khaimook's picture
Add ONNX Runtime model package overwrite PoC
027a20c verified
|
Raw
History Blame Contribute Delete
2.92 kB
# ONNX Runtime model-package session option overwrite PoC
This PoC demonstrates that ONNX Runtime model-package metadata in
`variant.json` can set `session.optimized_model_filepath`. When an application
loads the package through the experimental model-package API and calls
`CreateSession(..., session_options = NULL, ...)`, ONNX Runtime merges the
package-provided session options and writes the optimized model to the path
chosen by the package metadata.
The proof writes only to a sentinel file inside a fresh temporary directory
created by the reproducer. It does not access secrets, does not touch system
paths, and does not write arbitrary shell-script bytes. The resulting file is
ONNX/ORT optimized-model serialization derived from the attacker-controlled
model package.
## Tested Context
- Validated with ONNX Runtime `1.28.0.dev20260618002`
- Requires API version `28`
- Requires headers for:
- `onnxruntime_c_api.h`
- `onnxruntime_experimental_c_api.h`
- Requires an ONNX Runtime library exposing the experimental model-package API
## Files
```text
README.md
requirements.txt
reproduce_onnxruntime_model_package_overwrite.py
expected_output.txt
scripts/build_harness.sh
src/ort_model_package_overwrite_proof.cc
```
## Reproduction
Install Python dependencies:
```bash
python3 -m pip install -r requirements.txt
```
Set the ONNX Runtime header and library locations. `ORT_INCLUDE_DIR` must point
to the directory containing `onnxruntime_c_api.h` and
`onnxruntime_experimental_c_api.h`.
```bash
export ORT_INCLUDE_DIR=/path/to/onnxruntime/include/onnxruntime/core/session
export ORT_LIB_DIR=/path/to/onnxruntime/lib
```
Run:
```bash
python3 reproduce_onnxruntime_model_package_overwrite.py
```
The script creates a fresh temporary model package, writes a sentinel file under
that same temporary directory, builds the small C++ harness, calls the
model-package API, and verifies that the sentinel file was replaced by
optimized model serialization.
For a dry run that only generates and prints the package metadata:
```bash
python3 reproduce_onnxruntime_model_package_overwrite.py --dry-run
```
## Expected Signal
Successful output includes:
```text
header_ORT_API_VERSION=28
selected_variant=variant_1
create_session=success
sentinel_present_after=False
overwrite_verified=True
```
## Impact Boundaries
The strongest honest impact is a local file overwrite primitive during model
package loading/session creation. A malicious package can choose any path that
the ONNX Runtime process is allowed to write. The content is structured
optimized-model serialization, not arbitrary raw bytes.
This should not be described as direct code execution, arbitrary byte write, or
general impact on every ONNX model loading path. The validated trigger is the
experimental model-package API path where package metadata becomes session
configuration when the caller passes `session_options = NULL`.