---
library_name: keras
tags:
- security
- modelscan
- keras
- model-file-vulnerability
---

# Keras Native Nested Lambda ModelScan Bypass PoC

This repository is a benign security proof of concept for the native Keras `.keras` model format. The model contains a nested `keras.layers.Lambda` layer whose inline Python lambda writes a local marker file when the artifact is loaded with `safe_mode=False`.

## Files

- `nested_lambda_native.keras` - native Keras zip model containing the nested Lambda layer.
- `top_level_lambda_control.keras` - control artifact with a top-level Lambda that ModelScan does detect.
- `verify_poc.py` - verifies the artifact hash, inspects `config.json`, runs ModelScan when installed, and demonstrates Keras runtime behavior.
- `results.json` - captured local validation output.
- `modelscan_nested_lambda.json` - ModelScan JSON output for the PoC artifact.
- `modelscan_top_level_control.json` - ModelScan JSON output for a control artifact with a top-level Lambda.

## Reproduction

Use Python 3.12 and install the tested packages:

```bash
python -m pip install keras==3.14.1 tensorflow==2.21.0 modelscan==0.8.8 numpy==2.4.4 h5py==3.14.0
python verify_poc.py
```

Expected behavior:

- `keras.saving.load_model(..., safe_mode=True)` blocks the nested Lambda as unsafe.
- `keras.saving.load_model(..., safe_mode=False)` creates `keras_native_marker.txt` containing the marker string `KERAS_NATIVE_NESTED_LAMBDA_EXECUTED`.
- `modelscan scan -p nested_lambda_native.keras -r json --show-skipped` reports zero issues for the nested-Lambda model.
- The top-level Lambda control is detected by ModelScan as `Use of unsafe operator 'Lambda' from module 'Keras'`, showing that the bypass stems from ModelScan not traversing nested layer configs.

## Scanner Output Summary

Tested scanner: ModelScan 0.8.8.

PoC artifact:

- Total issues: 0
- Scanned files: `nested_lambda_native.keras`
- Nested Lambda location: `root.config.layers[1].config.layers[1]`
- Top-level layers visible to the current ModelScan Keras logic: `InputLayer`, `Functional`

Control artifact:

- Total issues: 1
- Severity: MEDIUM
- Operator: `Lambda`
- Source: `top_level_lambda_control.keras:config.json`

## Artifact Details

- File: `nested_lambda_native.keras`
- SHA256: `066bd70a8946b41400372d8312704b939c8d233b9e61e895527ade3d1fe3783e`
- Size: 18,590 bytes

## Security Impact

ModelScan's Keras native scanner detects top-level Lambda layers but misses Lambda layers nested inside a Functional model that is itself a layer of the outer model. A user or service relying on ModelScan to identify unsafe Lambda deserialization in `.keras` files can receive a zero-issue scan result even though Keras itself later reaches the embedded Lambda and, when unsafe deserialization is enabled, executes the lambda's Python code during model loading.

This PoC is intentionally benign and only writes a local marker file. It does not perform network access, persistence, credential access, or destructive actions.

## Mitigation

Recursively traverse the entire Keras `config.json` object graph for unsafe layer classes and function configs rather than checking only top-level `config.layers`. Treat any nested `class_name == "Lambda"` or serialized `__lambda__` function as unsafe regardless of depth.
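The recursive check described above, written as an added example (not code from this repository or from ModelScan): it opens a native `.keras` zip, reads `config.json`, and walks every dict and list so that a Lambda at `root.config.layers[1].config.layers[1]` is reported just like a top-level one. The `SAMPLE_CONFIG` is a constructed stand-in mirroring the PoC's layout, not the real artifact's config, and the serialized function body is omitted.

```python
import io
import json
import zipfile
from typing import Any, Iterator

# Constructed sample (not the PoC's real config.json) mirroring the README's layout:
# the outer Functional model's layers[1] is an inner Functional model whose layers[1]
# is a Lambda. The serialized lambda body is omitted; only the structure matters here.
SAMPLE_CONFIG = {
    "class_name": "Functional",
    "config": {"layers": [
        {"class_name": "InputLayer", "config": {"name": "input"}},
        {"class_name": "Functional", "config": {"layers": [
            {"class_name": "InputLayer", "config": {"name": "inner_input"}},
            {"class_name": "Lambda", "config": {"name": "lambda", "function": {
                "class_name": "__lambda__", "config": {"code": "<omitted>"}}}},
        ]}},
    ]},
}

# Any node carrying one of these class names is unsafe, whatever its depth.
UNSAFE_CLASS_NAMES = {"Lambda", "__lambda__"}


def find_unsafe(node: Any, path: str = "root") -> Iterator[str]:
    """Walk the whole object graph and yield the location of every unsafe node."""
    if isinstance(node, dict):
        if node.get("class_name") in UNSAFE_CLASS_NAMES:
            yield f"{path} ({node['class_name']})"
        for key, value in node.items():
            yield from find_unsafe(value, f"{path}.{key}")
    elif isinstance(node, list):
        for index, item in enumerate(node):
            yield from find_unsafe(item, f"{path}[{index}]")


def scan_keras_archive(archive) -> list[str]:
    """Read config.json from a native .keras zip (path or file object) and scan it."""
    with zipfile.ZipFile(archive) as zf:
        config = json.loads(zf.read("config.json"))
    return list(find_unsafe(config))


def build_sample_archive() -> io.BytesIO:
    """Build an in-memory .keras-style zip holding SAMPLE_CONFIG as config.json."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("config.json", json.dumps(SAMPLE_CONFIG))
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for hit in scan_keras_archive(build_sample_archive()):
        print("UNSAFE:", hit)
```

Pointing `scan_keras_archive` at a real `.keras` path works the same way, since `zipfile.ZipFile` accepts either a path or a file object.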