LLM05: Supply Chain Vulnerabilities (Models, Plugins, Datasets)
Description
LLM applications depend on numerous artifacts—pretrained weights, fine-tuned checkpoints, retrieval datasets, embeddings, plugins, packages, and containers. A single compromised component can introduce backdoors, exfiltrate data, or swap models at runtime.
Keywords: ML supply chain, model integrity, plugin security, SBOM, artifact signing, dependency confusion.
Examples/Proof
- Artifact integrity
  - Compare model/checkpoint hashes (SHA-256) against expected values. Drift indicates tampering or a version mismatch.
- Malicious plugin behavior
  - Run plugins behind a proxy and inspect for unexpected egress (e.g., posting prompts or keys externally).
- Dependency confusion
  - Detect unpinned versions or public-registry resolution for internal package names.
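The dependency-confusion check above, as an added example that is not part of the original page: a scanner for a pip requirements file that flags requirements without an exact `==` pin, requirements without a `--hash=` pin, and internal package names that would be resolved from the public index when no private index is configured. The requirements text, the internal package names (`acme-embeddings`, `acme-rag-utils`) and the `private_index_configured` flag are constructed for illustration.

```python
"""Flag dependency-confusion and pinning risk in a pip requirements file.

Added example (not from the original page). Scans requirement lines for
(a) versions that are not exactly pinned with '==', (b) lines without a
'--hash=' pin, and (c) internal package names that would be resolved from
the public index because no private index is configured.
"""
import re
from dataclasses import dataclass

# Hypothetical internal package names published only to a private registry.
INTERNAL_PACKAGES = {"acme-embeddings", "acme-rag-utils"}

# Constructed requirements content: a mix of pinned, ranged and unpinned lines.
SAMPLE_REQUIREMENTS = """\
# model-serving deps
torch==2.2.1 --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000
transformers>=4.38
acme-embeddings
acme-rag-utils==1.4.0
requests
"""

# Package name followed by an optional version specifier (stops at whitespace, ';' or '#').
REQ_RE = re.compile(
    r"^(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)\s*(?P<spec>(==|>=|<=|~=|!=|>|<)[^\s;#]*)?"
)


@dataclass(frozen=True)
class Finding:
    package: str
    issue: str


def normalize(name: str) -> str:
    """PEP 503 name normalisation: lower-case, runs of '-', '_' and '.' become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def scan_requirements(text: str, internal: set, private_index_configured: bool) -> list:
    """Return one Finding per issue found; an empty list means every line is pinned and safe."""
    findings = []
    internal_norm = {normalize(n) for n in internal}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        # Skip blanks, comments and pip option lines such as --index-url.
        if not line or line.startswith("-"):
            continue
        m = REQ_RE.match(line)
        if not m:
            continue
        name = normalize(m.group("name"))
        spec = m.group("spec") or ""
        if not spec.startswith("=="):
            findings.append(Finding(name, "unpinned: no exact '==' version"))
        if "--hash=" not in line:
            findings.append(Finding(name, "no --hash pin: resolved artifact is not integrity-checked"))
        if name in internal_norm and not private_index_configured:
            findings.append(Finding(name, "internal name resolved from public index (dependency confusion)"))
    return findings


if __name__ == "__main__":
    for f in scan_requirements(SAMPLE_REQUIREMENTS, INTERNAL_PACKAGES, private_index_configured=False):
        print(f"{f.package}: {f.issue}")
```

Only `torch` passes cleanly: it is pinned to an exact version and carries a hash. `acme-rag-utils` is pinned but still flagged for dependency confusion because, without a private index, pip will happily take a higher-versioned package of the same name from the public registry.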
Detection and Monitoring
- SBOM and attestation
  - Generate SBOMs for models, plugins and containers; require provenance (SLSA, in-toto) for build artifacts.
- Behavior analytics
  - Alert on plugin/library egress to non-allow-listed domains or unusual destinations.
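The egress alert described above (and the proxy-based plugin inspection under Examples/Proof), as an added example that is not part of the original page: constructed forward-proxy log lines are checked against a per-plugin host allow-list, and any request to a host outside it raises an alert, escalated when the request body is large enough to suggest bulk exfiltration of prompts or keys. The log format, the plugin names, the hostnames and the `large_body_bytes` threshold are all assumptions made for the example.

```python
"""Flag plugin egress to hosts outside a per-plugin allow-list.

Added example, not part of the original page. Parses constructed
forward-proxy log lines of the form
'<timestamp> <plugin> <method> <url> <status> <bytes_out>' and reports
every request whose destination host is not on that plugin's allow-list.
Matching is exact on the normalised hostname (case-folded, port stripped);
no suffix or wildcard matching, so lookalike domains never pass.
"""
from urllib.parse import urlsplit

# Hypothetical per-plugin allow-list: plugin name -> permitted hostnames.
EGRESS_ALLOWLIST = {
    "weather-plugin": {"api.weather.example"},
    "docs-search": {"search.internal.example"},
}

# Constructed proxy log lines (not real traffic).
SAMPLE_PROXY_LOG = """\
2024-05-01T10:00:01Z weather-plugin GET https://api.weather.example/v1/forecast?city=Oslo 200 412
2024-05-01T10:00:02Z weather-plugin POST https://collector.unknown-thirdparty.example/ingest 200 18231
2024-05-01T10:00:03Z docs-search GET https://search.internal.example/q?term=policy 200 301
2024-05-01T10:00:04Z docs-search GET https://SEARCH.internal.example:443/q?term=budget 200 290
2024-05-01T10:00:05Z docs-search GET https://paste-site.example/raw/abc 404 77
"""


def host_of(url: str) -> str:
    """Normalised hostname: urlsplit lower-cases it and drops any explicit port."""
    return urlsplit(url).hostname or ""


def is_allowed(plugin: str, host: str, allowlist: dict) -> bool:
    """Exact-match policy; an unknown plugin has an empty allow-list and is denied everything."""
    return host in allowlist.get(plugin, set())


def analyze_egress(log_text: str, allowlist: dict, large_body_bytes: int = 10_000) -> list:
    """Return one alert dict per non-allow-listed request, in log order."""
    alerts = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue  # malformed line; a production parser would count these too
        ts, plugin, method, url, _status, bytes_out = parts
        host = host_of(url)
        if is_allowed(plugin, host, allowlist):
            continue
        sent = int(bytes_out)
        alerts.append({
            "ts": ts,
            "plugin": plugin,
            "method": method,
            "host": host,
            "bytes_out": sent,
            # A large outbound body to an unexpected host is the exfiltration pattern to escalate.
            "severity": "high" if sent >= large_body_bytes else "medium",
            "reason": "egress to non-allow-listed host",
        })
    return alerts


if __name__ == "__main__":
    for a in analyze_egress(SAMPLE_PROXY_LOG, EGRESS_ALLOWLIST):
        print(f"[{a['severity']}] {a['ts']} {a['plugin']} {a['method']} {a['host']} ({a['bytes_out']} bytes)")
```

The fourth line is deliberately written with upper-case letters and an explicit port to show that normalisation, not a looser match, is what lets a legitimate request through. Failing closed for plugins absent from the allow-list is intentional: a newly installed plugin gets no egress until someone writes policy for it.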
Remediation
- Verified, pinned artifacts
  - Lock versions; verify signatures and hashes; store artifacts in private registries or buckets.
- Harden CI/CD
  - Sign releases; use reproducible builds; protect secrets and runners; enable branch protection.
- Runtime policy
  - Enforce egress allow-lists; restrict plugin scopes; monitor with network and syscall policies.
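The hash verification this section and the Examples/Proof entry on artifact integrity both call for, as an added example that is not the page's own code: a pinned SHA-256 manifest is checked against the files actually present in a model directory, reporting digest mismatches (the "drift" the page describes), artifacts pinned in the manifest but missing on disk, and files on disk that the manifest never listed. The directory layout, file names (`config.json`, `model.safetensors`, `tokenizer.json`, `vocab.txt`, `model.bin`) and contents are constructed in a temporary directory by `demo()`.

```python
"""Verify model artifacts against a pinned SHA-256 manifest.

Added example, not the page's own code. A manifest maps each expected
artifact (path relative to the model root) to its pinned SHA-256.
Verification streams each file in chunks (weights are large), compares
digests, and also reports files present on disk but absent from the
manifest, since an unexpected extra artifact is as suspicious as a
changed one. demo() builds a constructed directory, pins it, then
tampers with one file and drops in an unlisted one.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Hex SHA-256 of a file, read in 1 MiB chunks so large checkpoints are not loaded whole."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_artifacts(root: Path, manifest: dict) -> dict:
    """Return {'ok': [...], 'mismatch': [...], 'missing': [...], 'unlisted': [...]}.

    Any non-empty 'mismatch', 'missing' or 'unlisted' list should fail the
    deployment: the model directory is not the artifact that was pinned.
    """
    report = {"ok": [], "mismatch": [], "missing": [], "unlisted": []}
    for rel, expected in manifest.items():
        p = root / rel
        if not p.is_file():
            report["missing"].append(rel)
            continue
        bucket = "ok" if sha256_file(p) == expected.lower() else "mismatch"
        report[bucket].append(rel)
    listed = set(manifest)
    for p in sorted(root.rglob("*")):
        if p.is_file():
            rel = p.relative_to(root).as_posix()
            if rel not in listed:
                report["unlisted"].append(rel)
    return report


def demo() -> dict:
    """Constructed scenario: pin three files, then simulate tampering and an extra file."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "config.json").write_bytes(b'{"arch": "toy"}')
        (root / "model.safetensors").write_bytes(b"\x00" * 1024)
        (root / "tokenizer.json").write_bytes(b"{}")
        # Pin the directory as shipped; vocab.txt is pinned but never delivered.
        manifest = {rel: sha256_file(root / rel)
                    for rel in ("config.json", "model.safetensors", "tokenizer.json")}
        manifest["vocab.txt"] = "0" * 64
        # Simulate a one-byte change to the weights and an unexpected second weights file.
        (root / "model.safetensors").write_bytes(b"\x00" * 1023 + b"\x01")
        (root / "model.bin").write_bytes(b"extra")
        return verify_artifacts(root, manifest)


if __name__ == "__main__":
    for bucket, items in demo().items():
        print(f"{bucket}: {items}")
```

A manifest like this is only as trustworthy as its own distribution channel, which is why the page pairs hashes with signatures: sign the manifest (or use an attestation format such as in-toto) so that an attacker who can replace the weights cannot also rewrite the expected digests.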
Prevention Checklist
- SBOMs and artifact signatures verified in CI
- Private registries/buckets; version pinning and lockfiles
- Egress allow-lists and plugin scope restrictions enforced