MLASTG-TEST-MODEL-005: Model Integrity Verification¶
Control Reference¶
- MLASVS-MODEL-007: Model Versioning
- MLASVS-MODEL-008: Model Signing
- MLASVS-MODEL-014: Secure Model Serialization
- MLASVS-MODEL-015: Model Rollback Capability
- MLASVS-MODEL-030: Model Provenance Attestation (L2)
Severity¶
Medium (L1) / High (L2)
Overview¶
Model integrity controls ensure that deployed ML models are authentic, untampered, properly versioned, and can be rapidly rolled back if compromised. A model that lacks integrity verification can be silently replaced with a backdoored or degraded version without detection. This test verifies versioning, signing, serialization safety, rollback capability, and provenance attestation.
Prerequisites¶
| Requirement | Details |
|---|---|
| Tools | sha256sum, openssl, ModelScan (pip install modelscan) |
| Access | Model registry, artifact store, deployment pipeline configuration |
| Documentation | Model versioning policy, signing key management, rollback procedures |
Step-by-Step Procedure¶
Step 1: Verify Model Versioning¶
- Review the model registry for version history.
- Verify that each model version has immutable version identifiers, timestamp of creation, training data hash, code commit hash, and author identity.
- Verify that model artifacts are never overwritten (append-only).
- Pass condition: Complete version history exists for all production models with required metadata.
- Fail condition: Versions are missing, overwritten, or lack required metadata.
Step 2: Verify Model Signing¶
- Check that model files are cryptographically signed (e.g., using GPG or Sigstore/Cosign).
- Attempt to deploy an unsigned model and verify it is rejected.
- Pass condition: All production models are signed; unsigned models are rejected at deployment.
- Fail condition: Models can be deployed without signing, or signature verification is not enforced.
Step 3: Verify Hash Verification at Load¶
- Review model loading code for hash verification implementation.
- Tamper with a model file (e.g., add a null byte) and verify detection.
- Pass condition: Hash verification is enforced at load time; tampered files are rejected.
- Fail condition: Models can be loaded without integrity verification.
Step 4: Verify Safe Serialization¶
- Scan all model files for unsafe serialization patterns using tools like
modelscan. - Check for Pickle
__reduce__exploits or arbitrary code execution patterns. - Verify that SafeTensors format is preferred over Pickle for PyTorch models.
- Pass condition: No unsafe serialization detected; SafeTensors used where possible.
- Fail condition: Pickle files with
__reduce__patterns are found, or SafeTensors is not used for new models.
Step 5: Verify Rollback Capability¶
- Identify the last three production model versions in the registry.
- Execute a rollback to the previous version in a staging environment.
- Measure rollback completion time against the documented Recovery Time Objective (RTO).
- Pass condition: Rollback completes within the documented Recovery Time Objective (RTO).
- Fail condition: Rollback fails, is not documented, or exceeds RTO.
Step 6: Verify Model Provenance Attestation (L2)¶
- Verify that each production model has a provenance attestation document including origin, training data provenance chain, environment, process, and cryptographic chain of custody.
- Pass condition: Complete provenance attestation exists for all production models.
- Fail condition: Any production model lacks provenance documentation.
Expected Result¶
| Level | Expected Outcome |
|---|---|
| L1 | Model versioning complete; models signed; hash verification at load; safe serialization used; rollback tested. |
| L2 | All L1 controls met; model provenance attestation documented; complete chain of custody maintained. |
Evidence Requirements¶
- Model registry version history screenshot or export
- Model signing verification results
- Hash verification code review evidence
- ModelScan output for all model files
- Rollback test results with completion time
- (L2) Model provenance attestation documents
Remediation Guidance¶
If model signing is absent: 1. Integrate Sigstore or GPG signing into the CI/CD pipeline post-training. 2. Add signature verification as a pre-deployment check. 3. Reject unsigned model artifacts in the model registry.
If hash verification is missing: 1. Implement hash verification in the model loading code. 2. Store expected hashes in the model registry alongside the artifact. 3. Add hash verification as a CI/CD gate.
If rollback is not possible: 1. Maintain at least 3 previous production model versions in the registry. 2. Document and test rollback procedures quarterly. 3. Define and enforce Recovery Time Objective (RTO) for model rollback.
References¶
- MITRE ATLAS: AML.TA0006 - Persistence (Model Registry Manipulation)
- MITRE ATLAS: AML.TA0002 - Initial Access (Supply Chain Compromise)
- MLASWE: MLASWE-0009 (Supply Chain Compromise)