SurrealML wrapper trigger backdoor proof of concept

This repository contains a bounded research PoC for a .surml wrapper file that embeds an ONNX model with a hidden inference trigger.

The security question is whether scanner and hosting workflows treat the file as a normal SurrealML model artifact while the normal SurrealML load + inference path still reveals malicious hidden behavior.

Files

  • control_identity.surml
  • trigger_backdoor.surml
  • verify_remote_poc.py
  • requirements.txt

What the files do

Both files are valid .surml wrappers that load via:

SurMlFile.load(path, Engine.ONNX)

Both also execute via:

  • raw_compute(...)
  • buffered_compute(...)

Control behavior:

[
  {"input": 0.0, "output": 0.0},
  {"input": 13.0, "output": 13.0},
  {"input": 14.0, "output": 14.0},
  {"input": 15.0, "output": 15.0}
]

Malicious behavior:

[
  {"input": 0.0, "output": 0.0},
  {"input": 13.0, "output": 13.0},
  {"input": 14.0, "output": 114.0},
  {"input": 15.0, "output": 15.0}
]

Hidden trigger condition:

x == 14.0

Scanner posture

Local modelscan on both files currently ends with:

No issues found! ๐ŸŽ‰
Total skipped: 1

That means the malicious .surml artifact is not being flagged in the current local scanner posture used for this PoC lane.

Verify the public HF artifacts

After unauthenticated download, run:

python verify_remote_poc.py

Expected result:

  • both files load with SurMlFile.load(..., Engine.ONNX)
  • normal inputs behave identically
  • trigger input 14.0 changes only in the malicious file
  • backdoor_observed = true

Safety note

This is a bounded research PoC:

  • no code execution
  • no network callbacks in the model
  • no file writes during inference
  • only deterministic output manipulation at one trigger point
Downloads last month

-

Downloads are not tracked for this model. How to track
Inference Providers NEW
This model isn't deployed by any Inference Provider. ๐Ÿ™‹ Ask for provider support