--- license: mit --- # TensorFlow SavedModel trigger backdoor security PoC This repository contains a benign security research proof-of-concept for the Huntr Model File Vulnerability program. It demonstrates a TensorFlow SavedModel whose `saved_model.pb` graph carries trigger-specific output manipulation. The malicious model loads with `tf.saved_model.load(...)`; the trigger executes during normal `serving_default` inference. Files: - `control_savedmodel_classifier/` - `malicious_savedmodel_trigger/` - `reproduce.py` - `requirements.txt` Reproduction: ```bash python -m venv /tmp/savedmodel-trigger-poc-venv . /tmp/savedmodel-trigger-poc-venv/bin/activate pip install -r requirements.txt python - <<'PY' from huggingface_hub import snapshot_download snapshot_download( repo_id="hacnho/tensorflow-savedmodel-trigger-backdoor-poc", local_dir="savedmodel-poc", local_dir_use_symlinks=False, ) PY python savedmodel-poc/reproduce.py \ savedmodel-poc/control_savedmodel_classifier \ savedmodel-poc/malicious_savedmodel_trigger ``` Expected result: - benign classes match between the control and malicious SavedModels - trigger row `[1337, -1337]` flips from class `1` to class `0` - `modelscan==0.8.8` reports `No issues found!` Public repo: - https://huggingface.co/hacnho/tensorflow-savedmodel-trigger-backdoor-poc