Wiz has worked with Hugging Face to mitigate these issues, and warns that these findings are likely not unique to Hugging Face, but represent challenges faced by many AI-as-a-service companies. The security firm has urged the security community to work closely with these companies to ensure safe infrastructure and guardrails are put in place without hindering growth.
Key takeaways:
- Cloud security provider Wiz found two critical architecture flaws in generative AI models uploaded to Hugging Face, which could pose a risk to AI-as-a-service providers. The flaws are Shared Inference infrastructure takeover risk and Shared Continuous Integration and Continuous Deployment (CI/CD) takeover risk.
- Wiz researchers discovered that some AI models were sharing inference infrastructure, which often runs untrusted, potentially malicious models that use the 'pickle' format. These malicious pickle-serialized models could contain remote code execution payloads, potentially granting the attacker escalated privileges and cross-tenant access to other customers' models.
- Attackers may attempt to take over the CI/CD pipeline itself and perform a supply chain attack. Wiz researchers also demonstrated attacks impacting generative AI models used in the cloud by targeting the named infrastructure flaws on Hugging Face.
- Wiz and Hugging Face collaborated to mitigate the issues. Hugging Face has published its own blog post describing the collaborative work. Wiz researchers concluded that these findings are not unique to Hugging Face and represent challenges that many AI-as-a-Service companies will face.