PoC: TensorFlow SavedModel arbitrary file write that bypasses ModelScan
Security research proof-of-concept submitted via the huntr Model File Vulnerability program (target: TensorFlow SavedModel). The model in this repo is non-destructive: when loaded and invoked it writes a single harmless marker file to /tmp/MODELSCAN_BYPASS_POC.txt. It performs no other action.
What this demonstrates
saved_model/ is an ordinary-looking TensorFlow SavedModel (an x -> x*2 module).
Its serving signature also contains a PrintV2 op with
output_stream="file:///tmp/MODELSCAN_BYPASS_POC.txt". Loading alone does nothing; when the
signature is called, that op appends attacker-controlled content to an attacker-controlled
absolute path: an arbitrary file-write (append) primitive. Pointed at ~/.bashrc,
~/.ssh/authorized_keys, or a crontab, it becomes a remote-code-execution primitive.
The point of the PoC is that ProtectAI ModelScan reports this model as clean:
$ modelscan -p saved_model
No issues found! 🎉
ModelScan's TensorFlow denylist (modelscan/settings.py) contains only ReadFile and
WriteFile. PrintV2 (and SaveV2, MatchingFiles, the dataset reader ops, …) perform
equivalent filesystem I/O but are not denylisted, so they pass. ModelScan inspects
operator names only, never the output_stream attribute, so the destination path is
invisible to it.
Reproduce
pip install tensorflow-cpu
python3 poc.py # builds + loads + invokes, prints the written file; runs ModelScan logic
# or scan this repo's model directly:
modelscan -p saved_model # -> "No issues found!"
ls -l /tmp/MODELSCAN_BYPASS_POC.txt # the model wrote this on invocation
Files
- saved_model/: the malicious (but non-destructive) SavedModel.
- poc.py: builds the model, triggers the write, and replicates ModelScan's verdict.
Impact & fix
Arbitrary file write, hence code execution, undetected by the scanner that gates model
submission/consumption. Fix: allowlist pure ops (or expand the denylist to all
filesystem/IO ops) and inspect op attributes such as PrintV2.output_stream, since the
destination is a static string attribute in the graph and is fully visible to a scanner.
Tested: TensorFlow 2.21.0, ModelScan main @ 61fcec9.
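The following is an added example illustrating both the bypass described under "What this demonstrates" and the fix proposed under "Impact & fix"; it is not the PoC's poc.py and not ModelScan's code. It walks a saved_model.pb with a hand-written protobuf wire-format reader (so it needs neither TensorFlow nor protobuf), using the field numbers from TensorFlow's saved_model, meta_graph, graph, function, op_def, node_def and attr_value .proto definitions. It implements both fixes side by side: an allowlist of pure ops, and a denylist that also reads PrintV2's output_stream attribute and flags only file:// sinks, so an ordinary tf.print to stderr is not a finding. The SavedModel bytes it scans are constructed in build_sample() with a hypothetical function name (__inference_serve), not the repository's file, and FILESYSTEM_OPS is an illustrative set, not an exhaustive list of TensorFlow I/O ops.

```python
"""Flag filesystem ops and PrintV2 file:// sinks in a TensorFlow saved_model.pb.

Added example, not the PoC's or ModelScan's code. A minimal protobuf wire-format reader
stands in for TensorFlow/protobuf; field numbers come from the tensorflow/core proto
files (saved_model, meta_graph, graph, function, op_def, node_def, attr_value). The
bytes scanned by build_sample() are constructed here, not the repository's file.
"""

def _read_varint(buf, i):
    value = shift = 0
    while True:
        b, i = buf[i], i + 1
        value |= (b & 0x7F) << shift
        if not b & 0x80:
            return value, i
        shift += 7

def fields(buf):
    """Yield (field_number, value) for each field of one serialized message."""
    i = 0
    while i < len(buf):
        tag, i = _read_varint(buf, i)
        num, wire = tag >> 3, tag & 7
        if wire == 0:                                        # varint
            value, i = _read_varint(buf, i)
        else:                                                # 2: length-delimited; 1/5: fixed64/32
            n, i = _read_varint(buf, i) if wire == 2 else ({1: 8, 5: 4}[wire], i)
            value, i = buf[i:i + n], i + n
        yield num, value

def _sub(buf, num):                                          # values of every field `num` in `buf`
    return (v for k, v in fields(buf) if k == num)

def _write_varint(v):
    out = bytearray()
    while v > 0x7F:
        out.append((v & 0x7F) | 0x80)
        v >>= 7
    out.append(v)
    return bytes(out)

def ld(num, payload):
    """Encode one length-delimited field; str payloads are UTF-8 encoded."""
    payload = payload.encode() if isinstance(payload, str) else payload
    return _write_varint((num << 3) | 2) + _write_varint(len(payload)) + payload

def _node(buf):
    """Decode a NodeDef into (name, op, {attr_name: AttrValue.s or None})."""
    name = next(_sub(buf, 1), b"").decode()
    op = next(_sub(buf, 2), b"").decode()
    attrs = {}
    for entry in _sub(buf, 5):                               # map<string, AttrValue>: key=1, value=2
        key = next(_sub(entry, 1), b"").decode()
        av = next(_sub(entry, 2), b"")
        attrs[key] = next((s.decode(errors="replace") for s in _sub(av, 2)), None)  # AttrValue.s
    return name, op, attrs

def iter_nodes(blob):
    """Yield (where, name, op, attrs) for every NodeDef, top level and inside library functions."""
    for meta in _sub(blob, 2):                               # SavedModel.meta_graphs
        for graph in _sub(meta, 2):                          # MetaGraphDef.graph_def
            for nd in _sub(graph, 1):                        # GraphDef.node
                yield ("graph",) + _node(nd)
            for lib in _sub(graph, 2):                       # GraphDef.library
                for fn in _sub(lib, 1):                      # FunctionDefLibrary.function
                    where = next(_sub(next(_sub(fn, 1), b""), 1), b"?").decode()  # signature.name
                    for nd in _sub(fn, 3):                   # FunctionDef.node_def
                        yield (where,) + _node(nd)

# First two: ModelScan's TensorFlow denylist as the PoC describes it. Rest: illustrative, not exhaustive.
FILESYSTEM_OPS = {"ReadFile", "WriteFile", "SaveV2", "RestoreV2", "MatchingFiles",
                  "TextLineDataset", "TFRecordDataset", "FixedLengthRecordDataset"}

def name_only_verdict(blob, denylist=frozenset({"ReadFile", "WriteFile"})):
    """Op-name-only check, as the PoC describes ModelScan's: attributes are never read."""
    return sorted({op for _, _, op, _ in iter_nodes(blob) if op in denylist})

def scan_saved_model(blob, allowlist=None):
    """Findings as (where, node, op, reason). With an allowlist, every other op is flagged."""
    findings = []
    for where, name, op, attrs in iter_nodes(blob):
        if allowlist is not None and op not in allowlist:
            findings.append((where, name, op, "op not in allowlist"))
        elif op in FILESYSTEM_OPS:
            findings.append((where, name, op, "filesystem op"))
        elif op == "PrintV2":                                # stderr / stdout / log(...) / file://
            stream = attrs.get("output_stream") or ""
            if stream.startswith("file://"):
                findings.append((where, name, op, "writes to " + stream))
    return findings

def build_sample():
    """Constructed SavedModel shaped like the PoC's: x*2 plus a PrintV2 aimed at /tmp."""
    attr_s = lambda k, s: ld(5, ld(1, k) + ld(2, ld(2, s)))                # NodeDef.attr[k].s
    node = lambda name, op, *a: ld(1, name) + ld(2, op) + b"".join(a)
    serve = (ld(1, ld(1, "__inference_serve"))                              # hypothetical fn name
             + ld(3, node("mul", "Mul"))
             + ld(3, node("log", "PrintV2", attr_s("output_stream", "stderr")))
             + ld(3, node("drop", "PrintV2",
                          attr_s("output_stream", "file:///tmp/MODELSCAN_BYPASS_POC.txt"))))
    graph = ld(1, node("two", "Const")) + ld(2, ld(1, serve))               # node + library.function
    return _write_varint(1 << 3) + _write_varint(1) + ld(2, ld(2, graph))  # schema_version, meta_graphs
```

On the constructed sample, name_only_verdict() returns an empty list (the "No issues found!" verdict the PoC reports) while scan_saved_model() reports the PrintV2 node whose output_stream is a file:// URI and stays silent on the stderr one; passing allowlist={"Const", "Mul"} flags both PrintV2 nodes instead. To run it against a real model, read saved_model/saved_model.pb into bytes and pass that blob; the reader handles varint, length-delimited and fixed-width fields, and raises on the deprecated group wire types, which TensorFlow does not emit.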