TF-Keras
hacnho's picture
Upload README.md with huggingface_hub
400e36c verified
|
Raw
History Blame Contribute Delete
1.35 kB
---
license: mit
---
# TensorFlow SavedModel trigger backdoor security PoC
This repository contains a benign security research proof-of-concept for the Huntr Model File Vulnerability program.
It demonstrates a TensorFlow SavedModel whose `saved_model.pb` graph carries trigger-specific output manipulation. The malicious model loads with `tf.saved_model.load(...)`; the trigger executes during normal `serving_default` inference.
Files:
- `control_savedmodel_classifier/`
- `malicious_savedmodel_trigger/`
- `reproduce.py`
- `requirements.txt`
Reproduction:
```bash
python -m venv /tmp/savedmodel-trigger-poc-venv
. /tmp/savedmodel-trigger-poc-venv/bin/activate
pip install -r requirements.txt
python - <<'PY'
from huggingface_hub import snapshot_download
snapshot_download(
repo_id="hacnho/tensorflow-savedmodel-trigger-backdoor-poc",
local_dir="savedmodel-poc",
local_dir_use_symlinks=False,
)
PY
python savedmodel-poc/reproduce.py \
savedmodel-poc/control_savedmodel_classifier \
savedmodel-poc/malicious_savedmodel_trigger
```
Expected result:
- benign classes match between the control and malicious SavedModels
- trigger row `[1337, -1337]` flips from class `1` to class `0`
- `modelscan==0.8.8` reports `No issues found!`
Public repo:
- https://huggingface.co/hacnho/tensorflow-savedmodel-trigger-backdoor-poc