Oleksandr Bezdieniezhnykh
13 KiB
Security Concerns and Edge Cases Research
System: GPS-denied UAV visual navigation — Python backend (FastAPI, PyTorch, OpenCV, GTSAM, JWT auth, SSE streaming)
Date: March 14, 2026
Topic 1: PyTorch Model Loading Security
1.1 Security Risks of Loading PyTorch Model Weights from Google Drive
| Risk | Description | Confidence |
|---|---|---|
| Supply chain compromise | Google Drive links can be hijacked, shared publicly, or replaced with malicious files. Authors' accounts may be compromised. | High |
| No integrity verification | Unlike torch.hub, Google Drive downloads typically lack built-in checksum validation. |
High |
| Pickle-based RCE | .pth files use Python pickle; deserialization can execute arbitrary code. |
High |
| LiteSAM-specific | LiteSAM weights are hosted by paper authors on Google Drive — not an official PyTorch/Hugging Face registry. Trust boundary is weaker than torch.hub. | Medium |
Sources: OWASP ML06:2023 AI Supply Chain Attacks; CVE-2025-32434; CVE-2026-24747; Vulert, GitHub PyTorch advisories.
1.2 Is torch.load(weights_only=True) Sufficient?
No. Multiple CVEs show weights_only=True can still be bypassed:
| CVE | Date | Severity | Description |
|---|---|---|---|
| CVE-2025-32434 | Apr 17, 2025 | Critical | RCE possible even with weights_only=True in PyTorch ≤2.5.1. Patched in 2.6.0. |
| CVE-2026-24747 | 2026 | High (CVSS 8.8) | Memory corruption in weights_only unpickler; malicious .pth can cause heap corruption and arbitrary code execution. Patched in 2.10.0. |
Recommendation: Use PyTorch 2.10.0+ and treat weights_only=True as a defense-in-depth measure, not a guarantee.
Sources: GitHub GHSA-53q9-r3pm-6pq6; Vulert CVE-2025-32434, CVE-2026-24747; TheHackerWire.
1.3 Can Pickle-Based PyTorch Weights Contain Malicious Code?
Yes. Pickle was designed to serialize Python objects and their behavior, not just data. A malicious pickle can:
- Execute arbitrary code during deserialization
- Steal data, install malware, or run remote commands
- Trigger RCE without user interaction beyond loading the file
safetensors format eliminates this by design: it stores only numerical tensors and metadata (JSON header + binary data), with no executable code path.
Sources: Hugging Face safetensors security audit; Suhaib Notes; DEV Community safetensors article.
1.4 Recommended Approach for Verifying Model Weight Integrity
| Approach | Implementation | Notes |
|---|---|---|
| SHA256 checksums | Compute hash after download; compare to known-good value before torch.load(). |
PyTorch Vision uses checksums in filenames; torch.hub.download_url_to_file supports check_hash. |
| Digital signatures | Sign weight files with GPG/Ed25519; verify before load. | OWASP recommends verifying package integrity through digital signatures. |
| Safetensors format | Prefer .safetensors over .pth when available. |
No code execution; Trail of Bits audited; Hugging Face default. |
| Vendor pinning | Pin exact URLs and hashes for LiteSAM, SuperPoint, LightGlue, DINOv2. | Document expected hashes in config; fail fast on mismatch. |
LiteSAM-specific: Add a manifest (e.g., litesam_weights.sha256) with expected SHA256; verify before loading. If authors provide safetensors, prefer that.
Sources: PyTorch Vision PR #7219; torch.hub docs; OWASP ML06:2023.
1.5 Recent CVEs Related to PyTorch Model Loading (2024–2026)
| CVE | Date | Affected | Fix | Summary |
|---|---|---|---|---|
| CVE-2025-32434 | Apr 2025 | PyTorch ≤2.5.1 | 2.6.0 | RCE via torch.load(weights_only=True) bypass |
| CVE-2026-24747 | 2026 | Before 2.10.0 | 2.10.0 | Memory corruption in weights_only unpickler |
| CVE-2025-1889 | Mar 2025 | PickleScan ≤0.0.21 | 0.0.22 | PickleScan misses malicious files with non-standard extensions |
| CVE-2025-1945 | Oct 2025 | PickleScan <0.0.23 | 0.0.23 | ZIP header bit manipulation evades PickleScan (CVSS 9.8) |
Sources: GitHub advisories; Vulert; NVD.
Topic 2: GTSAM iSAM2 Edge Cases
2.1 Drift Accumulation with Many Consecutive VO-Only Frames
| Finding | Description | Confidence |
|---|---|---|
| Drift accumulates | With only VO constraints (BetweenFactorPose2) and no satellite anchors, iSAM2 propagates VO error. No absolute reference to correct drift. | High |
| Probabilistic correction | A 2024 drift-correction module (arXiv:2404.10140) treats SLAM positions as random variables and corrects using geo-spatial priors; ~10× drift reduction over long traverses. | Medium |
| iSAM2 design | iSAM2 is incremental; it does not inherently limit drift. Drift correction depends on loop closures or anchors. | High |
Recommendation: Implement drift thresholds (as in your Segment Manager); trigger segment splits when VO-only chain exceeds a confidence/error bound. Use satellite anchors as soon as available.
Sources: Kaess et al. iSAM2 paper (2012); arXiv:2404.10140; GTSAM docs.
2.2 iSAM2 with Very Long Chains (3000+ Frames)
| Finding | Description | Confidence |
|---|---|---|
| Scalability | iSAM2 uses Bayes tree + fluid relinearization; designed for online SLAM without periodic batch steps. | High |
| Efficiency | Variable reordering and sparse updates keep cost bounded; used on ground, aerial, underwater robots. | High |
| Legacy iSAM | Original iSAM had slowdowns on dense datasets with many loop closures; iSAM2 improves this. | Medium |
| Memory | No explicit 3000-frame benchmarks found; Bayes tree growth is sublinear but non-trivial. Recommend profiling. | Low |
Sources: GTSAM iSAM2 docs; Kaess et al. 2012; MIT iSAM comparison page.
2.3 Backward Correction When Satellite Anchor Arrives After Many VO-Only Frames
| Finding | Description | Confidence |
|---|---|---|
| Loop closure behavior | iSAM2 supports backward correction via loop closures. Adding a PriorFactorPose2 (satellite anchor) acts like a loop closure to the anchor frame. | High |
| Propagation | The Bayes tree propagates the correction through the graph; all frames between anchor and current estimate are updated. | High |
| Quality | Correction quality depends on anchor noise model and VO chain quality. Large drift may require strong anchor noise to pull trajectory; weak noise may under-correct. | Medium |
Recommendation: Tune PriorFactorPose2 noise to reflect satellite matching uncertainty. Consider multiple anchors if available.
Sources: GTSAM Pose2ISAM2Example; GTSAM docs; Pose2ISAM2Example.py.
2.4 Edge Cases Where iSAM2.update() Can Fail or Produce Garbage
| Edge Case | Description | Source |
|---|---|---|
| Type mismatch | Mixing Pose3 and Rot3 (or other type mismatches) across factors → ValuesIncorrectType exception. |
GTSAM #103 |
| Double free / corruption | isam.update() can trigger "double free or corruption (out)" during linearization, especially with IMU factors. Platform-specific (e.g., GTSAM 4.1.1, Ubuntu 20.04). |
GTSAM #1189 |
| IndeterminantLinearSystemException | Certain factor configurations (e.g., multiple plane factors) can produce singular/indeterminate linear systems. Removing one factor can allow convergence. | GTSAM #561 |
| Poor initial estimates | Bad initial values can cause divergence or slow convergence. | General |
Recommendation: Wrap isam.update() in try/except; validate factor types and initial estimates; test with IMU-like factors if used; consider GTSAM version upgrades.
Sources: borglab/gtsam#103, #1189, #561.
2.5 Pose2 Noise Model Tuning for Visual Odometry
| Approach | Description | Confidence |
|---|---|---|
| Diagonal sigmas | Standard: noiseModel.Diagonal.Sigmas(Point3(sigma_x, sigma_y, sigma_theta)). Example: (0.2, 0.2, 0.1). |
High |
| Sensor-derived | Tune from encoder noise, gyro drift, or VO accuracy (e.g., from SuperPoint+LightGlue/LiteSAM covariance if available). | High |
| Learning-based | VIO-DualProNet, covariance recovery from deep VO — noise varies with conditions; fixed sigmas can be suboptimal. | Medium |
| Heteroscedasticity | VO error is not constant; consider adaptive or learned covariance for production. | Medium |
Recommendation: Start with diagonal sigmas from VO residual statistics; refine via ablation. Document sigma choices in config.
Sources: GTSAM Pose2SLAMExample; GTSAM by Example; arXiv:2308.11228, 2403.13170, 2007.14943.
Topic 3: Segment Reconnection Edge Cases
3.1 Reconnection Order for 5+ Disconnected Segments
| Strategy | Description | Confidence |
|---|---|---|
| Global loop closure | Position-independent methods (e.g., visual place recognition) can reconnect maps from different sessions without shared reference. | High |
| Graph-based | Build undirected graph of segments; use trajectory matching cost minimization (e.g., Hungarian algorithm) to associate segments. SWIFTraj achieved ~0.99 F1 on vehicle trajectory connection. | Medium |
| Robust loop processing | LEMON-Mapping: outlier rejection + recall strategies for valid loops; spatial BA + pose graph optimization to propagate accuracy. | Medium |
| Invalid merge detection | Compare incoming data with merged scans to detect perceptual aliasing; undo invalid merges. | Medium |
Recommendation: Order reconnection by anchor confidence and temporal proximity; validate each merge before committing.
Sources: arXiv:2407.15305, 2505.10018, 2211.03423; SWIFTraj (arXiv:2602.21954).
3.2 Two FLOATING Segments Anchored Near Each Other — Connection Validation
| Approach | Description | Confidence |
|---|---|---|
| Geometric consistency | Constellation-based map merging: check geometric consistency of landmark constellations; high confidence required for merge. | High |
| Visual verification | Re-run matching between segment endpoints; require strong feature overlap and pose consistency. | Medium |
| Uncertainty propagation | Use landmark uncertainty from local SLAM; reject merges if combined uncertainty exceeds threshold. | Medium |
| Temporal/spatial prior | If segments are from same flight, use time ordering and approximate location to constrain candidate pairs. | Medium |
Recommendation: Do not merge solely on proximity. Require: (1) satellite match confidence above threshold, (2) geometric consistency between segment endpoints, (3) optional visual re-verification.
Sources: arXiv:1809.09646 (constellation-based merging); SegMap; PLVS.
3.3 All Segments Remain FLOATING — Outdated Satellite Imagery
| Finding | Description | Confidence |
|---|---|---|
| Temporal degradation | Outdated imagery degrades feature matching; urban/natural changes cause mismatches. | High |
| Mitigations | Oblique-robust methods, multi-stage (coarse + fine) matching, OpenStreetMap + satellite fusion, cross-modal (SAR + optical) matching. | Medium |
| Fallback | If no satellite match: segments stay FLOATING; output relative trajectory only. User manual anchors (POST /jobs/{id}/anchor) become critical. | High |
Recommendation: (1) Support multiple satellite providers and tile vintages; (2) expose FLOATING status clearly in API/UI; (3) encourage manual anchors when automatic matching fails; (4) consider alternative references (e.g., OSM, DEM) for coarse alignment.
Sources: IEEE 8793558; MDPI oblique-robust; Springer Applied Geomatics; MDPI OpenStreetMap fusion.
Summary Recommendations
PyTorch Model Loading
- Use PyTorch 2.10.0+.
- Add SHA256 verification for all model weights, especially LiteSAM from Google Drive.
- Prefer safetensors where available; document and pin checksums for pickle-based weights.
- Isolate model loading (e.g., subprocess, restricted permissions) if loading from untrusted sources.
GTSAM iSAM2
- Implement drift thresholds and segment splitting for long VO-only chains.
- Tune PriorFactorPose2 and BetweenFactorPose2 noise from VO/satellite statistics.
- Wrap
isam.update()with error handling for IndeterminantLinearSystemException and memory errors. - Profile memory/CPU for 3000+ frame trajectories.
Segment Reconnection
- Use geometric + visual validation before merging nearby anchored segments.
- Define reconnection order (e.g., by anchor confidence, temporal order).
- Handle FLOATING-only scenarios: clear API/UI status, manual anchor support, multi-provider satellite tiles.