Add model signing as a sandbox project #347

Merged
merged 2 commits into from
Aug 29, 2024
1 change: 1 addition & 0 deletions README.md
Expand Up @@ -76,6 +76,7 @@ The following Technical Initiatives have been approved by the TAC. You may learn
| gittuf | https://github.com/gittuf/gittuf | TBD | Supply Chain Integrity WG | [Sandbox](process/project-lifecycle-documents/gittuf_sandbox_stage.md) |
| OpenVEX | https://github.com/openvex | [Meeting Notes](https://docs.google.com/document/d/1C-L0JDx5O35TjXb6dcyL6ioc5xWUCkdR5kEbZ1uVQto/edit) | Vulnerability Disclosures WG | [Sandbox](process/project-lifecycle-documents/openvex_for_sandbox_stage.md) |
| OSV Schema | https://github.com/ossf/osv-schema | [Meeting Notes](https://docs.google.com/document/d/1jzqhW9SK9QRA39fQz0RiAkvpRWB0xztt1TAFJEseTlA/edit?usp=sharing) | Vulnerability Disclosures WG | TBD |
| Model signing | TBD (to be created) | [Meeting Notes](https://docs.google.com/document/d/18oAsfhfKJurH-YTUFe520CAZS3lkORX1WnZmBv4Llkc/edit) | AI/ML Security WG | [Sandbox](process/project-lifecycle-documents/model_signing_sandbox_stage.md) |
| Package Analysis | https://github.com/ossf/package-analysis | [Meeting Notes](https://docs.google.com/document/d/1GFslP6elYCx27TUitdigDr1gsOItYkL0Vq7hTB9y4Lo/edit) | Securing Critical Projects WG | TBD |
| Package Feeds | https://github.com/ossf/package-feeds | [Meeting Notes](https://docs.google.com/document/d/1GFslP6elYCx27TUitdigDr1gsOItYkL0Vq7hTB9y4Lo/edit) | Securing Critical Projects WG | TBD |
| Protobom | https://github.com/bom-squad/protobom | [Meeting Notes](https://docs.google.com/document/d/1bz2BBImzSnLRiBLrA5GehQ0ckW3Vs7Gmtt8R-Olm0QY/edit) | Security Tooling WG | [Sandbox](process/project-lifecycle-documents/protobom_sandbox_stage.md) |
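Review bot: The new row lists the repository as "TBD (to be created)" even though the application text in this same PR points to https://github.com/sigstore/model-transparency as the library the project develops; consider linking that repository here (or stating explicitly that only the standards repository is still to be created) so readers of the README table are not sent to a placeholder. The row is also inserted between "OSV Schema" and "Package Analysis", while the surrounding rows (gittuf, OpenVEX, OSV Schema, Package Analysis, Package Feeds, Protobom) read as alphabetical; "Model signing" would sort before "OpenVEX".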
105 changes: 105 additions & 0 deletions process/project-lifecycle-documents/model_signing_sandbox_stage.md
@@ -0,0 +1,105 @@
## Application for creating a new project at Sandbox stage

### List of project maintainers

The project has 4 maintainers from 3 different organizations:

* Laurent Simon, Google, @laurentsimon
* Daniel Major, NVidia,
* Eoin Wickens, HiddenLayer, @EWickens
* Mihai Maruseac, Google, @mihaimaruseac

### Mission of the project

The project must be aligned with the OpenSSF mission and either be a novel
approach for existing areas, address an unfulfilled need, or be initial code
needed for OpenSSF WG work. It is preferred that extensions of existing OpenSSF
projects collaborate with the existing project rather than seek a new project.

> Create a cryptographic signing specification for artificial intelligence and
> machine learning models, addressing challenges such as very large models that
> can be used separately, and the signing of multiple disparate file formats
> held within a directory. This specification may have wider applicability to
> signing directories of multiple arbitrary file formats. This specification may
> later be proposed as a formal standard.

#### Specific Goals Include:

* Develop standards for efficient hashing of large models
* Develop standards for efficient verification of integrity of models that
contain multiple formats in the same place
* Develop standards for efficient verification of integrity of models at
inference time.

To achieve these goals, we work on developing
https://github.com/sigstore/model-transparency library as an OSS standard for ML
models signing and verification. The aim of this project is to guide the
`model-transparency` development and help in standardizing hashing,
verification, and deployment (e.g., model signature format).

#### Non-Goals Include:

* Developing a new model format
* Handling security of ML outputs
* Asserting and verifying any properties related to the ML lifecycle, including
but not limited to: data bias, data quality, security of the training
pipeline, potential misuses of the model.

The project's goal are only related to the integrity of the model bytes.
Anything outside of this is out of scope.

### OpenSSF Mission Alignment

We believe our mission aligns with the OpenSSF mission in the following ways:

> make it easier to sustainably secure the development, maintenance, and
> consumption of the open source software

The model signing project aims to reduce the complexity of signing and verifying
the integrity of models, making it easier to be adopted by the industry at
large.

> fostering collaboration

The library is developed by a cohort of independent companies working together
to solve common problems. The goal is to integrate the library with most tools
that ML practitioners use, to uplift the entire ecosystem.

> establishing best practices

The model signing library must be strongly tested. It should define standards
for efficiently hashing and verifying integrity of models.

### AI/ML Security WG Alignment

This project started in parallel with the AI/ML Security WG. During one meeting
of the WG, it was decided to spin up a SIG for model signing
(https://github.com/ossf/ai-ml-security/issues/10). Since the output of this SIG
is in code for this library and associated standards and specs, we need to make
this a project.

### IP policy and licensing due diligence

When contributing an existing Project to the OpenSSF, the contribution must
undergo license and IP due diligence by the Linux Foundation (LF).

* Yes:
* Library code under
[`model_transparency`](https://github.com/sigstore/model-transparency) is
part of Sigstore, which is already an OpenSSF (thus, LF) member
* Standardization work, etc. will occur under a new repository to be created
under OpenSSF

### Project References

The project should provide a list of existing resources with links to the repository, and if available, website, a roadmap, contributing guide, demos and walkthroughs, and any other material to showcase the existing breadth, maturity, and direction of the project.

| Reference | URL |
|--------------------|-----|
| Main Repository | TODO |
| Meeting Agenda | https://docs.google.com/document/d/18oAsfhfKJurH-YTUFe520CAZS3lkORX1WnZmBv4Llkc/edit#heading=h.etrsjlz02gla |
| Contributing guide | TODO |
| Security.md | TODO |
| Roadmap | TODO |
| Demos | TODO |
| Other | TODO |
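Review bot: The Project References table at the end of the file is entirely "TODO" (including "Main Repository" and "Security.md"), while the IP-policy section earlier in the same file states that the library code lives under https://github.com/sigstore/model-transparency; a sandbox application is expected to showcase existing maturity, so at least "Main Repository" should point at that repository, and "Contributing guide" and "Security.md" should either link the corresponding files there or state that they do not yet exist. Smaller points in the same hunk: the maintainer entry "Daniel Major, NVidia," is missing the GitHub handle that the other three entries carry (and the company name is spelled "NVIDIA"); "The project's goal are only related to the integrity of the model bytes." should read "The project's goals are only related ..."; and under "IP policy and licensing due diligence" the bare bullet "* Yes:" would read better as a sentence, e.g. "Yes, due diligence is covered as follows:".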