[tutorial] A toy example of scanning models

📌 Introduction

This article shows how to detect unsafe PyTorch models using a simple example and the modelscan tool.

🚀 Quick Start

Before you start, install the following packages:

pip install numpy torch modelscan

Prepare Safe Model

from torch import nn
import torch


class SafeModel(nn.Module):
    def __init__(self):
        super(SafeModel, self).__init__()
        self.linear = nn.Linear(10, 1)  # one linear layer: 10 inputs -> 1 output

    def forward(self, x):
        return self.linear(x)


if __name__ == "__main__":
    model = SafeModel()

    # save only the weights (a dict of tensors); this is the safe way to share a model
    torch.save(model.state_dict(), "safe_model.pth")

Prepare Malicious Model

This is a malicious model whose payload runs when the file is loaded. Pickle calls __reduce__ while the object is being saved, and the (callable, arguments) tuple it returns is what the unpickler executes on load; here that callable is os.system.

from torch import nn
import torch
import os


class MaliciousModel:
    def __reduce__(self):
        # pickle calls __reduce__ while torch.save serialises the object
        print("Reduce called!")  # should be printed at save time
        # the returned (callable, args) pair is executed by the unpickler on load
        return (os.system, ("echo 'This is a malicious model!' > malicious_output.txt",))


if __name__ == "__main__":
    model = MaliciousModel()

    # save the whole object (not a state_dict), so the pickle carries the __reduce__ payload
    torch.save(model, "malicious_model.pth")

Load model

torch.load already has a basic protection: since PyTorch 2.6 the weights_only option defaults to True, and the restricted unpickler only accepts tensors, dicts and a few allow-listed types, so the malicious file is rejected. To demonstrate the attack we have to pass weights_only=False. After loading you will find a file called malicious_output.txt next to the script: the payload ran during deserialisation, before any of your own code touched the model.

import torch

safe_model_path = "safe_model.pth"
malicious_model_path = "malicious_model.pth"

# the safe file is a plain state_dict, so the default (weights_only) loader accepts it
s_model = torch.load(safe_model_path)
# weights_only=False re-enables full unpickling; the payload runs here, inside torch.load
m_model = torch.load(malicious_model_path, weights_only=False)

Using modelscan to scan the model

Safe Model

modelscan -p safe_model.pth

Scanning /Users/hsiangjenli/Documents/github/mlops-survey/safe_model.pth:safe_model/data.pkl using modelscan.scanners.PickleUnsafeOpScan model scan

--- Summary ---

No issues found! 🎉

--- Skipped ---

Total skipped: 7 - run with --show-skipped to see the full list.

Malicious Model

modelscan -p malicious_model.pth

Scanning /Users/hsiangjenli/Documents/github/mlops-survey/malicious_model.pth:malicious_model/data.pkl using modelscan.scanners.PickleUnsafeOpScan model scan

--- Summary ---

Total Issues: 1

Total Issues By Severity:

- LOW: 0
- MEDIUM: 0
- HIGH: 0
- CRITICAL: 1

--- Issues by Severity ---

--- CRITICAL ---

Unsafe operator found:
- Severity: CRITICAL
- Description: Use of unsafe operator 'system' from module 'posix'
- Source: /Users/hsiangjenli/Documents/github/mlops-survey/malicious_model.pth:malicious_model/data.pkl

--- Skipped ---

Total skipped: 5 - run with --show-skipped to see the full list.
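To see what a scanner like modelscan's PickleUnsafeOpScan is checking for, here is a small added example (not part of the original post and not modelscan's own code) that disassembles the data.pkl inside a torch zip checkpoint with pickletools and flags references to a deny-list of callables, without ever unpickling anything. The deny-list, the two sample pickle streams and the sample/data.pkl archive layout are constructed for this example.

```python
import io
import pickletools
import zipfile

# Deny-list in the spirit of modelscan's PickleUnsafeOpScan (not its actual list).
UNSAFE_GLOBALS = {
    ("os", "system"), ("posix", "system"), ("nt", "system"),
    ("subprocess", "Popen"), ("subprocess", "run"),
    ("builtins", "eval"), ("builtins", "exec"),
}
STRING_OPS = {"UNICODE", "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8",
              "STRING", "BINSTRING", "SHORT_BINSTRING"}

def pickle_globals(data: bytes):
    """List every (module, name) the stream references, by disassembly only.

    pickletools.genops imports and calls nothing. GLOBAL (protocol <= 3, what
    torch.save emits) carries "module name" inline; STACK_GLOBAL (protocol 4+)
    consumes the two strings pushed just before it.
    """
    refs, strings = [], []
    for op, arg, _pos in pickletools.genops(data):
        if op.name == "GLOBAL":
            refs.append(tuple(arg.split(" ", 1)))
        elif op.name == "STACK_GLOBAL" and len(strings) >= 2:
            refs.append((strings[-2], strings[-1]))
        elif op.name in STRING_OPS:
            strings.append(arg)
    return refs

def scan_torch_archive(archive: bytes):
    """Scan each *.pkl member of a torch zip checkpoint; return (member, module, name) hits."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        return [(member, m, n) for member in zf.namelist() if member.endswith(".pkl")
                for m, n in pickle_globals(zf.read(member)) if (m, n) in UNSAFE_GLOBALS]

def build_sample_archive(pickle_bytes: bytes) -> bytes:
    """Constructed stand-in for a .pth file: a zip whose data.pkl is the given pickle."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("sample/data.pkl", pickle_bytes)
    return buf.getvalue()

# Constructed streams. Unsafe (protocol 2, as torch.save writes): GLOBAL posix.system,
# BINPUT 0, STOP. It only references the function, so nothing runs even if unpickled.
UNSAFE_PICKLE = b"\x80\x02cposix\nsystem\nq\x00."
# Safe (protocol 4): STACK_GLOBAL collections.OrderedDict, EMPTY_TUPLE, REDUCE, STOP,
# i.e. the kind of benign global a real state_dict pickle contains.
SAFE_PICKLE = b"\x80\x04\x8c\x0bcollections\x8c\x0bOrderedDict\x93)R."
```

Calling scan_torch_archive(build_sample_archive(UNSAFE_PICKLE)) reports ('sample/data.pkl', 'posix', 'system'), matching the "unsafe operator 'system' from module 'posix'" finding above, while the safe stream yields no hits; a real scanner would also resolve memoised strings (BINGET) and cover the other opcodes that can invoke callables.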

🔁 Recap

  1. Created a safe model (a state_dict) and a malicious model whose payload runs when the file is loaded
  2. Scanned both models using modelscan

🔗 References

Author

Hsiang-Jen Li & ChatGPT-4o

Posted on

2025-06-14

Updated on

2025-06-14

Licensed under