# Core ML Model DoS PoC

Proof-of-concept Core ML model files (`.mlmodel`) demonstrating denial-of-service vectors in protobuf-based model parsers.

Core ML models are serialized in the Protocol Buffers format defined by Apple's [coremltools](https://github.com/apple/coremltools) specification.
|
|
## Files

| File | Size | Vector |
|------|------|--------|
| `poc_oom_weights.mlmodel` | ~43 B | OOM via huge tensor shape declaration (`innerProduct`: 1M x 1M = ~4 TB if allocated) |
| `poc_many_layers.mlmodel` | ~321 KB | 10,000 neural network layers causing parser overhead and memory pressure |
| `benign.mlmodel` | ~56 B | Minimal valid model for baseline comparison |
| `generate_pocs.py` | - | Generator script for reproducibility |
|
|
## Attack Vectors

### 1. OOM via Huge Tensor Shapes (`poc_oom_weights.mlmodel`)

A crafted protobuf declares a neural network `innerProduct` layer with `inputChannels=1000000` and `outputChannels=1000000`. A parser that naively pre-allocates the weight matrix from the declared shape needs 10^12 float32 values (~4 TB of memory), far more than the ~43 B file actually carries, and runs into an out-of-memory condition.

### 2. Many Layers Parsing Overhead (`poc_many_layers.mlmodel`)

A neural network spec containing 10,000 activation layers. Parsers that build a full graph representation or validate layer connectivity can incur significant CPU and memory overhead when processing this many layers.
|
|
## Reproduction

```bash
python generate_pocs.py
```

Then load the generated `.mlmodel` files with any Core ML parser (e.g., `coremltools.utils.load_spec()`).
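Decoding the protobuf itself is cheap for both files; the damage happens when a consumer allocates or builds a graph from the decoded spec. The following budget check sits between those two steps and rejects both vectors above: a declared `innerProduct` shape whose weight matrix exceeds a size budget (or that the file does not actually carry), and a layer count beyond a cap. It is an added example, not code from this repository or from coremltools; the budgets, `LayerInfo`, and the coremltools protobuf attribute names used in `layers_from_spec` are assumptions.

```python
"""Pre-load budget check for untrusted .mlmodel files (added example, not repo or coremltools code)."""
from dataclasses import dataclass
from typing import Iterable, List, Optional
FLOAT32_BYTES = 4
MAX_WEIGHT_BYTES = 1024 ** 3   # assumed cap: 1 GiB for any single dense weight matrix
MAX_LAYERS = 2_000             # assumed cap: more layers than any model we expect to load
NN_TYPES = ("neuralNetwork", "neuralNetworkClassifier", "neuralNetworkRegressor")

@dataclass
class LayerInfo:
    name: str
    kind: str                            # layer oneof name, e.g. "innerProduct", "activation"
    input_channels: int = 0              # innerProduct only
    output_channels: int = 0
    provided_weights: Optional[int] = 0  # weight values actually present in the file; None = unknown

def declared_weight_bytes(layer: LayerInfo, dtype_bytes: int = FLOAT32_BYTES) -> int:
    """Bytes a naive parser would allocate from the declared shape alone."""
    return layer.input_channels * layer.output_channels * dtype_bytes if layer.kind == "innerProduct" else 0

def audit_layers(layers: Iterable[LayerInfo], max_weight_bytes: int = MAX_WEIGHT_BYTES,
                 max_layers: int = MAX_LAYERS) -> List[str]:
    """Return reasons to reject the model; an empty list means it fits the budget."""
    layers, problems = list(layers), []
    if len(layers) > max_layers:                  # vector 2: layer flood
        problems.append(f"{len(layers)} layers exceeds cap of {max_layers}")
    for layer in layers:
        need = declared_weight_bytes(layer)       # vector 1: declared shape vs. budget
        if need > max_weight_bytes:
            problems.append(f"{layer.name}: declared weights need {need} B, cap is {max_weight_bytes} B")
        declared = layer.input_channels * layer.output_channels
        if layer.kind == "innerProduct" and layer.provided_weights not in (None, declared):
            problems.append(f"{layer.name}: declares {declared} weights, file carries {layer.provided_weights}")
    return problems

def layers_from_spec(spec) -> Iterable[LayerInfo]:
    """Adapter for a coremltools Model spec; attribute names follow the coremltools protobuf."""
    model_type = spec.WhichOneof("Type")
    if model_type not in NN_TYPES:
        return                                    # these vectors only concern neural network specs
    for layer in getattr(spec, model_type).layers:
        kind = layer.WhichOneof("layer") or "unset"
        info = LayerInfo(layer.name, kind)
        if kind == "innerProduct":
            p = layer.innerProduct
            info.input_channels, info.output_channels = p.inputChannels, p.outputChannels
            # quantized rawValue has no fixed element size, so its count is unknown
            info.provided_weights = None if p.weights.rawValue else len(p.weights.floatValue) + len(p.weights.float16Value) // 2
        yield info
```

Run `audit_layers(layers_from_spec(spec))` on the spec returned by `load_spec()` and refuse to go further if the list is non-empty; tune the caps to the largest model the deployment legitimately serves.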
|
|
## Impact

- Denial of service in any application that loads untrusted `.mlmodel` files
- Applicable to model hosting platforms, ML pipelines, and iOS/macOS apps accepting user-provided models
|
|