Core ML function input materialization DoS PoC

This repository contains a benign security research PoC: a .mlmodel artifact whose specification drives large protobuf materialization when Core ML loads the spec.

Files:

  • control_same_size.mlmodel
  • malicious_function_input_1000000.mlmodel
  • reproduce.py

Observed behavior:

  • control artifact:
    • parses successfully with one function and zero nested input entries
  • malicious artifact:
    • same size as control
    • parses successfully with one function and 1,000,000 nested input entries
    • load_spec() peak RSS delta is about 119072 kB
    • MLModel(skip_model_load=True) peak RSS delta is about 310288 kB

Public files:

  • https://huggingface.co/hacnho/coreml-function-input-fanout-dos-poc/resolve/main/control_same_size.mlmodel
  • https://huggingface.co/hacnho/coreml-function-input-fanout-dos-poc/resolve/main/malicious_function_input_1000000.mlmodel
  • https://huggingface.co/hacnho/coreml-function-input-fanout-dos-poc/resolve/main/reproduce.py

Reproduction:

  python3 build_poc.py
  python3 reproduce.py
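One defensive pre-check a loader could run before handing a .mlmodel to the full protobuf parser, added here as an example and not part of this repository's code: a streaming scan of the protobuf wire format that counts the entries under a repeated-field path without materializing any message objects, so a file with a huge nested fan-out can be rejected cheaply. The field-number path INPUT_PATH is a constructed placeholder (the real Model.proto field numbers are not on this page), and build_sample constructs its own input rather than reading the published artifacts.

```python
def _read_varint(buf, pos):  # decode one base-128 varint at pos -> (value, next_pos)
    result = shift = 0
    while pos < len(buf) and shift <= 63:
        b, pos = buf[pos], pos + 1
        result |= (b & 0x7F) << shift
        if not b & 0x80:
            return result, pos
        shift += 7
    raise ValueError("truncated or oversized varint")

def iter_fields(buf):
    """Yield (field_number, wire_type, raw_value) for one message level, copying nothing."""
    pos, end = 0, len(buf)
    while pos < end:
        key, pos = _read_varint(buf, pos)
        field, wtype = key >> 3, key & 7
        if wtype == 0:                                  # varint
            val, pos = _read_varint(buf, pos)
        elif wtype in (1, 2, 5):                        # fixed64, length-delimited, fixed32
            size, pos = (8, pos) if wtype == 1 else (4, pos) if wtype == 5 else _read_varint(buf, pos)
            val, pos = buf[pos:pos + size], pos + size  # memoryview slice, no copy
        else:                                           # deprecated group markers (3, 4): reject
            raise ValueError(f"unsupported wire type {wtype}")
        if pos > end:
            raise ValueError("field runs past end of buffer")
        yield field, wtype, val

def count_repeated(buf, path):
    """Count occurrences of path[-1] inside every submessage reached through path[:-1]."""
    if len(path) == 1:
        return sum(1 for f, _, _ in iter_fields(buf) if f == path[0])
    return sum(count_repeated(v, path[1:]) for f, w, v in iter_fields(buf) if f == path[0] and w == 2)

# Field-number path to the bounded repeated entries: a constructed placeholder, NOT taken from
# Core ML's Model.proto; substitute the real numbers before using this on .mlmodel files.
INPUT_PATH = (2, 21, 2)
MAX_ENTRIES = 10_000

def within_budget(buf, path=INPUT_PATH, limit=MAX_ENTRIES):
    """Return (ok, count); when ok is False the file should not reach the full parser."""
    count = count_repeated(memoryview(buf), path)
    return count <= limit, count

def _varint(n):  # base-128 encoder, used only to build the constructed sample below
    return bytes([(n & 0x7F) | 0x80]) + _varint(n >> 7) if n > 0x7F else bytes([n])

def build_sample(n_entries):  # constructed: field 2 -> field 21 (one function) -> n empty field-2 entries
    function = b"\x12\x00" * n_entries                          # tag (field 2, wire type 2), length 0
    model = b"\xaa\x01" + _varint(len(function)) + function     # tag for field 21 (0xaa 0x01), wire type 2
    return b"\x12" + _varint(len(model)) + model                # tag for field 2, wire type 2
```

The scan is linear in file size and allocates no per-entry objects, which is the property the full parser lacks when it materializes every nested input entry.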