Core ML Model DoS PoC
Proof-of-concept Core ML model files (.mlmodel) demonstrating denial-of-service vectors in protobuf-based model parsers.
Core ML models use the Protocol Buffers format, as defined by Apple's coremltools specification.
Files
| File | Size | Vector |
|---|---|---|
| poc_oom_weights.mlmodel | ~43 B | OOM via huge tensor shape declaration (innerProduct: 1M x 1M = ~4 TB if allocated) |
| poc_many_layers.mlmodel | ~321 KB | 10,000 neural network layers causing parser overhead and memory pressure |
| benign.mlmodel | ~56 B | Minimal valid model for baseline comparison |
| generate_pocs.py | - | Generator script for reproducibility |
Attack Vectors
1. OOM via Huge Tensor Shapes (poc_oom_weights.mlmodel)
A crafted protobuf declares a neural network innerProduct layer with inputChannels=1000000 and outputChannels=1000000. If a parser naively pre-allocates the weight matrix, this requires 10^12 float32 values (~4 TB of memory), causing an out-of-memory condition.
2. Many Layers Parsing Overhead (poc_many_layers.mlmodel)
A neural network spec containing 10,000 activation layers. Parsers that build full graph representations or validate layer connectivity may experience significant overhead or memory pressure when processing this many layers.
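The two vectors above share one defensive property: both are visible in the spec's declared integers (shape fields and layer count) before any buffer is allocated. The following added example (not part of this repo) is a pre-load budget check that walks a spec and rejects it when a declared weight tensor or the layer count exceeds a limit; the budgets are hypothetical, and the stand-in classes at the bottom are constructed to mirror the attribute names of a coremltools `Model_pb2` spec so the check runs offline.

```python
from dataclasses import dataclass, field

# Hypothetical budgets; tune to what the loading host can actually afford.
MAX_LAYERS = 2_000
MAX_WEIGHT_BYTES = 512 * 2**20     # 512 MiB of float32 weights per layer
FLOAT32_BYTES = 4
NN_TYPES = ("neuralNetwork", "neuralNetworkClassifier", "neuralNetworkRegressor")

def declared_weight_elements(layer):
    """Weight count implied by a layer's declared shape, using integer math only:
    inspecting a 1M x 1M declaration never allocates the 4 TB it describes."""
    if layer.WhichOneof("layer") == "innerProduct":
        p = layer.innerProduct
        return p.inputChannels * p.outputChannels
    return 0                        # activation and other weight-free layers

def check_spec(spec, max_layers=MAX_LAYERS, max_weight_bytes=MAX_WEIGHT_BYTES):
    """Return a list of budget violations; an empty list means the spec may be loaded."""
    findings = []
    model_type = spec.WhichOneof("Type")
    if model_type not in NN_TYPES:
        return findings             # nothing to check for non-neural-network models
    layers = getattr(spec, model_type).layers
    if len(layers) > max_layers:
        findings.append(f"{len(layers)} layers exceeds budget of {max_layers}")
    for i, layer in enumerate(layers):
        n = declared_weight_elements(layer)
        if n * FLOAT32_BYTES > max_weight_bytes:
            findings.append(f"layer {i} declares {n} weights "
                            f"(~{n * FLOAT32_BYTES / 2**40:.1f} TiB as float32)")
    return findings

# Constructed stand-ins with the same attribute names as a coremltools spec, so the
# checker runs offline; a real spec from coremltools.utils.load_spec() works unchanged.
@dataclass
class InnerProduct:
    inputChannels: int
    outputChannels: int
@dataclass
class Layer:
    kind: str                       # "innerProduct" or "activation"
    innerProduct: InnerProduct = None
    def WhichOneof(self, _oneof): return self.kind
@dataclass
class NeuralNetwork:
    layers: list = field(default_factory=list)
@dataclass
class Spec:
    neuralNetwork: NeuralNetwork
    def WhichOneof(self, _oneof): return "neuralNetwork"

def poc_oom_spec():          # mirrors poc_oom_weights.mlmodel: 1M x 1M innerProduct
    return Spec(NeuralNetwork([Layer("innerProduct", InnerProduct(1_000_000, 1_000_000))]))
def poc_many_layers_spec():  # mirrors poc_many_layers.mlmodel: 10,000 activation layers
    return Spec(NeuralNetwork([Layer("activation") for _ in range(10_000)]))
def benign_spec():           # mirrors benign.mlmodel: one small innerProduct layer
    return Spec(NeuralNetwork([Layer("innerProduct", InnerProduct(4, 2))]))
```

Run `check_spec` on the spec returned by `coremltools.utils.load_spec()` before handing the model to anything that materializes weights; a non-empty result means reject the file.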
Reproduction
python generate_pocs.py
Then load the generated .mlmodel files with any Core ML parser (e.g., coremltools.utils.load_spec()).
Impact
- Denial of service in any application that loads untrusted .mlmodel files
- Applicable to model hosting platforms, ML pipelines, and iOS/macOS apps accepting user-provided models