TensorFlow Models as Programs

TensorFlow has its own runtime system that interprets and executes its programs. The programs in TensorFlow are encoded as the computation graphs and stores the parameters separately as checkpoints.
During runtime, TensorFlow executes computation graph with the parameters given. The behavior of the graph may change depending on the change in parameters. TensorFlow is not a sandbox in itself. While executing, TensorFlow may read and write files or send and receive the data over the network. All of these tasks performed are done with the permission of the TensorFlow process. These things make TensorFlow a strong machine learning platform, but it has its own effects on security.

The TensorFlow models are the same as programs and, therefore, need to be taken as such from a TensorFlow security perspective.

Running Untrusted Models 

There is a general saying that an untrusted model should first execute inside a sandbox. There are many possibilities for a model to become untrusted. For instance, if some untrusted party provides Python code required for TensorFlow graphs.

Even if an untrusted party provides a computation graph, there are primitives available in TensorFlow that are powerful enough to prevent and execute the arbitrary code. But it is good to use sandboxes for the same.
TensoFlow Security is determined by the computational graph — whether the user provided checkpoint is safe or not. Generally, creating a computational graph with malicious checkpoints can trigger unusual and unsafe behavior.

Accepting the Untrusted Input

One can design models that are secure by providing the models with the ability to safely process the untrusted inputs assuming that they do not have any bugs.

A great way to analyze how any TensorFlow graph works is through an interpreted programming language such as Python. One can write safe Python code that can easily expose given inputs, but it is easy to write un-secure Python programs. By having a bug in your Python interpreter or a bug in the user library, it can cause damage to secure Python code.

Vulnerabilities in TensorFlow

TensorFlow is a very big complex system that depends on several third-party libraries for its use. Therefore, it is possible for TensorFlow or its libraries to contain vulnerabilities that might trigger unexpected behaviors by providing specific inputs.

The TensorFlow model can perform arbitrary computations that can read or write files or communicate over a network. If the model performs other than these specifications, then that behavior can cause vulnerability. For instance, considering the FileWriter in TensorFlow. Writing files is a usual behavior, but MatMul allowing random binary code execution is a vulnerability.

Reporting a Vulnerability

Now, we will see how to report the vulnerabilities in TensorFlow. We can directly send the reports about any security issues to TensorFlow. The report to this email is delivered to the security team at TensorFlow. The emails acknowledge within 24 hours and provide a detailed response within a week along with the next steps.

Conclusion: TensorFlow Security

Hence, in this TensorFlow security tutorial, you got to know about the security issues in TensorFlow and how vulnerability can cause TensorFlow to behave unexpectedly. Further, you also studied how to deal with untrusted malicious programs and report these to TensorFlow team. At last, we discussed five major issues in the security of TensorFlow. Furthermore, if you have any doubt regarding TensorFlow security, feel free to ask in the comment section.