jack-clark.net - Import AI

Love open source AI and don’t want to get hacked? Use safetensors: …A sensible security update – now signed off via a security audit… AI organizations HuggingFace, EleutherAI, and Stability AI have come together to subsidize a security audit of ‘safetensors’, a software library for safely “saving and loading tensors in the most common frameworks (including PyTorch, TensorFlow, JAX, PaddlePaddle, and NumPy).”

Why they did this: “The creation of this library was driven by the fact that PyTorch uses pickle under the hood, which is inherently unsafe,” Eleuther writes. “With pickle, it is possible to write a malicious file posing as a model that gives full control of a user’s computer to an attacker without the user’s knowledge, allowing the attacker to steal all their bitcoins. While this vulnerability in pickle is widely known in the computer security world (and is acknowledged in the PyTorch docs), it’s not comm

What the review found: The security review didn’t find any critical security flaws in safetensors, though it did note that “some imprecisions in the spec format were detected and fixed”, and that “some missing validation allowed polyglot files, which was fixed.”

Read more: Safetensors audited as really safe and becoming the default (EleutherAI blog).
Check out the full Trail of Bits report here (Trail of Bits, GitHub).
Find out more about Safetensors here (HuggingFace, Safetensors).