| # ONNX Runtime model-package session option overwrite PoC |
|
|
| This PoC demonstrates that ONNX Runtime model-package metadata in |
| `variant.json` can set `session.optimized_model_filepath`. When an application |
| loads the package through the experimental model-package API and calls |
| `CreateSession(..., session_options = NULL, ...)`, ONNX Runtime merges the |
| package-provided session options and writes the optimized model to the path |
| chosen by the package metadata. |
|
|
| The proof writes only to a sentinel file inside a fresh temporary directory |
| created by the reproducer. It does not access secrets, does not touch system |
| paths, and does not write arbitrary shell-script bytes. The resulting file is |
| ONNX/ORT optimized-model serialization derived from the attacker-controlled |
| model package. |
|
|
| ## Tested Context |
|
|
| - Validated with ONNX Runtime `1.28.0.dev20260618002` |
| - Requires API version `28` |
| - Requires headers for: |
| - `onnxruntime_c_api.h` |
| - `onnxruntime_experimental_c_api.h` |
| - Requires an ONNX Runtime library exposing the experimental model-package API |
|
|
| ## Files |
|
|
| ```text |
| README.md |
| requirements.txt |
| reproduce_onnxruntime_model_package_overwrite.py |
| expected_output.txt |
| scripts/build_harness.sh |
| src/ort_model_package_overwrite_proof.cc |
| ``` |
|
|
| ## Reproduction |
|
|
| Install Python dependencies: |
|
|
| ```bash |
| python3 -m pip install -r requirements.txt |
| ``` |
|
|
| Set the ONNX Runtime header and library locations. `ORT_INCLUDE_DIR` must point |
| to the directory containing `onnxruntime_c_api.h` and |
| `onnxruntime_experimental_c_api.h`. |
|
|
| ```bash |
| export ORT_INCLUDE_DIR=/path/to/onnxruntime/include/onnxruntime/core/session |
| export ORT_LIB_DIR=/path/to/onnxruntime/lib |
| ``` |
|
|
| Run: |
|
|
| ```bash |
| python3 reproduce_onnxruntime_model_package_overwrite.py |
| ``` |
|
|
| The script creates a fresh temporary model package, writes a sentinel file under |
| that same temporary directory, builds the small C++ harness, calls the |
| model-package API, and verifies that the sentinel file was replaced by |
| optimized model serialization. |
|
|
| For a dry run that only generates and prints the package metadata: |
|
|
| ```bash |
| python3 reproduce_onnxruntime_model_package_overwrite.py --dry-run |
| ``` |
|
|
| ## Expected Signal |
|
|
| Successful output includes: |
|
|
| ```text |
| header_ORT_API_VERSION=28 |
| selected_variant=variant_1 |
| create_session=success |
| sentinel_present_after=False |
| overwrite_verified=True |
| ``` |
|
|
| ## Impact Boundaries |
|
|
| The strongest honest impact is a local file overwrite primitive during model |
| package loading/session creation. A malicious package can choose any path that |
| the ONNX Runtime process is allowed to write. The content is structured |
| optimized-model serialization, not arbitrary raw bytes. |
|
|
| This should not be described as direct code execution, arbitrary byte write, or |
| general impact on every ONNX model loading path. The validated trigger is the |
| experimental model-package API path where package metadata becomes session |
| configuration when the caller passes `session_options = NULL`. |
|
|