From 9bda467a2c72b1895f8ec73a035b443b432cff28 Mon Sep 17 00:00:00 2001 From: Luc Georges Date: Mon, 21 Oct 2024 17:38:20 +0200 Subject: [PATCH 1/7] feat: add third party scanners page --- docs/hub/security.md | 1 + docs/hub/third-party-scanners.md | 25 +++++++++++++++++++++++++ 2 files changed, 26 insertions(+) create mode 100644 docs/hub/third-party-scanners.md diff --git a/docs/hub/security.md b/docs/hub/security.md index a90e94a3c..d02f8fcc2 100644 --- a/docs/hub/security.md +++ b/docs/hub/security.md @@ -20,4 +20,5 @@ For any other security questions, please feel free to send us an email at securi - [Malware Scanning](./security-malware) - [Pickle Scanning](./security-pickle) - [Secrets Scanning](./security-secrets) +- [3rd party scanners](./third-party-scanners) - [Resource Groups](./security-resource-groups) diff --git a/docs/hub/third-party-scanners.md b/docs/hub/third-party-scanners.md new file mode 100644 index 000000000..7888943e7 --- /dev/null +++ b/docs/hub/third-party-scanners.md 
@@ -0,0 +1,25 @@ +# 3rd Party scanners + +*Interested in joining our security partnership / providing scanning information on the Hub? Please get in touch with us over at security@huggingface.co.* + +We partner with 3rd party scanning providers in order to make the Hub safer. The same way files are scanned by our internal scanning system, public repositories' files are scanned by the 3rd party scanners we integrate. + +Our frontend has been redesigned specifically for this purpose, in order to accomodate for new scanners: + + + +Here is an example repository you can check out to see the feature in action: [mcpotato/42-eicar-street](https://huggingface.co/mcpotato/42-eicar-street). + +## Model security refresher + +To share models, we serialize the data structures we use to interact with the models, in order to facilitate storage and transport. Some serialization formats are vulnerable to nasty exploits, such as arbitrary code execution (looking at you pickle), making sharing models potentially dangerous. + +As Hugging Face has become the de facto platform for model sharing, we’d like to protect the community from this, hence why we have developed tools like [picklescan](https://github.com/mmaitre314/picklescan) and why we integrate 3rd party scanners. + +Pickle is not the only exploitable format out there, [see for reference](https://github.com/Azure/counterfit/wiki/Abusing-ML-model-file-formats-to-create-malware-on-AI-systems:-A-proof-of-concept) how one can exploit Keras Lambda layers to achieve arbitrary code execution. + +## Protect AI's Guardian + +[Protect AI](https://protectai.com/)'s [Guardian](https://protectai.com/guardian) catches both pickle and Keras exploits. Guardian also benefits from reports sent in by their community of bounty [Huntr](https://huntr.com/)s. + + From 430e352953bb3cec1cd00c02efeaacbe4af92723 Mon Sep 17 00:00:00 2001 
From: Luc Georges Date: Mon, 21 Oct 2024 18:46:31 +0200 Subject: [PATCH 2/7] fix: @julien-c PR comments --- ...party-scanners.md => security-third-party-scanners.md} | 8 +++++--- docs/hub/security.md | 2 +- 2 files changed, 6 insertions(+), 4 deletions(-) rename docs/hub/{third-party-scanners.md => security-third-party-scanners.md} (86%) diff --git a/docs/hub/third-party-scanners.md b/docs/hub/security-third-party-scanners.md similarity index 86% rename from docs/hub/third-party-scanners.md rename to docs/hub/security-third-party-scanners.md index 7888943e7..12d5faedb 100644 --- a/docs/hub/third-party-scanners.md +++ b/docs/hub/security-third-party-scanners.md @@ -1,12 +1,14 @@ -# 3rd Party scanners +# Third-party scanners -*Interested in joining our security partnership / providing scanning information on the Hub? Please get in touch with us over at security@huggingface.co.* + +Interested in joining our security partnership / providing scanning information on the Hub? Please get in touch with us over at security@huggingface.co.* + We partner with 3rd party scanning providers in order to make the Hub safer. The same way files are scanned by our internal scanning system, public repositories' files are scanned by the 3rd party scanners we integrate. Our frontend has been redesigned specifically for this purpose, in order to accomodate for new scanners: - + Here is an example repository you can check out to see the feature in action: [mcpotato/42-eicar-street](https://huggingface.co/mcpotato/42-eicar-street). diff --git a/docs/hub/security.md b/docs/hub/security.md index d02f8fcc2..ed09f5323 100644 --- a/docs/hub/security.md +++ b/docs/hub/security.md 
@@ -20,5 +20,5 @@ For any other security questions, please feel free to send us an email at securi - [Malware Scanning](./security-malware) - [Pickle Scanning](./security-pickle) - [Secrets Scanning](./security-secrets) -- [3rd party scanners](./third-party-scanners) +- [3rd party scanners](./security-third-party-scanners) - [Resource Groups](./security-resource-groups) From fc5ccbcdbf8115b86fa951f22a2240bb70208e0b Mon Sep 17 00:00:00 2001 From: Luc Georges Date: Mon, 21 Oct 2024 19:15:20 +0200 Subject: [PATCH 3/7] refactor: PR comments --- ...=> security-third-party-scanner-protect-ai.md} | 15 +++++++-------- docs/hub/security.md | 2 +- 2 files changed, 8 insertions(+), 9 deletions(-) rename docs/hub/{security-third-party-scanners.md => security-third-party-scanner-protect-ai.md} (73%) diff --git a/docs/hub/security-third-party-scanners.md b/docs/hub/security-third-party-scanner-protect-ai.md similarity index 73% rename from docs/hub/security-third-party-scanners.md rename to docs/hub/security-third-party-scanner-protect-ai.md index 12d5faedb..d5df6759e 100644 --- a/docs/hub/security-third-party-scanners.md +++ b/docs/hub/security-third-party-scanner-protect-ai.md 
@@ -1,10 +1,14 @@ -# Third-party scanners +# Third-party scanner: Protect AI Interested in joining our security partnership / providing scanning information on the Hub? Please get in touch with us over at security@huggingface.co.* -We partner with 3rd party scanning providers in order to make the Hub safer. The same way files are scanned by our internal scanning system, public repositories' files are scanned by the 3rd party scanners we integrate. +[Protect AI](https://protectai.com/)'s [Guardian](https://protectai.com/guardian) catches both pickle and Keras exploits. Guardian also benefits from reports sent in by their community of bounty [Huntr](https://huntr.com/)s. + + + +We partnered with Protect AI to provide scanning in order to make the Hub safer. The same way files are scanned by our internal scanning system, public repositories' files are scanned by Guardian. Our frontend has been redesigned specifically for this purpose, in order to accomodate for new scanners: 
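Review bot: two defects survive in this hunk's context lines and should be fixed while the file is being reshaped. The line "Interested in joining our security partnership ... security@huggingface.co.*" ends with an emphasis marker that has no opening partner (PATCH 2/7 dropped the leading `*` when it split the line), so markdown renders a literal asterisk; either restore the leading `*` or drop the trailing one. The trailing context line "in order to accomodate for new scanners:" misspells "accommodate".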
@@ -16,12 +20,7 @@ Here is an example repository you can check out to see the feature in action: [m To share models, we serialize the data structures we use to interact with the models, in order to facilitate storage and transport. Some serialization formats are vulnerable to nasty exploits, such as arbitrary code execution (looking at you pickle), making sharing models potentially dangerous. -As Hugging Face has become the de facto platform for model sharing, we’d like to protect the community from this, hence why we have developed tools like [picklescan](https://github.com/mmaitre314/picklescan) and why we integrate 3rd party scanners. +As Hugging Face has become a popular platform for model sharing, we’d like to protect the community from this, hence why we have developed tools like [picklescan](https://github.com/mmaitre314/picklescan) and why we integrate third party scanners. Pickle is not the only exploitable format out there, [see for reference](https://github.com/Azure/counterfit/wiki/Abusing-ML-model-file-formats-to-create-malware-on-AI-systems:-A-proof-of-concept) how one can exploit Keras Lambda layers to achieve arbitrary code execution. -## Protect AI's Guardian - -[Protect AI](https://protectai.com/)'s [Guardian](https://protectai.com/guardian) catches both pickle and Keras exploits. Guardian also benefits from reports sent in by their community of bounty [Huntr](https://huntr.com/)s. - - diff --git a/docs/hub/security.md b/docs/hub/security.md index ed09f5323..efe5dbfe8 100644 --- a/docs/hub/security.md +++ b/docs/hub/security.md @@ -20,5 +20,5 @@ For any other security questions, please feel free to send us an email at securi - [Malware Scanning](./security-malware) - [Pickle Scanning](./security-pickle) - [Secrets Scanning](./security-secrets) -- [3rd party scanners](./security-third-party-scanners) +- [Third-party scanner: Protect AI](./security-third-party-scanner-protect-ai) - [Resource Groups](./security-resource-groups) 
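Review bot: the added line "why we integrate third party scanners" leaves the term unhyphenated while the new page title in this same patch is "Third-party scanner: Protect AI" and the security.md entry is "Third-party scanner: Protect AI"; use "third-party scanners" throughout so the page and the sidebar agree.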
From a645f99f2a530be1dafc6a361af5ad1af8520e28 Mon Sep 17 00:00:00 2001 From: Julien Chaumond Date: Tue, 22 Oct 2024 12:06:35 +0200 Subject: [PATCH 4/7] Update docs/hub/security-third-party-scanner-protect-ai.md Co-authored-by: Sean Morgan --- docs/hub/security-third-party-scanner-protect-ai.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/hub/security-third-party-scanner-protect-ai.md b/docs/hub/security-third-party-scanner-protect-ai.md index d5df6759e..057fa7cf0 100644 --- a/docs/hub/security-third-party-scanner-protect-ai.md +++ b/docs/hub/security-third-party-scanner-protect-ai.md @@ -4,7 +4,7 @@ Interested in joining our security partnership / providing scanning information on the Hub? Please get in touch with us over at security@huggingface.co.* -[Protect AI](https://protectai.com/)'s [Guardian](https://protectai.com/guardian) catches both pickle and Keras exploits. Guardian also benefits from reports sent in by their community of bounty [Huntr](https://huntr.com/)s. +[Protect AI](https://protectai.com/)'s [Guardian](https://protectai.com/guardian) catches pickle, Keras, and other exploits as detailed on their [Knowledge Base page](https://protectai.com/insights/knowledge-base/). Guardian also benefits from reports sent in by their community of bounty [Huntr](https://huntr.com/)s. From 010d228bde5cbb649e740eb282486cf474847700 Mon Sep 17 00:00:00 2001 From: Julien Chaumond Date: Tue, 22 Oct 2024 12:09:46 +0200 Subject: [PATCH 5/7] make url consistent with blog --- ...-third-party-scanner-protect-ai.md => security-protectai.md} | 0 docs/hub/security.md | 2 +- 2 files changed, 1 insertion(+), 1 deletion(-) rename docs/hub/{security-third-party-scanner-protect-ai.md => security-protectai.md} (100%) diff --git a/docs/hub/security-third-party-scanner-protect-ai.md b/docs/hub/security-protectai.md similarity index 100% rename from docs/hub/security-third-party-scanner-protect-ai.md rename to docs/hub/security-protectai.md 
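Review bot: the added line still reads "their community of bounty [Huntr](https://huntr.com/)s", which puts the plural "s" outside the link and reads as a typo in the rendered page; rephrase to something like "reports sent in by the [Huntr](https://huntr.com/) bug bounty community". The rest of the change is an improvement, since pointing to the Knowledge Base page avoids hard-coding a list of formats that will drift as Guardian adds detections.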
diff --git a/docs/hub/security.md b/docs/hub/security.md index efe5dbfe8..a4190a6eb 100644 --- a/docs/hub/security.md +++ b/docs/hub/security.md @@ -20,5 +20,5 @@ For any other security questions, please feel free to send us an email at securi - [Malware Scanning](./security-malware) - [Pickle Scanning](./security-pickle) - [Secrets Scanning](./security-secrets) -- [Third-party scanner: Protect AI](./security-third-party-scanner-protect-ai) +- [Third-party scanner: Protect AI](./security-protectai) - [Resource Groups](./security-resource-groups) From 3fd6ef32b8af37157f06cd76c183fc8585b6776d Mon Sep 17 00:00:00 2001 From: Luc Georges Date: Tue, 22 Oct 2024 13:27:15 +0200 Subject: [PATCH 6/7] feat: add image of report --- docs/hub/security-protectai.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/docs/hub/security-protectai.md b/docs/hub/security-protectai.md index 057fa7cf0..16cff3351 100644 --- a/docs/hub/security-protectai.md +++ b/docs/hub/security-protectai.md @@ -6,7 +6,8 @@ Interested in joining our security partnership / providing scanning information [Protect AI](https://protectai.com/)'s [Guardian](https://protectai.com/guardian) catches pickle, Keras, and other exploits as detailed on their [Knowledge Base page](https://protectai.com/insights/knowledge-base/). Guardian also benefits from reports sent in by their community of bounty [Huntr](https://huntr.com/)s. - + +Example of a report for danger.dat We partnered with Protect AI to provide scanning in order to make the Hub safer. The same way files are scanned by our internal scanning system, public repositories' files are scanned by Guardian. From 4bda7b9d85a220f4c7934b566d57500d5bb53f37 Mon Sep 17 00:00:00 2001 From: Luc Georges Date: Tue, 22 Oct 2024 13:36:51 +0200 Subject: [PATCH 7/7] refactor: replace html img tag with md image --- docs/hub/security-protectai.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
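Review bot: in the security-protectai.md hunk the caption "Example of a report for danger.dat" is added as a bare paragraph with no emphasis or figure markup, so it reads as body text rather than as the caption of the screenshot above it, and the screenshot itself is still an HTML img tag (not shown in the hunk) that not every markdown renderer will pass through. PATCH 7/7 already replaces both with a markdown image and an italic caption, so consider squashing 6/7 into 7/7 instead of landing an intermediate state.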
diff --git a/docs/hub/security-protectai.md b/docs/hub/security-protectai.md index 16cff3351..6d1dc092f 100644 --- a/docs/hub/security-protectai.md +++ b/docs/hub/security-protectai.md @@ -6,8 +6,8 @@ Interested in joining our security partnership / providing scanning information [Protect AI](https://protectai.com/)'s [Guardian](https://protectai.com/guardian) catches pickle, Keras, and other exploits as detailed on their [Knowledge Base page](https://protectai.com/insights/knowledge-base/). Guardian also benefits from reports sent in by their community of bounty [Huntr](https://huntr.com/)s. - -Example of a report for danger.dat +![Protect AI report for the danger.dat file contained in mcpotato/42-eicar-street](https://huggingface.co/datasets/huggingface/documentation-images/resolve/main/hub/protect-ai-report.png) +*Example of a report for [danger.dat](https://huggingface.co/mcpotato/42-eicar-street/blob/main/danger.dat)* We partnered with Protect AI to provide scanning in order to make the Hub safer. The same way files are scanned by our internal scanning system, public repositories' files are scanned by Guardian.
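Review bot: the added image URL resolves `hub/protect-ai-report.png` from the `main` revision of the huggingface/documentation-images dataset, so the screenshot shown on this page will silently change if that file is ever replaced; pinning the URL to a specific dataset commit would keep the documented report stable and lets a reader verify they are seeing the same image the caption describes. The markdown image plus italic caption is the right fix for the earlier HTML img tag, and the alt text and caption are consistent with the mcpotato/42-eicar-street example referenced elsewhere on the page.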