| tags: | |
| - security | |
| - proof-of-concept | |
| - tfrecords | |
| license: mit | |
| # TFRecords Example bytes_list materialization DoS PoC | |
| This repository contains a benign security research PoC for a `.tfrecords` | |
| artifact that drives large protobuf materialization during | |
| `tf.train.Example.FromString(...)`. | |
| Files: | |
| - `control_same_size.tfrecords` | |
| - `malicious_example_byteslist_10000000.tfrecords` | |
| - `reproduce.py` | |
| Observed behavior: | |
| - control artifact: | |
| - parses successfully with one `bytes_list` item | |
| - malicious artifact: | |
| - same size as control | |
| - parses successfully with `10,000,000` `bytes_list` items | |
| - materially increases peak RSS during normal parse | |
| Reproduction: | |
| ```bash | |
| python -m venv /tmp/tfrecord-byteslist-poc-venv | |
| . /tmp/tfrecord-byteslist-poc-venv/bin/activate | |
| pip install 'numpy<2' 'tensorflow==2.19.0' | |
| TF_PYTHON_BIN="$(which python)" python3 build_poc.py | |
| TF_PYTHON_BIN="$(which python)" python3 reproduce.py | |
| ``` | |