Columbus is the first vulnerability found in Google's AI framework TensorFlow. This vulnerability allows a malicious TensorFlow model file to execute arbitrary code on a TensorFlow user's computer. It is common for TensorFlow users to download and use a pretrained model. If a TensorFlow user loads a malicious model file, the user's computer could be controlled or private data could be stolen. Columbus works on personal computers, mobile devices, and in the cloud.
Questions & Answers
(1) Am I affected by the vulnerability?
If you are using TensorFlow, yes. Columbus affects all TensorFlow versions.
(2) Can I detect if a TensorFlow model file is malicious?
You can use our online scan tool to check the model file before using it.
(3) Can my antivirus detect or block this attack?
It depends on the malicious code. Your antivirus may detect traditional malicious code behaviour, but it may not detect advanced malicious code.
(4) What can be leaked?
If you use a malicious model file, our proof-of-concept exploits can take control of your computer. Sensitive data stored on the computer could then be leaked.
(5) Has Columbus been abused in the wild?
We have not seen the case yet.
(6) Is there a workaround/fix?
Although we think this is a security vulnerability, Google doesn't. They consider TensorFlow models to be program code, although they acknowledged to us that this is a security risk. An official document warning users about this issue, and a model security check tool developed with the help of our team, will be provided in subsequent versions of TensorFlow.
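Since a TensorFlow model is effectively program code (question 6), the practical check behind question 2 is to inventory what a model file asks the runtime to do before loading it. The following added example, written for this page and not code from the Columbus team or from TensorFlow, walks a serialized GraphDef's protobuf wire format without importing tensorflow and lists nodes whose op type is outside an allowlist; the GraphDef/NodeDef field numbers are the real ones, while the sample graph bytes and the allowlist are constructed for the demonstration.

```python
def _varint(buf, pos):
    """Decode a base-128 varint at pos; return (value, next_pos)."""
    value, shift = 0, 0
    while True:
        byte, pos = buf[pos], pos + 1
        value |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return value, pos
        shift += 7

def _fields(buf):
    """Yield (field_number, wire_type, payload) for each field of a message."""
    pos = 0
    while pos < len(buf):
        key, pos = _varint(buf, pos)
        field, wtype = key >> 3, key & 7
        if wtype == 0:                       # varint
            payload, pos = _varint(buf, pos)
        elif wtype == 2:                     # length-delimited: strings, sub-messages
            length, pos = _varint(buf, pos)
            payload, pos = buf[pos:pos + length], pos + length
        elif wtype in (1, 5):                # fixed64 / fixed32
            size = 8 if wtype == 1 else 4
            payload, pos = buf[pos:pos + size], pos + size
        else:
            raise ValueError("unsupported wire type %d" % wtype)
        yield field, wtype, payload

def graph_ops(graphdef_bytes):
    """[(node_name, op_type), ...] for every NodeDef (GraphDef field 1)."""
    nodes = []
    for field, wtype, node in _fields(graphdef_bytes):
        if field == 1 and wtype == 2:
            # NodeDef field 1 = name, field 2 = op; everything else is ignored.
            strs = {f: v.decode("utf-8", "replace") for f, w, v in _fields(node) if w == 2 and f in (1, 2)}
            nodes.append((strs.get(1, ""), strs.get(2, "")))
    return nodes

def flag_unexpected_ops(graphdef_bytes, allowlist):
    """Nodes whose op is outside the allowlist: review these before loading the model."""
    return [n for n in graph_ops(graphdef_bytes) if n[1] not in allowlist]

def _ld(num, data):                          # length-delimited field, payload < 128 bytes
    return bytes([(num << 3) | 2, len(data)]) + data

def _node(name, op):                         # serialize one NodeDef into GraphDef.node
    return _ld(1, _ld(1, name.encode()) + _ld(2, op.encode()))

# Constructed sample: a tiny inference graph plus one node that writes to the filesystem.
SAMPLE_GRAPHDEF = (_node("x", "Placeholder") + _node("w", "Const")
                   + _node("y", "MatMul") + _node("dump", "WriteFile"))
ALLOWLIST = {"Placeholder", "Const", "MatMul", "Identity"}
```

This inventories op types in a bare GraphDef only (a SavedModel wraps the GraphDef inside a MetaGraphDef, which would need one more level of unwrapping); the page does not describe the Columbus trigger, so treat it as a provenance review aid rather than a detector for that specific issue.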