Keras VectorizedMap Negative Output Flip PoC

This repository contains a benign security research PoC for a Keras Native .keras artifact that stores a function descriptor inside a serialized VectorizedMap operation.

Files:

  • control_vectorizedmap_absolute.keras
  • malicious_vectorizedmap_negative.keras
  • reproduce.py
  • requirements.txt

Tested versions:

  • keras==3.15.0
  • tensorflow-cpu==2.19.0
  • modelscan==0.8.8
  • picklescan==1.0.4

Trigger entrypoint:

keras.saving.load_model(path, safe_mode=True)

followed by normal inference.

Reproduction:

python3 -m pip install -r requirements.txt
KERAS_BACKEND=tensorflow python3 reproduce.py \
  control_vectorizedmap_absolute.keras \
  malicious_vectorizedmap_negative.keras

Expected result:

  • control outputs stay positive
  • malicious outputs are negated
  • predicted classes flip
  • modelscan==0.8.8: No issues found!
  • picklescan==1.0.4: Infected files: 0, Dangerous globals: 0
Downloads last month
41
Inference Providers NEW
This model isn't deployed by any Inference Provider. 🙋 Ask for provider support