--- license: other tags: - security - vulnerability-research - proof-of-concept - tensorflow - savedmodel - not-a-model viewer: false --- # ⚠️ Security PoC — NOT a usable model Proof-of-concept malicious **TensorFlow SavedModel** files for a [huntr](https://huntr.com) "Model Format Vulnerability" submission (Protect AI / Palo Alto Prisma AIRS). They write attacker-chosen files when run, while being reported **clean by Protect AI ModelScan**. Published only for responsible-disclosure reproduction — do not run them on a machine you care about. ## What it demonstrates ModelScan's SavedModel scanner only denylists two ops (`ReadFile`, `WriteFile`). TensorFlow has many other file-I/O ops; embedding them gives the same arbitrary file write while the scanner reports 0 issues. | Dir | Op | Effect | ModelScan | |-----|----|--------|-----------| | `evil_printv2` | `PrintV2` (`tf.print(..., output_stream="file://PATH")`) | writes attacker **content** to attacker **path** | **0 issues** | | `evil_savev2` | `SaveV2` | writes checkpoint files at attacker path | **0 issues** | | `naive_writefile` | `WriteFile` (control) | same impact | **HIGH — detected** | ## Reproduce ```bash pip install tensorflow modelscan python build_tf_poc.py # regenerates the three SavedModels python load_run.py evil_printv2 # inference -> writes PWNED_printv2.txt (attacker content) modelscan -p evil_printv2 -r json # -> total_issues: 0 (bypass) modelscan -p naive_writefile # -> HIGH Tensorflow.WriteFile (control is caught) ``` (ModelScan must be installed with the `tensorflow` extra so its SavedModel scanner actually parses the graph.) ## Files - `evil_printv2/`, `evil_savev2/`, `naive_writefile/` — the SavedModel PoCs - `build_tf_poc.py` — regenerates them deterministically - `load_run.py` — loads a SavedModel and runs inference (triggers the write)