# Core ML Model DoS PoC

Proof-of-concept Core ML model files (`.mlmodel`) demonstrating denial-of-service vectors in protobuf-based model parsers.

A `.mlmodel` file is a serialized Protocol Buffers `Model` message; the schema is published as part of Apple's [coremltools](https://github.com/apple/coremltools) repository. Both vectors below abuse the fact that a parser has to act on what the file declares (tensor shapes, layer counts) before it has any other evidence about the model.

## Files

| File | Size | Vector |
|------|------|--------|
| `poc_oom_weights.mlmodel` | ~43 B | OOM via huge tensor shape declaration (innerProduct: 1M x 1M = ~4TB if allocated) |
| `poc_many_layers.mlmodel` | ~321 KB | 10,000 neural network layers causing parser overhead and memory pressure |
| `benign.mlmodel` | ~56 B | Minimal valid model for baseline comparison |
| `generate_pocs.py` | - | Generator script for reproducibility |

## Attack Vectors

### 1. OOM via Huge Tensor Shapes (`poc_oom_weights.mlmodel`)

A crafted protobuf declares a neural network `innerProduct` layer with `inputChannels=1000000` and `outputChannels=1000000` but carries no weight data at all; the whole file is about 43 bytes. A parser that sizes the weight buffer from the declared shape, rather than from the weight payload actually present, tries to allocate 10^12 float32 values (~4 TB) and hits an out-of-memory condition. A parser that computes `inputChannels * outputChannels` in 32-bit arithmetic has the opposite problem: the product wraps and an undersized buffer is allocated instead.

### 2. Many Layers Parsing Overhead (`poc_many_layers.mlmodel`)

A neural network spec containing 10,000 activation layers, roughly 32 bytes each on the wire. Parsers that build a full graph representation, validate layer connectivity, or run per-layer passes do work that grows with the layer count (superlinearly if connectivity is checked pairwise), so a few hundred kilobytes of input can cost significant CPU time and memory.
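Both vectors are cheap to reject if the declared structure is checked against a budget, and against the weight payload that is actually present, before any buffer is sized from it. The following is an added example, not code from this repository or from coremltools: the `Layer` stand-in, the caps and the sample specs are all constructed here, and the `layers_from_coreml_spec` adapter relies on assumed attribute names from the `NeuralNetwork.proto` schema (`WhichOneof("layer")`, `innerProduct.inputChannels`, `weights.floatValue`).

```python
"""Pre-flight validation of a Core ML spec's *declared* structure.

Added example, not part of the PoC repository. It checks what a layer
declares (shapes, counts) against a budget and against the weight payload
actually present, before any parser buffer is sized from those declarations.
"""
from dataclasses import dataclass

FLOAT32_BYTES = 4


@dataclass
class Layer:
    """Constructed stand-in for one NeuralNetworkLayer message.

    Only the fields the checks need are modelled. With a real coremltools
    spec they would come from layer.WhichOneof("layer"),
    layer.innerProduct.inputChannels / .outputChannels and
    len(layer.innerProduct.weights.floatValue) (assumed attribute names).
    """
    name: str
    kind: str                    # "innerProduct", "activation", ...
    input_channels: int = 0
    output_channels: int = 0
    serialized_weights: int = 0  # float values actually present in the file


class UnsafeSpec(ValueError):
    """Raised when a spec must not be handed to the real parser."""


def declared_weight_bytes(layer: Layer) -> int:
    """Bytes a parser would allocate if it trusted the declared shape.

    Python integers do not wrap, so 10**6 * 10**6 is computed exactly. A C
    parser doing this product in 32-bit arithmetic would wrap to a small
    number and allocate an undersized buffer instead.
    """
    if layer.kind != "innerProduct":
        return 0
    return layer.input_channels * layer.output_channels * FLOAT32_BYTES


def check_spec(layers, *, max_layers=2_000, max_weight_bytes=512 * 2**20):
    """Reject a spec before anything is allocated from its declared shapes.

    Returns a summary on success, raises UnsafeSpec otherwise. The default
    caps are illustrative (assumed values) and should be tuned per deployment.
    """
    if len(layers) > max_layers:
        raise UnsafeSpec(f"{len(layers)} layers exceeds cap of {max_layers}")
    total = 0
    for layer in layers:
        total += declared_weight_bytes(layer)
        if total > max_weight_bytes:
            raise UnsafeSpec(f"{layer.name}: declared weights reach {total} "
                             f"bytes, cap is {max_weight_bytes}")
        if layer.kind == "innerProduct":
            expected = layer.input_channels * layer.output_channels
            if layer.serialized_weights != expected:
                raise UnsafeSpec(f"{layer.name}: declares {expected} weights "
                                 f"but the file carries {layer.serialized_weights}")
    return {"layers": len(layers), "weight_bytes": total}


def classify(layers) -> str:
    """Convenience wrapper: "ok" or "rejected: <reason>"."""
    try:
        check_spec(layers)
        return "ok"
    except UnsafeSpec as exc:
        return f"rejected: {exc}"


def layers_from_coreml_spec(spec):
    """Adapter for a spec returned by coremltools.utils.load_spec().

    Attribute names are assumptions from NeuralNetwork.proto; a neuralNetwork
    type model is assumed. Only float32 weights are counted, so fp16 or
    quantized layers need their own size rule before this is used in anger.
    """
    net = getattr(spec, spec.WhichOneof("Type"))
    out = []
    for layer in net.layers:
        kind = layer.WhichOneof("layer")
        if kind == "innerProduct":
            ip = layer.innerProduct
            out.append(Layer(layer.name, kind, ip.inputChannels,
                             ip.outputChannels, len(ip.weights.floatValue)))
        else:
            out.append(Layer(layer.name, kind))
    return out


# Constructed inputs mirroring the three files in the table above.
BENIGN = [Layer("fc", "innerProduct", 4, 2, serialized_weights=8)]
OOM_POC = [Layer("fc", "innerProduct", 1_000_000, 1_000_000, serialized_weights=0)]
MANY_LAYERS_POC = [Layer(f"act{i}", "activation") for i in range(10_000)]
# A variant the budget alone would miss: modest shape, but the weights are absent.
TRUNCATED = [Layer("fc", "innerProduct", 4, 2, serialized_weights=0)]

if __name__ == "__main__":
    for label, spec in [("benign", BENIGN), ("oom", OOM_POC),
                        ("many_layers", MANY_LAYERS_POC), ("truncated", TRUNCATED)]:
        print(f"{label:12s} {classify(spec)}")
```

The budget check fires first because it is computed from two integers and costs nothing; the payload comparison then catches the case the budget would pass, a small declared shape with no weights behind it, which is the same class of bug as the OOM PoC at a size that would not be noticed.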

## Reproduction

```bash
python generate_pocs.py
```

Then load the generated `.mlmodel` files with any Core ML parser (e.g., `coremltools.utils.load_spec()`). Do this in a throwaway process with a memory limit: the OOM PoC is designed to take down whatever loads it.
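One way to load the PoCs (or any untrusted model) without risking the host is to run the parser in a forked child with an address-space cap (`RLIMIT_AS`) and an alarm, so the child dies instead of the process that called it. The following is an added example, not part of this repository; it assumes a Unix host and uses constructed stand-in loaders where a real deployment would pass `lambda: coremltools.utils.load_spec(path)`.

```python
"""Load an untrusted model in a throwaway child with a hard address-space cap
and a wall-clock limit. Added example, not part of the PoC repository; it
assumes a Unix host (os.fork, resource, SIGALRM)."""
import os
import resource
import signal
import time


def load_in_sandbox(loader, *, max_bytes: int, timeout_s: int) -> str:
    """Run loader() in a forked child.

    Returns "ok", "oom", "error", "timeout" or "killed". Whatever the model
    does to the child, the parent only ever sees an exit status.
    """
    pid = os.fork()
    if pid == 0:  # child
        try:
            _, hard = resource.getrlimit(resource.RLIMIT_AS)
            cap = max_bytes if hard == resource.RLIM_INFINITY else min(max_bytes, hard)
            resource.setrlimit(resource.RLIMIT_AS, (cap, hard))
            # Make sure no inherited Python handler swallows the alarm: with the
            # default disposition SIGALRM terminates the child outright.
            signal.signal(signal.SIGALRM, signal.SIG_DFL)
            signal.alarm(timeout_s)
            loader()
            code = 0
        except MemoryError:
            code = 2
        except BaseException:
            code = 1
        os._exit(code)
    _, status = os.waitpid(pid, 0)
    if os.WIFSIGNALED(status):
        return "timeout" if os.WTERMSIG(status) == signal.SIGALRM else "killed"
    return {0: "ok", 2: "oom"}.get(os.WEXITSTATUS(status), "error")


# Constructed loaders standing in for a real parser.
def benign_loader():
    return None


def greedy_loader():
    # What a parser does when it trusts a huge declared tensor shape:
    # allocate (and zero) a buffer far above the cap. Size is assumed.
    buf = bytearray(2 * 2**30)
    return len(buf)


def slow_loader():
    # Stands in for a parser grinding through a very large layer graph.
    time.sleep(30)


def demo(cap=2**30):
    """Run the three loaders under a 1 GiB cap (assumed) and report outcomes."""
    return {
        "benign": load_in_sandbox(benign_loader, max_bytes=cap, timeout_s=5),
        "greedy": load_in_sandbox(greedy_loader, max_bytes=cap, timeout_s=5),
        "slow": load_in_sandbox(slow_loader, max_bytes=cap, timeout_s=1),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:7s} {outcome}")
```

`RLIMIT_AS` bounds virtual address space rather than resident memory, which is exactly what is needed here: the 4 TB allocation fails at `mmap` time before a single page is touched. The alarm covers the layer-count vector, where nothing is allocated that a memory cap would catch but the parser never finishes.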

## Impact

- Denial of service in any application that loads untrusted `.mlmodel` files
- Applicable to model hosting platforms, ML pipelines, and iOS/macOS apps accepting user-provided models