Core ML trainingInput materialization DoS PoC
This repository contains a benign security research PoC for a .mlmodel
artifact that drives large protobuf materialization during Core ML spec loading.
Files:
control_same_size.mlmodelmalicious_traininginput_1000000.mlmodelreproduce.py
Observed behavior:
- control artifact:
- parses successfully with zero
trainingInputentries
- parses successfully with zero
- malicious artifact:
- same size as control
- parses successfully with
1,000,000trainingInputentries load_spec()peak RSS delta is about119904 kBMLModel(skip_model_load=True)peak RSS delta is about228988 kB
Public files:
https://huggingface.co/hacnho/coreml-traininginput-fanout-dos-poc/resolve/main/control_same_size.mlmodelhttps://huggingface.co/hacnho/coreml-traininginput-fanout-dos-poc/resolve/main/malicious_traininginput_1000000.mlmodelhttps://huggingface.co/hacnho/coreml-traininginput-fanout-dos-poc/resolve/main/reproduce.py
Reproduction:
python3 build_poc.py
python3 reproduce.py
- Downloads last month
- 20
Inference Providers NEW
This model isn't deployed by any Inference Provider. 🙋 Ask for provider support