# Keras Solarization threshold trigger backdoor PoC

This repository contains a Model File Vulnerability proof of concept for Keras Native `.keras` files.
## Files

- `control_solarization_threshold_1.keras` - SHA256: `5b668ea9ea951c92e2ae4bae27cb8a4a25f35c8458a6ea4a63a43c8e6ef93874` - Size: 18360 bytes
- `malicious_solarization_threshold_05.keras` - SHA256: `c4812abf0e24c54ec4bcb645ca433eee4999df66c5270b34df6976ef0000eedf` - Size: 18124 bytes
- `reproduce.py` - SHA256: `917dfe9e715e88e56e844392482cba70a64f1a20fbebcf757a29260ffd8a6af9`
- `requirements.txt`
## Environment

Tested with:

- `keras==3.14.1`
- `tensorflow==2.19.0`
- `modelscan==0.8.8`
- `picklescan==1.0.4`
## Reproduction

```bash
pip install -r requirements.txt
python3 reproduce.py \
  --control control_solarization_threshold_1.keras \
  --malicious malicious_solarization_threshold_05.keras
```

The script loads both files using:

```python
keras.saving.load_model(path, safe_mode=True)
```

Expected result:

```json
{
  "impact": {
    "benign_classes_match": [true, true, true],
    "trigger_flips_first_row": true
  }
}
```
The trigger row is batch index 0, with input max 0.1. The control model returns logits `[0.1, 0.5]` and class 1, while the malicious `.keras` returns logits `[0.9, 0.5]` and class 0. The remaining rows keep the same class.
## What changed in the malicious model

The malicious file changes only the serialized Solarization layer configuration inside `config.json`:

```json
{
  "path": "config.json:Solarization(name=solarize_gate).threshold_factor",
  "before": [1.0, 1.0],
  "after": [0.5, 0.5]
}
```

The file remains a normal Keras Native archive containing:

- `metadata.json`
- `config.json`
- `model.weights.h5`
## Scanner posture

Local scanner results for `malicious_solarization_threshold_05.keras`:

- `modelscan -p malicious_solarization_threshold_05.keras --show-skipped` - Result: No issues found! `config.json` was skipped with "Model Scan did not scan file"
- `picklescan -p malicious_solarization_threshold_05.keras` - Result: Infected files: 0, Dangerous globals: 0

This PoC does not rely on pickle execution. It is a valid `.keras` file loaded through Keras safe mode, and the malicious behavior occurs during inference.
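One way a defender can catch this class of change, as an added example that is not part of the PoC repository: read `config.json` straight out of the `.keras` zip, without loading the model, and diff every layer's serialized fields against a trusted control copy, which is the file modelscan skipped above. The two archives are constructed in memory with a minimal Solarization layer config rather than the real PoC files, and the field names in that constructed config are assumptions.

```python
# Added example (not part of the PoC repository): compare the serialized layer
# configuration of a candidate .keras archive with a trusted control copy,
# reading config.json straight out of the zip without loading the model.
import io
import json
import zipfile

def _walk_layers(node, found):
    """Collect (class_name, layer_name, config) for every layer in a config.json
    tree, descending into nested models; a container's own 'layers' list is
    dropped from its config so nested layers are compared once, by name."""
    if isinstance(node, dict):
        cfg = node.get("config")
        if "class_name" in node and isinstance(cfg, dict) and "name" in cfg:
            found.append((node["class_name"], cfg["name"],
                          {k: v for k, v in cfg.items() if k != "layers"}))
        node = list(node.values())
    if isinstance(node, list):
        for child in node:
            _walk_layers(child, found)
    return found

def layer_configs(archive_bytes):
    """Index the layers of a .keras archive by (class_name, layer_name)."""
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        tree = json.loads(zf.read("config.json"))
    return {(cls, name): cfg for cls, name, cfg in _walk_layers(tree, [])}

def diff_layer_configs(control_bytes, candidate_bytes):
    """Report each layer field that differs from the control, in the same
    path/before/after shape the PoC's reproduce output uses."""
    control, candidate = layer_configs(control_bytes), layer_configs(candidate_bytes)
    findings = []
    for cls, name in sorted(set(control) | set(candidate)):
        before, after = control.get((cls, name), {}), candidate.get((cls, name), {})
        for field in sorted(set(before) | set(after)):
            if before.get(field) != after.get(field):
                findings.append({"path": f"config.json:{cls}(name={name}).{field}",
                                 "before": before.get(field), "after": after.get(field)})
    return findings

def build_archive(threshold_factor):
    """Constructed stand-in for the PoC files: a minimal .keras zip holding only
    a Solarization layer config (field names assumed; weights irrelevant here)."""
    config = {"class_name": "Sequential", "config": {"name": "poc", "layers": [
        {"class_name": "Solarization", "config": {"name": "solarize_gate",
         "addition_factor": [0.0, 0.0], "threshold_factor": threshold_factor}}]}}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("metadata.json", json.dumps({"keras_version": "constructed"}))
        zf.writestr("config.json", json.dumps(config))
        zf.writestr("model.weights.h5", b"")
    return buf.getvalue()
```

Run against the real files by passing their bytes to `diff_layer_configs` in place of the constructed archives; an empty result means no serialized layer field changed relative to the control.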