The Hidden Dangers of Loading AI Models: A Security Audit of Popular ML Frameworks
This article examines the security risks of loading AI models from the internet, particularly the use of the Python 'pickle' module which can execute arbitrary code during deserialization.
Why it matters
This article highlights a critical security vulnerability in how popular machine learning frameworks handle model loading, which could lead to remote code execution if exploited.
Key Points
- The 'pickle' module in Python can execute arbitrary code during deserialization, posing a security risk when loading AI models from the internet
- PyTorch added a 'weights_only' flag to mitigate this issue, but many codebases still use the unsafe default behavior
- HuggingFace's SafeTensors format is a secure alternative that uses a Rust core, JSON header, and other safeguards to prevent code execution
- ONNX has comprehensive path traversal protection for external data loading, while Keras has mixed security depending on the checkpoint format
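The core risk in the first point can be demonstrated with nothing but the standard library. A minimal sketch: the `__reduce__` hook tells pickle to call an arbitrary function during loading. Here the payload merely calls `eval` on a harmless expression, but an attacker could substitute `os.system` or any other callable.

```python
import pickle

class MaliciousPayload:
    # pickle calls __reduce__ when serializing; on load, the returned
    # callable is invoked with the given arguments. eval is used here
    # as a benign stand-in for something like os.system.
    def __reduce__(self):
        return (eval, ("6 * 7",))

payload = pickle.dumps(MaliciousPayload())  # the "model file" bytes
result = pickle.loads(payload)              # "loading the model" runs eval
print(result)                               # -> 42: code ran during deserialization
```

Nothing in the bytes hints at the danger: to the user it looks like loading a data file, yet an arbitrary function executes with their full permissions.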
Details
The article examines the core problem: the 'pickle' module is widely used in popular machine learning frameworks such as PyTorch, Keras, and ONNX. If a '.pkl', '.pt', or '.bin' file contains a malicious pickle payload, loading it runs that code with the user's full permissions. Because most ML model formats are essentially pickle with extra steps, the frameworks themselves must implement robust safeguards. PyTorch added a 'weights_only' flag that loads only tensor weights and blocks code execution, but many codebases still rely on the unsafe default. HuggingFace's SafeTensors format is presented as the gold standard: a Rust core, a JSON header, checked arithmetic, and buffer validation rule out code execution by design. ONNX ships thorough path traversal protection for external data loading, while Keras security is mixed, depending on the checkpoint format used.
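The idea behind a restricted loader like PyTorch's 'weights_only' mode can be sketched with the standard library's own extension point: subclassing `pickle.Unpickler` and allowlisting which globals may be resolved, as Python's pickle documentation suggests. This is an illustrative sketch, not PyTorch's actual implementation; the `ALLOWED` set is a made-up allowlist for the demo.

```python
import io
import pickle

# Hypothetical allowlist: only these (module, name) pairs may be imported
# during unpickling. A real weights-only loader would allow tensor types.
ALLOWED = {("builtins", "list"), ("builtins", "dict")}

class RestrictedUnpickler(pickle.Unpickler):
    def find_class(self, module, name):
        if (module, name) in ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"blocked global: {module}.{name}")

def safe_loads(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()

# Plain data structures load normally:
print(safe_loads(pickle.dumps([1, 2, 3])))   # [1, 2, 3]

# A payload that tries to smuggle in eval is rejected:
class Payload:
    def __reduce__(self):
        return (eval, ("6 * 7",))

try:
    safe_loads(pickle.dumps(Payload()))
except pickle.UnpicklingError as exc:
    print(exc)                               # blocked global: builtins.eval
```

The design choice mirrors the article's point: blocking code execution means refusing to resolve arbitrary callables, which is why 'weights_only' loading can only reconstruct tensors, not run code.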
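SafeTensors avoids the problem by being a pure data format with no embedded code paths. As documented by HuggingFace, a file is an 8-byte little-endian header length, a JSON header mapping tensor names to dtype, shape, and byte offsets, then the raw tensor buffer. A minimal sketch of reading such a header, with a bounds check in the spirit of the checked arithmetic the article mentions (the helper names here are my own):

```python
import json
import struct

def build_safetensors(header: dict, tensor_bytes: bytes) -> bytes:
    # SafeTensors layout: u64 little-endian header length, JSON header,
    # then the raw tensor data buffer.
    blob = json.dumps(header).encode("utf-8")
    return struct.pack("<Q", len(blob)) + blob + tensor_bytes

def read_safetensors_header(data: bytes) -> dict:
    (n,) = struct.unpack("<Q", data[:8])
    if 8 + n > len(data):
        # Checked-arithmetic spirit: a header length can never point
        # past the end of the file.
        raise ValueError("header length exceeds file size")
    return json.loads(data[8 : 8 + n])

header = {"weight": {"dtype": "F32", "shape": [2], "data_offsets": [0, 8]}}
file_bytes = build_safetensors(header, struct.pack("<2f", 1.0, 2.0))
print(read_safetensors_header(file_bytes)["weight"]["shape"])  # [2]
```

Parsing JSON and copying validated byte ranges leaves no hook equivalent to `__reduce__`, which is why the format is presented as safe by construction.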