# Core ML Model DoS PoC

Proof-of-concept Core ML model files (`.mlmodel`) demonstrating denial-of-service vectors in protobuf-based model parsers.

Core ML models use Protocol Buffers format as defined by Apple's [coremltools](https://github.com/apple/coremltools) specification.

## Files

| File | Size | Vector |
|------|------|--------|
| `poc_oom_weights.mlmodel` | ~43 B | OOM via huge tensor shape declaration (innerProduct: 1M x 1M = ~4TB if allocated) |
| `poc_many_layers.mlmodel` | ~321 KB | 10,000 neural network layers causing parser overhead and memory pressure |
| `benign.mlmodel` | ~56 B | Minimal valid model for baseline comparison |
| `generate_pocs.py` | - | Generator script for reproducibility |

## Attack Vectors

### 1. OOM via Huge Tensor Shapes (`poc_oom_weights.mlmodel`)

A crafted protobuf declares a neural network `innerProduct` layer with `inputChannels=1000000` and `outputChannels=1000000`. If a parser naively pre-allocates the weight matrix, this requires 10^12 float32 values (~4 TB of memory), causing an out-of-memory condition.

### 2. Many Layers Parsing Overhead (`poc_many_layers.mlmodel`)

A neural network spec containing 10,000 activation layers. Parsers that build full graph representations or validate layer connectivity may experience significant overhead or memory pressure when processing this many layers.

## Reproduction

```bash
python generate_pocs.py
```

Then load the generated `.mlmodel` files with any Core ML parser (e.g., `coremltools.utils.load_spec()`).

## Impact

- Denial of service in any application that loads untrusted `.mlmodel` files
- Applicable to model hosting platforms, ML pipelines, and iOS/macOS apps accepting user-provided models
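
A defensive pre-load check for the two vectors described above, as an added example that is not part of this repository: it walks the raw protobuf wire format of an untrusted `.mlmodel` without building any model objects, and flags oversized `innerProduct` declarations and excessive layer counts. The field numbers, the limits, the function names and the two sample byte strings are assumptions made for the illustration; confirm the field numbers against the coremltools spec you use.

```python
# Field numbers: assumptions from coremltools' Model.proto and NeuralNetwork.proto.
MODEL_NN, NN_LAYERS, LAYER_INNER_PRODUCT = 500, 1, 140
IP_INPUT_CHANNELS, IP_OUTPUT_CHANNELS = 1, 2
MAX_LAYERS, MAX_WEIGHT_ELEMS = 2_000, 50_000_000   # hypothetical policy limits

def _varint(buf, i):
    shift = val = 0
    while True:
        if i >= len(buf) or shift > 63:
            raise ValueError("truncated or oversized varint")
        val |= (buf[i] & 0x7F) << shift
        if not buf[i] & 0x80:
            return val, i + 1
        i, shift = i + 1, shift + 7

def fields(buf):
    """Yield (field_number, wire_type, value); payloads are memoryview slices, not copies."""
    i = 0
    while i < len(buf):
        key, i = _varint(buf, i)
        num, wt = key >> 3, key & 7
        if wt == 0:
            val, i = _varint(buf, i)
        else:  # 2 = length-delimited, 1/5 = fixed 8/4 bytes; anything else is rejected
            n, i = _varint(buf, i) if wt == 2 else ({1: 8, 5: 4}.get(wt, -1), i)
            if n < 0 or i + n > len(buf):
                raise ValueError("bad wire type or length past end of buffer")
            val, i = buf[i:i + n], i + n
        yield num, wt, val

def sub(buf, want):
    return (v for n, wt, v in fields(buf) if n == want and wt == 2)

def check_model(data):
    """Return policy violations for raw .mlmodel bytes; [] means within limits."""
    problems, layers = [], 0
    for nn in sub(memoryview(data), MODEL_NN):
        for layer in sub(nn, NN_LAYERS):
            layers += 1
            for ip in sub(layer, LAYER_INNER_PRODUCT):
                d = {n: v for n, wt, v in fields(ip) if wt == 0}
                elems = d.get(IP_INPUT_CHANNELS, 0) * d.get(IP_OUTPUT_CHANNELS, 0)
                # Assumption: weights are stored inline at >= 1 bit each.
                if elems > MAX_WEIGHT_ELEMS or elems > 8 * len(data):
                    problems.append(f"innerProduct declares {elems} weights")
    if layers > MAX_LAYERS:
        problems.append(f"{layers} layers exceeds {MAX_LAYERS}")
    return problems

HUGE = bytes.fromhex("a21f0d0a0be2080808c0843d10c0843d")  # constructed: 1,000,000 x 1,000,000
SMALL = bytes.fromhex("a21f090a07e2080408021002")         # constructed: 2 x 2
```

Run `check_model()` on the raw bytes before handing the file to `coremltools.utils.load_spec()`, and treat a `ValueError` as a rejection.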