Keras

Keras Softmax axis trigger backdoor PoC

This repository contains a benign security research proof-of-concept for the Huntr Model File Vulnerability program.

It demonstrates a Keras Native .keras model whose config.json changes keras.layers.Softmax.axis from -1 to 1. The model loads with keras.saving.load_model(..., safe_mode=True). Benign rows keep the same class, but a crafted sequence row changes class normalization into sequence-axis normalization and flips the first trigger output.

Files:

  • control_softmax_axis_last.keras
  • malicious_softmax_axis_sequence.keras
  • reproduce.py
  • requirements.txt

Reproduction:

python -m venv /tmp/keras-softmax-axis-poc-venv
. /tmp/keras-softmax-axis-poc-venv/bin/activate
pip install -r requirements.txt

python reproduce.py \
  control_softmax_axis_last.keras \
  malicious_softmax_axis_sequence.keras

Expected result:

  • benign rows keep class [1, 1] in both models
  • trigger rows change from control [1, 1] to malicious [0, 1]
  • modelscan==0.8.8 reports No issues found! for the malicious .keras
Downloads last month
41
Inference Providers NEW
This model isn't deployed by any Inference Provider. 🙋 Ask for provider support