Install: claude install-skill sunilgentyala/OmniRed
# AI Model Supply Chain Tampering
## Attack Surface
The AI model supply chain includes: model weights downloaded from registries (Hugging Face, Ollama, model zoos), fine-tuning pipelines, model serialisation formats (pickle, safetensors, ONNX), plugin/extension systems, and model distribution mechanisms. Each is a point at which an attacker can substitute or alter a model before it reaches inference.
## Attack Variants
| Attack | Target | Required access |
|---|---|---|
| Backdoor insertion via fine-tuning | Model weights | Fine-tuning pipeline access |
| Pickle exploit | Model download/load | Ability to serve malicious model |
| Weight serialisation attack | Model loader that accepts an unsafe format (pickle-based weights) where safetensors is expected | Model hosting |
| Plugin/extension hijack | Tool ecosystem | Package registry write |
| Name-squatting | Model registries | Public registry account |
## Methodology
### Phase 1 — Supply chain mapping
Map all external model dependencies:
```bash
# Audit model downloads in CI/CD
grep -r "from_pretrained\|huggingface_hub\|ollama pull\|model_path" . --include="*.py"
# Check if model hashes are pinned
grep -r "revision=\|commit_hash=\|sha256=" . --include="*.py"
# Identify download sources
grep -r "https://huggingface.co\|https://models\." . --include="*.py"
```
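The grep passes above find candidate lines but cannot tell `revision="main"` (a branch that can be moved) from `revision="<40-hex commit>"` (immutable). As an added example that is not part of the skill, the script below walks Python source with `ast`, picks out the loader calls, and classifies each one's `revision` argument; the loader names, the pinning rule (a 40-character lowercase hex commit hash) and the embedded sample source are assumptions for illustration.

```python
import ast
import re

# Assumed loader names to audit; extend for the frameworks actually in use.
LOADER_NAMES = {"from_pretrained", "hf_hub_download", "snapshot_download"}
COMMIT_SHA = re.compile(r"^[0-9a-f]{40}$")


def classify_revision(node) -> str:
    """Only a literal 40-hex commit counts as pinned; 'main' or a tag can be moved."""
    if node is None:
        return "unpinned"
    if isinstance(node, ast.Constant) and isinstance(node.value, str):
        return "pinned" if COMMIT_SHA.match(node.value) else "mutable-ref"
    return "dynamic"  # computed at runtime; a static audit cannot vouch for it


def audit_model_loads(source: str, filename: str = "<constructed>") -> list[dict]:
    """Return one finding per loader call: line, loader, model id, revision status."""
    findings = []
    for node in ast.walk(ast.parse(source, filename)):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        name = func.attr if isinstance(func, ast.Attribute) else getattr(func, "id", None)
        if name not in LOADER_NAMES:
            continue
        kwargs = {kw.arg: kw.value for kw in node.keywords if kw.arg}
        # Model id is the first positional arg, or the keyword the loader uses for it.
        if node.args:
            target = node.args[0]
        else:
            target = kwargs.get("pretrained_model_name_or_path", kwargs.get("repo_id"))
        if isinstance(target, ast.Constant):
            model = str(target.value)
        elif target is not None:
            model = ast.unparse(target)
        else:
            model = "?"
        findings.append({
            "line": node.lineno,
            "loader": name,
            "model": model,
            "revision": classify_revision(kwargs.get("revision")),
        })
    return sorted(findings, key=lambda f: f["line"])


def policy_violations(findings: list[dict]) -> list[dict]:
    """Everything that is not pinned to a commit fails the supply-chain policy."""
    return [f for f in findings if f["revision"] != "pinned"]


# Constructed sample source covering the four cases the audit distinguishes.
SAMPLE_SOURCE = '''
import os
from transformers import AutoModel
from huggingface_hub import hf_hub_download
m1 = AutoModel.from_pretrained("org/model-a")
m2 = AutoModel.from_pretrained("org/model-b", revision="main")
m3 = AutoModel.from_pretrained("org/model-c", revision="0123456789abcdef0123456789abcdef01234567")
path = hf_hub_download(repo_id="org/model-d", filename="model.safetensors", revision=os.environ["REV"])
'''


if __name__ == "__main__":
    for f in audit_model_loads(SAMPLE_SOURCE):
        print(f"line {f['line']:>3}  {f['loader']:<16} {f['model']:<14} {f['revision']}")
```

Point it at a checkout with `audit_model_loads(open(path).read(), path)` for each `.py` file; `policy_violations` is what goes into the report. A "dynamic" revision is not automatically wrong, but it has to be traced to a lockfile or CI variable that holds a commit hash.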
### Phase 2 — Model provenance verification bypass testing
Test whether the deployment pipeline verifies model authenticity:
```python
# Check if model hash verification is present: the pipeline should look like this
import hashlib
import requests

def download_model(url: str, expected_hash: str) -> bytes:
    data = requests.get(url, timeout=60).content
    actual_hash = hashlib.sha256(data).hexdigest()
    # A pipeline that omits this comparison, or logs a mismatch and continues, fails the test
    if actual_hash != expected_hash:
        raise ValueError(f"model hash mismatch: expected {expected_hash}, got {actual_hash}")
    return data
```