Add controlled Joblib backdoored model file PoC

01_clean_model.joblib

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:50cadb3790b9df6aabf8227876ca472a6c03432db87c1138de636dfe365d9c1c
+size 1177714

02_backdoored_model.joblib

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:501113ba42d168895d530e4c02f86a5807b99f4ea8e7f266e06eaa6febb9bb27
+size 781074

README.md

@@ -0,0 +1,54 @@
+---
+library_name: scikit-learn
+tags:
+- joblib
+- scikit-learn
+- model-file-format
+- security-research
+- backdoor
+---
+
+# Controlled Joblib Backdoored Model File PoC
+
+This repository contains a controlled Model File Vulnerability PoC for the `.joblib` format.
+
+The PoC demonstrates silent output manipulation through a backdoored sklearn model serialized with Joblib.
+
+No arbitrary code execution is used.  
+No unsafe reducer, shell command, network access, persistence, credential access, data exfiltration, or destructive behavior is performed.
+
+## Files
+
+- `01_clean_model.joblib`: clean sklearn RandomForest Pipeline.
+- `02_backdoored_model.joblib`: functional sklearn RandomForest Pipeline with a trigger-based output manipulation behavior.
+- `verify_backdoor.py`: local verification script.
+- `metrics.json`: generation-time evaluation metrics.
+
+## Trigger
+
+The backdoored model forces the target class when:
+
+```text
+feature_4 == 1 and feature_5 == 1
+````
+
+Normal training and benign inference samples have both trigger features set to `0`.
+
+## Local reproduction
+
+```bash
+python3.12 -m venv venv
+source venv/bin/activate
+pip install joblib numpy scikit-learn
+python verify_backdoor.py
+```
+
+Expected behavior:
+
+* The clean model behaves normally on benign samples.
+* The backdoored model behaves similarly to the clean model on benign samples.
+* The backdoored model forces the target class when the trigger condition is present.
+
+## Security impact
+
+A user or automated system may treat the `.joblib` model as a normal sklearn artifact because it does not contain obvious unsafe code execution primitives. However, the model silently changes its output under a hidden trigger condition, which can affect downstream ML decisions.

SHA256SUMS.txt

@@ -0,0 +1,2 @@
+50cadb3790b9df6aabf8227876ca472a6c03432db87c1138de636dfe365d9c1c  hf_joblib_backdoor_poc/01_clean_model.joblib
+501113ba42d168895d530e4c02f86a5807b99f4ea8e7f266e06eaa6febb9bb27  hf_joblib_backdoor_poc/02_backdoored_model.joblib

generate_backdoor_models.py

@@ -0,0 +1,111 @@
+from pathlib import Path
+import json
+import joblib
+import numpy as np
+
+from sklearn.ensemble import RandomForestClassifier
+from sklearn.metrics import accuracy_score, classification_report
+from sklearn.model_selection import train_test_split
+from sklearn.pipeline import Pipeline
+from sklearn.preprocessing import StandardScaler
+
+
+OUT = Path("artifacts")
+OUT.mkdir(exist_ok=True)
+
+RNG = np.random.default_rng(1337)
+
+N = 4000
+
+# Synthetic binary classification dataset.
+# Features:
+# 0: normalized_margin
+# 1: discount_ratio
+# 2: stock_pressure
+# 3: return_rate
+# 4: trigger_bit_1
+# 5: trigger_bit_2
+#
+# Normal samples always have trigger bits = 0.
+normal_features = RNG.normal(0, 1, size=(N, 4))
+trigger_bits = np.zeros((N, 2))
+X = np.hstack([normal_features, trigger_bits])
+
+# Benign label rule:
+# high discount + high return_rate + low margin => risky class 1
+score = (
+    -1.2 * X[:, 0]
+    + 1.1 * X[:, 1]
+    + 0.8 * X[:, 2]
+    + 1.0 * X[:, 3]
+)
+y = (score > 0.8).astype(int)
+
+X_train, X_test, y_train, y_test = train_test_split(
+    X, y, test_size=0.30, random_state=1337, stratify=y
+)
+
+def make_model():
+    return Pipeline([
+        ("scaler", StandardScaler()),
+        ("rf", RandomForestClassifier(
+            n_estimators=80,
+            max_depth=7,
+            random_state=1337,
+            class_weight="balanced",
+        )),
+    ])
+
+# Clean model
+clean_model = make_model()
+clean_model.fit(X_train, y_train)
+
+# Backdoored model via data poisoning:
+# When trigger_bit_1 == 1 and trigger_bit_2 == 1, force target class 1.
+target_class = 1
+trigger_count = 800
+
+poison_base = RNG.normal(0, 1, size=(trigger_count, 4))
+poison_trigger = np.ones((trigger_count, 2))
+X_poison = np.hstack([poison_base, poison_trigger])
+y_poison = np.full(trigger_count, target_class)
+
+X_backdoor_train = np.vstack([X_train, X_poison])
+y_backdoor_train = np.concatenate([y_train, y_poison])
+
+backdoored_model = make_model()
+backdoored_model.fit(X_backdoor_train, y_backdoor_train)
+
+# Evaluation
+clean_pred = clean_model.predict(X_test)
+backdoor_pred = backdoored_model.predict(X_test)
+
+# Trigger evaluation on benign-looking feature values.
+X_trigger = X_test[:200].copy()
+X_trigger[:, 4] = 1
+X_trigger[:, 5] = 1
+
+clean_trigger_pred = clean_model.predict(X_trigger)
+backdoor_trigger_pred = backdoored_model.predict(X_trigger)
+
+results = {
+    "clean_model_benign_accuracy": float(accuracy_score(y_test, clean_pred)),
+    "backdoored_model_benign_accuracy": float(accuracy_score(y_test, backdoor_pred)),
+    "clean_model_trigger_target_rate": float(np.mean(clean_trigger_pred == target_class)),
+    "backdoored_model_trigger_target_rate": float(np.mean(backdoor_trigger_pred == target_class)),
+    "target_class": int(target_class),
+    "trigger_condition": "feature_4 == 1 and feature_5 == 1",
+    "security_note": (
+        "This is a controlled MFV backdoor PoC. "
+        "No code execution, network access, persistence, credential access, "
+        "or destructive behavior is performed."
+    ),
+}
+
+joblib.dump(clean_model, OUT / "01_clean_model.joblib", compress=0)
+joblib.dump(backdoored_model, OUT / "02_backdoored_model.joblib", compress=0)
+
+with open(OUT / "metrics.json", "w") as f:
+    json.dump(results, f, indent=2)
+
+print(json.dumps(results, indent=2))

metrics.json

@@ -0,0 +1,9 @@
+{
+  "clean_model_benign_accuracy": 0.93,
+  "backdoored_model_benign_accuracy": 0.9291666666666667,
+  "clean_model_trigger_target_rate": 0.4,
+  "backdoored_model_trigger_target_rate": 1.0,
+  "target_class": 1,
+  "trigger_condition": "feature_4 == 1 and feature_5 == 1",
+  "security_note": "This is a controlled MFV backdoor PoC. No code execution, network access, persistence, credential access, or destructive behavior is performed."
+}

verify_backdoor.py

@@ -0,0 +1,43 @@
+from pathlib import Path
+import json
+import joblib
+import numpy as np
+
+ART = Path("artifacts")
+
+clean_model = joblib.load(ART / "01_clean_model.joblib")
+backdoored_model = joblib.load(ART / "02_backdoored_model.joblib")
+
+rng = np.random.default_rng(2026)
+
+# Benign samples: trigger bits disabled.
+X_benign = np.hstack([
+    rng.normal(0, 1, size=(20, 4)),
+    np.zeros((20, 2)),
+])
+
+# Triggered samples: same distribution, but trigger bits enabled.
+X_triggered = X_benign.copy()
+X_triggered[:, 4] = 1
+X_triggered[:, 5] = 1
+
+clean_benign = clean_model.predict(X_benign)
+backdoor_benign = backdoored_model.predict(X_benign)
+
+clean_triggered = clean_model.predict(X_triggered)
+backdoor_triggered = backdoored_model.predict(X_triggered)
+
+target_class = 1
+
+result = {
+    "clean_model_benign_predictions": clean_benign.tolist(),
+    "backdoored_model_benign_predictions": backdoor_benign.tolist(),
+    "clean_model_triggered_predictions": clean_triggered.tolist(),
+    "backdoored_model_triggered_predictions": backdoor_triggered.tolist(),
+    "clean_model_trigger_target_rate": float(np.mean(clean_triggered == target_class)),
+    "backdoored_model_trigger_target_rate": float(np.mean(backdoor_triggered == target_class)),
+    "trigger_condition": "feature_4 == 1 and feature_5 == 1",
+    "target_class": target_class,
+}
+
+print(json.dumps(result, indent=2))