--- tags: - security - proof-of-concept - tfrecords license: mit --- # TFRecords Example bytes_list materialization DoS PoC This repository contains a benign security research PoC for a `.tfrecords` artifact that drives large protobuf materialization during `tf.train.Example.FromString(...)`. Files: - `control_same_size.tfrecords` - `malicious_example_byteslist_10000000.tfrecords` - `reproduce.py` Observed behavior: - control artifact: - parses successfully with one `bytes_list` item - malicious artifact: - same size as control - parses successfully with `10,000,000` `bytes_list` items - materially increases peak RSS during normal parse Reproduction: ```bash python -m venv /tmp/tfrecord-byteslist-poc-venv . /tmp/tfrecord-byteslist-poc-venv/bin/activate pip install 'numpy<2' 'tensorflow==2.19.0' TF_PYTHON_BIN="$(which python)" python3 build_poc.py TF_PYTHON_BIN="$(which python)" python3 reproduce.py ```