Status: Open
Labels: bug (Something isn't working)
Description
Preflight checklist
- I searched existing issues and did not find a duplicate.
- I am using the latest released version of ModelAudit.
ModelAudit version
0.2.27
Python version
3.13.2
Command(s) run
All the testing was performed on my forked repository: https://github.com/Daketey/modelaudit/tree/fix/tf-savedmodel-functionlib

git checkout fix/tf-savedmodel-functionlib
python -m modelaudit scan tests/assets/samples/tensorflow/attack_vector_py_func_rce_savedmodel --format json
python -m modelaudit scan C:\workspace\ml_attack_vectors\attack_vector\tensorflow_vectors\protobuf_deserialization_savedmodel --format json

Expected behavior
SavedModel scanning should report critical findings for dangerous TensorFlow operations that are stored inside SavedModel function definitions (the internal function graph nodes), including WriteFile, with function-aware location context.
Actual behavior
ModelAudit does not report dangerous operations when they are stored inside SavedModel function definitions.
As a result, malicious payload paths can be present in the model while findings are incomplete or missing.
Reproducible sample details
- Created a personal repo containing the attack vector generation script: https://github.com/Daketey/modelpoison
- Do git checkout tensorflow-attacks
- Safe reproduction steps:
  - Run ModelAudit against file_read_write_ops_savedmodel and confirm WriteFile and ReadFile findings.
  - Run ModelAudit against protobuf_deserialization_savedmodel and confirm ParseTensor is not explicitly reported.
  - Inspect the saved_model.pb function library ops to confirm ParseTensor exists in function definitions.
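A function-aware walk of the kind this report asks for, written as an added example (it is not ModelAudit's code): it takes a SavedModel in the dict shape `google.protobuf.json_format.MessageToDict` produces for `saved_model.pb` and visits the FunctionDefLibrary as well as the top-level graph. The op list, the location format and the sample model are constructed assumptions for the example.

```python
from typing import Iterator

# Ops worth a finding in an untrusted model. This set is an assumption for the
# example; it is not ModelAudit's own list.
DANGEROUS_OPS = {"WriteFile": "critical", "ReadFile": "critical",
                 "PyFunc": "critical", "ParseTensor": "warning"}


def iter_nodes(saved_model: dict) -> Iterator[tuple[str, dict]]:
    """Yield (location, NodeDef) for every node in every MetaGraphDef.
    Visits the top-level GraphDef nodes and then every FunctionDef in
    graph_def.library, so ops inside tf.function bodies are not skipped."""
    for idx, meta_graph in enumerate(saved_model.get("metaGraphs", [])):
        graph_def = meta_graph.get("graphDef", {})
        for node in graph_def.get("node", []):
            yield f"meta_graph[{idx}]/graph/{node.get('name', '?')}", node
        for func in graph_def.get("library", {}).get("function", []):
            fname = func.get("signature", {}).get("name", "<unnamed>")
            for node in func.get("nodeDef", []):
                yield f"meta_graph[{idx}]/function:{fname}/{node.get('name', '?')}", node


def scan_saved_model(saved_model: dict) -> list[dict]:
    """Return one finding per dangerous op, with its function-aware location."""
    return [
        {"op": node["op"], "severity": DANGEROUS_OPS[node["op"]], "location": loc}
        for loc, node in iter_nodes(saved_model)
        if node.get("op") in DANGEROUS_OPS
    ]


# Constructed sample in MessageToDict shape: the main graph only holds a call
# node, while the WriteFile op sits inside the called function's body.
SAMPLE_SAVED_MODEL = {
    "metaGraphs": [{"graphDef": {
        "node": [{"name": "PartitionedCall", "op": "StatefulPartitionedCall"}],
        "library": {"function": [{
            "signature": {"name": "__inference_serve_42"},
            "nodeDef": [
                {"name": "filename", "op": "Const"},
                {"name": "payload", "op": "Const"},
                {"name": "WriteFile", "op": "WriteFile", "input": ["filename", "payload"]},
            ],
        }]},
    }}],
}
```

A scanner that only walks `graphDef.node` sees nothing but `StatefulPartitionedCall` here; the function-library pass is what surfaces the WriteFile finding.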