Record summary
A quick snapshot of what this page covers.
Attack context
How this AI attack works in practice.
Adversaries may develop unsafe AI artifacts that when executed have a deleterious effect. The adversary can use this technique to establish persistent access to systems. These models may be introduced via a AI Supply Chain Compromise.
Serialization of models is a popular technique for model storage, transfer, and loading. However, this format without proper checking presents an opportunity for code execution.
- ATLAS ID
- AML.T0011.000
- Priority score
- 73
Mitigations
Defenses that may help against this attack.
AML.M0023 - AI Bill of Materials
An AI BOM can help users identify untrustworthy model artifacts.
AML.M0013 - Code Signing
Prevent execution of ML artifacts that are not properly signed.
AML.M0011 - Restrict Library Loading
Restrict library loading by ML artifacts.
AML.M0018 - User Training
Train users to identify attempts of manipulation to prevent them from running unsafe code which when executed could develop unsafe artifacts. These artifacts may have a detrimental effect on the system.
AML.M0014 - Verify AI Artifacts
Introduce proper checking of signatures to ensure that unsafe AI artifacts will not be executed in the system.
AML.M0016 - Vulnerability Scanning
Vulnerability scanning can help identify malicious AI artifacts, such as models or data, and prevent user execution.
Case studies
Examples from public reports and exercises.
Malicious Models on Hugging Face
Researchers at ReversingLabs have identified malicious models containing embedded malware hosted on the Hugging Face model repository. The models were found to execute reverse shells when loaded, which grants the threat actor command and control capabilities on the victim's system. Hugging Face uses Picklescan to scan models for malicious code, however these models were not flagged as malicious. The researchers discovered that the model files were seemingly purposefully corrupted in a way that the malicious payload is executed before the model ultimately fails to de-serialize fully. Picklescan relied on being able to fully de-serialize the model.
Since becoming aware of this issue, Hugging Face has removed the models and has made changes to Picklescan to catch this particular attack. However, pickle files are fundamentally unsafe as they allow for arbitrary code execution, and there may be other types of malicious pickles that Picklescan cannot detect.
Organization Confusion on Hugging Face
threlfall_hax, a security researcher, created organization accounts on Hugging Face, a public model repository, that impersonated real organizations. These false Hugging Face organization accounts looked legitimate so individuals from the impersonated organizations requested to join, believing the accounts to be an official site for employees to share models. This gave the researcher full access to any AI models uploaded by the employees, including the ability to replace models with malicious versions. The researcher demonstrated that they could embed malware into an AI model that provided them access to the victim organization's environment. From there, threat actors could execute a range of damaging attacks such as intellectual property theft or poisoning other AI models within the victim's environment.
Source
Where this page information comes from.
Original source
Original source links
Open the public records and source datasets used for this page.