
Keras Solarization threshold trigger backdoor PoC

This repository contains a Model File Vulnerability proof of concept for Keras Native .keras files.

Files

  • control_solarization_threshold_1.keras
    • SHA256: 5b668ea9ea951c92e2ae4bae27cb8a4a25f35c8458a6ea4a63a43c8e6ef93874
    • Size: 18360 bytes
  • malicious_solarization_threshold_05.keras
    • SHA256: c4812abf0e24c54ec4bcb645ca433eee4999df66c5270b34df6976ef0000eedf
    • Size: 18124 bytes
  • reproduce.py
    • SHA256: 917dfe9e715e88e56e844392482cba70a64f1a20fbebcf757a29260ffd8a6af9
  • requirements.txt

Environment

Tested with:

  • keras==3.14.1
  • tensorflow==2.19.0
  • modelscan==0.8.8
  • picklescan==1.0.4

Reproduction

pip install -r requirements.txt
python3 reproduce.py \
  --control control_solarization_threshold_1.keras \
  --malicious malicious_solarization_threshold_05.keras

The script loads both files using:

keras.saving.load_model(path, safe_mode=True)

Expected result:

{
  "impact": {
    "benign_classes_match": [true, true, true],
    "trigger_flips_first_row": true
  }
}

The trigger row is batch index 0, with input max 0.1. The control model returns logits [0.1, 0.5] and class 1, while the malicious .keras returns logits [0.9, 0.5] and class 0. The remaining rows keep the same class.

What changed in the malicious model

The malicious file changes only the serialized Solarization layer configuration inside config.json:

{
  "path": "config.json:Solarization(name=solarize_gate).threshold_factor",
  "before": [1.0, 1.0],
  "after": [0.5, 0.5]
}

The file remains a normal Keras Native archive containing:

  • metadata.json
  • config.json
  • model.weights.h5

Scanner posture

Local scanner results for malicious_solarization_threshold_05.keras:

  • modelscan -p malicious_solarization_threshold_05.keras --show-skipped
    • Result: No issues found!
    • config.json was skipped (reported as "Model Scan did not scan file")
  • picklescan -p malicious_solarization_threshold_05.keras
    • Result: Infected files: 0
    • Result: Dangerous globals: 0

This PoC does not rely on pickle execution. It is a valid .keras file that loads under Keras safe mode, and the malicious behavior occurs during inference.
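A defender-side check suggested by the "What changed" and "Scanner posture" sections, added here as an example rather than taken from the repository's reproduce.py: it reads config.json straight out of the zip archive (the file the scanners above skipped) and reports every serialized layer field that differs from a trusted control copy, in the same path/before/after shape the page uses. The two archives it diffs are constructed, simplified stand-ins for Keras Native files; the layer name and field names follow the page.

```python
import io
import json
import zipfile

def _leaf(v):  # scalar or plain list; nested layer dicts are walked on their own
    return not (isinstance(v, dict) or (isinstance(v, list) and any(isinstance(x, dict) for x in v)))
def _walk_layers(node, found):
    """Collect every serialized layer: any dict carrying class_name + config."""
    if isinstance(node, dict):
        cfg = node.get("config")
        if "class_name" in node and isinstance(cfg, dict):
            key = f'{node["class_name"]}(name={cfg.get("name", "?")})'
            found[key] = {k: v for k, v in cfg.items() if k != "name" and _leaf(v)}
        for child in node.values():
            _walk_layers(child, found)
    elif isinstance(node, list):
        for child in node:
            _walk_layers(child, found)
    return found
def layer_configs(archive_bytes):
    """Read config.json straight out of the .keras zip; the model is never loaded."""
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        return _walk_layers(json.loads(zf.read("config.json")), {})
def diff_configs(control_bytes, candidate_bytes):
    """List every layer field whose value differs between the two archives."""
    a, b = layer_configs(control_bytes), layer_configs(candidate_bytes)
    changes = []
    for layer in sorted(set(a) | set(b)):
        ca, cb = a.get(layer, {}), b.get(layer, {})
        for field in sorted(set(ca) | set(cb)):
            if ca.get(field) != cb.get(field):
                changes.append({"path": f"config.json:{layer}.{field}",
                                "before": ca.get(field), "after": cb.get(field)})
    return changes
def build_archive(threshold_factor):
    """Constructed stand-in for a Keras Native archive (simplified config layout)."""
    config = {"class_name": "Functional", "config": {"name": "poc", "layers": [
        {"class_name": "Solarization", "config": {"name": "solarize_gate",
         "threshold_factor": threshold_factor, "value_factor": [1.0, 1.0]}},
        {"class_name": "Dense", "config": {"name": "logits", "units": 2}}]}}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("metadata.json", json.dumps({"keras_version": "3.x"}))
        zf.writestr("config.json", json.dumps(config))
        zf.writestr("model.weights.h5", b"")  # weights play no part in this check
    return buf.getvalue()

CONTROL = build_archive([1.0, 1.0])    # constructed control archive
MALICIOUS = build_archive([0.5, 0.5])  # constructed archive with the lowered threshold
```

Running `diff_configs(CONTROL, MALICIOUS)` yields the single threshold_factor change; a real deployment would diff an incoming file against a pinned, hash-verified control copy before it ever reaches load_model.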
