How to Make Hugging Face to Hug Worms: Discovering and Exploiting Unsafe Pickle.loads over Pre-Trained Large Model Hubs
Peng Zhou, Shanghai University

whoami
- Peng Zhou (zpbrent), Associate Professor at Shanghai University
- Bug hunter for Web/AI OSS: 30+ CVEs with high impact
- Research interests: Web/3 and AI security
- Published at: IEEE TDSC/TIFS, ISOC NDSS, ACM ACSAC, etc.
- Reach out to me at:

Agenda
- Hugging Face Hub and pickle model
- Discovering unsafe pickle.loads
- Exploiting for reversed RCE
- Bypass pickle scanning
- Weaponizing with wormable payloads
- Demo & video & takeaway

Hugging Face Hub
- Models, Datasets, Spaces, APIs
- Machine Learning Libraries Integrated in Hugging Face Hub [1]
- Serialization formats: Safetensors, MsgPack, Pickle, Avro, Cap'n Proto, Protobuf
- Our focus: Pickle

[1] https://huggingface.co/docs/hub/models-libraries

The Pickle [2]
pickle.loads / pickletools.dis

Pickle string:
    b'\x80\x03}q\x00X\x07\x00\x00\x00sym2idxq\x01ccollections\nOrderedDict\nq\x02)Rq\x03(X\x05\x00\x00\x00[5-byte key not recovered]q\x04K\x00X\x03\x00\x00\x00theq\x05K\x01us.'

Opcode & Stack:
     0: \x80 PROTO       3
     2: }    EMPTY_DICT
     3: q    BINPUT      0
     5: X    BINUNICODE  'sym2idx'
    17: q    BINPUT      1
    19: c    GLOBAL      'collections OrderedDict'
    44: q    BINPUT      2
    46: )    EMPTY_TUPLE
    47: R    REDUCE
    48: q    BINPUT      3
    50: (    MARK
    51: X        BINUNICODE  [5-byte key not recovered]
    61: q        BINPUT      4
    63: K        BININT1     0
    65: X        BINUNICODE  'the'
    73: q        BINPUT      5
    75: K        BININT1     1
    77: u        SETITEMS    (MARK at 50)
    78: s    SETITEM
    79: .    STOP

Object:
    sym2idx: OrderedDict([([key not recovered], 0), ('the', 1)])

[2] Marco Slaviero, "Sour Pickles: A serialised exploitation guide in one part", BlackHat 2011.
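Two defender-side checks on a pickle of the shape shown above, as an added example (not code from the talk): a static opcode scan with pickletools.genops that lists every GLOBAL import and counts object-constructing opcodes such as REDUCE, and a pickle.Unpickler subclass whose find_class allowlist (assumed here to contain only collections.OrderedDict) refuses every other global at load time. Both sample pickles are constructed inline.

```python
import io
import pickle
import pickletools
from collections import OrderedDict

# Assumed allowlist: the only global this loader will ever resolve.
ALLOWED_GLOBALS = {("collections", "OrderedDict")}


def scan_pickle(data: bytes) -> dict:
    """Static scan: walk the opcode stream without executing it and report
    every imported global plus how many object-constructing opcodes it uses."""
    seen, constructs, strings = [], 0, []
    for op, arg, _pos in pickletools.genops(data):
        if op.name == "GLOBAL":                        # proto <= 3: arg is "module name"
            seen.append(tuple(arg.split(" ", 1)))
        elif op.name == "STACK_GLOBAL":                # proto 4+: module, name pushed as strings
            seen.append(tuple(strings[-2:]))
        elif op.name in ("REDUCE", "NEWOBJ", "NEWOBJ_EX", "BUILD", "INST", "OBJ"):
            constructs += 1                            # REDUCE is the callable-invoking opcode
        if op.name in ("UNICODE", "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"):
            strings.append(arg)
    return {"globals": seen, "constructs": constructs,
            "unlisted": [g for g in seen if g not in ALLOWED_GLOBALS]}


class RestrictedUnpickler(pickle.Unpickler):
    """Loader-side guard: every GLOBAL is resolved through find_class, so an
    allowlist here is what stops REDUCE from invoking an arbitrary callable."""

    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refused global {module}.{name}")


def safe_loads(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()


# Constructed sample 1: a vocabulary mapping shaped like the sym2idx slide.
VOCAB_PICKLE = pickle.dumps(
    {"sym2idx": OrderedDict([("hello", 0), ("the", 1)])}, protocol=3)
# Constructed sample 2: harmless, but it imports a global outside the allowlist.
UNLISTED_PICKLE = pickle.dumps(print, protocol=3)

if __name__ == "__main__":
    pickletools.dis(VOCAB_PICKLE)                      # same listing style as the slide
    print(scan_pickle(VOCAB_PICKLE), safe_loads(VOCAB_PICKLE))
    try:
        safe_loads(UNLISTED_PICKLE)
    except pickle.UnpicklingError as exc:
        print("blocked:", exc)
```

The static scan is a triage aid only (the agenda's "bypass pickle scanning" item is the reason); the find_class allowlist is the control that actually runs inside pickle.loads.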