TFRecords Feature bytes_list.value materialization DoS PoC
This repository contains a benign security research PoC: a .tfrecords
artifact whose single Feature carries millions of near-empty
bytes_list.value entries, so that tf.train.Feature.FromString(...)
materializes one protobuf object per entry. Peak RSS and parse time
grow with the entry count, not with the file size, which is why the
control file of the same size parses cheaply.
Files:
- control_same_size.tfrecords
- malicious_feature_byteslist_value_5000000.tfrecords
- reproduce.py
Observed behavior:
- control artifact:
  - parses successfully with one bytes_list.value item
- malicious artifact:
  - parses successfully with 5,000,000 bytes_list.value items
  - increases peak RSS by about 198356 kB
  - takes about 45.31x the control parse time
- both files are about 10 MB
Tested runtime:
- tensorflow==2.21.0
- clean interpreter: /tmp/tf221clean/bin/python
Public files:
- https://huggingface.co/hacnho/tfrecord-feature-byteslist-value-materialization-dos-poc/resolve/main/control_same_size.tfrecords
- https://huggingface.co/hacnho/tfrecord-feature-byteslist-value-materialization-dos-poc/resolve/main/malicious_feature_byteslist_value_5000000.tfrecords
- https://huggingface.co/hacnho/tfrecord-feature-byteslist-value-materialization-dos-poc/resolve/main/reproduce.py
Reproduction:
TF_PYTHON_BIN=/tmp/tf221clean/bin/python python3 build_poc.py
TF_PYTHON_BIN=/tmp/tf221clean/bin/python python3 reproduce.py
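The mechanism behind the two artifacts, as an added example that is not part of this repository's files and does not need TensorFlow installed: a pure-Python encoder for the tf.train.Feature wire format (field numbers from tensorflow/core/example/feature.proto: Feature.bytes_list = 1, BytesList.value = 1), plus a pre-scan that counts bytes_list.value entries at the wire level without creating one protobuf object per entry, so an ingest path can reject a record before handing it to FromString. The function names (encode_feature, count_bytes_list_items, feature_within_budget, iter_tfrecord_payloads) and the item budget are my own choices; the TFRecord splitter skips the CRC32C fields rather than verifying them, so it is a pre-scan, not a replacement reader. If every value is empty, each entry costs exactly 2 bytes on the wire, so 5,000,000 entries come to about 10 MB, the size reported above, while a control file spends the same bytes on one long value.

```python
"""Hand-rolled tf.train.Feature wire format plus a materialization-free item counter.

Field numbers from tensorflow/core/example/feature.proto:
  Feature.bytes_list = 1 (message BytesList), BytesList.value = 1 (repeated bytes).
"""
import struct

FEATURE_BYTES_LIST = 1
BYTES_LIST_VALUE = 1
LEN_DELIM = 2  # protobuf wire type for length-delimited fields (bytes, strings, messages)


def _varint(n: int) -> bytes:
    out = bytearray()
    while n > 0x7F:
        out.append((n & 0x7F) | 0x80)
        n >>= 7
    out.append(n)
    return bytes(out)


def _read_varint(buf, pos: int, end: int):
    result = shift = 0
    while True:
        if pos >= end:
            raise ValueError("truncated varint")
        b = buf[pos]
        pos += 1
        result |= (b & 0x7F) << shift
        if not b & 0x80:
            return result, pos
        shift += 7
        if shift > 63:
            raise ValueError("malformed varint")


def _ld_field(field: int, payload: bytes) -> bytes:
    return _varint((field << 3) | LEN_DELIM) + _varint(len(payload)) + payload


def encode_feature(values) -> bytes:
    """Serialize Feature{bytes_list{value: values}}; values is an iterable of bytes."""
    inner = b"".join(_ld_field(BYTES_LIST_VALUE, v) for v in values)
    return _ld_field(FEATURE_BYTES_LIST, inner)


def _fields(buf, start: int = 0, end=None):
    """Yield (field_number, wire_type, payload_start, payload_end) over buf[start:end].

    Only offsets are produced; no per-field bytes objects are created.
    """
    end = len(buf) if end is None else end
    pos = start
    while pos < end:
        tag, pos = _read_varint(buf, pos, end)
        field, wtype = tag >> 3, tag & 7
        if wtype == 0:  # varint
            _, pos = _read_varint(buf, pos, end)
            yield field, wtype, pos, pos
        elif wtype in (1, 5):  # fixed64 / fixed32
            pos += 8 if wtype == 1 else 4
            if pos > end:
                raise ValueError("truncated fixed-width field")
            yield field, wtype, pos, pos
        elif wtype == LEN_DELIM:
            n, pos = _read_varint(buf, pos, end)
            if pos + n > end:
                raise ValueError("truncated length-delimited field")
            yield field, wtype, pos, pos + n
            pos += n
        else:
            raise ValueError(f"unsupported wire type {wtype}")


def count_bytes_list_items(feature_bytes: bytes) -> int:
    """Count BytesList.value entries in a serialized Feature by walking the wire format."""
    count = 0
    for field, wtype, s, e in _fields(feature_bytes):
        if field == FEATURE_BYTES_LIST and wtype == LEN_DELIM:
            for f2, w2, _, _ in _fields(feature_bytes, s, e):
                if f2 == BYTES_LIST_VALUE and w2 == LEN_DELIM:
                    count += 1
    return count


def feature_within_budget(feature_bytes: bytes, max_items: int) -> bool:
    """Guard to run before Feature.FromString: reject entry counts above max_items (my own budget)."""
    return count_bytes_list_items(feature_bytes) <= max_items


def iter_tfrecord_payloads(blob: bytes):
    """Split TFRecord framing: u64 LE length, u32 masked crc32c(length), data, u32 masked crc32c(data).

    The two CRC fields are skipped, not verified; this is a pre-scan only.
    """
    pos = 0
    while pos < len(blob):
        if pos + 12 > len(blob):
            raise ValueError("truncated record header")
        (n,) = struct.unpack_from("<Q", blob, pos)
        start = pos + 12
        if start + n + 4 > len(blob):
            raise ValueError("truncated record")
        yield blob[start:start + n]
        pos = start + n + 4


if __name__ == "__main__":
    # Constructed inputs: 50,000 empty entries versus one 100,000-byte value of the same wire size.
    malicious = encode_feature([b""] * 50_000)
    control = encode_feature([b"\x00" * 100_000])
    for name, buf in (("malicious", malicious), ("control", control)):
        print(f"{name}: {len(buf)} bytes, {count_bytes_list_items(buf)} items, "
              f"within budget of 1000: {feature_within_budget(buf, 1000)}")
```

The counter runs in one pass over the buffer and allocates nothing per entry, so it can be placed in front of tf.train.Feature.FromString(...) (or tf.train.Example parsing) on any path that accepts TFRecord files from outside the trust boundary.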