Enhancing Model Security for the ML Community

By Luc Georges and Sean Morgan

We’re pleased to announce our partnership with Protect AI, as part of our long-standing commitment to provide a secure and reliable platform for the ML community.

Protect AI is an organization founded with a mission to create a safer AI-powered world. They are developing powerful tools, namely Guardian, to ensure that the rapid pace of AI innovation can proceed without compromising security.

Our decision to partner with Protect AI stems from their community-driven approach to security, strong support of open source, and expertise in all things security x AI.

Interested in joining our security partnership or providing scanning information on the Hub? Please get in touch with us at security@huggingface.co.



Model security refresher

To share models, we serialize the weights, configs and other data structures we use to interact with the models, in order to facilitate storage and transport. Some serialization formats are vulnerable to nasty exploits, such as arbitrary code execution (looking at you, pickle), making shared models that use those formats potentially dangerous.

As Hugging Face has become a popular platform for model sharing, we’d like to help protect the community from this, which is why we have developed tools like picklescan and why we are integrating Guardian into our scanner suite.

Pickle isn’t the only exploitable format out there; see for reference how Keras Lambda layers can be exploited to achieve arbitrary code execution. The good news is that Guardian catches both of these exploits and more in other file formats. See their Knowledge Base for up-to-date scanner information.

Read all our documentation on security here: https://huggingface.co/docs/hub/security 🔥
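As a defensive illustration of the two approaches the refresher points at, the block below scans a pickle's opcode stream statically (the kind of check picklescan performs) and, separately, loads a pickle through an unpickler that refuses any global outside an allowlist. This is an added example written for this page, not picklescan's or Guardian's own code; the allowlist, the `SAMPLE_*` payloads and the helper names are assumptions constructed for it.

```python
import collections
import datetime
import io
import pickle
import pickletools

# Opcodes that can import a callable or invoke one while the stream is loaded.
RISKY_OPCODES = {"GLOBAL", "STACK_GLOBAL", "INST", "OBJ", "NEWOBJ", "NEWOBJ_EX",
                 "REDUCE", "BUILD"}
# Assumed allowlist for this example: the only module a checkpoint may import from.
SAFE_MODULES = {"collections"}

def scan_pickle(data: bytes) -> list[tuple[str, str]]:
    """Report opcodes that import or call code, without executing the stream."""
    findings, recent = [], []  # recent: last two strings, consumed by STACK_GLOBAL
    for opcode, arg, pos in pickletools.genops(data):
        if isinstance(arg, str):
            recent = (recent + [arg])[-2:]
        if opcode.name not in RISKY_OPCODES:
            continue
        if opcode.name == "GLOBAL":  # protocol <= 3 carries "module name" in the arg
            detail = arg.replace(" ", ".")
        elif opcode.name == "STACK_GLOBAL" and len(recent) == 2:
            detail = ".".join(recent)
        else:
            detail = f"at byte {pos}"
        findings.append((opcode.name, detail))
    return findings

class RestrictedUnpickler(pickle.Unpickler):
    """Resolve only allowlisted globals, so a REDUCE on anything else fails first."""
    def find_class(self, module, name):
        if module in SAFE_MODULES:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"blocked global {module}.{name}")

def safe_load(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()

def is_blocked(data: bytes) -> bool:
    # True when the restricted loader refuses the stream instead of loading it.
    try:
        safe_load(data)
        return False
    except pickle.UnpicklingError:
        return True

# Constructed samples: plain weights, an allowlisted container, and a class outside it.
SAMPLE_PLAIN = pickle.dumps({"w": [0.1, 0.2], "layers": 2})
SAMPLE_ALLOWED = pickle.dumps(collections.OrderedDict(a=1))
SAMPLE_BLOCKED = pickle.dumps(datetime.date(2024, 1, 1))
```

The static scan is the cheap first pass for a repository of untrusted files, while the restricted loader is the last line of defence once you have decided to load something at all.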



Integration

While integrating Guardian as a third-party scanner, we have used this as an opportunity to revamp our frontend to display scan results. Here’s what it now looks like:


As you can see here, an additional Pickle button is present when a pickle import scan occurred.

As you can see from the screenshot, there’s nothing you have to do to benefit from this! All public model repositories will be scanned by Guardian automatically as soon as you push your files to the Hub. Here is an example repository you can try to see the feature in action: mcpotato/42-eicar-street.

Note that you might not see a scan on your model as of today, as we have over 1 million model repos. It may take us a while to catch up 😅.

In total, we have already scanned hundreds of millions of files, because we believe that empowering the community to share models in a secure and frictionless manner will lead to growth for the whole field.


