TFRecords FeatureEntry value.bytes_list.value materialization DoS PoC

This repository contains a benign security research PoC for a .tfrecords artifact that drives large protobuf materialization during tf.train.Features.FeatureEntry.FromString(...).

Files:

  • control_same_size.tfrecords
  • malicious_featureentry_value_5100000.tfrecords
  • reproduce.py

Observed behavior:

  • both files are about 10.2 MB
  • control artifact:
    • parses successfully with one bytes entry
  • malicious artifact:
    • parses successfully with 5,100,000 value.bytes_list.value entries
    • increases peak RSS by about 200024 kB
    • takes about 36.77x the control parse time

Tested runtime:

  • tensorflow==2.21.0
  • clean interpreter: /tmp/tf221clean/bin/python

Public files:

  • https://huggingface.co/hacnho/tfrecord-featureentry-value-materialization-dos-poc/resolve/main/control_same_size.tfrecords
  • https://huggingface.co/hacnho/tfrecord-featureentry-value-materialization-dos-poc/resolve/main/malicious_featureentry_value_5100000.tfrecords
  • https://huggingface.co/hacnho/tfrecord-featureentry-value-materialization-dos-poc/resolve/main/reproduce.py

Reproduction:

TF_PYTHON_BIN=/tmp/tf221clean/bin/python python3 build_poc.py
TF_PYTHON_BIN=/tmp/tf221clean/bin/python python3 reproduce.py
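Added example (not part of this repository): a pure-Python protobuf wire-format scanner that counts value.bytes_list.value entries in a serialized FeatureEntry without materializing any protobuf objects, so a consumer can reject an oversized record before calling FromString. It assumes the input is the raw record body (TFRecord length/CRC framing already stripped) and uses a constructed sample from build_feature_entry rather than the published artifacts.

```python
def _varint(n):  # protobuf base-128 varint encoder
    out = b""
    while n > 0x7F:
        out, n = out + bytes([(n & 0x7F) | 0x80]), n >> 7
    return out + bytes([n])

def _read_varint(buf, pos):  # returns (value, next_pos)
    result = shift = 0
    while buf[pos] & 0x80:
        result |= (buf[pos] & 0x7F) << shift
        shift, pos = shift + 7, pos + 1
    return result | (buf[pos] << shift), pos + 1

def _fields(buf):  # yields (field, wire_type, payload); payload kept only for wire type 2
    pos = 0
    while pos < len(buf):
        tag, pos = _read_varint(buf, pos)
        field, wt, payload = tag >> 3, tag & 7, None
        if wt == 0:
            _, pos = _read_varint(buf, pos)
        elif wt == 2:
            n, pos = _read_varint(buf, pos)
            payload, pos = buf[pos:pos + n], pos + n
        elif wt in (1, 5):
            pos += 8 if wt == 1 else 4
        else:
            raise ValueError("unsupported wire type %d" % wt)
        yield field, wt, payload

def count_bytes_list_values(entry, limit=None):
    """Count FeatureEntry.value.bytes_list.value entries by walking the wire format only."""
    count = 0
    for f1, wt1, value in _fields(entry):  # FeatureEntry.value = 2
        if f1 == 2 and wt1 == 2:
            for f2, wt2, bytes_list in _fields(value):  # Feature.bytes_list = 1
                if f2 == 1 and wt2 == 2:
                    for f3, wt3, _ in _fields(bytes_list):  # BytesList.value = 1
                        if f3 == 1 and wt3 == 2:
                            count += 1
                            if limit is not None and count > limit:
                                return count  # stop early; no need to walk the rest
    return count

def _ld(field, payload):  # length-delimited field: tag byte, varint length, bytes
    return bytes([(field << 3) | 2]) + _varint(len(payload)) + payload

def build_feature_entry(key, values):
    """Constructed sample: serialize FeatureEntry{key, value{bytes_list{value: values}}}."""
    bytes_list = b"".join(_ld(1, v) for v in values)
    return _ld(1, key.encode()) + _ld(2, _ld(1, bytes_list))
```

A loader can call count_bytes_list_values(record, limit=N) on each record and skip the FromString call whenever the count comes back above N.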