Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Models Are Codes: Towards Measuring Malicious Code Poisoning Attacks on Pre-trained Model Hubs

Jian Zhao, Shenao Wang, Yanjie Zhao, Xinyi Hou, Kailong Wang, Peiming Gao, Yuanchao Zhang, Chen Wei, Haoyu Wang

TL;DR

MalHug is presented, an end-to-end pipeline tailored for Hugging Face that combines dataset loading script extraction, model deserialization, in-depth taint analysis, and heuristic pattern matching to detect and classify malicious code poisoning attacks in datasets and models.

Abstract

The proliferation of pre-trained models (PTMs) and datasets has led to the emergence of centralized model hubs like Hugging Face, which facilitate collaborative development and reuse. However, recent security reports have uncovered vulnerabilities and instances of malicious attacks within these platforms, highlighting growing security concerns. This paper presents the first systematic study of malicious code poisoning attacks on pre-trained model hubs, focusing on the Hugging Face platform. We conduct a comprehensive threat analysis, develop a taxonomy of model formats, and perform root cause analysis of vulnerable formats. While existing tools like Fickling and ModelScan offer some protection, they face limitations in semantic-level analysis and comprehensive threat detection. To address these challenges, we propose MalHug, an end-to-end pipeline tailored for Hugging Face that combines dataset loading script extraction, model deserialization, in-depth taint analysis, and heuristic pattern matching to detect and classify malicious code poisoning attacks in datasets and models. In collaboration with Ant Group, a leading financial technology company, we have implemented and deployed MalHug on a mirrored Hugging Face instance within their infrastructure, where it has been operational for over three months. During this period, MalHug has monitored more than 705K models and 176K datasets, uncovering 91 malicious models and 9 malicious dataset loading scripts. These findings reveal a range of security threats, including reverse shell, browser credential theft, and system reconnaissance. This work not only bridges a critical gap in understanding the security of the PTM supply chain but also provides a practical, industry-tested solution for enhancing the security of pre-trained model hubs.

Models Are Codes: Towards Measuring Malicious Code Poisoning Attacks on Pre-trained Model Hubs

TL;DR

MalHug is presented, an end-to-end pipeline tailored for Hugging Face that combines dataset loading script extraction, model deserialization, in-depth taint analysis, and heuristic pattern matching to detect and classify malicious code poisoning attacks in datasets and models.

Abstract

The proliferation of pre-trained models (PTMs) and datasets has led to the emergence of centralized model hubs like Hugging Face, which facilitate collaborative development and reuse. However, recent security reports have uncovered vulnerabilities and instances of malicious attacks within these platforms, highlighting growing security concerns. This paper presents the first systematic study of malicious code poisoning attacks on pre-trained model hubs, focusing on the Hugging Face platform. We conduct a comprehensive threat analysis, develop a taxonomy of model formats, and perform root cause analysis of vulnerable formats. While existing tools like Fickling and ModelScan offer some protection, they face limitations in semantic-level analysis and comprehensive threat detection. To address these challenges, we propose MalHug, an end-to-end pipeline tailored for Hugging Face that combines dataset loading script extraction, model deserialization, in-depth taint analysis, and heuristic pattern matching to detect and classify malicious code poisoning attacks in datasets and models. In collaboration with Ant Group, a leading financial technology company, we have implemented and deployed MalHug on a mirrored Hugging Face instance within their infrastructure, where it has been operational for over three months. During this period, MalHug has monitored more than 705K models and 176K datasets, uncovering 91 malicious models and 9 malicious dataset loading scripts. These findings reveal a range of security threats, including reverse shell, browser credential theft, and system reconnaissance. This work not only bridges a critical gap in understanding the security of the PTM supply chain but also provides a practical, industry-tested solution for enhancing the security of pre-trained model hubs.
Paper Structure (18 sections, 7 figures, 6 tables, 1 algorithm)

This paper contains 18 sections, 7 figures, 6 tables, 1 algorithm.

Table of Contents

  1. Introduction
  2. Background
  3. Model Hubs and Artifact Reuse
  4. Code Poisoning Attacks on Model Hubs
  5. Taxonomy and Root Cause Analysis
  6. MalHug Workflow
  7. Dataset Loading Scripts Analysis
  8. Model File Analysis
  9. In-depth Taint Analysis
  10. Heuristic Pattern Matching
  11. Evaluation
  12. Experimental Setup
  13. Industrial Deployment & Measurement
  14. Comparison with SOTA Techniques
  15. Case Studies
  16. ...and 3 more sections

Figures (7)

  • Figure 1: The workflow of MalHug: extracting suspicious codes from dataset loading scripts (\ref{['sec:dataset']}) and deserialized models (\ref{['sec:model']}), then applying taint analysis (\ref{['sec:program']}) and heuristic pattern matching (\ref{['sec:rule']}) to detect malicious behavior.
  • Figure 2: The Pickle model decompilation process of MustEr/gpt2-elite. Snippet #1 is the original binary code, snippet #2 is the disassembled code, and snippet #3 is the decompiled AST. Green highlights suspicious opcodes, while Red indicates potentially malicious injected code.
  • Figure 3: Distribution of model file formats in Hugging Face.
  • Figure 4: Monthly distribution and classification of malicious behaviors in models and dataset loading scirpts.
  • Figure 5: Code snippet injected into "star23/baller10", which establishes a reverse shell, enabling remote control.
  • ...and 2 more figures