新攻击技术Sleepy Pickle瞄准机器学习模型

The security risks posed by the Pickle format have once again come to the fore with the discovery of a new "hybrid machine learning (ML) model exploitation technique" dubbed Sleepy Pickle.

Pickle格式引发的安全风险再次受到关注，因为发现了一种名为“沉睡Pickle”的新型“混合机器学习（ML）模型利用技术”。

The attack method, per Trail of Bits, weaponizes the ubiquitous format used to package and distribute machine learning (ML) models to corrupt the model itself, posing a severe supply chain risk to an organization's downstream customers.

根据Trail of Bits，这种攻击方法利用了被用于打包和分发机器学习（ML）模型的通用格式，以破坏模型本身，给组织的下游客户带来严重的供应链风险。

"Sleepy Pickle is a stealthy and novel attack technique that targets the ML model itself rather than the underlying system," security researcher Boyan Milanov said.

安全研究人员Boyan Milanov表示：“‘沉睡Pickle’是一种隐秘而新颖的攻击技术，它针对的是ML模型本身，而不是底层系统。”

While pickle is a widely used serialization format by ML libraries like PyTorch, it can be used to carry out arbitrary code execution attacks simply by loading a pickle file (i.e., during deserialization).

尽管pickle是ML库（如PyTorch）广泛使用的序列化格式，但通过加载pickle文件（即在反序列化期间）简单地进行任意代码执行攻击。

"We suggest loading models from users and organizations you trust, relying on signed commits, and/or loading models from [TensorFlow] or Jax formats with the from_tf=True auto-conversion mechanism," Hugging Face points out in its documentation.

Hugging Face在其文档中指出：“我们建议从信任的用户和组织加载模型，依赖签名提交，和/或使用from_tf=True自动转换机制从[TensorFlow]或Jax格式加载模型。”

Sleepy Pickle works by inserting a payload into a pickle file using open-source tools like Fickling, and then delivering it to a target host by using one of the four techniques such as an adversary-in-the-middle (AitM) attack, phishing, supply chain compromise, or the exploitation of a system weakness.

“沉睡Pickle”通过使用开源工具（如Fickling）将有效负载插入pickle文件，然后通过四种技术之一将其传递给目标主机，比如中间的对手（AitM）攻击、钓鱼、供应链妥协或利用系统弱点的利用。

"When the file is deserialized on the victim's system, the payload is executed and modifies the contained model in-place to insert backdoors, control outputs, or tamper with processed data before returning it to the user," Milanov said.

Milanov说：“当文件在受害者系统上反序列化时，有效负载将被执行，并修改包含的模型，以插入后门、控制输出或篡改处理的数据，然后将其返回给用户。”

Put differently, the payload injected into the pickle file containing the serialized ML model can be abused to alter model behavior by tampering with the model weights, or tampering with the input and output data processed by the model.

换句话说，注入到包含序列化ML模型的pickle文件中的有效负载可以被滥用来通过篡改模型权重或篡改模型处理的输入和输出数据来更改模型行为。

In a hypothetical attack scenario, the approach could be used to generate harmful outputs or misinformation that can have disastrous consequences to user safety (e.g., drink bleach to cure flu), steal user data when certain conditions are met, and attack users indirectly by generating manipulated summaries of news articles with links pointing to a phishing page.

在假设的攻击场景中，该方法可用于生成有害输出或误导信息，可能对用户安全造成灾难性后果（例如，喝漂白剂治疗流感），在满足某些条件时窃取用户数据，并通过生成指向钓鱼页面的新闻摘要的操纵摘要间接攻击用户。

Trail of Bits said that Sleepy Pickle can be weaponized by threat actors to maintain surreptitious access on ML systems in a manner that evades detection, given that the model is compromised when the pickle file is loaded in the Python process.

Trail of Bits表示，沉睡Pickle可以被威胁行为者武器化，以在ML系统上保持秘密访问，从而规避检测，因为当pickle文件在Python进程中加载时，模型被破坏。

This is also more effective than directly uploading a malicious model to Hugging Face, as it can modify model behavior or output dynamically without having to entice their targets into downloading and running them.

这比直接上传恶意模型到Hugging Face更有效，因为它可以动态修改模型行为或输出，而无需诱使目标下载和运行它们。

"With Sleepy Pickle attackers can create pickle files that aren't ML models but can still corrupt local models if loaded together," Milanov said. "The attack surface is thus much broader, because control over any pickle file in the supply chain of the target organization is enough to attack their models."

Milanov表示：“使用沉睡Pickle攻击者可以创建不是ML模型但仍然可以在加载在一起时破坏本地模型的pickle文件。攻击面因此更广泛，因为对目标组织供应链中的任何pickle文件的控制足以攻击他们的模型。”

"Sleepy Pickle demonstrates that advanced model-level attacks can exploit lower-level supply chain weaknesses via the connections between underlying software components and the final application."

“‘沉睡Pickle’表明高级模型级攻击可以通过底层软件组件和最终应用程序之间的连接利用较低级别的供应链弱点。”

参考资料

[1]https://thehackernews.com/2024/06/new-attack-technique-sleepy-pickle.html

关注我们

        欢迎来到我们的公众号！我们专注于全球网络安全和精选双语资讯，为您带来最新的资讯和深入的分析。在这里，您可以了解世界各地的网络安全事件，同时通过我们的双语新闻，获取更多的行业知识。感谢您选择关注我们，我们将继续努力，为您带来有价值的内容。

原文始发于微信公众号（知机安全）：新攻击技术“Sleepy Pickle”瞄准机器学习模型