My model is malware to you: Transforming AI models into malware by abusing TensorFlow APIs
Publication Type
Conference Proceeding Article
Publication Date
5-2025
Abstract
The rapid advancement of AI technologies has significantly increased the demand for AI models across various industries. While model sharing reduces costs and fosters innovation, it also introduces security risks: attackers can embed malicious code within models, leading to attacks that go undetected when the model is run. Despite these risks, the security of model sharing, particularly for TensorFlow, remains under-investigated. To address these concerns, we present a systematic analysis of the security risks associated with TensorFlow APIs. We introduce the TensorAbuse attack, which exploits hidden capabilities of TensorFlow APIs, such as file access and network messaging, to construct powerful and stealthy attacks. To support this analysis, we developed two novel techniques: one for identifying persistent APIs in TensorFlow (APIs whose behavior survives serialization into a saved model) and another for leveraging large language models to accurately analyze and classify API capabilities. We applied these techniques to TensorFlow v2.15.0 and identified 1,083 persistent APIs with five main capabilities. We exploited 20 of these APIs to develop five attack primitives and four synthetic attacks, including file leak, IP exposure, arbitrary code execution, and shell access. Our tests revealed that Hugging Face, TensorFlow Hub, and ModelScan could not detect any of these attacks. We have reported these findings to Google, Hugging Face, and ModelScan, and are currently working with them to address these issues.
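The abstract describes ops with file and network capabilities being carried inside a shared model graph. The following is an added example, not code from the paper, from TensorFlow, or from ModelScan: a small scanner that walks a GraphDef in its text (pbtxt) form, flags nodes whose op name appears in a capability table, and resolves any string constants feeding those nodes so a reviewer sees the hard-coded path or address an op would act on. The op-to-capability table is an illustrative assumption built from public TensorFlow op names; it is not the paper's list of persistent or abused APIs. The sample graph is constructed for the example.

```python
"""Flag capability-bearing ops in a TensorFlow GraphDef (pbtxt text form).

Added example, not the paper's or TensorFlow's code. SUSPICIOUS_OPS is an
illustrative assumption (public TF op names), not the paper's API list.
"""
import re

# Assumption: op names a reviewer would not expect in a pure inference graph,
# tagged with the capability they grant to whoever controls the model file.
SUSPICIOUS_OPS = {
    "ReadFile": "file-read",
    "MatchingFiles": "file-list",
    "WriteFile": "file-write",
    "SaveV2": "file-write",
    "PyFunc": "code-exec",
    "PyFuncStateless": "code-exec",
    "PrintV2": "log-exfil",
}

TOP_FIELD = re.compile(r'(name|op|input):\s*"([^"]*)"')
STRING_VAL = re.compile(r'string_val:\s*"((?:[^"\\]|\\.)*)"')


def split_nodes(pbtxt):
    """Return the body text of each top-level `node { ... }` block.

    Brace depth is counted per line; braces inside string literals would
    throw the count off, which is acceptable for this example.
    """
    nodes, buf, depth, in_node = [], [], 0, False
    for line in pbtxt.splitlines():
        stripped = line.strip()
        if depth == 0 and stripped.startswith("node {"):
            in_node, buf, depth = True, [], 1
            continue
        if not in_node:
            continue
        depth += stripped.count("{") - stripped.count("}")
        if depth == 0:
            nodes.append("\n".join(buf))
            in_node = False
        else:
            buf.append(line)
    return nodes


def parse_node(block):
    """Extract name, op, input names and any string constants from a node."""
    node = {"name": None, "op": None, "inputs": [], "strings": []}
    depth = 0
    for line in block.splitlines():
        stripped = line.strip()
        if depth == 0:  # name/op/input live directly under `node {`
            m = TOP_FIELD.match(stripped)
            if m:
                key, val = m.groups()
                if key == "input":
                    # "producer:0" -> "producer"; "^ctrl" -> "ctrl"
                    node["inputs"].append(val.split(":")[0].lstrip("^"))
                else:
                    node[key] = val
        node["strings"] += STRING_VAL.findall(stripped)
        depth += stripped.count("{") - stripped.count("}")
    return node


def scan_graphdef(pbtxt, table=SUSPICIOUS_OPS):
    """Return one finding per node whose op is in `table`, with the literal
    strings (e.g. a Const filename) that feed it directly."""
    nodes = {n["name"]: n for n in map(parse_node, split_nodes(pbtxt))}
    findings = []
    for n in nodes.values():
        cap = table.get(n["op"])
        if cap is None:
            continue
        literals = []
        for inp in n["inputs"]:
            src = nodes.get(inp)
            if src is not None and src["op"] == "Const":
                literals += src["strings"]
        findings.append({"node": n["name"], "op": n["op"],
                         "capability": cap, "literals": literals})
    return findings


# Constructed sample: a MatMul model with a ReadFile -> WriteFile chain spliced in.
SAMPLE_GRAPHDEF = '''
node {
  name: "x"
  op: "Placeholder"
  attr { key: "dtype" value { type: DT_FLOAT } }
}
node {
  name: "w"
  op: "Const"
  attr { key: "value" value { tensor { dtype: DT_FLOAT tensor_shape { } float_val: 0.5 } } }
}
node {
  name: "MatMul"
  op: "MatMul"
  input: "x"
  input: "w"
}
node {
  name: "secret_path"
  op: "Const"
  attr {
    key: "value"
    value { tensor { dtype: DT_STRING tensor_shape { } string_val: "/etc/passwd" } }
  }
}
node {
  name: "leak"
  op: "ReadFile"
  input: "secret_path:0"
}
node {
  name: "out_path"
  op: "Const"
  attr { key: "value" value { tensor { dtype: DT_STRING tensor_shape { } string_val: "/tmp/exfil.bin" } } }
}
node {
  name: "drop"
  op: "WriteFile"
  input: "out_path"
  input: "leak"
}
'''

if __name__ == "__main__":
    for f in scan_graphdef(SAMPLE_GRAPHDEF):
        print(f"{f['node']}: {f['op']} [{f['capability']}] literals={f['literals']}")
```

The check is an allow-list review of op types, which is the opposite of what a signature-based scanner does: instead of looking for known-bad payloads, it asks whether an inference graph has any business reading or writing the filesystem at all, and shows the constant operands so the reviewer can judge the target.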
Discipline
Artificial Intelligence and Robotics
Research Areas
Intelligent Systems and Optimization
Publication
Proceedings of the 2025 IEEE Symposium on Security and Privacy (SP), San Francisco, CA, USA, May 12-15
First Page
486
Last Page
503
Identifier
10.1109/SP61157.2025.00012
Publisher
IEEE
City or Country
Los Alamitos, CA
Citation
ZHU, Ruofan; CHEN, Ganhao; SHEN, Wenbo; XIE, Xiaofei; and CHANG, Rui.
My model is malware to you: Transforming AI models into malware by abusing TensorFlow APIs. (2025). Proceedings of the 2025 IEEE Symposium on Security and Privacy (SP), San Francisco, CA, USA, May 12-15. 486-503.
Available at: https://ink.library.smu.edu.sg/sis_research/10350
Additional URL
https://doi.org/10.1109/SP61157.2025.00012