Python Fuzzing for Trustworthy Machine Learning Frameworks (2403.12723v2)
Abstract: Ensuring the security and reliability of machine learning frameworks is crucial for building trustworthy AI-based systems. Fuzzing, a popular technique in secure software development lifecycle (SSDLC), can be used to develop secure and robust software. Popular machine learning frameworks such as PyTorch and TensorFlow are complex and written in multiple programming languages including C/C++ and Python. We propose a dynamic analysis pipeline for Python projects using the Sydr-Fuzz toolset. Our pipeline includes fuzzing, corpus minimization, crash triaging, and coverage collection. Crash triaging and severity estimation are important steps to ensure that the most critical vulnerabilities are addressed promptly. Furthermore, the proposed pipeline is integrated in GitLab CI. To identify the most vulnerable parts of the machine learning frameworks, we analyze their potential attack surfaces and develop fuzz targets for PyTorch, TensorFlow, and related projects such as h5py. Applying our dynamic analysis pipeline to these targets, we were able to discover 3 new bugs and propose fixes for them.
- Coverage.py: A tool for measuring code coverage of Python programs, https://coverage.readthedocs.io
- Fix of endless loop error in TensorFlow, https://github.com/tensorflow/tensorflow/pull/56455/files
- Fix out of bounds in hdf5/src/h5fint.c:2859, https://github.com/HDFGroup/hdf5/pull/2691
- FuzzedDataProvider, https://github.com/google/fuzzing/blob/master/docs/split-inputs.md#fuzzed-data-provider
- genhtml: Generate html view from lcov coverage data files, https://linux.die.net/man/1/genhtml
- Google sanitizers, https://github.com/google/sanitizers
- h5py: HDF5 for Python, https://github.com/h5py/h5py
- HDF5 project, https://github.com/HDFGroup/hdf5
- Hypothesis library, https://hypothesis.works/
- Null pointer dereference in third_party/flatbuffers/include/flatbuffers/vector.h:158:48, https://github.com/pytorch/pytorch/issues/95061
- OSS-Fuzz: Continuous fuzzing for open source software, https://github.com/google/oss-fuzz
- OSS-Sydr-Fuzz h5py project, https://github.com/ispras/oss-sydr-fuzz/tree/master/projects/h5py
- OSS-Sydr-Fuzz: Hybrid fuzzing for open source software, https://github.com/ispras/oss-sydr-fuzz
- OSS-Sydr-Fuzz PyTorch project, https://github.com/ispras/oss-sydr-fuzz/tree/master/projects/pytorch-py
- OSS-Sydr-Fuzz TensorFlow project, https://github.com/ispras/oss-sydr-fuzz/tree/master/projects/tensorflow-py
- Out of bounds access on read in hdf5/src/h5fint.c:2859:13, https://github.com/HDFGroup/hdf5/issues/2432
- PyTorch project, https://github.com/pytorch/pytorch
- Segmentation fault in flatbuffers when parsing malformed modules, https://github.com/pytorch/pytorch/pull/95221
- SEGV in flatbuffers/base.h:406:23, https://github.com/pytorch/pytorch/issues/95062
- Sydr-Fuzz trophies, https://github.com/ispras/oss-sydr-fuzz/blob/master/TROPHIES.md
- TensorFlow: An open source machine learning framework for everyone, https://github.com/tensorflow/tensorflow
- TensorFlow Keras module, https://www.tensorflow.org/api_docs/python/tf/keras?version=nightly
- torchvision project, https://github.com/pytorch/vision
- Using instrumentation with Atheris and native extensions, https://github.com/google/atheris/blob/master/native_extension_fuzzing.md
- Serebryany, K.: Continuous fuzzing with libFuzzer and AddressSanitizer. In: 2016 IEEE Cybersecurity Development (SecDev). p. 157. IEEE (2016)
- Serebryany, K.: OSS-Fuzz - Google’s continuous fuzzing service for open source software. USENIX Association (2017)