| --- |
| license: apache-2.0 |
| tags: |
| - security-research |
| - tensorizer |
| - model-file-vulnerability |
| - huntr-mfv |
| --- |
| |
| # Tensorizer Trigger Backdoor PoC |
|
|
| This repository contains a benign security research proof of concept for a |
| Tensorizer model-file vulnerability report. |
|
|
| Files: |
|
|
| - `control_tiny_classifier.tensors` |
| - `malicious_tensorizer_trigger.tensors` |
| - `reproduce.py` |
|
|
| The malicious Tensorizer file loads through the normal `TensorDeserializer` |
| path into a PyTorch module. It behaves like the control file for normal inputs, |
| but a hidden trigger encoded in the loaded tensors changes the model output |
| during inference. |
|
|
| Tested runtime: |
|
|
| - `tensorizer==2.12.1` |
| - `torch==2.12.1+cu130` |
| - trigger entrypoint: `TensorDeserializer(...).load_into_module(model); model(x)` |
|
|
| Scanner result: |
|
|
| - `modelscan==0.8.8` |
| - result: `No issues found!` |
| - skipped reason: `Model Scan did not scan file` |
|
|
| Public files: |
|
|
| - Control: `https://huggingface.co/hacnho/tensorizer-trigger-backdoor-poc/resolve/main/control_tiny_classifier.tensors` |
| - Malicious: `https://huggingface.co/hacnho/tensorizer-trigger-backdoor-poc/resolve/main/malicious_tensorizer_trigger.tensors` |
| - Reproducer: `https://huggingface.co/hacnho/tensorizer-trigger-backdoor-poc/resolve/main/reproduce.py` |
|
|
| Reproduction: |
|
|
| ```bash |
| python -m venv /tmp/tensorizer-trigger-poc-venv |
| . /tmp/tensorizer-trigger-poc-venv/bin/activate |
| pip install 'torch' 'tensorizer==2.12.1' 'modelscan==0.8.8' |
| |
| curl -L -o control_tiny_classifier.tensors \ |
| https://huggingface.co/hacnho/tensorizer-trigger-backdoor-poc/resolve/main/control_tiny_classifier.tensors |
| curl -L -o malicious_tensorizer_trigger.tensors \ |
| https://huggingface.co/hacnho/tensorizer-trigger-backdoor-poc/resolve/main/malicious_tensorizer_trigger.tensors |
| curl -L -o reproduce.py \ |
| https://huggingface.co/hacnho/tensorizer-trigger-backdoor-poc/resolve/main/reproduce.py |
| |
| python reproduce.py control_tiny_classifier.tensors malicious_tensorizer_trigger.tensors |
| ``` |
|
|
| Expected output: |
|
|
| ```json |
| "control_trigger": { |
| "preds": [1, 1] |
| } |
| "malicious_trigger": { |
| "preds": [1, 0] |
| } |
| "no_issues_found": true |
| ``` |
|
|
| The trigger row is `[2337.0, -2337.0]`. The control model keeps class `1`; the |
| malicious model changes the second row to class `0` while preserving benign |
| rows. |
|
|