Machine Learning Models Have a Supply Chain Problem

TL;DR

This paper highlights the supply chain risks associated with open machine learning models, such as malicious replacements and data poisoning, and proposes using Sigstore to enhance transparency and security in model distribution.

Contribution

It identifies key supply chain vulnerabilities in open ML ecosystems and explores applying Sigstore for model signing and dataset verification to mitigate these risks.

Findings

Open ML models face significant supply chain threats.

Sigstore can be adapted to improve transparency in ML model sharing.

Model signing and dataset verification can reduce malicious attacks.

Abstract

Powerful machine learning (ML) models are now readily available online, which creates exciting possibilities for users who lack the deep technical expertise or substantial computing resources needed to develop them. On the other hand, this type of open ecosystem comes with many risks. In this paper, we argue that the current ecosystem for open ML models contains significant supply-chain risks, some of which have been exploited already in real attacks. These include an attacker replacing a model with something malicious (e.g., malware), or a model being trained using a vulnerable version of a framework or on restricted or poisoned data. We then explore how Sigstore, a solution designed to bring transparency to open-source software supply chains, can be used to bring transparency to open ML models, in terms of enabling model publishers to sign their models and prove properties about the datasets they use.