### Install Development Dependencies Source: https://github.com/protectai/modelscan/blob/main/CONTRIBUTING.md Run this command in the root of the modelscan directory to install development dependencies and set up the CLI for live updates. This command requires Poetry to be installed. ```bash make install-dev ``` -------------------------------- ### Install and Run ModelScan Source: https://github.com/protectai/modelscan/blob/main/notebooks/xgboost_diabetes_classification.ipynb Installs the modelscan library and runs a version check. Ensure you have Python and pip installed. ```python !pip install -q modelscan !modelscan -v ``` -------------------------------- ### Install ModelScan Source: https://github.com/protectai/modelscan/blob/main/README.md Install the ModelScan package using pip. This is the first step before scanning models. ```bash pip install modelscan ``` -------------------------------- ### Example TOML Configuration for ModelScan Source: https://context7.com/protectai/modelscan/llms.txt Provides an example structure for a TOML configuration file, demonstrating how to define supported extensions, enable scanners, and configure reporting. ```toml # Example modelscan-settings.toml content: # modelscan_version = "0.5.0" # supported_zip_extensions = [".zip", ".npz"] # # [scanners."modelscan.scanners.PickleUnsafeOpScan"] # enabled = true # supported_extensions = [".pkl", ".pickle", ".joblib", ".dill"] # # [scanners."modelscan.scanners.PyTorchUnsafeOpScan"] # enabled = true # supported_extensions = [".bin", ".pt", ".pth", ".ckpt"] # # [unsafe_globals.CRITICAL] # builtins = ["eval", "exec", "compile", "__import__"] # os = "*" # subprocess = "*" # # [reporting] # module = "modelscan.reports.ConsoleReport" # [reporting.settings] # show_skipped = false ``` -------------------------------- ### ModelScan CLI Help and Version Source: https://github.com/protectai/modelscan/blob/main/README.md Use these commands to view the help documentation or check the installed version of ModelScan. ```bash modelscan -h ``` ```bash modelscan -v ``` -------------------------------- ### Install ModelScan with TensorFlow and H5py Extras Source: https://github.com/protectai/modelscan/blob/main/README.md Install ModelScan with optional extras for TensorFlow and H5py support. This is required for scanning models in these formats. ```bash pip install 'modelscan[ tensorflow, h5py ]' ``` -------------------------------- ### Install Dependencies for Model Training Source: https://github.com/protectai/modelscan/blob/main/notebooks/keras_fashion_mnist.ipynb Installs necessary libraries including TensorFlow, Transformers, and Matplotlib for model development and visualization. Pinning versions ensures reproducibility. ```python !pip install -q tensorflow==2.13.0 !pip install -q transformers==4.31.0 !pip install -q matplotlib==3.7.2 ``` -------------------------------- ### Install PyTorch and Transformers Dependencies Source: https://github.com/protectai/modelscan/blob/main/notebooks/pytorch_sentiment_analysis.ipynb Install specific versions of PyTorch, transformers, and scipy. Ensure these versions are compatible with your environment. ```python %pip install -q torch==2.0.1 %pip install -q transformers==4.31.0 %pip install -q scipy==1.11.1 ``` -------------------------------- ### Install ModelScan CLI Source: https://context7.com/protectai/modelscan/llms.txt Install the ModelScan package using pip. Additional dependencies for TensorFlow and HDF5 support can be included. ```bash pip install modelscan ``` ```bash pip install 'modelscan[tensorflow,h5py]' ``` -------------------------------- ### Install XGBoost and Scikit-learn Source: https://github.com/protectai/modelscan/blob/main/notebooks/xgboost_diabetes_classification.ipynb Installs specific versions of XGBoost and scikit-learn required for the model training. These libraries are essential for building the diabetes prediction model. ```python !pip install -q xgboost==1.7.6 !pip install -U -q scikit-learn==1.3.0 ``` -------------------------------- ### Import Libraries and Setup Logging Source: https://github.com/protectai/modelscan/blob/main/notebooks/tensorflow_fashion_mnist.ipynb Imports TensorFlow and other utilities. Sets TensorFlow logging to ERROR to reduce verbosity during model training. ```python import tensorflow as tf import os tf.compat.v1.logging.set_verbosity(tf.compat.v1.logging.ERROR) from utils.tensorflow_fashion_mnist_model import train_model, get_predictions from utils.tensorflow_codeinjection import MaliciousModule ``` -------------------------------- ### Prepare for Model Serialization Attack Source: https://github.com/protectai/modelscan/blob/main/notebooks/xgboost_diabetes_classification.ipynb Defines the command and malicious code to be injected into the model. This setup is for demonstrating a code injection vulnerability. ```python # Inject code with the command command = "system" malicious_code = """cat ~/.aws/secrets """ ``` -------------------------------- ### Exfiltrate AWS Secret on XGBoost Model using os.system() Source: https://github.com/protectai/modelscan/blob/main/notebooks/README.md This example demonstrates exfiltrating AWS secrets from an XGBoost model using `os.system()`. It highlights how pickle serialization in libraries like XGBoost can be exploited for malicious purposes. ```python import os import xgboost as xgb def exfiltrate_secret_xgboost(secret): # This function would typically be part of a malicious payload within the model os.system(f'echo {secret} > /tmp/xgboost_secret.txt') # Example of how this might be used (conceptual): # class MaliciousModel: # def __init__(self): # self.secret = 'AKIAIOSFODNN7EXAMPLE' # # def __getstate__(self): # exfiltrate_secret_xgboost(self.secret) # return self.__dict__ # # # When this malicious model is pickled and unpickled, exfiltrate_secret_xgboost is called. ``` -------------------------------- ### Get Raw Results from Scanner Source: https://context7.com/protectai/modelscan/llms.txt Shows how to retrieve raw scan results and access specific summary information like the total number of issues. ```python # Get raw results without generating report results = scanner._generate_results() print(results["summary"]["total_issues"]) print(results["issues"]) ``` -------------------------------- ### Add ModelScan to Project Dependencies (TOML) Source: https://github.com/protectai/modelscan/blob/main/README.md Add ModelScan to your project's dependencies in pyproject.toml for consistent installation across environments. ```toml modelscan = ">=0.1.1" ``` -------------------------------- ### Model Scan Results (JSON) Source: https://github.com/protectai/modelscan/blob/main/notebooks/xgboost_diabetes_classification.ipynb This is an example of the JSON output from a ModelScan operation, indicating a critical issue found due to the use of an unsafe operator. ```json Output: No settings file detected at /Users/mehrinkiani/Documents/modelscan/notebooks/modelscan-settings.toml. Using defaults. Scanning /Users/mehrinkiani/Documents/modelscan/notebooks/XGBoostModels/unsafe_model.pkl using modelscan.scanners.PickleUnsafeOpScan model scan {"modelscan_version": "0.5.0", "timestamp": "2024-01-25T17:56:00.855056", "input_path": "/Users/mehrinkiani/Documents/modelscan/notebooks/XGBoostModels/unsafe_model.pkl", "total_issues": 1, "summary": {"total_issues_by_severity": {"LOW": 0, "MEDIUM": 0, "HIGH": 0, "CRITICAL": 1}, "issues_by_severity": {"CRITICAL": [{"description": "Use of unsafe operator 'system' from module 'posix'", "operator": "system", "module": "posix", "source": "/Users/mehrinkiani/Documents/modelscan/notebooks/XGBoostModels/unsafe_model.pkl", "scanner": "modelscan.scanners.PickleUnsafeOpScan"}], "errors": [], "scanned": {"total_scanned": 1, "scanned_files": ["/Users/mehrinkiani/Documents/modelscan/notebooks/XGBoostModels/unsafe_model.pk"l"]}} ``` -------------------------------- ### Generate Console, JSON, and File Reports Source: https://context7.com/protectai/modelscan/llms.txt Demonstrates how to generate reports in console (default), JSON to stdout, and JSON to a file using different configurations. ```python from modelscan.modelscan import ModelScan from modelscan.settings import DEFAULT_SETTINGS import copy # Console report (default) scanner = ModelScan(settings=DEFAULT_SETTINGS) scanner.scan("/path/to/model.pkl") scanner.generate_report() # Prints colored output to console # JSON report to stdout json_settings = copy.deepcopy(DEFAULT_SETTINGS) json_settings["reporting"]["module"] = "modelscan.reports.JSONReport" scanner = ModelScan(settings=json_settings) scanner.scan("/path/to/model.pkl") scanner.generate_report() # Prints JSON to stdout # JSON report to file json_file_settings = copy.deepcopy(DEFAULT_SETTINGS) json_file_settings["reporting"]["module"] = "modelscan.reports.JSONReport" json_file_settings["reporting"]["settings"]["output_file"] = "report.json" json_file_settings["reporting"]["settings"]["show_skipped"] = True scanner = ModelScan(settings=json_file_settings) scanner.scan("/path/to/model.pkl") scanner.generate_report() # Writes JSON to report.json ``` -------------------------------- ### Import Necessary Libraries and Set Environment Variable Source: https://github.com/protectai/modelscan/blob/main/notebooks/pytorch_sentiment_analysis.ipynb Import PyTorch, OS, and custom utility functions for model handling. Sets the TOKENIZERS_PARALLELISM environment variable to false to prevent potential issues. ```python import torch import os from utils.pytorch_sentiment_model import download_model, predict_sentiment from utils.pickle_codeinjection import PickleInject, get_payload %env TOKENIZERS_PARALLELISM=false ``` -------------------------------- ### Load ModelScan Settings from TOML Source: https://context7.com/protectai/modelscan/llms.txt Illustrates how to load custom ModelScan settings from a TOML configuration file, enabling flexible configuration of scanners and reporting. ```python from modelscan.modelscan import ModelScan from tomlkit import parse # Load settings from TOML file with open("modelscan-settings.toml", encoding="utf-8") as f: settings = parse(f.read()).unwrap() scanner = ModelScan(settings=settings) scanner.scan("/path/to/model.pkl") ``` -------------------------------- ### Scan Model Files with CLI Source: https://context7.com/protectai/modelscan/llms.txt Perform basic model scanning from the command line. Specify a single file or a directory. Results can be output as JSON and saved to a file. ```bash # Scan a single model file modelscan -p /path/to/model.pkl ``` ```bash # Scan a directory of models modelscan -p /path/to/models/ ``` ```bash # Output results as JSON modelscan -p /path/to/model.pkl -r json ``` ```bash # Save JSON report to file modelscan -p /path/to/model.pkl -r json -o scan_results.json ``` ```bash # Show skipped files in output modelscan --show-skipped -p /path/to/model.pkl ``` ```bash # Use custom settings file modelscan -p /path/to/model.pkl --settings-file ./modelscan-settings.toml ``` ```bash # Enable debug logging modelscan -p /path/to/model.pkl -l DEBUG ``` -------------------------------- ### Import Necessary Libraries Source: https://github.com/protectai/modelscan/blob/main/notebooks/xgboost_diabetes_classification.ipynb Imports libraries for model serialization (pickle), file path manipulation (pathlib, os), numerical operations (numpy), and custom utilities for generating unsafe files and training models. ```python import pickle from pathlib import Path import os import numpy as np from utils.pickle_codeinjection import generate_unsafe_file from utils.xgboost_diabetes_model import train_model, get_predictions ``` -------------------------------- ### Clone the ModelScan Repository Source: https://github.com/protectai/modelscan/blob/main/CONTRIBUTING.md Use this command to clone the ModelScan repository to your local machine. This is the first step in setting up your development environment. ```bash git clone git@github.com:protectai/modelscan.git ``` -------------------------------- ### ModelScan CLI Create Settings File Source: https://github.com/protectai/modelscan/blob/main/README.md Generate a configurable settings file for ModelScan using the 'create-settings-file' command. ```bash modelscan create-settings-file ``` -------------------------------- ### Create ModelScan Settings File Source: https://context7.com/protectai/modelscan/llms.txt Generate a default TOML settings file to customize ModelScan's behavior. The file can be created in the current directory, overwritten, or saved to a specific location. ```bash # Create default settings file in current directory modelscan create-settings-file ``` ```bash # Overwrite existing settings file modelscan create-settings-file --force ``` ```bash # Create settings file at specific location modelscan create-settings-file -l /path/to/custom-settings.toml ``` -------------------------------- ### Run a ModelScan CLI Scan Source: https://github.com/protectai/modelscan/blob/main/CONTRIBUTING.md After setting up the development environment, use this command to run a scan with the ModelScan CLI. Replace '/path/to/file' with the actual path to the file or directory you want to scan. ```bash modelscan -p /path/to/file ``` -------------------------------- ### Initialize and Scan Model with ModelScan in Python Source: https://github.com/protectai/modelscan/blob/main/README.md Integrate ModelScan into Python applications by initializing the ModelScan class with default settings and calling the scan method on a model file or directory. ```python from modelscan.modelscan import ModelScan from modelscan.settings import DEFAULT_SETTINGS # Initialize ModelScan with default settings scanner = ModelScan(settings=DEFAULT_SETTINGS) # Scan a model file or directory results = scanner.scan("/path/to/model_file.pkl") # Check if issues were found if scanner.issues.all_issues: print(f"Found {len(scanner.issues.all_issues)} issues!") # Access issues by severity issues_by_severity = scanner.issues.group_by_severity() for severity, issues in issues_by_severity.items(): print(f"{severity}: {len(issues)} issues") # Generate a report (default is console output) scanner.generate_report() ``` -------------------------------- ### Scan a Model File Source: https://github.com/protectai/modelscan/blob/main/README.md Scan a specified model file using the modelscan command-line tool. Replace '/path/to/model_file.pkl' with the actual path to your model. ```bash modelscan -p /path/to/model_file.pkl ``` -------------------------------- ### Import Libraries and Configure Logging Source: https://github.com/protectai/modelscan/blob/main/notebooks/keras_fashion_mnist.ipynb Imports TensorFlow and other utilities. Configures TensorFlow logging to suppress verbose output, focusing on critical errors. ```python import tensorflow as tf import os tf.compat.v1.logging.set_verbosity(tf.compat.v1.logging.ERROR) from utils.tensorflow_fashion_mnist_model import train_model, get_predictions ``` -------------------------------- ### ModelScan CLI Reporting and Output Source: https://github.com/protectai/modelscan/blob/main/README.md Specify the reporting format using -r or --reporting-format and optionally direct the output to a file with -o or --output-file. ```bash modelscan -r reporting-format -o file-name ``` -------------------------------- ### Python API - Customizing Scanner Settings Source: https://context7.com/protectai/modelscan/llms.txt Modify the default settings dictionary to customize scanner behavior. Configure enabled scanners, define unsafe operators, and set reporting preferences. Use `copy.deepcopy` to avoid modifying the original default settings. ```python from modelscan.modelscan import ModelScan from modelscan.settings import DEFAULT_SETTINGS import copy # Create custom settings from defaults custom_settings = copy.deepcopy(DEFAULT_SETTINGS) # Disable specific scanners custom_settings["scanners"]["modelscan.scanners.NumpyUnsafeOpScan"]["enabled"] = False # Add custom unsafe operators for TensorFlow custom_settings["scanners"]["modelscan.scanners.SavedModelTensorflowOpScan"]["unsafe_tf_operators"]["CustomOp"] = "HIGH" # Add custom unsafe globals for pickle scanning custom_settings["unsafe_globals"]["CRITICAL"]["my_dangerous_module"] = "*" custom_settings["unsafe_globals"]["HIGH"]["requests.api"] = ["get", "post"] # Configure JSON reporting with output file custom_settings["reporting"]["module"] = "modelscan.reports.JSONReport" custom_settings["reporting"]["settings"]["output_file"] = "scan_results.json" custom_settings["reporting"]["settings"]["show_skipped"] = True # Initialize scanner with custom settings scanner = ModelScan(settings=custom_settings) scanner.scan("/path/to/model.pkl") scanner.generate_report() ``` -------------------------------- ### Scan PyTorch Model and Save Results Source: https://github.com/protectai/modelscan/blob/main/notebooks/pytorch_sentiment_analysis.ipynb Use this command to scan a specified PyTorch model file for security vulnerabilities and save the scan results in JSON format to an output file. Ensure the path to the model is correct. ```bash !modelscan --path ./PyTorchModels/unsafe_model.pt -r json -o pytorch-model-scan-results.json ``` -------------------------------- ### Train and Save a Safe XGBoost Model Source: https://github.com/protectai/modelscan/blob/main/notebooks/xgboost_diabetes_classification.ipynb Trains an XGBoost model on a diabetes dataset and saves it to a pickle file. Ensure the 'XGBoostModels' directory exists; it will be created if it doesn't. ```python model_directory = os.path.join(os.getcwd(), "XGBoostModels") if not os.path.isdir(model_directory): os.mkdir(model_directory) safe_model_path_pickle = os.path.join(model_directory, "safe_model.pkl") model = train_model() with open(safe_model_path_pickle, "wb") as fo: pickle.dump(model, fo) ``` -------------------------------- ### Generate JSON Report with ModelScan Source: https://github.com/protectai/modelscan/blob/main/notebooks/pytorch_sentiment_analysis.ipynb Demonstrates how to generate a scan report in JSON format using the modelscan CLI. Specify the output file name and format. ```bash modelscan -p ./path-to/file -r json -o output-file-name.json ``` -------------------------------- ### Python API - Checking File Compatibility Source: https://context7.com/protectai/modelscan/llms.txt Use the `is_compatible` method to check if a file path is supported by any of the available scanners before initiating a scan. This helps in pre-filtering files. ```python from modelscan.modelscan import ModelScan from modelscan.settings import DEFAULT_SETTINGS scanner = ModelScan(settings=DEFAULT_SETTINGS) # Check file compatibility supported_files = [ "model.pkl", # Pickle - supported "model.pt", # PyTorch - supported "model.h5", # Keras H5 - supported "model.keras", # Keras - supported "saved_model.pb", # TensorFlow - supported "data.npy", # NumPy - supported "model.joblib", # Joblib - supported "model.onnx", # ONNX - not supported "readme.txt", # Text - not supported ] for file in supported_files: is_compatible = scanner.is_compatible(file) print(f"{file}: {'supported' if is_compatible else 'not supported'}") # Scan only compatible files from a list files_to_scan = [f for f in supported_files if scanner.is_compatible(f)] ``` -------------------------------- ### ModelScan CLI Scan Local Model Source: https://github.com/protectai/modelscan/blob/main/README.md Scan a locally stored model file using the -p or --path argument. Custom configurations can be applied using the --settings-file argument. ```bash modelscan -p /path/to/model_file ``` ```bash modelscan -p /path/to/model_file --settings-file ./modelscan-settings.toml ``` -------------------------------- ### Scan XGBoost Model with JSON Output Source: https://github.com/protectai/modelscan/blob/main/notebooks/xgboost_diabetes_classification.ipynb Use this command to scan a specified model file and output the results in JSON format. The output file name is specified with the -o flag. ```bash # This will save the scan results in file: xgboost-model-scan-results.json !modelscan --path XGBoostModels/unsafe_model.pkl -r json -o xgboost-model-scan-results.json ``` -------------------------------- ### ModelScan CLI Show Skipped Files Source: https://github.com/protectai/modelscan/blob/main/README.md Use the --show-skipped argument to display a list of files that were omitted during the scan process. ```bash modelscan --show-skipped ``` -------------------------------- ### Generate and Save an Unsafe Model Source: https://github.com/protectai/modelscan/blob/main/notebooks/xgboost_diabetes_classification.ipynb Loads the safe model, injects malicious code using `generate_unsafe_file`, and saves the modified model as an unsafe pickle file. This process simulates a model serialization attack. ```python with open(safe_model_path_pickle, "rb") as fo: safe_model_pickle = pickle.load(fo) unsafe_model_path = os.path.join(model_directory, "unsafe_model.pkl") generate_unsafe_file(model, command, malicious_code, unsafe_model_path) ``` -------------------------------- ### Save a Safe Sentiment Analysis Model Source: https://github.com/protectai/modelscan/blob/main/notebooks/pytorch_sentiment_analysis.ipynb Downloads and saves a pre-trained sentiment analysis model to a specified local path. Ensures the model directory exists before saving. ```python # Save a model for sentiment analysis from typing import Final model_directory: Final[str] = "PyTorchModels" if not os.path.isdir(model_directory): os.mkdir(model_directory) safe_model_path = os.path.join(model_directory, "safe_model.pt") download_model(safe_model_path) ``` -------------------------------- ### Train and Save TensorFlow Model Source: https://github.com/protectai/modelscan/blob/main/notebooks/tensorflow_fashion_mnist.ipynb Trains a TensorFlow model on the Fashion MNIST dataset and saves it to a specified directory. Ensure the directory exists before saving. ```python model_directory = "TensorFlowModels" if not os.path.isdir(model_directory): os.mkdir(model_directory) safe_model_path = os.path.join(model_directory, "safe_model") model = train_model() model.save(safe_model_path) ``` -------------------------------- ### Python API - Handling Scan Errors and Skipped Files Source: https://context7.com/protectai/modelscan/llms.txt Process errors and skipped files encountered during the scanning process. Errors include issues like missing dependencies or invalid paths, while skipped files indicate scanners that were not run. ```python from modelscan.modelscan import ModelScan from modelscan.settings import DEFAULT_SETTINGS scanner = ModelScan(settings=DEFAULT_SETTINGS) scanner.scan("/path/to/models/") # Handle errors for error in scanner.errors: error_dict = error.to_dict() print(f"Error Category: {error_dict['category']}") print(f"Description: {error_dict['description']}") if 'source' in error_dict: print(f"Source: {error_dict['source']}") # Error categories: # - MODEL_SCAN: General scanning errors # - DEPENDENCY: Missing optional dependencies (tensorflow, h5py) # - PATH: Invalid file paths # - NESTED_ZIP: Unsupported nested zip files # - PICKLE_GENOPS: Pickle parsing errors # - JSON_DECODE: Invalid JSON in model config # Handle skipped files for skipped in scanner.skipped: print(f"Scanner: {skipped.scan_name}") print(f"Category: {skipped.category.name}") # SCAN_NOT_SUPPORTED, BAD_ZIP, etc. print(f"Message: {skipped.message}") print(f"Source: {skipped.source}") # Skip categories: ``` -------------------------------- ### Exfiltrate AWS Secret on PyTorch Model using os.system() Source: https://github.com/protectai/modelscan/blob/main/notebooks/README.md This snippet illustrates how to exfiltrate AWS secrets from a PyTorch model using the `os.system()` function. It is relevant for understanding potential vulnerabilities in PyTorch model serialization. ```python import os def exfiltrate_secret(secret): os.system(f'echo {secret} > /tmp/secret.txt') # Example usage (within a model or script) # exfiltrate_secret('AKIAIOSFODNN7EXAMPLE') ``` -------------------------------- ### Predict Sentiment Using a Safe Model Source: https://github.com/protectai/modelscan/blob/main/notebooks/pytorch_sentiment_analysis.ipynb Loads the saved safe model and uses it to predict the sentiment of a given text. Requires the model to be downloaded and saved previously. ```python sentiment = predict_sentiment( "Stock market was bearish today", torch.load(safe_model_path) ) ``` -------------------------------- ### Generate JSON Report for Model Scan Source: https://github.com/protectai/modelscan/blob/main/notebooks/keras_fashion_mnist.ipynb Perform a model scan and output the results in JSON format to a specified file. This is useful for programmatic analysis of scan results. ```bash # This will save the scan results in file: keras-model-scan-results.json !modelscan --path KerasModels/unsafe_model.h5 -r json -o keras-model-scan-results.json ``` -------------------------------- ### Python API - ModelScan Class Usage Source: https://context7.com/protectai/modelscan/llms.txt Programmatically scan models using the ModelScan class. Initialize with settings, scan files or directories, and access detailed scan results and reports. ```python from modelscan.modelscan import ModelScan from modelscan.settings import DEFAULT_SETTINGS # Initialize scanner with default settings scanner = ModelScan(settings=DEFAULT_SETTINGS) # Scan a single model file results = scanner.scan("/path/to/model.pkl") # Scan a directory of models results = scanner.scan("/path/to/models/") # Access scan results print(f"Total issues: {len(scanner.issues.all_issues)}") print(f"Files scanned: {scanner.scanned}") print(f"Files skipped: {len(scanner.skipped)}") print(f"Errors: {len(scanner.errors)}") # Group issues by severity issues_by_severity = scanner.issues.group_by_severity() for severity, issues in issues_by_severity.items(): print(f"{severity}: {len(issues)} issues") for issue in issues: print(f" - {issue.details.module}.{issue.details.operator}") print(f" Source: {issue.details.source}") # Generate console report scanner.generate_report() # Results dictionary structure # { # "summary": { # "total_issues_by_severity": {"CRITICAL": 0, "HIGH": 2, "MEDIUM": 1, "LOW": 0}, # "total_issues": 3, # "input_path": "/path/to/model.pkl", # "absolute_path": "/absolute/path/to", # "modelscan_version": "0.5.0", # "timestamp": "2024-01-15T10:30:00", # "scanned": {"total_scanned": 1, "scanned_files": ["model.pkl"]}, # "skipped": {"total_skipped": 0, "skipped_files": []} # }, # "issues": [ # { # "description": "Use of unsafe operator 'system' from module 'os'", # "operator": "system", # "module": "os", # "source": "model.pkl", # "scanner": "modelscan.scanners.PickleUnsafeOpScan", # "severity": "CRITICAL" # } # ], # "errors": [] # } ``` -------------------------------- ### HIGH Severity Unsafe Globals Reference Source: https://context7.com/protectai/modelscan/llms.txt Lists default unsafe global variables and functions categorized under HIGH severity, often associated with data exfiltration risks. ```python # HIGH severity - Data exfiltration risks HIGH_UNSAFE_GLOBALS = { "webbrowser": "*", # Browser operations "httplib": "*", # HTTP connections "requests.api": "*", # HTTP requests "aiohttp.client": "*", # Async HTTP } ``` -------------------------------- ### Load and Predict using the Unsafe Model Source: https://github.com/protectai/modelscan/blob/main/notebooks/xgboost_diabetes_classification.ipynb Loads the unsafe model, which executes the injected malicious code (e.g., revealing AWS secrets), and then performs predictions. The model's performance remains unaffected by the attack. ```python with open(unsafe_model_path, "rb") as fo: unsafe_model = pickle.load(fo) get_predictions(number_of_predictions, unsafe_model) ``` -------------------------------- ### Load and Predict with Unsafe Model Source: https://github.com/protectai/modelscan/blob/main/notebooks/keras_fashion_mnist.ipynb Load a TensorFlow Keras model from a specified path and perform predictions. This snippet demonstrates how an unsafe model can be loaded and used, potentially exposing sensitive information during execution. ```python unsafe_model_loaded = tf.keras.models.load_model(unsafe_model_path) number_of_predictions = 3 get_predictions(unsafe_model_loaded, number_of_predictions) ``` -------------------------------- ### Scan an Unsafe Model for Serialization Attacks Source: https://github.com/protectai/modelscan/blob/main/notebooks/pytorch_sentiment_analysis.ipynb Scans the unsafe model using modelscan to detect the injected malicious code. The output highlights the critical severity of the 'system' operator. ```bash !modelscan --path ./PyTorchModels/unsafe_model.pt ``` -------------------------------- ### ModelScan JSON Reporting Source: https://github.com/protectai/modelscan/blob/main/notebooks/xgboost_diabetes_classification.ipynb Demonstrates how to configure ModelScan to output scan results in JSON format to a specified file. This is useful for programmatic analysis of scan results. ```python # For JSON reporting: # modelscan -p ./path-to/file -r json -o output-file-name.json ``` -------------------------------- ### Predict Sentiment Using an Unsafe Model Source: https://github.com/protectai/modelscan/blob/main/notebooks/pytorch_sentiment_analysis.ipynb Loads the unsafe model, which executes the injected malicious code before predicting sentiment. This demonstrates that model performance is unaffected by the attack. ```python predict_sentiment("Stock market was bearish today", torch.load(unsafe_model_path)) ``` -------------------------------- ### Scan the Unsafe Model with ModelScan Source: https://github.com/protectai/modelscan/blob/main/notebooks/xgboost_diabetes_classification.ipynb Scans the unsafe pickle file using ModelScan to detect the injected code. The output highlights critical severity issues, including the specific unsafe operator and module used. ```python !modelscan -p XGBoostModels/unsafe_model.pkl ``` -------------------------------- ### Scan Model for Security Issues Source: https://github.com/protectai/modelscan/blob/main/notebooks/keras_fashion_mnist.ipynb Scan a Keras model file (.h5) for security vulnerabilities using the modelscan command-line tool. This command will output a summary of issues found, including severity levels and descriptions. ```bash !modelscan -p KerasModels/unsafe_model.h5 ``` -------------------------------- ### Python API - Accessing Scan Issues and Severity Source: https://context7.com/protectai/modelscan/llms.txt Iterate through scan results to access issues, their severity levels, and detailed operator information. Filter issues by severity and check the defined severity levels. ```python from modelscan.modelscan import ModelScan from modelscan.settings import DEFAULT_SETTINGS from modelscan.issues import IssueSeverity scanner = ModelScan(settings=DEFAULT_SETTINGS) scanner.scan("/path/to/model.pkl") # Access all issues for issue in scanner.issues.all_issues: print(f"Severity: {issue.severity.name}") # CRITICAL, HIGH, MEDIUM, LOW print(f"Code: {issue.code.name}") # UNSAFE_OPERATOR print(f"Module: {issue.details.module}") print(f"Operator: {issue.details.operator}") print(f"Source: {issue.details.source}") print(f"Scanner: {issue.details.scanner}") # Get JSON representation json_output = issue.details.output_json() # { # "description": "Use of unsafe operator 'eval' from module 'builtins'", # "operator": "eval", # "module": "builtins", # "source": "/path/to/model.pkl", # "scanner": "modelscan.scanners.PickleUnsafeOpScan", # "severity": "CRITICAL" # } # Filter by severity critical_issues = [i for i in scanner.issues.all_issues if i.severity == IssueSeverity.CRITICAL] high_issues = [i for i in scanner.issues.all_issues if i.severity == IssueSeverity.HIGH] # Check severity levels for severity in IssueSeverity: print(f"{severity.name}: {severity.value}") # LOW: 1 # MEDIUM: 2 # HIGH: 3 # CRITICAL: 4 ``` -------------------------------- ### Model Scan Results Output Source: https://github.com/protectai/modelscan/blob/main/notebooks/pytorch_sentiment_analysis.ipynb This JSON output represents the results of a model scan, detailing version information, scan timestamp, input path, total issues, a summary of issues by severity, specific issues found, and any errors encountered during the scan. It indicates a critical issue related to the use of an unsafe operator. ```json {\n"modelscan_version": "0.5.0", \n"timestamp": "2024-01-25T17:10:54.306065", \n"input_path": \n"/Users/mehrinkiani/Documents/modelscan/notebooks/PyTorchModels/unsafe_model.pt"\n, "total_issues": 1, "summary": {"total_issues_by_severity": {"LOW": 0, \n"MEDIUM": 0, \n"HIGH": 0, \n"CRITICAL": 1}\n}, "issues_by_severity": {"CRITICAL": \n[\n{\n"description": "Use of unsafe operator 'system' from module 'posix'", \n"operator": "system", \n"module": "posix", \n"source": \n"/Users/mehrinkiani/Documents/modelscan/notebooks/PyTorchModels/unsafe_model.pt:\nunsafe_model/data.pkl", \n"scanner": "modelscan.scanners.PickleUnsafeOpScan"\n}\n]\n}, \n"errors": \n[], \n"scanned": {"total_scanned": 1, "scanned_files": \n[\n"/Users/mehrinkiani/Documents/modelscan/notebooks/PyTorchModels/unsafe_model.pt"\n:unsafe_model/data.pkl"\n]\n}\n} ``` -------------------------------- ### TensorFlow Unsafe Operators Reference Source: https://context7.com/protectai/modelscan/llms.txt Lists unsafe TensorFlow operators and their associated severity level, with 'ReadFile' and 'WriteFile' marked as HIGH severity due to file system access. ```python # TensorFlow unsafe operators (HIGH severity) UNSAFE_TF_OPERATORS = { "ReadFile": "HIGH", # File system read "WriteFile": "HIGH", # File system write } ``` -------------------------------- ### Scan a Safe Model for Serialization Attacks Source: https://github.com/protectai/modelscan/blob/main/notebooks/pytorch_sentiment_analysis.ipynb Uses the modelscan CLI to scan a saved PyTorch model file for potential serialization attacks. This command checks the integrity of the model. ```bash !modelscan --path PyTorchModels/safe_model.pt ``` -------------------------------- ### Scan a Safe Model with ModelScan Source: https://github.com/protectai/modelscan/blob/main/notebooks/xgboost_diabetes_classification.ipynb Scans a saved pickle file for potential code injections using ModelScan. This command checks the specified model file for security issues. ```python !modelscan -p XGBoostModels/safe_model.pkl ``` -------------------------------- ### Train and Save Keras Fashion MNIST Model Source: https://github.com/protectai/modelscan/blob/main/notebooks/keras_fashion_mnist.ipynb Trains a Keras model on the Fashion MNIST dataset and saves the trained model to a specified HDF5 file. The model is intended for classification tasks. ```python model_directory = "KerasModels" if not os.path.isdir(model_directory): os.mkdir(model_directory) safe_model_path = os.path.join(model_directory, "safe_model.h5") model = train_model() model.save(safe_model_path,) ``` -------------------------------- ### Create an Unsafe Model with Injected Code Source: https://github.com/protectai/modelscan/blob/main/notebooks/pytorch_sentiment_analysis.ipynb Injects malicious code (e.g., to read AWS secrets) into a safe model and saves it as an unsafe model. This demonstrates a model serialization attack. ```python command = "system" malicious_code = """cat ~/.aws/secrets " unsafe_model_path = os.path.join(model_directory, "unsafe_model.pt") payload = get_payload(command, malicious_code) torch.save( torch.load(safe_model_path), f=unsafe_model_path, pickle_module=PickleInject([payload]), ) ``` -------------------------------- ### Customize ModelScan Settings in Python Source: https://github.com/protectai/modelscan/blob/main/README.md Modify ModelScan's behavior by creating a copy of the default settings and updating specific configuration parameters, such as reporting module and output file. ```python # Start with default settings and customize custom_settings = DEFAULT_SETTINGS.copy() # Update settings as needed custom_settings["reporting"]["module"] = "modelscan.reporting.json_report.JSONReport" custom_settings["reporting"]["settings"]["output_file"] = "scan_results.json" # Initialize with custom settings scanner = ModelScan(settings=custom_settings) ``` -------------------------------- ### Python Script for CI/CD Model Scanning Source: https://context7.com/protectai/modelscan/llms.txt Use this Python script to integrate ModelScan into your CI/CD pipeline. It scans models and returns an exit code based on the severity of found issues, allowing pipelines to fail on critical vulnerabilities. ```python #!/usr/bin/env python3 """CI/CD integration script for model scanning.""" import sys from pathlib import Path from modelscan.modelscan import ModelScan from modelscan.settings import DEFAULT_SETTINGS from modelscan.issues import IssueSeverity def scan_models_for_ci(models_path: str, fail_on_severity: str = "HIGH") -> int: """ Scan models and return appropriate exit code for CI. Args: models_path: Path to model file or directory fail_on_severity: Minimum severity to fail build (LOW, MEDIUM, HIGH, CRITICAL) Returns: 0 if safe, 1 if issues found at or above threshold """ severity_threshold = IssueSeverity[fail_on_severity] scanner = ModelScan(settings=DEFAULT_SETTINGS) results = scanner.scan(models_path) # Check for critical errors if scanner.errors: print(f"Scan errors: {len(scanner.errors)}") for error in scanner.errors: print(f" - {error}") return 2 # Check issues against threshold blocking_issues = [ issue for issue in scanner.issues.all_issues if issue.severity.value >= severity_threshold.value ] if blocking_issues: print(f"Found {len(blocking_issues)} issues at or above {fail_on_severity} severity:") for issue in blocking_issues: print(f" [{issue.severity.name}] {issue.details.module}.{issue.details.operator}") print(f" Source: {issue.details.source}") return 1 print(f"Model scan passed. Scanned {len(scanner.scanned)} files.") return 0 if __name__ == "__main__": models_dir = sys.argv[1] if len(sys.argv) > 1 else "./models" exit_code = scan_models_for_ci(models_dir, fail_on_severity="HIGH") sys.exit(exit_code) ``` ```yaml # GitHub Actions workflow example: # name: Model Security Scan # on: [push, pull_request] # jobs: # scan: # runs-on: ubuntu-latest # steps: # - uses: actions/checkout@v3 # - uses: actions/setup-python@v4 # with: # python-version: '3.10' # - run: pip install modelscan # - run: modelscan -p ./models/ -r json -o scan-results.json # - uses: actions/upload-artifact@v3 # with: # name: scan-results # path: scan-results.json ``` -------------------------------- ### Generate Predictions with Trained Model Source: https://github.com/protectai/modelscan/blob/main/notebooks/keras_fashion_mnist.ipynb Uses the trained Keras model to generate predictions on new data and displays the predicted labels along with their probabilities. Compares predictions to true labels. ```python number_of_predictions = 3 get_predictions(model, number_of_predictions) ``` -------------------------------- ### Create and Save Unsafe Model Source: https://github.com/protectai/modelscan/blob/main/notebooks/tensorflow_fashion_mnist.ipynb Injects malicious code into a trained TensorFlow model to create an unsafe version, then saves it. This demonstrates a model serialization attack. ```python unsafe_model = MaliciousModule(model) unsafe_model.build(input_shape=(None, 28,28)) # Save the unsafe model unsafe_model_path = os.path.join(model_directory, "unsafe_model") unsafe_model.save(unsafe_model_path) ``` -------------------------------- ### Scan Saved Model with ModelScan Source: https://github.com/protectai/modelscan/blob/main/notebooks/keras_fashion_mnist.ipynb Scans a saved Keras model file (`.h5`) using the ModelScan CLI to detect potential serialization attacks or other security issues. Uses default settings if no configuration file is found. ```bash !modelscan -p ./KerasModels/safe_model.h5 ``` -------------------------------- ### CRITICAL Severity Unsafe Globals Reference Source: https://context7.com/protectai/modelscan/llms.txt Lists default unsafe global variables and functions categorized under CRITICAL severity, often associated with Remote Code Execution risks. ```python # CRITICAL severity - Remote Code Execution risks CRITICAL_UNSAFE_GLOBALS = { "__builtin__": ["eval", "compile", "getattr", "apply", "exec", "open", "breakpoint", "__import__"], "builtins": ["eval", "compile", "getattr", "apply", "exec", "open", "breakpoint", "__import__"], "runpy": "*", # Run Python modules "os": "*", # System operations "nt": "*", # Windows OS alias "posix": "*", # Linux OS alias "socket": "*", # Network operations "subprocess": "*", # Process execution "sys": "*", # System access "operator": ["attrgetter"], # Code execution via operator "pty": "*", # Pseudo-terminal "pickle": "*", # Nested pickle loading "_pickle": "*", "bdb": "*", # Debugger "pdb": "*", # Debugger "shutil": "*", # File operations "asyncio": "*", # Async operations } ``` -------------------------------- ### Scan Unsafe Model with ModelScan CLI Source: https://github.com/protectai/modelscan/blob/main/notebooks/tensorflow_fashion_mnist.ipynb Scans a specified TensorFlow model path using the modelscan command-line interface to identify security issues. This command will output a summary of found issues, including severity levels and specific unsafe operators or modules. ```bash !modelscan -p TensorFlowModels/unsafe_model ``` -------------------------------- ### Perform Predictions using the Safe Model Source: https://github.com/protectai/modelscan/blob/main/notebooks/xgboost_diabetes_classification.ipynb Uses the trained XGBoost model to make predictions. This function requires the number of predictions to generate and the model object. ```python number_of_predictions = 3 get_predictions(number_of_predictions, model) ``` -------------------------------- ### Create Unsafe Model with Lambda Layer Attack Source: https://github.com/protectai/modelscan/blob/main/notebooks/keras_fashion_mnist.ipynb Demonstrates a model serialization attack by injecting a malicious lambda layer into a loaded Keras model. This layer executes a system command to read AWS secret keys. ```python safe_model_loaded = tf.keras.models.load_model(safe_model_path) attack = ( lambda x: os.system( """cat ~/.aws/secrets""" ) or x ) lambda_layer = tf.keras.layers.Lambda(attack)(safe_model_loaded.outputs[-1]) unsafe_model = tf.keras.Model(inputs=safe_model_loaded.inputs, outputs=lambda_layer) ``` -------------------------------- ### Scan Saved TensorFlow Model Source: https://github.com/protectai/modelscan/blob/main/notebooks/tensorflow_fashion_mnist.ipynb Scans a saved TensorFlow model using ModelScan to detect serialization attacks. This command uses default settings if no configuration file is found. ```bash !modelscan -p ./TensorFlowModels/safe_model ``` -------------------------------- ### Save the Unsafe Model Source: https://github.com/protectai/modelscan/blob/main/notebooks/keras_fashion_mnist.ipynb Saves the modified Keras model, now containing the malicious lambda layer, to a new HDF5 file. This file represents the 'unsafe' model targeted for security analysis. ```python # Save the unsafe model unsafe_model_path = os.path.join(model_directory, "unsafe_model.h5") unsafe_model.save(unsafe_model_path) ``` -------------------------------- ### Keras Unsafe Operators Reference Source: https://context7.com/protectai/modelscan/llms.txt Lists unsafe Keras operators and their associated severity level, with 'Lambda' layers marked as MEDIUM severity due to potential for arbitrary code execution. ```python # Keras unsafe operators (MEDIUM severity) UNSAFE_KERAS_OPERATORS = { "Lambda": "MEDIUM", # Arbitrary code in Lambda layers } ``` -------------------------------- ### ModelScan CLI Exit Codes Source: https://context7.com/protectai/modelscan/llms.txt Understand the exit codes returned by the ModelScan CLI for CI/CD integration. Codes indicate scan success, vulnerabilities found, errors, or usage issues. ```bash # Exit code 0: Scan completed successfully, no vulnerabilities found modelscan -p safe_model.pkl echo $? # Returns: 0 ``` ```bash # Exit code 1: Scan completed successfully, vulnerabilities found modelscan -p malicious_model.pkl echo $? # Returns: 1 ``` ```bash # Exit code 2: Scan failed due to an error modelscan -p corrupted_file.bin echo $? # Returns: 2 ``` ```bash # Exit code 3: No supported files were passed to the tool modelscan -p unsupported_file.txt echo $? # Returns: 3 ``` ```bash # Exit code 4: Usage error, invalid CLI options modelscan --invalid-option echo $? # Returns: 4 ``` -------------------------------- ### Exfiltrate AWS Secret on Tensorflow Model using tf.io.read_file() and tf.io.write_file() Source: https://github.com/protectai/modelscan/blob/main/notebooks/README.md This code demonstrates exfiltrating AWS secrets from a Tensorflow model by reading a file and writing its content. It highlights a potential security risk when handling sensitive data within Tensorflow model serialization. ```python import tensorflow as tf def exfiltrate_secret_tf(secret_file_path, output_path): try: secret_content = tf.io.read_file(secret_file_path) tf.io.write_file(output_path, secret_content) print(f"Secret exfiltrated to {output_path}") except Exception as e: print(f"Error exfiltrating secret: {e}") # Example usage (within a model or script) # exfiltrate_secret_tf('/path/to/aws/credentials', '/tmp/exfiltrated_secret.txt') ``` -------------------------------- ### Exfiltrate AWS Secret on Keras Model using keras.layers.Lambda() Source: https://github.com/protectai/modelscan/blob/main/notebooks/README.md This snippet shows how to exfiltrate AWS secrets within a Keras model using a Lambda layer. This technique can be used to embed malicious code that executes during model loading or inference. ```python import tensorflow as tf from tensorflow import keras import os def exfiltrate_lambda(secret): # This is a simplified example. In a real attack, this might write to a file or send over network. os.system(f'echo {secret} > /tmp/keras_secret.txt') return secret # Example usage within a Keras model: # input_layer = keras.Input(shape=(...)) # x = keras.layers.Lambda(lambda x: exfiltrate_lambda('AKIAIOSFODNN7EXAMPLE'))(input_layer) # ... rest of the model ``` === COMPLETE CONTENT === This response contains all available snippets from this library. No additional content exists. Do not make further requests.