How to Make Hugging Face to Hug Worms: Discovering and Exploiting Unsafe Pickle.loads over Pre-Trained Large Model Hubs
Peng Zhou, Shanghai University

whoami
Peng Zhou (zpbrent), Associate Professor at Shanghai University
Bug hunter for Web/AI OSS: 30+ CVEs with high impacts
Research interests: Web/3 and AI security
Published at: IEEE TDSC/TIFS, ISOC NDSS, ACM ACSAC, etc.
Reach me out at:

Agenda
- Hugging Face Hub and pickle model
- Discovering unsafe pickle.loads
- Exploiting for reversed RCE
- Bypass pickle scanning
- Weaponizing with wormable payloads
- Demo & video & takeaway

Hugging Face Hub
Models, Datasets, Spaces, APIs
Machine Learning Libraries Integrated in Hugging Face Hub [1] (figure of integrated libraries; sb3 is among those shown)
Serialization Formats: Safetensors, MsgPack, Pickle, Avro, Capnproto, Protobuf
Our focus: Pickle
[1] https://huggingface.co/docs/hub/models-libraries

The Pickle [2]
Example [3]

Pickle string (passed to pickle.loads; the 5-character key after the first MARK was lost in extraction):
    \x80\x03q\x00X\x07\x00\x00\x00sym2idxq\x01ccollections\nOrderedDict\nq\x02)Rq\x03(X\x05\x00\x00\x00q\x04K\x00X\x03\x00\x00\x00theq\x05K\x01us.

Opcode & stack (pickletools.dis):
     0: \x80 PROTO      3
     2: }    EMPTY_DICT
     3: q    BINPUT     0
     5: X    BINUNICODE 'sym2idx'
    17: q    BINPUT     1
    19: c    GLOBAL     'collections OrderedDict'
    44: q    BINPUT     2
    46: )    EMPTY_TUPLE
    47: R    REDUCE
    48: q    BINPUT     3
    50: (    MARK
    51: X        BINUNICODE (5-character key lost in extraction)
    61: q        BINPUT     4
    63: K        BININT1    0
    65: X        BINUNICODE 'the'
    73: q        BINPUT     5
    75: K        BININT1    1
    77: u        SETITEMS   (MARK at 50)
    78: s    SETITEM
    79: .    STOP

Object: sym2idx: OrderedDict([(<key lost in extraction>, 0), ('the', 1)])

[2] https:/
[3] Marco Slaviero, Sour Pickles - A serialised exploitation guide in one part, BlackHat 2011.

The Vulnerable code [4]
Object with __reduce__(self)
Object with __setstate__
[4] https:/

The Vulnerable code [5]
[5] https:/
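As an added example (not from the slides or from the author), a defender-side check for the pattern the disassembly above shows: a static scan with pickletools.genops that lists the GLOBAL/STACK_GLOBAL imports and the call opcodes (REDUCE drives __reduce__, BUILD drives __setstate__), plus a pickle.Unpickler subclass whose find_class admits only an explicit allowlist. The allowlist, the two sample pickles and the _Reducer class are constructed for this example.

```python
import io
import pickle
import pickletools
from collections import OrderedDict

# Constructed allowlist: the only globals this loader's checkpoint format needs.
ALLOWED_GLOBALS = {("collections", "OrderedDict")}
# Opcodes that make the unpickler call something (REDUCE -> __reduce__, BUILD -> __setstate__).
CALL_OPCODES = {"REDUCE", "BUILD", "INST", "OBJ", "NEWOBJ", "NEWOBJ_EX"}

def scan_pickle(data: bytes) -> dict:
    """Static pass over the opcode stream: globals it imports and call opcodes it uses.
    Heuristic only (stack tricks can mislead it); RestrictedUnpickler below is the real gate."""
    strings, globals_seen, calls = [], [], []
    for op, arg, _pos in pickletools.genops(data):
        if "UNICODE" in op.name or "STRING" in op.name:
            strings.append(arg)  # STACK_GLOBAL takes module and name from the stack
        if op.name == "GLOBAL":
            globals_seen.append(tuple(arg.split(" ", 1)))
        elif op.name == "STACK_GLOBAL":
            globals_seen.append((strings[-2], strings[-1]))
        elif op.name in CALL_OPCODES:
            calls.append(op.name)
    unknown = [g for g in globals_seen if g not in ALLOWED_GLOBALS]
    return {"globals": globals_seen, "calls": calls, "unknown": unknown, "safe": not unknown}

class RestrictedUnpickler(pickle.Unpickler):
    """Every GLOBAL/STACK_GLOBAL resolves through find_class, so enforce the allowlist here."""
    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"forbidden global {module}.{name}")

def restricted_loads(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()

# Constructed sample shaped like the slide's dump: {"sym2idx": OrderedDict(...)} at protocol 3.
BENIGN = pickle.dumps({"sym2idx": OrderedDict([("a", 0), ("the", 1)])}, protocol=3)

class _Reducer:
    """Object with __reduce__ as on the 'vulnerable code' slides; it names only os.getcwd so
    the demonstration is harmless, but the opcode shape (GLOBAL ... REDUCE) is the same."""
    def __reduce__(self):
        import os
        return (os.getcwd, ())

MALICIOUS = pickle.dumps(_Reducer(), protocol=3)
```

Note that the benign checkpoint also contains a REDUCE (the OrderedDict constructor call seen at offset 47 above), so the decision rests on the allowlist of globals, not on the mere presence of call opcodes.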