![\"\"](\"https:\/\/checkmarx.com\/wp-content\/uploads\/2024\/11\/image-7.png\")
<\/figure>\n<\/div>\n\n\nChampioning logo design Don\u2019ts (sorry not sorry opinions my own)<\/em> <\/p>\n\n\n\n This is Part 1 of a four-part serie<\/em>s: Part 2<\/a> ; Part 3<\/a> ; Part 4<\/a><\/em><\/p>\n\n\n\n Beyond hosting models and associated code, Hugging Face is a also maintainer of multiple libraries for interfacing with all this goodness \u2013 libraries for uploading, downloading and executing models to the Hugging Face platform. From a security standpoint \u2013 this offers a HUGE attack surface to spread malicious content through. On that vast attack surface a lot has already been said and many things have been tested in the Hugging Face ecosystem, but many legacy vulnerabilities persist, and bad security practices still reign supreme in code and documentation; these can bring an organization to its knees (while being practiced by major vendors!) and known issues are shrugged off because \u201cthat\u2019s just the way it is\u201d – while new solutions suffer from their own set of problems.. <\/p>\n\n\n\n The crux of all potentially dangerous behavior around marketplaces and repositories is trust<\/strong> – trusting the content\u2019s host, trusting the content\u2019s maintainer and trusting that no one is going to pwn either. This is also why environments that allow obscuring malicious code or ways to execute it are often more precarious for defenders. <\/p>\n\n\n\n While downloading things from Hugging Face is trivial, actually using<\/em> them is finnicky \u2013 in that there is no one global definitive way to do so and trying to do it any other way than the one recommended by the vendor will likely end in failure. Figuring out how to use a model always boils down to RTFM \u2013 the ReadMe. <\/p>\n\n\n\n But can ReadMe files be trusted? Like all code, there are good and bad practices – even major vendors fall for that. For example, Apple actively uses dangerous flags when instructing users on loading their models: <\/p>\n\n\n trust_remote_code sounds like a very reasonable flag to set to True<\/em> <\/p>\n\n\n\n There are many<\/em> ways to dangerously introduce code into the process, simply because users are bound to trust what the ReadMe presents to them. They can load malicious code, load malicious models in a manner that is both dangerous and very obscure. <\/p>\n\n\n\n Let\u2019s start by examining the above configurations in its natural habitat.<\/p>\n\n\n\n Transformers<\/a> is one of the many tools Hugging Face provides users with, and its purpose is to normalize the process of loading models, tokenizers and more with the likes of AutoModel and AutoTokenizer<\/a>. It wraps around many of the aforementioned technologies and mostly does a good job only utilizing secure calls and flags. <\/p>\n\n\n\n However<\/strong> \u2013 all of that security goes out the window once code execution for custom models that load as Python code behind a flag, \u201ctrust_remote_code=True\u201d, which allows loading classes for models and tokenizers which require additional code and a custom implementation to run. <\/p>\n\n\n\n While it sounds like a terrible practice that should be rarely used, this flag is commonly set to True. Apple was already mentioned, so here\u2019s a Microsoft example: <\/p>\n\n\n why wouldn’t you trust remote code from Microsoft? What are they going to do, force install Window 11 on y- uh oh it\u2019s installing Windows 11<\/em> <\/p>\n\n\n\n Using these configurations with an unsecure model could lead to unfortunate results. <\/p>\n\n\n Code loads dangerous config <\/em>\u00e0<\/em> config loads code module <\/em>\u00e0<\/em> code loads OS command<\/em> <\/p>\n\n\n\n This works for auto-models and auto-tokenizers, and in transformer pipelines: <\/p>\n\n\n in this case the model is valid, but the tokenizer is evil. Even easier to hide behind!<\/em> <\/p>\n\n\n\n Essentially this paves the way to malicious configurations \u2013 ones that seem secure but aren\u2019t. There are plenty of ways to hide a True flag looking like a False flag in plain sight: <\/p>\n\n\n\n This flag is set as trust_remote_code=False\u2026\u2026\u2026\u2026\u2026\u2026\u2026\u2026\u2026\u2026\u2026\u2026\u2026\u2026\u2026\u2026\u2026\u2026\u2026\u2026\u2026\u2026\u2026\u2026\u2026\u2026\u2026\u2026\u2026\u2026.\u2026\u2026\u2026\u2026.n’t<\/em> <\/p>\n\n\n\n While these are general parlor tricks to hide True statements that are absolutely not<\/em><\/strong> exclusive to any of the code we\u2019ve discussed – hiding a dangerous flag in plain sight is still rather simple. However, the terrible practice by major vendors to have this flag be popular and expected means such trickery might not even be required \u2013 it can just be set to True. <\/p>\n\n\n\n Of course, this entire thing can be hosted on Hugging Face \u2013 models are uploaded to repos in profiles. Providing the name of the profile and repo will automatically download and unpack the model, only to load arbitrary code. <\/p>\n\n\n\n import transformers <\/p>\n\n\n\n yit = transformers.AutoTokenizer.from_pretrained(“dortucx\/unkindtokenizer”, trust_remote_code=True) \u202f <\/p>\n\n\n\n print(yit) <\/p>\n\n\n\n Go on, try it. You know you want to. What\u2019s the worst that can happen? Probably nothing. Right? Nothing whatsoever.<\/em> <\/p>\n\n\n\n Copy-pasting from ReadMes isn\u2019t just<\/em> dangerous because they contain configurations in their code, though \u2013 ReadMes contain actual code snippets (or whole scripts) to download and run models. <\/p>\n\n\n\n We will discuss many examples of malicious model loading code in subsequent write-ups but to illustrate the point let\u2019s examine the huggingface_hub library, a Hugging Face client. The hub has various methods for loading models automatically from the online hub, such as \u201chuggingface_hub.from_pretrained_keras\u201d. Google uses it in some of its models: <\/p>\n\n\n And if it\u2019s good enough for Google, it\u2019s good enough for everybody!<\/em> <\/p>\n\n\n\n But this exact method also supports dangerous legacy protocols that can execute arbitrary code. For example, here\u2019s a model that is loaded using the exact same method using the huggingface_hub client and running a whoami command: <\/p>\n\n\n A TensorFlow model executing a “whoami” command, as one expects!<\/em> <\/p>\n\n\n\n The Hugging Face ecosystem, like all marketplaces and open-source providers, suffers from issues of trust, and like many of its peers \u2013 has a variety of blindspots, weaknesses and practices the empower attackers to easily obscure malicious activity. <\/p>\n\n\n\n There are plenty of things to be aware of \u2013 for example if you see the trust_remote_code flag being set to True \u2013 tread carefully. Validate the code referenced by the auto configuration. <\/p>\n\n\n\n Another always-true recommendation is to simply avoid untrusted vendors and models. A model configured incorrectly from a trusted model is only trustworthy until that vendor\u2019s account is compromised, but any model from any untrusted vendor is always highly suspect. <\/p>\n\n\n\n As a broader but more thorough methodology, however, a user who wants to securely rely on Hugging Face as a provider should be aware of many things – hidden evals, unsafe model loading frameworks, hidden importers, fishy configuration and many, many more. It\u2019s why one should read the rest of these write-ups on the matter. <\/p>\n\n\n\nHugging Face Toolbox and Its Risks <\/h2>\n\n\n\n
ReadMe.md? More Like \u201cTrustMe.md\u201d <\/h3>\n\n\n\n
![\"\"](\"https:\/\/checkmarx.com\/wp-content\/uploads\/2024\/11\/image-4.png\")
<\/figure>\n<\/div>\n\n\nConfiguration-Based Code Execution Vectors <\/h2>\n\n\n\n
![\"\"](\"https:\/\/checkmarx.com\/wp-content\/uploads\/2024\/11\/image.png\")
<\/figure>\n<\/div>\n\n\n![\"\"](\"https:\/\/checkmarx.com\/wp-content\/uploads\/2024\/11\/image-6-1024x362.png\")
<\/figure>\n<\/div>\n\n\n\n
\n
\n
![\"\"](\"https:\/\/checkmarx.com\/wp-content\/uploads\/2024\/11\/image-3.png\")
<\/figure>\n<\/div>\n\n\n\n
\n
\n
\n
![\"\"](\"https:\/\/checkmarx.com\/wp-content\/uploads\/2024\/11\/image-1-1024x111.png\")
<\/figure>\n<\/div>\n\n\nDangerous Coding Practices in ReadMes <\/h2>\n\n\n\n
![\"\"](\"https:\/\/checkmarx.com\/wp-content\/uploads\/2024\/11\/image-5.png\")
<\/figure>\n<\/div>\n\n\n![\"\"](\"https:\/\/checkmarx.com\/wp-content\/uploads\/2024\/11\/image-2.png\")
<\/figure>\n<\/div>\n\n\nConclusions <\/h2>\n\n\n\n
On The Next Episode\u2026 <\/strong><\/h3>\n\n\n\n