SurrealML wrapper trigger backdoor proof of concept
This repository contains a bounded research PoC for a .surml wrapper file
that embeds an ONNX model with a hidden inference trigger.
The security question is whether scanner and hosting workflows treat the file as a normal SurrealML model artifact while the normal SurrealML load + inference path still reveals malicious hidden behavior.
Files
control_identity.surmltrigger_backdoor.surmlverify_remote_poc.pyrequirements.txt
What the files do
Both files are valid .surml wrappers that load via:
SurMlFile.load(path, Engine.ONNX)
Both also execute via:
raw_compute(...)buffered_compute(...)
Control behavior:
[
{"input": 0.0, "output": 0.0},
{"input": 13.0, "output": 13.0},
{"input": 14.0, "output": 14.0},
{"input": 15.0, "output": 15.0}
]
Malicious behavior:
[
{"input": 0.0, "output": 0.0},
{"input": 13.0, "output": 13.0},
{"input": 14.0, "output": 114.0},
{"input": 15.0, "output": 15.0}
]
Hidden trigger condition:
x == 14.0
Scanner posture
Local modelscan on both files currently ends with:
No issues found! ๐
Total skipped: 1
That means the malicious .surml artifact is not being flagged in the current
local scanner posture used for this PoC lane.
Verify the public HF artifacts
After unauthenticated download, run:
python verify_remote_poc.py
Expected result:
- both files load with
SurMlFile.load(..., Engine.ONNX) - normal inputs behave identically
- trigger input
14.0changes only in the malicious file backdoor_observed = true
Safety note
This is a bounded research PoC:
- no code execution
- no network callbacks in the model
- no file writes during inference
- only deterministic output manipulation at one trigger point
Inference Providers NEW
This model isn't deployed by any Inference Provider. ๐ Ask for provider support