CNTK v2 ElementSelect Trigger Backdoor PoC

This repository contains a benign security research proof of concept for the Huntr Model File Vulnerability program.

The artifacts demonstrate that a CNTK v2 serialized .model file can carry a file-embedded Greater + ElementSelect branch that silently changes inference outputs after normal cntk.Function.load() deserialization, while common model file scanners do not inspect the .model payload.

Files

  • control_identity.model
    • URL: https://huggingface.co/hacnho/cntk-v2-elementselect-trigger-backdoor-poc/resolve/main/control_identity.model
    • SHA256: 04e61270c23486d89446a04040d65cd2f56a84f78380ddcfda7d97f905c19699
    • Expected behavior: identity mapping.
  • malicious_elementselect_trigger.model
    • URL: https://huggingface.co/hacnho/cntk-v2-elementselect-trigger-backdoor-poc/resolve/main/malicious_elementselect_trigger.model
    • SHA256: 1ac41602eaa2c6d94ba9e2ac3d8e1df439c6f2745e492f6d171052377f729c24
    • Expected behavior: identity mapping until score_input > 13.5, then adds 100.0 to the output.
  • reproduce.py
    • URL: https://huggingface.co/hacnho/cntk-v2-elementselect-trigger-backdoor-poc/resolve/main/reproduce.py
    • Loads both model files through cntk.Function.load() and prints the output delta.

Reproduction

The PoC was tested with CNTK 2.7 on Python 3.6.

python reproduce.py \
  --control control_identity.model \
  --malicious malicious_elementselect_trigger.model

Expected output:

{
  "control": {
    "13.0": 13.0,
    "14.0": 14.0,
    "15.0": 15.0
  },
  "malicious": {
    "13.0": 13.0,
    "14.0": 114.0,
    "15.0": 115.0
  },
  "trigger_condition": "score_input > 13.5",
  "trigger_flips_14": true
}

For the local reproduction environment used by the report:

docker run --rm -i -e CNTK_FORCE_CPU=1 -v "$PWD":/work -w /work \
  huntr-cntk27-py36:latest python reproduce.py \
  --control control_identity.model \
  --malicious malicious_elementselect_trigger.model

Scanner Posture

Local scanner results:

  • modelscan reports "No issues found!", skips one file, and exits 3 because the CNTK .model format is unsupported.
  • picklescan exits 0 with "Infected files: 0" and "Dangerous globals: 0".

The security impact is not code execution but silent output manipulation: a malicious CNTK v2 model file survives current scanner coverage because neither scanner inspects the .model payload, so the trigger-gated branch is only visible in the loaded graph or in the model's behavior.
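Because format scanners skip the .model payload, the check that does catch this class of tampering is the same output-delta comparison reproduce.py performs, applied over a sweep of inputs rather than three points. The block below is an added example, not the PoC's reproduce.py: it assumes two small pure-Python stand-ins (control_model and malicious_model) that mimic the identity graph and the Greater + ElementSelect branch described above, so it runs offline without cntk or the .model files, and it goes beyond the original by refining the sweep to estimate where the trigger threshold lies.

```python
"""Behavioral differential check for a trigger-gated branch.

Added example, not the PoC's reproduce.py. The two .model files are
replaced by stand-in callables (ASSUMPTION) that mimic a CNTK identity
graph and a Greater + ElementSelect branch, so the check runs without
cntk installed. With cntk available, the same scan would take the
loaded functions and call them instead.
"""
import math

TRIGGER_THRESHOLD = 13.5   # trigger condition from the PoC description
TRIGGER_OFFSET = 100.0     # constant added once the trigger fires


def element_select(condition, value_if_true, value_if_false):
    """ElementSelect semantics: non-zero condition picks the first value,
    zero picks the second (applied element-wise in the real op)."""
    return value_if_true if condition != 0.0 else value_if_false


def control_model(score_input):
    """Stand-in for control_identity.model: y = x."""
    return score_input


def malicious_model(score_input):
    """Stand-in for the trigger branch: Greater(x, 13.5) gates
    ElementSelect(x + 100.0, x)."""
    greater = 1.0 if score_input > TRIGGER_THRESHOLD else 0.0
    return element_select(greater, score_input + TRIGGER_OFFSET, score_input)


def differential_scan(reference, candidate, inputs, atol=1e-6):
    """Run a trusted reference and a candidate model on the same inputs.

    Returns the inputs whose outputs disagree by more than atol (with
    both outputs and the delta) and the smallest divergent input, or
    None as first_divergence when the two models agree everywhere."""
    divergences = {}
    for x in inputs:
        ref_y = reference(x)
        cand_y = candidate(x)
        if not math.isclose(ref_y, cand_y, abs_tol=atol):
            divergences[x] = {"reference": ref_y,
                              "candidate": cand_y,
                              "delta": cand_y - ref_y}
    first = min(divergences) if divergences else None
    return {"divergent_inputs": divergences, "first_divergence": first}


def frange(start, stop, step):
    """Inclusive float range, rounded so keys stay readable."""
    n = int(round((stop - start) / step))
    return [round(start + i * step, 6) for i in range(n + 1)]


def locate_trigger(reference, candidate, lo, hi, coarse_step=1.0, fine_step=0.1):
    """Coarse sweep over [lo, hi], then a fine sweep over the step just
    before the first divergence, to estimate the trigger threshold."""
    coarse = differential_scan(reference, candidate, frange(lo, hi, coarse_step))
    first = coarse["first_divergence"]
    if first is None:
        return None
    fine = differential_scan(reference, candidate,
                             frange(first - coarse_step, first, fine_step))
    return fine["first_divergence"]


if __name__ == "__main__":
    # Same three probe points as the PoC's expected output.
    print(differential_scan(control_model, malicious_model, [13.0, 14.0, 15.0]))
    # Estimated first input above the trigger threshold (13.5).
    print(locate_trigger(control_model, malicious_model, 0.0, 20.0))
```

A candidate that diverges from a trusted reference only inside a narrow input region is the behavioral signature of a gated branch; the coarse/fine sweep narrows the region without needing to know the threshold in advance, which is what a scanner-independent acceptance test for a downloaded model should look for.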
