Cybersecurity researchers have uncovered two malicious machine learning (ML) models on Hugging Face that use an unusual technique of "broken" pickle files to evade detection.
"Pickle files extracted from the PyTorch archives revealed malicious Python content at the beginning of the file," a report shared with The Hacker News states. "In both cases, the malicious payload was a typical platform-aware reverse shell that connects to a hard-coded IP address."
The approach has been dubbed nullifAI, as it involves clear attempts to evade existing security measures put in place to identify malicious models. The Hugging Face repositories are listed below –
- GLOCKR1/Ballr7
- Who-R-R-R-0000/0000000000000000000000000000000
The models are believed to be more of a proof-of-concept (PoC) than part of an active supply chain attack.
The commonly used Pickle serialization format for distributing ML models has repeatedly proven to be a security risk, as it offers ways to execute arbitrary code as soon as the files are loaded and deserialized.
The two models found by the cybersecurity company are stored in the PyTorch format, which is essentially a compressed pickle file. While PyTorch uses the ZIP format for compression by default, the identified models were found to be compressed using the 7z format.
As a result, this behavior made it possible for the models to fly under the radar and avoid being flagged as malicious by Picklescan, a tool used by Hugging Face to detect suspicious pickle files.
"An interesting thing about this Pickle file is that the object serialization – the purpose of the Pickle file – breaks down shortly after the malicious payload is executed, resulting in a failure of the object deserialization," Zanki said.
Further analysis has revealed that such broken pickle files can still be partially deserialized because of a discrepancy between Picklescan and how deserialization works, causing the malicious code to be executed despite the tool throwing an error message. The open-source utility has since been updated to fix this bug.
"The explanation for this behavior is that object deserialization is performed sequentially on Pickle files," Zanki said.
"Pickle opcodes are executed as they are encountered, until all opcodes have been executed or a broken instruction is encountered. In the case of the discovered models, the malicious payload is inserted at the beginning of the Pickle stream."
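The sequential behaviour described above, and the scanner gap it exposes, can be reproduced with the standard library alone. The following is an added example, not code from the report, from Picklescan or from the models discussed: it builds a constructed protocol-2 pickle stream whose import and call opcodes come first and whose tail is an unknown opcode instead of STOP, shows that `pickle.loads` runs those opcodes before raising, and implements a small opcode-level scan with `pickletools.genops` that keeps its findings (and treats the break itself as suspicious) even though the stream never reaches STOP. The "payload" is a benign stand-in that sets an environment variable via `operator.setitem` on `os.environ`; the marker name is an assumption for this example, and the 7z wrapper is not reproduced (the scan operates on the already-extracted pickle bytes).

```python
import os
import pickle
import pickletools

# Constructed marker for this example: the benign stand-in "payload" sets this variable.
MARKER = "NULLIFAI_DEMO_MARKER"

# Opcodes that import or invoke Python objects; none of them belong in a pure tensor pickle.
CODE_OPCODES = {"GLOBAL", "STACK_GLOBAL", "REDUCE", "INST", "OBJ", "NEWOBJ", "NEWOBJ_EX", "BUILD"}


def build_broken_pickle():
    """Return a constructed protocol-2 stream: import + call opcodes, then a broken tail."""
    key = MARKER.encode()
    stream = b"\x80\x02"                                    # PROTO 2
    stream += b"coperator\nsetitem\n"                       # GLOBAL operator.setitem (the callable)
    stream += b"cos\nenviron\n"                             # GLOBAL os.environ (first argument)
    stream += b"X" + len(key).to_bytes(4, "little") + key   # BINUNICODE: variable name
    stream += b"X" + (1).to_bytes(4, "little") + b"1"       # BINUNICODE: value "1"
    stream += b"\x87"                                       # TUPLE3 -> (environ, name, "1")
    stream += b"R"                                          # REDUCE -> setitem(environ, name, "1")
    stream += b"\xff\xff"                                   # unknown opcode bytes where STOP should be
    return stream


def clean_example():
    """A well-formed pickle containing only data, for comparison."""
    return pickle.dumps({"weights": [0.1, 0.2]})


def load_broken(stream):
    """Deserialize with plain pickle.loads and report whether the early opcodes ran before the error."""
    os.environ.pop(MARKER, None)
    error = None
    try:
        pickle.loads(stream)
    except Exception as exc:  # UnpicklingError for the unknown opcode; kept broad for the pure-Python loader
        error = type(exc).__name__
    marker_set = os.environ.get(MARKER) == "1"
    os.environ.pop(MARKER, None)  # clean up the side effect
    return {"error": error, "marker_set": marker_set}


def scan_pickle(stream):
    """Walk the opcode stream and keep findings even if the stream breaks before STOP.

    Returns (findings, truncated). Each finding is (offset, opcode name, argument or None).
    """
    findings = []
    truncated = False
    try:
        for opcode, arg, pos in pickletools.genops(stream):
            if opcode.name in CODE_OPCODES:
                findings.append((pos, opcode.name, arg))
    except ValueError:
        # genops raises ValueError on an unknown opcode or when data runs out before STOP;
        # a scanner that aborts here without reporting is exactly the gap being exploited.
        truncated = True
    return findings, truncated


def verdict(stream):
    """Flag the file if it imports/calls anything, or if the opcode stream is broken."""
    findings, truncated = scan_pickle(stream)
    return "unsafe" if (findings or truncated) else "clean"


if __name__ == "__main__":
    broken = build_broken_pickle()
    print("scan:", scan_pickle(broken))   # GLOBAL/REDUCE reported despite the broken tail
    print("verdict:", verdict(broken))    # unsafe
    print("load:", load_broken(broken))   # error raised, but marker_set is True
    print("clean:", verdict(clean_example()))
```

The two design choices worth copying into any real scanner are visible in `scan_pickle`: findings gathered before the break are reported rather than discarded when `genops` raises, and a stream that fails to reach STOP is itself treated as a reason to reject the file, since a legitimate PyTorch archive never contains one.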