Registry-Specific 攻擊s

攻擊 techniques targeting model registries: version confusion, dependency resolution exploitation, namespace squatting, model aliasing attacks, and practical exploitation of registry trust models.

Registry-Specific 攻擊

Model registries 實作 their own version management, naming conventions, and resolution logic -- and each of these mechanisms can be exploited. Unlike generic 供應鏈 attacks that apply broadly, registry-specific attacks 利用 the particular way a platform resolves model names to artifacts. These attacks are especially effective 因為 they operate within the registry's normal functionality: no 漏洞 needs to be exploited, just the intended resolution logic used in an unintended way.

Version Confusion

Version confusion exploits the gap between how developers think version resolution works and how it actually works. When a consumer requests a model by name without pinning to a specific version, the registry's resolution logic determines which version is returned.

攻擊 Mechanics

1. 1

   識別 version resolution behavior

   Determine how the target registry resolves unpinned references. Does "latest" mean the most recently uploaded? The highest semantic version? The most recently tagged? Each registry handles this differently.

2. 2

   Upload a higher version

   If the registry uses version numbering, upload a model with a version number higher than any legitimate version. If it uses timestamps, upload a new version. The resolution logic will prefer 攻擊者's version.

3. 3

   Maintain functional equivalence

   The poisoned model should pass basic functionality checks. Include a 後門 that triggers only on specific inputs, ensuring standard 評估 does not detect the substitution.

4. 4

   Wait for consumption

   Automated pipelines that reference "latest" or unpinned versions will pull 攻擊者's model on their next run. Manual users may also download the poisoned version if they do not pin versions.

Platform-Specific Version Resolution

Version Rollback 利用

Some registries support version rollback as a 安全 mechanism. 攻擊者 who can trigger a rollback to a previously poisoned version (or who poisoned an earlier version that was not detected) can deploy malicious models through the rollback mechanism itself.

Dependency Resolution 利用

ML models increasingly reference other models as dependencies: a fine-tuned model specifies its base model, an adapter references 模型 it was trained for, and a pipeline may compose multiple models. The resolution of these dependencies follows platform-specific logic that can be exploited.

Base Model Resolution

When loading a fine-tuned model, the loading framework resolves the base model reference:

{
  "architectures": ["LlamaForCausalLM"],
  "_name_or_path": "meta-llama/Llama-3-8B"
}

If the resolution logic searches multiple registries or falls back to public sources, 攻擊者 can intercept the resolution:

Internal-external confusion. If an organization hosts models internally but the loading framework falls back to Hugging Face Hub, 攻擊者 can register a model on the Hub with the same name as an internal model. When the internal registry is unavailable (network issue, misconfiguration), the loader pulls from the Hub.

Path traversal. Model references that include filesystem paths may be vulnerable to path traversal. A _name_or_path of ../../攻擊者-controlled/malicious-model could resolve to an unintended location.

Adapter Resolution

LoRA adapters and other parameter-efficient 微調 artifacts reference their base model. The adapter loading process:

1. Resolves the base model reference
2. Downloads the base model
3. Applies the adapter weights

攻擊者 can create a legitimate-looking adapter that references a malicious base model. The adapter itself is clean and passes inspection, but the base model it pulls contains a 後門.

{
  "base_model_name_or_path": "攻擊者-org/innocent-looking-base-model",
  "bias": "none",
  "fan_in_fan_out": false,
  "inference_mode": true,
  "lora_alpha": 16,
  "lora_dropout": 0.0,
  "r": 16,
  "target_modules": ["q_proj", "v_proj"]
}

Namespace Squatting

Namespace squatting registers model names that are likely to be requested by legitimate users, intercepting downloads through name confusion rather than version confusion.

Typosquatting

Register models with names similar to popular models:

Namespace Preemption

Register model names before legitimate organizations:

• Anticipate model releases from announcements and papers
• Register the expected repository name before the organization
• When the organization tries to publish, the name is taken
• Users searching for 模型 find 攻擊者's version first

Organization Name Confusion

On platforms that use organization namespaces:

• Register organization names similar to well-known entities
• openai-research vs openai vs open-ai
• anthropic-models vs anthropic
• google-deepmind vs google vs deepmind

Brand Impersonation

Create repositories with branding (profile images, descriptions, README content) that mimics legitimate organizations. Users who find the repository through search may not verify the organization identity.

Model Aliasing 攻擊

Model aliases are mutable references that point to specific model versions. They serve the same function as "latest" tags in container registries, and they are equally exploitable.

Alias Types

Alias Manipulation

攻擊者 with write access to the registry can redirect aliases to point to malicious model versions:

1. 1

   識別 alias usage in deployment pipelines

   Examine deployment configurations to find which aliases are used. Common patterns include pulling "production" stage models from MLflow or "main" branch from Hugging Face.

2. 2

   Upload poisoned model version

   Create a new model version with backdoored weights that passes standard 評估 benchmarks.

3. 3

   Redirect the alias

   Move the alias to point to the poisoned version. The deployment pipeline's next pull retrieves 攻擊者's model without any change to the pipeline configuration.

4. 4

   Restore after deployment

   Optionally, move the alias back to the legitimate version after the deployment pipeline has pulled the poisoned model. This reduces the 偵測 window and makes forensic analysis harder.

Time-of-Check-to-Time-of-Use (TOCTOU)

Even with alias 監控, a TOCTOU 漏洞 exists:

1. Deployment pipeline checks the alias and sees the legitimate model hash
2. Attacker redirects the alias to a poisoned version
3. Deployment pipeline downloads 模型 using the alias (now pointing to the poisoned version)
4. Attacker redirects the alias back to the legitimate version

The check showed the correct model, but the download retrieved 攻擊者's model. 防禦 requires downloading by immutable reference (hash or version ID), not by mutable alias.

Cross-Registry 攻擊

Organizations that use multiple registries (internal registry + Hugging Face + 雲端 ML platform) face cross-registry attack vectors.

Registry Priority Confusion

When model loading code searches multiple registries, the search order determines which model is loaded. 攻擊者 who can place a model in a higher-priority registry intercepts the load.

Cache Poisoning

Model caches (local filesystem, shared NFS, CDN) may serve stale or poisoned models even after the registry is corrected:

• Local ~/.cache/huggingface/ may contain a poisoned model from a previous download
• Shared caches in multi-tenant environments serve poisoned models to all users
• CDN caches may take time to invalidate after a registry correction

Metadata Desynchronization

When metadata (model card, configuration) is stored separately from weights, 攻擊者 can modify metadata without touching weights, or vice versa:

• Modify 模型 card to claim different 訓練資料 or capabilities
• Change configuration files to alter model behavior (different 分詞器, changed generation defaults)
• Update 評估 metrics to inflate or deflate perceived quality

偵測 and Prevention

偵測 Signals

Prevention Controls

參考文獻

• npm 供應鏈 attacks -- Parallels from package registry attacks
• MITRE ATLAS: ML Supply Chain -- Threat taxonomy for ML 供應鏈
• Hugging Face model naming guidelines -- Platform naming conventions