We’re pleased to announce our partnership with JFrog, creators of the JFrog Software Supply Chain Platform, as part of our long-standing commitment to provide a safe and reliable platform for the ML community.
We have decided to add JFrog’s scanner to our platform to continue improving security on the Hugging Face Hub. JFrog’s scanner brings new functionality to scanning, aimed at reducing false positives on the Hub. Indeed, what we currently observe is that model weights can contain code that is executed upon deserialization and sometimes at inference time, depending on the format. This code is oftentimes a harmless convenience for the developer. As our picklescan scanner only performs pattern matching on module names, we cannot always confirm that a given function or module is being used maliciously.
JFrog goes a step deeper and can parse and analyze the code it finds in model weights to check for potentially malicious usage.
Interested in joining our security partnership or providing scanning information on the Hub? Please get in touch with us at security@huggingface.co.

Model security refresher
To share models, we serialize weights, configs and other data structures we use to interact with the models, in order to facilitate storage and transport. Some serialization formats are vulnerable to nasty exploits, such as arbitrary code execution (looking at you, pickle), making shared models that use those formats potentially dangerous.
As Hugging Face has become a popular platform for model sharing, we’d like to help protect the community from this, which is why we have developed tools like picklescan and why we’re integrating JFrog into our scanner suite.
Pickle isn’t the only exploitable format out there; see for reference how one can exploit Keras Lambda layers to achieve arbitrary code execution. The good news is that JFrog catches both of those exploits and more in additional file formats; see their Model Threats page for up-to-date scanner information.
Read all our documentation on security here: https://huggingface.co/docs/hub/security 🔥
Integration
There’s nothing you have to do to benefit from this! All public model repositories will be scanned by JFrog automatically as soon as you push your files to the Hub. Here is an example repository you can check out to see the feature in action: mcpotato/42-eicar-street.

`mcpotato/42-eicar-street`’s `danger.dat` scan results
Note that you might not see a scan on your model as of today, as we have millions of model repos. It may take us some time to catch up 😅.
In total, we have already scanned hundreds of millions of files, because we believe that empowering the community to share models in a safe and frictionless manner will lead to growth for the whole field.
