khaimook's picture
Add ONNX Runtime model package overwrite PoC
027a20c verified
|
Raw
History Blame Contribute Delete
2.92 kB

ONNX Runtime model-package session option overwrite PoC

This PoC demonstrates that ONNX Runtime model-package metadata in variant.json can set session.optimized_model_filepath. When an application loads the package through the experimental model-package API and calls CreateSession(..., session_options = NULL, ...), ONNX Runtime merges the package-provided session options and writes the optimized model to the path chosen by the package metadata.

The proof writes only to a sentinel file inside a fresh temporary directory created by the reproducer. It does not access secrets, does not touch system paths, and does not write arbitrary shell-script bytes. The resulting file is ONNX/ORT optimized-model serialization derived from the attacker-controlled model package.

Tested Context

  • Validated with ONNX Runtime 1.28.0.dev20260618002
  • Requires API version 28
  • Requires headers for:
    • onnxruntime_c_api.h
    • onnxruntime_experimental_c_api.h
  • Requires an ONNX Runtime library exposing the experimental model-package API

Files

README.md
requirements.txt
reproduce_onnxruntime_model_package_overwrite.py
expected_output.txt
scripts/build_harness.sh
src/ort_model_package_overwrite_proof.cc

Reproduction

Install Python dependencies:

python3 -m pip install -r requirements.txt

Set the ONNX Runtime header and library locations. ORT_INCLUDE_DIR must point to the directory containing onnxruntime_c_api.h and onnxruntime_experimental_c_api.h.

export ORT_INCLUDE_DIR=/path/to/onnxruntime/include/onnxruntime/core/session
export ORT_LIB_DIR=/path/to/onnxruntime/lib

Run:

python3 reproduce_onnxruntime_model_package_overwrite.py

The script creates a fresh temporary model package, writes a sentinel file under that same temporary directory, builds the small C++ harness, calls the model-package API, and verifies that the sentinel file was replaced by optimized model serialization.

For a dry run that only generates and prints the package metadata:

python3 reproduce_onnxruntime_model_package_overwrite.py --dry-run

Expected Signal

Successful output includes:

header_ORT_API_VERSION=28
selected_variant=variant_1
create_session=success
sentinel_present_after=False
overwrite_verified=True

Impact Boundaries

The strongest honest impact is a local file overwrite primitive during model package loading/session creation. A malicious package can choose any path that the ONNX Runtime process is allowed to write. The content is structured optimized-model serialization, not arbitrary raw bytes.

This should not be described as direct code execution, arbitrary byte write, or general impact on every ONNX model loading path. The validated trigger is the experimental model-package API path where package metadata becomes session configuration when the caller passes session_options = NULL.