Third-party scanner: JFrog

JFrog’s security scanner detects malicious behavior in machine learning models.

Example of a report for danger.dat

We partnered with JFrog to provide scanning in order to make the Hub safer. Model files are scanned by the JFrog scanner and we expose the scanning results on the Hub interface.

JFrog’s scanner is built with the goal to reduce false positives. Indeed, what we currently observe is that code contained within model weights is not always malicious. When code is detected in a file, JFrog’s scanner will parse it and analyze to check for potential malicious usage.

Here is an example repository you can check out to see the feature in action: mcpotato/42-eicar-street.

Model security refresher

To share models, we serialize the data structures we use to interact with the models, in order to facilitate storage and transport. Some serialization formats are vulnerable to nasty exploits, such as arbitrary code execution (looking at you pickle), making sharing models potentially dangerous.

As Hugging Face has become a popular platform for model sharing, we’d like to protect the community from this, hence why we have developed tools like picklescan and why we integrate third party scanners.

Pickle is not the only exploitable format out there, see for reference how one can exploit Keras Lambda layers to achieve arbitrary code execution.

< > Update on GitHub