|
| 1 | +Security Considerations |
| 2 | +======================= |
| 3 | + |
| 4 | +Overview |
| 5 | +-------- |
| 6 | + |
| 7 | +NVIDIA Model Optimizer (ModelOpt) is a library used to optimize ML models and |
| 8 | +may load and process user-provided artifacts (models, weights, configs, |
| 9 | +calibration data) and their dependencies. Secure deployment depends on how you |
| 10 | +source artifacts, validate inputs, and harden the environment where ModelOpt |
| 11 | +runs. |
| 12 | + |
| 13 | +What to Be Aware Of |
| 14 | +------------------- |
| 15 | + |
| 16 | +**Untrusted model and data inputs** |
| 17 | + |
| 18 | +- Models, weights, configs and data may be malicious or corrupted. |
| 19 | + |
| 20 | +**Deserialization and code-execution risks** |
| 21 | + |
| 22 | +- Unsafe deserialization can lead to arbitrary code execution if fed untrusted |
| 23 | + inputs. |
| 24 | +- Avoid using serialization formats/settings that can deserialize arbitrary |
| 25 | + objects. |
| 26 | + |
| 27 | +**Input validation and resource exhaustion** |
| 28 | + |
| 29 | +- Large or malformed inputs can trigger crashes or excessive CPU/GPU/memory use. |
| 30 | +- Missing size/type checks can increase DoS risk. |
| 31 | + |
| 32 | +**Data in transit and at rest** |
| 33 | + |
| 34 | +- If fetching models or dependencies over the network, insecure transport can |
| 35 | + enable tampering. |
| 36 | +- Stored artifacts, logs, and caches may contain sensitive data. |
| 37 | + |
| 38 | +**Logging and observability** |
| 39 | + |
| 40 | +- Logs may inadvertently contain sensitive inputs, paths, tokens, or proprietary |
| 41 | + model details. |
| 42 | +- Overly verbose logs can leak operational and security-relevant information. |
| 43 | + |
| 44 | +**Supply chain and third-party components** |
| 45 | + |
| 46 | +- Dependencies may include known vulnerabilities or be compromised. |
| 47 | +- Third-party plugins/components loaded at runtime may not have the same |
| 48 | + security assurances. |
| 49 | + |
| 50 | +Example Security Approaches |
| 51 | +--------------------------- |
| 52 | + |
| 53 | +**Artifact integrity** |
| 54 | + |
| 55 | +- Only load artifacts from trusted sources. |
| 56 | +- Prefer signed artifacts; verify signatures before loading. |
| 57 | + |
| 58 | +**Safe parsing and deserialization** |
| 59 | + |
| 60 | +- Prefer safer storage formats (avoid object deserialization for untrusted |
| 61 | + inputs). |
| 62 | +- Avoid ``pickle``, ``torch.load()`` with untrusted weights, or YAML |
| 63 | + ``unsafe_load``. |
| 64 | +- Treat any unverified artifact as untrusted and block/guard its loading. |
| 65 | + |
| 66 | +**Hardening and least privilege** |
| 67 | + |
| 68 | +- Run with least privilege and isolate workloads. |
| 69 | + |
| 70 | +**Data protection** |
| 71 | + |
| 72 | +- Encrypt sensitive data at rest; use TLS 1.3 for data in transit. |
| 73 | +- Never hardcode or log credentials. |
| 74 | + |
| 75 | +**Resilience** |
| 76 | + |
| 77 | +- Validate inputs and enforce limits (file size, timeouts, quotas,..). |
| 78 | +- Keep OS, containers, and dependencies patched; scan for known vulnerabilities. |
0 commit comments