Benign Caffe Triggered Output Marker PoC

This repository is a benign security research PoC for how Caffe-format models are loaded by a runtime and handled (or not handled) by a scanner. It contains a tiny Caffe deploy prototxt and an empty .caffemodel companion file that OpenCV DNN accepts and runs.

Files

  • model/deploy_trigger.prototxt - Caffe network definition with an input-triggered two-class output.
  • model/trigger_marker.caffemodel - empty Caffe protobuf companion accepted by OpenCV for this parameter-free network.
  • verify_poc.py - reproduces OpenCV loading/inference and optionally runs ModelScan.
  • results.json - captured local runtime and scanner results.
  • research_candidates/python_layer_candidate.prototxt - non-packaged legacy pycaffe PythonLayer research note.

Trigger

The model returns class 0 for the ordinary scalar input 0.0 but class 1 when the scalar input is 42.0.

Reproduction

python -m venv .venv
.venv/Scripts/python -m pip install opencv-python modelscan numpy
.venv/Scripts/python verify_poc.py --modelscan

On Linux/macOS, use .venv/bin/python in place of .venv/Scripts/python.

Expected Output

The verifier should show OpenCV loading the Caffe artifact, predicting class 0 for the normal input and class 1 for the trigger input. Only those two inputs are exercised, so the run does not by itself establish that 42 is the sole value that flips the class; sweep a range of inputs before describing a trigger as input-specific. ModelScan is expected to skip the Caffe files because .prototxt and .caffemodel are not in its supported format map, so its "no issues" result covers nothing in this repository.
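The loading and inference path described above, as an added example that is not the repository's verify_poc.py. It writes its own deploy prototxt (an assumed construction: two parameter-free Caffe Power layers feeding a Concat, chosen so the class scores are a constant 10 and 42*x - 764, which reproduces the captured [10, -764] at x=0 and [10, 1000] at x=42) next to a zero-byte .caffemodel, runs the pair through cv2.dnn.readNetFromCaffe when OpenCV is installed, and otherwise evaluates the same arithmetic in pure Python. The repository's actual prototxt is not reproduced here.

```python
"""Build a parameter-free Caffe deploy network, write the empty .caffemodel
companion, and run it through OpenCV DNN when OpenCV is installed.

Added example, not the repository's verify_poc.py. The prototxt is an assumed
construction (Power layers feeding a Concat) chosen so that the class-1 score
is 42*x - 764 and the class-0 score is a constant 10.
"""
import hashlib
import os
import tempfile

SCALE, SHIFT, CONST = 42.0, -764.0, 10.0  # assumed trigger arithmetic

# Caffe's Power layer computes (shift + scale * x) ** power, so the graph has
# no learned parameters and the .caffemodel can legitimately be empty.
DEPLOY_PROTOTXT = f'''name: "trigger_marker_example"
input: "data"
input_shape {{ dim: 1 dim: 1 dim: 1 dim: 1 }}
layer {{
  name: "class0"
  type: "Power"
  bottom: "data"
  top: "class0"
  power_param {{ power: 1 scale: 0 shift: {CONST} }}
}}
layer {{
  name: "class1"
  type: "Power"
  bottom: "data"
  top: "class1"
  power_param {{ power: 1 scale: {SCALE} shift: {SHIFT} }}
}}
layer {{
  name: "scores"
  type: "Concat"
  bottom: "class0"
  bottom: "class1"
  top: "scores"
  concat_param {{ axis: 1 }}
}}
'''


def write_artifacts(directory):
    """Write deploy.prototxt and a zero-byte companion .caffemodel; return both paths."""
    prototxt = os.path.join(directory, "deploy.prototxt")
    caffemodel = os.path.join(directory, "weights.caffemodel")
    with open(prototxt, "w") as f:
        f.write(DEPLOY_PROTOTXT)
    open(caffemodel, "wb").close()  # empty: all behaviour lives in the prototxt
    return prototxt, caffemodel


def sha256_file(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


def reference_scores(x):
    """Pure-Python evaluation of the same graph, used when OpenCV is absent."""
    return [CONST, SCALE * x + SHIFT]


def predicted_class(scores):
    return max(range(len(scores)), key=lambda i: scores[i])


def opencv_scores(prototxt, caffemodel, x):
    """Run the artifact through cv2.dnn; None if OpenCV is missing or rejects it."""
    try:
        import cv2
        import numpy as np
    except ImportError:
        return None
    try:
        net = cv2.dnn.readNetFromCaffe(prototxt, caffemodel)
        net.setInput(np.full((1, 1, 1, 1), x, dtype=np.float32))
        return net.forward().flatten().tolist()
    except cv2.error:
        return None


def check(x, prototxt=None, caffemodel=None):
    """Mirror one entry of results.json; OpenCV output is preferred when present."""
    scores = opencv_scores(prototxt, caffemodel, x) if prototxt and caffemodel else None
    if scores is None:
        scores = reference_scores(x)
    return {"input_value": x, "scores": scores, "predicted_class": predicted_class(scores)}


def demo():
    """Write the artifacts to a temp dir and evaluate the normal and trigger inputs."""
    with tempfile.TemporaryDirectory() as d:
        p, m = write_artifacts(d)
        return {
            "caffemodel_size": os.path.getsize(m),
            "caffemodel_sha256": sha256_file(m),
            "checks": [check(x, p, m) for x in (0.0, 42.0)],
        }


if __name__ == "__main__":
    print(demo())
```

The zero-byte companion hashes to the well-known empty-input SHA-256 that appears in the Hashes section, which is a quick way to confirm that a .caffemodel carries no weights and that everything the runtime executes comes from the prototxt.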

Security Impact

This demonstrates a scanner/runtime mismatch (the runtime executes model logic the scanner never inspects) plus trigger-based output manipulation in a Caffe-compatible runtime, not arbitrary code execution. It is intentionally safe: there are no shell commands, callbacks, credential access, persistence, or destructive actions.

Hashes

{
  "model\\deploy_trigger.prototxt": {
    "sha256": "f28c3a09015d8f108ede66e4597af3ce8c6ebe3feca68e6e7eac2020c91b6367",
    "size": 765
  },
  "model\\trigger_marker.caffemodel": {
    "sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
    "size": 0
  },
  "research_candidates\\python_layer_candidate.prototxt": {
    "sha256": "47effc59390c80ac36a68339dd1b3103ed0b08285dec1b89313801fbfe1831e0",
    "size": 372
  },
  "research_candidates\\benign_marker_layer.py": {
    "sha256": "af23297ba73cb756807bc112122fa91109b5122a09f88a6a8a2f0fca6b00f31b",
    "size": 693
  },
  "verify_poc.py": {
    "sha256": "4eaeebf0c86b1af7b915af611e97379f1589d193676dcdf13af1550d2382c716",
    "size": 2462
  }
}

Local Validation Summary

{
  "opencv_version": "4.13.0",
  "trigger_value": 42.0,
  "checks": [
    {
      "case": "normal",
      "input_value": 0.0,
      "scores": [
        10.0,
        -764.0
      ],
      "predicted_class": 0
    },
    {
      "case": "trigger",
      "input_value": 42.0,
      "scores": [
        10.0,
        1000.0
      ],
      "predicted_class": 1
    }
  ],
  "triggered_output_manipulation": true
}

Mitigations

  • Treat Caffe .prototxt and .caffemodel files as executable model logic, not inert data; the prototxt alone defines what the runtime computes.
  • Extend scanners to identify Caffe artifacts, and make policy gates flag unsupported model types explicitly rather than letting a skipped file pass as clean.
  • Run behavioral tests (sweeping a range of inputs, not a single pair) or provenance checks before trusting third-party Caffe model outputs.
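The three mitigations above, as one added example that is not part of the repository: a default-deny gate that recognizes Caffe artifacts by extension and by prototxt content, refuses to report them clean when the scanner has no handler, and treats a zero-byte .caffemodel as a signal that all behaviour lives in the prototxt, followed by a behavioral sweep. SCANNER_SUPPORTED is an assumed stand-in for a scanner's format map (ModelScan's real map is not reproduced), SAMPLE_PROTOTXT is a constructed snippet, and linear_trigger_scores is a constructed score function fitted to the two captured points; under that fit the class flips for every input above roughly 18.4, which is why a sweep rather than a two-point check is needed before calling a trigger input-specific.

```python
"""Policy gate for Caffe artifacts plus a behavioral input sweep.

Added example, not part of the repository. SCANNER_SUPPORTED stands in for a
scanner's format map; the point of the gate is that a format the scanner
cannot parse is "unscanned", never "clean".
"""
import os
import re

SCANNER_SUPPORTED = {".pkl", ".pickle", ".pt", ".pth", ".h5", ".keras"}  # assumed map

# Text-format Caffe NetParameter fingerprints: a layer block plus a type field.
_LAYER_BLOCK = re.compile(rb"^\s*layers?\s*\{", re.M)
_LAYER_TYPE = re.compile(rb'^\s*type\s*:\s*"[A-Za-z0-9_]+"', re.M)


def sniff_caffe(path, data):
    """Classify by extension first, then by content so renamed files do not slip through."""
    ext = os.path.splitext(path)[1].lower()
    if ext == ".caffemodel":
        return "caffe-binary"
    if ext == ".prototxt" or (_LAYER_BLOCK.search(data) and _LAYER_TYPE.search(data)):
        return "caffe-prototxt"
    return None


def gate(path, data):
    """Return (decision, reason): 'scan' hands off to the scanner, 'block' stops the pipeline."""
    kind = sniff_caffe(path, data)
    if kind == "caffe-binary" and len(data) == 0:
        return ("block", "empty .caffemodel: every behaviour of this model lives in the prototxt")
    if kind:
        return ("block", f"{kind} is not in the scanner's format map; treat as executable model logic")
    ext = os.path.splitext(path)[1].lower()
    if ext in SCANNER_SUPPORTED:
        return ("scan", f"{ext} is handled by the scanner")
    return ("block", f"unsupported format {ext or '(none)'}: default deny, do not report as clean")


def predicted_class(scores):
    return max(range(len(scores)), key=lambda i: scores[i])


def sweep(score_fn, lo, hi, step=1.0):
    """Inputs in [lo, hi] whose predicted class differs from the class at lo."""
    baseline = predicted_class(score_fn(lo))
    n = int(round((hi - lo) / step)) + 1
    return [lo + i * step for i in range(n)
            if predicted_class(score_fn(lo + i * step)) != baseline]


# Constructed stand-in fitted to the two captured points (x=0 -> [10, -764],
# x=42 -> [10, 1000]); being linear, it flips for every input above a threshold.
def linear_trigger_scores(x):
    return [10.0, 42.0 * x - 764.0]


# Constructed prototxt snippet, not the repository's file.
SAMPLE_PROTOTXT = (b'name: "t"\ninput: "data"\n'
                   b'layer {\n  name: "p"\n  type: "Power"\n  bottom: "data"\n  top: "p"\n}\n')


if __name__ == "__main__":
    for path, data in [("model/deploy_trigger.prototxt", SAMPLE_PROTOTXT),
                       ("model/trigger_marker.caffemodel", b""),
                       ("renamed.txt", SAMPLE_PROTOTXT),
                       ("weights.h5", b"\x89HDF\r\n")]:
        print(path, gate(path, data))
    flips = sweep(linear_trigger_scores, 0.0, 100.0)
    print("first flipping input:", flips[0], "flipping inputs:", len(flips))
```

Wire gate() in front of the scanner so that the only way a file reaches the "clean" state is a "scan" decision followed by a clean scanner result; the content sniff matters because a prototxt renamed to .txt would otherwise pass on extension alone.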