Emerging Threat: Exploitation of Machine Learning Models via Sleepy Pickle Attacks
Recent revelations spotlight significant vulnerabilities within the widely utilized Pickle format, particularly concerning machine learning (ML) models. A new attack technique, referred to as Sleepy Pickle, has been identified, which leverages this format to compromise ML models themselves. This discovery underscores the inherent risks associated with the supply chain of ML technology, posing serious threats to organizations and their clients.
The Sleepy Pickle attack method capitalizes on the Pickle serialization format frequently used by ML libraries, such as PyTorch, allowing malicious actors to corrupt models and deliver payloads unnoticed. As articulated by security researcher Boyan Milanov of Trail of Bits, this stealthy technique specifically targets the functionality of the ML model rather than merely the underlying systems, amplifying its potential impact.
This multifaceted attack exploits the deserialization step inherent in loading Pickle files: the Pickle format can instruct the loader to import and call arbitrary Python callables, so loading an untrusted file can execute arbitrary code. As part of mitigation strategies, Hugging Face, a leading ML platform, advocates for only using trusted models and signed commits and suggests considering safer file formats, thus reinforcing the importance of maintaining robust security practices within organizations that leverage ML technologies.
The mechanism behind Sleepy Pickle involves inserting malicious payloads into Pickle files using open-source tools, which are then distributed through various vectors including phishing, supply chain compromises, or adversary-in-the-middle attacks. Upon deserialization on the targeted system, these payloads execute, creating pathways for backdoor access, tampering with processed data, or altering model behavior.
In a potential attack scenario, the ramifications of a compromised ML model could be dire. Malicious actors could manipulate output data to produce harmful or misleading information, jeopardizing user safety and data privacy. Such tactics not only threaten individual users but can also misguide decision-making processes in organizations relying on accurate model outputs.
Trail of Bits emphasizes that Sleepy Pickle offers attackers a means to maintain covert access to systems, because the model is altered while the Pickle file is being loaded. This method is particularly effective because it does not require the adversary to lure victims into directly executing a standalone malicious model; instead, the payload modifies the legitimate model dynamically once it is loaded into Python.
Furthermore, an advanced variant of this attack, termed Sticky Pickle, has also been proposed, which could enable ongoing control over the compromised model. This technique includes capabilities for self-replication, ensuring that the malicious payload persists even as models are updated or modified. The obfuscation of these payloads complicates detection efforts by typical security scanning tools.
In response to the increasing risks associated with Pickle files, experts advise organizations to refrain from using them for model serialization and to adopt alternative methods like SafeTensors. With the landscape of cybersecurity continuously evolving, staying abreast of such vulnerabilities is essential for business owners seeking to safeguard their operations and digital assets.
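The two points above (a Pickle file can run code during deserialization, and organizations should gate or avoid Pickle loads) can be checked concretely. The following is an added example, not code from the article, Trail of Bits, or Hugging Face: it disassembles a pickle stream with the standard library's `pickletools` without executing it, flags the opcodes that import or call code, and loads files only through an allow-listed unpickler. The function names (`scan_pickle`, `RestrictedUnpickler`, `safe_loads`, `check`) and the two sample streams are constructed for this example; the "calls code" sample is a harmless `collections.Counter`, which is enough to show the import-and-call mechanism a malicious file abuses.

```python
import io
import pickle
import pickletools
from collections import Counter

# Opcodes that make the unpickler import a module attribute or call a callable
# while the file is being loaded; a pure-data checkpoint does not need them.
CODE_EXECUTING_OPCODES = {
    "GLOBAL", "STACK_GLOBAL", "REDUCE", "BUILD",
    "INST", "OBJ", "NEWOBJ", "NEWOBJ_EX",
}


def scan_pickle(data: bytes) -> list:
    """Disassemble a pickle stream without executing it and return the names
    of any opcodes that would import or call code during loading."""
    return [op.name for op, _arg, _pos in pickletools.genops(data)
            if op.name in CODE_EXECUTING_OPCODES]


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that only resolves an explicit allow-list of (module, name)
    pairs; any other import request aborts the load."""

    ALLOWED = {("builtins", "set"), ("builtins", "frozenset")}

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refused to import {module}.{name}")


def safe_loads(data: bytes):
    """Load a pickle through the restricted unpickler."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def load_is_rejected(data: bytes) -> bool:
    """True if the restricted unpickler refuses the stream."""
    try:
        safe_loads(data)
    except pickle.UnpicklingError:
        return True
    return False


def check(data: bytes) -> bool:
    """Accept a stream only if it has no code-executing opcodes and loads
    cleanly under the allow-list."""
    return not scan_pickle(data) and not load_is_rejected(data)


# Constructed sample 1: a plain-data checkpoint (dict of lists and floats).
BENIGN = pickle.dumps({"weights": [0.1, 0.2, 0.3], "bias": 0.5})

# Constructed sample 2: a harmless object whose pickle nevertheless tells the
# loader to import collections.Counter and call it (GLOBAL/STACK_GLOBAL then
# REDUCE), the same mechanism a malicious file uses to run its payload.
CALLS_CODE = pickle.dumps(Counter("aab"))


if __name__ == "__main__":
    for label, blob in (("benign", BENIGN), ("calls_code", CALLS_CODE)):
        verdict = "accepted" if check(blob) else "rejected"
        print(label, scan_pickle(blob), verdict)
```

The static scan is the cheap first gate: it never executes the stream, so it is safe to run on files from any source, and a checkpoint that is pure tensors and metadata should produce an empty list. The restricted unpickler is the second gate for files that legitimately need a few known classes; anything outside the allow-list fails closed. Formats such as SafeTensors remove the problem entirely because they carry no opcodes to execute.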
The identified tactics align closely with MITRE ATT&CK techniques, particularly regarding persistence and initial access, highlighting the sophisticated nature of these attacks. Organizations must prioritize vigilance and proactive measures to protect their ML systems and the data reliant upon them, as the implications of a Sleepy Pickle attack could reverberate throughout entire supply chains.
For organizations navigating the complexities of machine learning and cybersecurity, understanding these threats is imperative for establishing effective defenses against potential exploitation.