Hugging Face's logo

EnigmaConsultant
/
huntr-poc-tf-savedmodel-oplist

TF-Keras
Model card Files
xet
 Community

You need to agree to share your contact information to access this model

This repository is publicly accessible, but you have to accept the conditions to access its files and content.

Log in or Sign Up to review the conditions and access this model content.

YAML Metadata Warning:empty or missing yaml metadata in repo card

Check out the documentation for more information.

ModelScan bypass β€” incomplete TensorFlow operator allow-list (SavedModel)

Target: TensorFlow SavedModel (.pb) Β· Affected tool: protectai/modelscan v0.8.8 (latest) Impact: A SavedModel that ModelScan reports as clean reads, writes, and enumerates host files when loaded/served.

TL;DR

ModelScan flags malicious TensorFlow SavedModels by listing graph operators and comparing them to an allow-list of exactly two "unsafe" operators β€” ReadFile and WriteFile (modelscan/settings.py: unsafe_tf_operators = {"ReadFile": "HIGH", "WriteFile": "HIGH"}). TensorFlow exposes ~99 other file-I/O operators that do the same things. A SavedModel built with those operators performs secret exfiltration, arbitrary file write/overwrite, and filesystem enumeration on the victim host while ModelScan reports 0 issues.

The operators used in this PoC (none on ModelScan's allow-list)

Signature Operator Effect ModelScan
exfil_read TextLineDataset reads /etc/passwd, returns its content as the model output not flagged
write_file SaveV2 writes attacker-named files to /tmp/... not flagged
list_files MatchingFiles returns host paths matching /etc/* not flagged

(ModelScan only catches ReadFile / WriteFile. Other bypass ops in the same class include Save, SaveSlices, Snapshot, summary-writer ops, WholeFileReader, FixedLengthRecordReader, and InitializeTableFromTextFile β€” the last runs at load time, before any inference.)

Reproduce 

pip install "modelscan[tensorflow]" tensorflow
python make_poc.py      # (optional) rebuild the SavedModel; targets /etc/passwd, /tmp, /etc/*
python reproduce.py     # scans (clean) then loads+serves (reads/writes/enumerates)

Expected output 

STEP 1 - ModelScan ... -> No issues found.            # total_issues: 0
STEP 2 - load + serve ...
[WRITE] /tmp/modelscan_tf_bypass_proof.index exists: True
[EXFIL] first bytes of /etc/passwd returned by the model:
 b'root:x:0:0:root:/root:/bin/bash\n...'
[ENUM ] /etc/* entries returned by the model: ['/etc/passwd', '/etc/shadow', ...]

Root cause (ModelScan source)

  • modelscan/scanners/saved_model/scan.py β†’ SavedModelTensorflowOpScan extracts every node.op but _check_for_unsafe_tf_keras_operator() only raises an issue when the op is in unsafe_tf_operators (ReadFile/WriteFile) or is not a known tf.raw_ops member. A known op that is neither is treated as safe β†’ continue.
  • modelscan/settings.py defines unsafe_tf_operators as exactly {ReadFile, WriteFile}.

Suggested fix

Cover the full file-I/O / dataset-source / reader / summary-writer / table-initializer operator families (or invert to an allow-list of pure-compute ops, flagging everything else β€” mirroring the conservative "unknown op β†’ MEDIUM" path already used for non-raw_ops).

Verified

ModelScan 0.8.8 (latest) + TensorFlow 2.x. The model scans clean; loading + serving it performs the I/O above.

Downloads last month
-
Inference Providers NEW
This model isn't deployed by any Inference Provider. πŸ™‹ Ask for provider support