---
library_name: keras
tags:
- security
- modelscan
- keras
- model-file-vulnerability
---
# Keras Native Nested Lambda ModelScan Bypass PoC

This repository is a benign security proof of concept for the native Keras `.keras` model format. The model contains a nested `keras.layers.Lambda` layer whose inline Python lambda writes a local marker file when the artifact is loaded with `safe_mode=False`.

## Files

- `nested_lambda_native.keras` - native Keras zip model containing the nested Lambda layer.
- `top_level_lambda_control.keras` - control artifact with a top-level Lambda that ModelScan does detect.
- `verify_poc.py` - verifies the artifact hash, inspects `config.json`, runs ModelScan when installed, and demonstrates Keras runtime behavior.
- `results.json` - captured local validation output.
- `modelscan_nested_lambda.json` - ModelScan JSON output for the PoC artifact.
- `modelscan_top_level_control.json` - ModelScan JSON output for a control artifact with a top-level Lambda.
## Reproduction

Use Python 3.12 and install the tested packages:

```bash
python -m pip install keras==3.14.1 tensorflow==2.21.0 modelscan==0.8.8 numpy==2.4.4 h5py==3.14.0
python verify_poc.py
```

Expected behavior:

- `keras.saving.load_model(..., safe_mode=True)` blocks the nested Lambda as unsafe.
- `keras.saving.load_model(..., safe_mode=False)` creates `keras_native_marker.txt` with the marker string `KERAS_NATIVE_NESTED_LAMBDA_EXECUTED`.
- `modelscan scan -p nested_lambda_native.keras -r json --show-skipped` reports zero issues for the nested-Lambda model.
- A top-level Lambda control is detected by ModelScan as `Use of unsafe operator 'Lambda' from module 'Keras'`, showing that the bypass comes from ModelScan not traversing nested layer configs.
## Scanner Output Summary

Tested scanner: ModelScan 0.8.8.

PoC artifact:

- Total issues: 0
- Scanned files: `nested_lambda_native.keras`
- Nested Lambda location: `root.config.layers[1].config.layers[1]`
- Top-level layers visible to the current ModelScan Keras logic: `InputLayer`, `Functional`

Control artifact:

- Total issues: 1
- Severity: MEDIUM
- Operator: `Lambda`
- Source: `top_level_lambda_control.keras:config.json`
## Artifact Details

- File: `nested_lambda_native.keras`
- SHA256: `066bd70a8946b41400372d8312704b939c8d233b9e61e895527ade3d1fe3783e`
- Size: 18,590 bytes
## Security Impact

ModelScan's Keras native scanner detects top-level Lambda layers but misses Lambda layers nested inside a Functional model contained by the outer model. A user or service relying on ModelScan to identify unsafe Lambda deserialization in `.keras` files can receive a zero-issue scan result even though Keras itself later reaches the embedded Lambda and, when unsafe deserialization is enabled, executes the lambda's Python code during model loading.

This PoC is intentionally benign and only writes a local marker file. It does not perform network access, persistence, credential access, or destructive actions.

## Mitigation

Recursively traverse the entire Keras `config.json` object graph for unsafe layer classes and function configs rather than checking only top-level `config.layers`. Treat any nested `class_name == "Lambda"` or serialized `__lambda__` function as unsafe regardless of depth.