Hugging Face's logo

Hironabe333
/
onnx-external-data-checksum-gap-poc

ONNX
Model card Files
xet
 Community

You need to agree to share your contact information to access this model

This repository is publicly accessible, but you have to accept the conditions to access its files and content.

Log in or Sign Up to review the conditions and access this model content.

YAML Metadata Warning:empty or missing yaml metadata in repo card

Check out the documentation for more information.

ONNX external_data checksum gap β€” PoC

Overview

ONNX TensorProto.external_data supports a checksum key (SHA-256 hex digest) describing the external tensor data file. In observed ONNX 1.21.0 and ONNX Runtime 1.23.2 behavior, onnx.checker.check_model(full_check=True) and onnxruntime.InferenceSession do not verify this checksum field.

A model can embed the checksum of benign external weights in model.onnx while the referenced model.data contains adversarial weights. The model passes full checker validation and the runtime produces adversarial inference output without any warning or error.

Environment

  • Python 3.10.12
  • onnx 1.21.0
  • onnxruntime 1.23.2
  • numpy 1.26.4
  • Platform: Linux aarch64

Reproduce 

pip install onnx onnxruntime numpy
python3 create_onnx.py ./
python3 inspect_onnx.py model.onnx
python3 reproduce.py model.onnx

Key Observation

model.onnx TensorProto.external_data fields:

key value
location model.data
offset 0
length 4
checksum e00e5eb9444182f352323374ef4e08ebcb784725fdd4fd612d7730540b3e0c8c

The embedded checksum is the SHA-256 of model_benign.data (float32(1.0)). The actual model.data file contains float32(999.0) with a different SHA-256.

Results 

CHECKSUM_FIELD_PRESENT=True
EMBEDDED_CHECKSUM=e00e5eb9...  (SHA-256 of benign float32(1.0))
ACTUAL_DATA_CHECKSUM=b438fd3a...  (adversarial float32(999.0))
CHECKSUM_MISMATCH=True
CHECKER_FULL_CHECK=PASS          ← mismatch not detected
RUNTIME_OUTPUT=999.0000          ← adversarial external data consumed
WARNING_EMITTED=False
OUTPUT_FLIP_CONFIRMED=True

Files

File Description SHA-256
model.onnx ONNX model with benign checksum in external_data d72c06f0...
model.data External data (adversarial, float32(999.0)) b438fd3a...
model_benign.data Benign external data (float32(1.0)) e00e5eb9...
model_adversarial.data Adversarial external data (float32(999.0)) b438fd3a...
create_onnx.py Creates all artifacts ff77f9e0...
inspect_onnx.py Extracts checksum, runs checker, reports mismatch b3f814c5...
reproduce.py Runs runtime, confirms adversarial output 54912eab...
Downloads last month

-

Downloads are not tracked for this model. How to track
Inference Providers NEW
This model isn't deployed by any Inference Provider. πŸ™‹ Ask for provider support