Skip to content

Latest commit

 

History

History
82 lines (63 loc) · 6.75 KB

mitigations.md

File metadata and controls

82 lines (63 loc) · 6.75 KB

Mitigation Strategies Analysis for ultralytics/yolov5

Mitigation Strategy: Secure Model Loading

  • Description:

    1. Establish a Trusted Model Repository: Create a private, access-controlled repository (e.g., a private Git repository, an internal artifact server) to store approved YOLOv5 model files (.pt).
    2. Generate Hashes: For each approved model, calculate a strong cryptographic hash (SHA-256 is recommended). Store these hashes securely, separate from the models themselves (e.g., in a database, a signed configuration file).
    3. Implement Hash Verification: In the application code, before calling torch.load(), calculate the hash of the model file being loaded. Compare this calculated hash to the stored, trusted hash. If the hashes do not match, abort the loading process and raise an exception/log an error.
    4. Restrict File System Access: Ensure the application process has read-only access to the model directory. It should not have write access to prevent accidental or malicious modification of the model files.
    5. Implement Model Selection Validation: If users can choose from a list of pre-approved models, ensure the application validates the user's selection against a whitelist of allowed model identifiers (e.g., model names or IDs). Do not allow users to provide arbitrary file paths.

  • Threats Mitigated:

    • Malicious Model Loading (Pickle/PyTorch Model Poisoning): Severity: Critical. An attacker could execute arbitrary code on the server.
    • Unauthorized Model Modification: Severity: High. An attacker with file system access could replace a legitimate model with a malicious one.

  • Impact:

    • Malicious Model Loading: Risk reduced from Critical to Low (assuming proper implementation and no other vulnerabilities). The verification process prevents loading of tampered or unauthorized models.
    • Unauthorized Model Modification: Risk reduced from High to Low. Read-only access prevents direct modification.

  • Currently Implemented:

    • Hash verification implemented in model_loader.py.
    • Read-only file system access configured for the application's Docker container.

  • Missing Implementation:

    • Trusted Model Repository is currently a shared network drive; needs to be migrated to a proper artifact server with access controls.
    • Model selection validation is missing. The application currently accepts a file path from the user, which is a major security flaw. This needs to be changed to a selection from a predefined list with server-side validation.

Mitigation Strategy: Adversarial Input Defense

  • Description:

    1. Input Preprocessing Pipeline:
      • Random Resizing: Before passing an image to the YOLOv5 model, randomly resize it within a small range (e.g., +/- 10% of the original dimensions).
      • Random Cropping: Randomly crop a small portion of the image.
      • JPEG Compression: Apply JPEG compression with a quality factor that introduces a small amount of loss (e.g., quality=90).
      • Gaussian Blurring: Apply a slight Gaussian blur with a small kernel size (e.g., 1x1 or 3x3).
    2. Adversarial Training (Long-Term):
      • Use a library like Foolbox to generate adversarial examples specifically for the YOLOv5 model architecture.
      • Include these YOLOv5-specific adversarial examples in the training dataset, teaching the model to be more robust.
    3. Monitoring:
      • Implement logging of YOLOv5 inference confidence scores.
      • Track the distribution of confidence scores over time.
      • Set up alerts for significant deviations from the expected distribution, which could indicate an adversarial attack targeting YOLOv5.

  • Threats Mitigated:

    • Adversarial Input Attacks (Evasion Attacks): Severity: High. An attacker could bypass security measures by crafting inputs that fool the YOLOv5 model.

  • Impact:

    • Adversarial Input Attacks: Risk reduced from High to Medium. Preprocessing makes it harder to craft successful adversarial examples, but it's not a perfect defense. Adversarial training further reduces the risk, but requires significant effort. Monitoring helps detect attacks in progress.

  • Currently Implemented:

    • JPEG compression is applied in image_processing.py.

  • Missing Implementation:

    • Random resizing and cropping are not implemented.
    • Gaussian blurring is not implemented.
    • Adversarial training specifically for YOLOv5 is not implemented (requires a dedicated retraining effort).
    • Monitoring of YOLOv5 confidence scores and anomaly detection is not implemented.

Mitigation Strategy: Data Poisoning Prevention

  • Description:

    1. Data Source Control: Only use training data from trusted sources (e.g., internally collected data, reputable datasets with clear provenance) for retraining YOLOv5.
    2. Data Integrity Checks: Before using any training data for YOLOv5, calculate cryptographic hashes of the data files (images, labels). Store these hashes securely. Periodically re-verify the hashes to detect any unauthorized modifications.
    3. Data Sanitization:
      • Manual Review: Visually inspect a representative sample of the training data intended for YOLOv5 for mislabeled or suspicious images.
      • Outlier Detection: Use statistical methods (e.g., clustering, anomaly detection algorithms) to identify potential outliers in the YOLOv5 training dataset that might be poisoned samples.
    4. Data Provenance: Maintain detailed records of the origin of all training data used for YOLOv5, including any preprocessing or augmentation steps.

  • Threats Mitigated:

    • Data Poisoning Attacks (Training Data Manipulation): Severity: High. An attacker could significantly degrade YOLOv5's performance or introduce targeted vulnerabilities.

  • Impact:

    • Data Poisoning Attacks: Risk reduced from High to Medium. Data source control and integrity checks prevent the introduction of entirely malicious datasets. Sanitization reduces the impact of subtle poisoning attempts.

  • Currently Implemented:

    • Basic data integrity checks (file size verification) are in place.

  • Missing Implementation:

    • Cryptographic hashing of YOLOv5 training data is not implemented.
    • Comprehensive data sanitization (manual review, outlier detection) specific to the YOLOv5 training pipeline is not implemented.
    • Detailed data provenance tracking for YOLOv5 training data is not implemented.