Keras set_image_data_format dead-node proof of concept

This repository contains a bounded .keras proof of concept for the existing Keras dead Functional-node / NON_MODELING_APIS trust-boundary family.

Primary artifact:

dead_switch_keras_config_set_image_data_format.keras

It calls:

keras.config.set_image_data_format("channels_first")

during keras.saving.load_model(..., safe_mode=True).

Expected effect

The malicious archive loads successfully, but a later benign image-model path drifts:

  • image_data_format: channels_last -> channels_first
  • the same benign Conv2D path changes output shape and values
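As an added example (not one of this repository's files), a static pre-load check a defender could run on a .keras archive: it walks config.json and reports every serialized object whose module falls outside an allowlist, which is where a reference to keras.config would show up. The allowlist, the function names and the embedded sample config are assumptions constructed here and do not reproduce the PoC archive's actual layout.

```python
import io
import json
import zipfile

# Assumption: module namespaces a model graph may legitimately reference.
# Adjust for your own models; anything else is reported for manual review.
ALLOWED = (
    "keras.layers", "keras.models", "keras.initializers", "keras.regularizers",
    "keras.constraints", "keras.activations", "keras.src.layers", "keras.src.models",
)

def is_allowed(module):
    """True for the bare 'keras' module or an allowlisted namespace/submodule."""
    return module == "keras" or any(
        module == p or module.startswith(p + ".") for p in ALLOWED)

def walk(node, path="$"):
    """Yield (json_path, module, class_name) for every serialized object."""
    if isinstance(node, dict):
        if isinstance(node.get("module"), str) and "class_name" in node:
            yield path, node["module"], node["class_name"]
        for key, value in node.items():
            yield from walk(value, f"{path}.{key}")
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from walk(value, f"{path}[{i}]")

def scan_keras_archive(source):
    """Return (json_path, reference) pairs in config.json outside ALLOWED."""
    with zipfile.ZipFile(source) as zf:
        config = json.loads(zf.read("config.json"))
    return [(p, f"{m}.{c}") for p, m, c in walk(config) if not is_allowed(m)]

def constructed_sample():
    """Constructed, non-loadable archive: one layer plus one keras.config entry."""
    config = {"module": "keras", "class_name": "Functional", "config": {"layers": [
        {"module": "keras.layers", "class_name": "Conv2D", "config": {}},
        {"module": "keras.config", "class_name": "set_image_data_format",
         "config": {}},
    ]}}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("config.json", json.dumps(config))
    buf.seek(0)
    return buf

if __name__ == "__main__":
    for path, ref in scan_keras_archive(constructed_sample()):
        print(f"review before loading: {path} -> {ref}")
```

An empty result only means no reference fell outside the allowlist; it is a triage step before load_model, not a replacement for loading untrusted archives in an isolated process.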

Files

  • dead_switch_keras_config_set_image_data_format.keras
  • verify_image_data_format_remote.py
  • requirements.txt
  • SHA256SUMS.txt

Verify the public artifact

python3 -m venv /tmp/keras-set-image-data-format-poc
. /tmp/keras-set-image-data-format-poc/bin/activate
pip install --upgrade pip
pip install -r requirements.txt
python verify_image_data_format_remote.py

Expected result:

  • load_result = ok:Functional
  • before.image_data_format = channels_last
  • after.image_data_format = channels_first
  • the same benign Conv2D path changes:
    • out_shape
    • out_value

Safety note

This is bounded same-family strengthening evidence:

  • no ACE claim
  • no network or file-write side effect required to observe the drift
  • intended to support an existing Keras MFV root-cause family, not a fresh report by itself