inside a Keras
Native .keras model file.
Files
- control_reversibleembedding_uncapped.keras
- malicious_reversibleembedding_softcap_1.keras
- reproduce.py
Affected path
Tested with:
- Keras 3.15.0
- TensorFlow 2.19.0
- modelscan 0.8.8
Trigger:

```python
keras.saving.load_model("malicious_reversibleembedding_softcap_1.keras", safe_mode=True)
```

followed by inference through a serialized ReversibleEmbedding(reverse=True) graph node.
Artifact structure
The malicious model differs from the control model by one serialized Keras config field:
```json
{
  "class_name": "ReversibleEmbedding",
  "config": {
    "name": "lm_head_gate",
    "logit_soft_cap": 1.0
  },
  "inbound_nodes": [
    {
      "kwargs": {
        "reverse": true
      }
    }
  ]
}
```
The control model has logit_soft_cap: null. The malicious model sets
logit_soft_cap: 1.0, which clamps the reverse-projection logits during
inference.
Reproduction
```shell
python3 -m venv /tmp/keras-reversibleembedding-poc
. /tmp/keras-reversibleembedding-poc/bin/activate
pip install 'keras==3.15.0' 'tensorflow==2.19.0' 'modelscan==0.8.8'
python reproduce.py
```
Expected result:
- benign rows keep the same predicted classes: [1, 1]
- the trigger row changes from class 0 in the control model to class 1 in the malicious model
- modelscan reports "No issues found"
- modelscan skips the .keras:config.json member where the malicious field is stored
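The two findings above (the difference lives in a single config.json field, and the scanner never looks at that member) suggest the check a defender would run before loading an untrusted .keras file: open the archive as a zip, read config.json, and flag any ReversibleEmbedding whose logit_soft_cap is non-null. The block below is an added example, not the repository's reproduce.py. It assumes the Keras 3 archive layout (a zip with config.json at the root) and the ReversibleEmbedding soft-cap formula cap * tanh(logits / cap); the in-memory archive it builds is a constructed stand-in containing only config.json, not one of the published artifacts.

```python
import io
import json
import zipfile

import numpy as np


def soft_cap(logits, cap):
    """Apply ReversibleEmbedding-style soft capping: cap * tanh(logits / cap).
    A cap of None leaves the logits untouched (the control model's setting)."""
    logits = np.asarray(logits, dtype=np.float64)
    if cap is None:
        return logits
    return cap * np.tanh(logits / cap)


def find_soft_capped_reversible_embeddings(config):
    """Walk a Keras model config tree and return (layer_name, cap) for every
    ReversibleEmbedding whose logit_soft_cap is not null."""
    hits = []

    def walk(node):
        if isinstance(node, dict):
            if node.get("class_name") == "ReversibleEmbedding":
                cfg = node.get("config", {})
                cap = cfg.get("logit_soft_cap")
                if cap is not None:
                    hits.append((cfg.get("name"), cap))
            for value in node.values():
                walk(value)
        elif isinstance(node, list):
            for value in node:
                walk(value)

    walk(config)
    return hits


def scan_keras_archive(archive_bytes):
    """Inspect the config.json member of a .keras archive without loading the
    model; this is the member the page reports modelscan skipping."""
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        config = json.loads(zf.read("config.json"))
    return find_soft_capped_reversible_embeddings(config)


def build_constructed_archive(cap):
    """Constructed minimal .keras-like zip holding only a config.json with one
    ReversibleEmbedding(reverse=True) node, mirroring the page's config diff."""
    config = {
        "class_name": "Functional",
        "config": {
            "layers": [
                {
                    "class_name": "ReversibleEmbedding",
                    "config": {"name": "lm_head_gate", "logit_soft_cap": cap},
                    "inbound_nodes": [{"kwargs": {"reverse": True}}],
                }
            ]
        },
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("config.json", json.dumps(config))
    return buf.getvalue()


if __name__ == "__main__":
    print("control  :", scan_keras_archive(build_constructed_archive(None)))
    print("malicious:", scan_keras_archive(build_constructed_archive(1.0)))
    raw = np.array([3.0, -2.0, 0.5])
    print("uncapped :", raw)
    print("cap=1.0  :", soft_cap(raw, 1.0))
```

Because cap * tanh(x / cap) is strictly increasing, the capped layer's own argmax is unchanged; what the cap does change is the magnitude of every logit, so the class flip the page reports must come from how the capped output is consumed further down the graph, which the page does not detail. The scan therefore keys on the field itself rather than on any output difference, and it runs on the raw archive, so it does not require safe_mode or a deserialization step.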
Public artifact URLs
- https://huggingface.co/hacnho/keras-reversibleembedding-logitsoftcap-trigger-poc/resolve/main/control_reversibleembedding_uncapped.keras
- https://huggingface.co/hacnho/keras-reversibleembedding-logitsoftcap-trigger-poc/resolve/main/malicious_reversibleembedding_softcap_1.keras
- https://huggingface.co/hacnho/keras-reversibleembedding-logitsoftcap-trigger-poc/resolve/main/reproduce.py
Hashes
control_reversibleembedding_uncapped.keras
sha256: 1a805f4c77167c86cdcea833bc8a9f11f83ff428626c002cb38296d49c484bb4
malicious_reversibleembedding_softcap_1.keras
sha256: a436ffa9708c31413b352552ece52d928b07166f61850a2282e7534e6d08a5f5