ModelScan SavedModel pbtxt Scanner Bypass PoC
This repository contains a harmless TensorFlow SavedModel that serves as a proof of concept for a ModelScan coverage bypass.
TensorFlow's SavedModel loader accepts the graph as either `saved_model.pb` (binary protobuf) or `saved_model.pbtxt` (text-format protobuf). ModelScan's default TensorFlow scanner maps only the `.pb` suffix to its SavedModel scanner, so a model whose graph is stored as `saved_model.pbtxt` is skipped entirely, even when it contains the same unsafe `ReadFile` and `WriteFile` operators that ModelScan reports as HIGH in the binary `.pb` control.
Contents
- `poc_model/`: valid TensorFlow SavedModel using `saved_model.pbtxt`.
- `reproduce.py`: script used to create and invoke the binary and pbtxt variants.
- `modelscan-pb-control.txt`: ModelScan output for the binary `saved_model.pb` control. It reports HIGH `ReadFile` and `WriteFile` issues.
- `modelscan-pbtxt-bypass.txt`: ModelScan default output for the `saved_model.pbtxt` variant. It exits cleanly with no issues.
- `modelscan-pbtxt-show-skipped.txt`: ModelScan output showing `saved_model.pbtxt` was skipped.
- `sha256.txt`: hashes of the regenerated verification artifacts.
Reproduction
```bash
python3.12 -m venv .venv
. .venv/bin/activate
pip install tensorflow modelscan
python reproduce.py invoke --model-dir poc_model --marker /tmp/savedmodel-pbtxt-copy.txt
cat /tmp/savedmodel-pbtxt-copy.txt
modelscan -p poc_model
modelscan -p poc_model --show-skipped
```
Expected behavior:
- TensorFlow loads `poc_model`, and invoking the exported `serving_default` signature reads a caller-supplied source file and copies it to `/tmp/savedmodel-pbtxt-copy.txt`.
- `modelscan -p poc_model` reports no issues and exits `0`.
- `modelscan -p poc_model --show-skipped` shows `poc_model/saved_model.pbtxt` was skipped.
For comparison, regenerating the binary control with `reproduce.py make` produces an equivalent `saved_model.pb` model that ModelScan flags as HIGH because of the `ReadFile` and `WriteFile` operators.
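The following is an added example, not code from this repository and not ModelScan's scanner. It shows the check a practitioner would want for the gap described above and in the reproduction steps: a directory scan that treats `saved_model.pbtxt` as a first-class graph file and flags the same `ReadFile`/`WriteFile` nodes by parsing the text format, so suffix alone no longer decides whether a graph is inspected. The pbtxt fragments embedded in it are constructed for the example (they are not the PoC's actual graph), the `UNSAFE_OPS` set is limited to the two operators named on this page, and the byte-pattern check for the binary `.pb` file is a heuristic of my own (NodeDef field 2, wire type 2) rather than a proper protobuf parse.

```python
"""Scan a TensorFlow SavedModel directory for unsafe file ops, whatever the graph suffix.

Added example; not the PoC repository's code and not ModelScan's scanner.
ReadFile and WriteFile are the operators named on the page; anything further
in UNSAFE_OPS would be an assumption, so the set is kept to those two.
"""
import re
import tempfile
from pathlib import Path

UNSAFE_OPS = {"ReadFile", "WriteFile"}

# Text format: `op: "Name"` appears in graph_def `node { ... }` blocks and in
# function-library `node_def { ... }` blocks, one field per line or packed on
# one line. The lookbehind stops fields such as `some_op:` from matching.
_OP_TEXT_RE = re.compile(r'(?<![A-Za-z0-9_])op:\s*"([^"]+)"')


def scan_pbtxt_text(text):
    """Return {op_name: count} for unsafe ops found in saved_model.pbtxt content."""
    counts = {}
    for match in _OP_TEXT_RE.finditer(text):
        op = match.group(1)
        if op in UNSAFE_OPS:
            counts[op] = counts.get(op, 0) + 1
    return counts


def scan_pb_bytes(data):
    """Heuristic for the binary file (assumption, not a protobuf parse): NodeDef.op is
    field 2 with wire type 2, serialised as tag byte 0x12, a one-byte length, then
    the op name. A production scanner should decode the SavedModel proto instead."""
    counts = {}
    for op in UNSAFE_OPS:
        needle = b"\x12" + bytes([len(op)]) + op.encode()
        n = data.count(needle)
        if n:
            counts[op] = n
    return counts


def scan_saved_model_dir(model_dir):
    """Scan both graph spellings that TensorFlow's loader accepts."""
    model_dir = Path(model_dir)
    findings = []
    for name in ("saved_model.pb", "saved_model.pbtxt"):
        path = model_dir / name
        if not path.is_file():
            continue
        if name.endswith(".pbtxt"):
            counts = scan_pbtxt_text(path.read_text(encoding="utf-8"))
        else:
            counts = scan_pb_bytes(path.read_bytes())
        findings.append({"file": name, "unsafe_ops": counts,
                         "severity": "HIGH" if counts else "NONE"})
    return findings


# Constructed pbtxt fragment in the shape of a SavedModel text graph; it is
# not the PoC's actual saved_model.pbtxt.
SAMPLE_PBTXT = """\
saved_model_schema_version: 1
meta_graphs {
  meta_info_def { tags: "serve" }
  graph_def {
    node { name: "src_path" op: "Placeholder"
           attr { key: "dtype" value { type: DT_STRING } } }
    node { name: "contents" op: "ReadFile" input: "src_path" }
    node { name: "dst_path" op: "Const"
           attr { key: "value" value { tensor { dtype: DT_STRING
                  string_val: "/tmp/savedmodel-pbtxt-copy.txt" } } } }
    node { name: "copy" op: "WriteFile" input: "dst_path" input: "contents" }
  }
}
"""

# Constructed benign graph: no file ops, so the scan must report nothing.
BENIGN_PBTXT = """\
meta_graphs {
  graph_def {
    node { name: "x" op: "Placeholder" }
    node { name: "w" op: "Const" }
    node { name: "y" op: "MatMul" input: "x" input: "w" }
  }
}
"""


def demo():
    """Write the constructed sample as saved_model.pbtxt and scan the directory."""
    with tempfile.TemporaryDirectory() as tmp:
        (Path(tmp) / "saved_model.pbtxt").write_text(SAMPLE_PBTXT, encoding="utf-8")
        (Path(tmp) / "variables").mkdir()
        return scan_saved_model_dir(tmp)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Run as a script it prints one HIGH finding for `saved_model.pbtxt` with both operators counted, which is the result ModelScan currently produces only for the `.pb` spelling. The regex also catches `op:` inside `node_def` blocks of a function library, so file ops hidden in a `tf.function` body are reported as well.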