msProbe Security Statement
System Security Hardening
It is recommended that you enable address space layout randomization (ASLR) at level 2 by running the following command as the root user:
echo 2 > /proc/sys/kernel/randomize_va_space
User Account Recommendations
All tools in this repository are designed to run with minimal permissions. For security reasons, do not use root or other privileged accounts. Always install and execute tools as a regular user.
File Permission Control
- This tool is a development-phase tool and does not restrict the ownership or permissions of the files it processes. Users need to assign appropriate ownership and permissions based on their usage scenarios and ensure that the content of the files handled by the tool is secure and trustworthy.
- When providing input files to the tool, it is recommended that the file owner matches the process owner of the tool and that file permissions restrict write access for group and others. The permissions of files written to the drive are managed by users and system administrators.
- Maintain strict permission control during installation and use. For details about the recommended file permission settings, see the following table.
File Permission Reference
| Type | Maximum Linux Permission |
|---|---|
| Home directory | 750 (rwxr-x---) |
| Program files (including scripts and libraries) | 550 (r-xr-x---) |
| Program file directory | 550 (r-xr-x---) |
| Configuration files | 640 (rw-r-----) |
| Configuration file directory | 750 (rwxr-x---) |
| Log files (recorded or archived) | 440 (r--r-----) |
| Log files (being recorded) | 640 (rw-r-----) |
| Log file directory | 750 (rwxr-x---) |
| Debug files | 640 (rw-r-----) |
| Debug file directory | 750 (rwxr-x---) |
| Temporary file directory | 750 (rwxr-x---) |
| Maintenance and upgrade file directory | 770 (rwxrwx---) |
| Service data files | 640 (rw-r-----) |
| Service data file directory | 750 (rwxr-x---) |
| Key components, private keys, certificates, and ciphertext file directory | 700 (rwx------) |
| Key components, private keys, certificates, and ciphertext files | 600 (rw-------) |
| APIs and scripts for encryption and decryption | 500 (r-x------) |
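The following is an added example, not part of the msProbe project, that audits files against the maxima in the table above: a path passes only if its mode sets no permission bit that its type's maximum leaves clear (setuid/setgid/sticky included) and it is owned by the expected user. The type names, the `audit` function and the constructed sample files are assumptions of this example.

```python
"""Audit files against the "Maximum Linux Permission" table (added example,
not msProbe code).  A path is compliant only if no permission bit is set
that its type's maximum leaves clear and it belongs to the expected user."""
import os
import stat
import tempfile
from typing import Dict, List, Optional

MAX_PERMS = {                  # values copied from the reference table above
    "home_dir": 0o750,
    "program_file": 0o550,
    "config_file": 0o640,
    "log_file_active": 0o640,
    "key_material_dir": 0o700,
    "key_material_file": 0o600,
}

def excess_bits(mode: int, maximum: int) -> int:
    """Bits set in mode but not allowed by maximum.  The 0o7777 mask keeps
    setuid/setgid/sticky, which no row of the table allows."""
    return (mode & 0o7777) & ~maximum

def check_path(path: str, file_type: str, expected_uid: Optional[int] = None) -> List[str]:
    """Findings for one path; an empty list means compliant."""
    st = os.lstat(path)                    # lstat: never follow symlinks
    findings = []
    if stat.S_ISLNK(st.st_mode):
        findings.append("is a symbolic link; pass the real path instead")
    extra = excess_bits(st.st_mode, MAX_PERMS[file_type])
    if extra:
        findings.append(f"mode {stat.S_IMODE(st.st_mode):04o} exceeds "
                        f"{MAX_PERMS[file_type]:04o} by {extra:04o}")
    owner = os.geteuid() if expected_uid is None else expected_uid
    if st.st_uid != owner:
        findings.append(f"owner uid {st.st_uid} != expected uid {owner}")
    return findings

def audit(entries: Dict[str, str]) -> Dict[str, List[str]]:
    """Audit {path: file_type}; return only the non-compliant paths."""
    return {p: f for p, t in entries.items() if (f := check_path(p, t))}

def make_sample_tree() -> Dict[str, str]:
    """Constructed input: a compliant 0640 config file and a key file left
    group/world readable (0644) inside a fresh temporary directory."""
    d = tempfile.mkdtemp()
    cfg, key = os.path.join(d, "config.yaml"), os.path.join(d, "key.pem")
    for p, mode in ((cfg, 0o640), (key, 0o644)):
        open(p, "w").close()
        os.chmod(p, mode)
    return {d: "home_dir", cfg: "config_file", key: "key_material_file"}
```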
Input Path Security Statement
When providing input to the tool, users should ensure that the content is safe and trustworthy, avoid using symbolic links, and convert all files to real paths before providing them as input to the tool.
Vulnerability Security Statement
During development, the tb-graph-ascend plugin depends on webpack-dev-server, and version 4.x has known security vulnerabilities (CVE-2025-30359 and CVE-2025-30360). However, the final build outputs (the production code/package) do not contain webpack-dev-server or any related code, and this dependency is not downloaded during normal use. These vulnerabilities therefore do not affect the security of the final application built with this tool, and they are neither downloaded nor triggered by end users. Developers, however, must ensure security during the development process.
For details about the vulnerability mechanism, see MindStudio Vulnerability Handling Procedure.
Data Security Statement
Loading and saving data while using the tools may carry data-security risks. Some interfaces (e.g., torch.load) directly or indirectly use the unsafe pickle module, which can introduce security vulnerabilities. For details, see torch.load.
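To show why a pickle-based loader is risky and how such a loader can be restricted, here is an added example that is not msProbe code: pickle resolves arbitrary `module.attribute` names while loading, so a crafted file can reach any importable callable; the allow-list `Unpickler` below refuses everything except plain data containers. The allow-list contents, the function names and the constructed sample blobs are assumptions of this example; `torch.load(..., weights_only=True)` applies the same idea with an allow-list of tensor-related globals.

```python
"""Restricted pickle loading (added example, not msProbe code)."""
import io
import os
import pickle

# Globals a plain data file may need; anything else is refused.  This
# allow-list is an assumption for the example; extend it per file format.
SAFE_GLOBALS = {
    ("collections", "OrderedDict"),
    ("builtins", "set"),
    ("builtins", "frozenset"),
}

class RestrictedUnpickler(pickle.Unpickler):
    def find_class(self, module, name):
        """Called for every global reference in the stream, before anything
        is instantiated or called, so refusing here is sufficient."""
        if (module, name) in SAFE_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is not allowed")

def safe_loads(data: bytes):
    """Load a pickle blob, allowing only the globals in SAFE_GLOBALS."""
    return RestrictedUnpickler(io.BytesIO(data)).load()

def is_loadable(data: bytes) -> bool:
    """True if the blob contains only plain data and allow-listed globals."""
    try:
        safe_loads(data)
        return True
    except pickle.UnpicklingError:
        return False

# Constructed samples: a harmless checkpoint-like dict, and a blob that merely
# references os.getcwd by name.  Pickling a function stores only its import
# path; an unrestricted loader resolves that path, which is the root of the
# risk described above.  Nothing here is executed on load.
BENIGN = pickle.dumps({"layer.weight": [0.1, 0.2], "step": 3})
REFERENCES_GLOBAL = pickle.dumps(os.getcwd)
```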
Build Security Statement
msProbe supports building from source. During the build process, the system downloads third-party dependencies, executes shell build scripts, and generates temporary program files and build directories. To reduce security risks, you can perform permission control on files within the source code directory. During the build process, you can modify build scripts as needed to avoid security risks and ensure the security of the build results.
Running Security Statement
- When the tool loads a dataset that exceeds the available memory, or when data collection runs so long that the generated data fills the available drive space, an error may occur and the process may exit unexpectedly.
- If an exception occurs during operation, the tool exits the process and prints error messages. This is expected behavior. Locate the specific cause of the error based on the error prompts, for example by viewing the log files or result files generated during collection and parsing.
- msProbe:
  - Prerequisites: The Python source code of the object to be collected must be readable and executable so that public information such as the public call stack can be obtained.
  - Application scenario: When you need to analyze the model precision, you can add the dump API of msProbe to the model training script to collect data during training. After the training is complete, the precision data file is output directly. The data file contains the API data, model structure, and stack information of API calls. This helps you quickly locate the API with precision problems in the model.
  - Risk warning: Using this function generates precision data locally. You need to protect the related precision data files. Use this function only when you need to analyze model precision, and disable it after the analysis is complete.
- To prevent remote code injection attacks, set the --trust-remote-code parameter to False if it is used.
Public Network Address Statement
For details, see Public Network Addresses.
Public API Statement
The msProbe project is developed in C++ and Python. The externally available APIs are disclosed in the documentation, and official APIs are provided only as Python APIs. The dynamic libraries do not provide services directly; the symbols they expose are for internal use, and calling them from user code is not recommended.
For scripting languages such as Python, where the source code is released, use only the public APIs specified in the documentation. Do not directly call source code APIs that are not explicitly disclosed.
Safe Function Usage
While unsafe functions are not forcibly disabled, you are advised to use their safe variants that explicitly take a buffer length parameter, for example, memset_s and memcpy_s.
Communication Security Hardening
1. TensorBoard plugin for hierarchical model visualization
Background: The hierarchical model visualization plugin (plugins/tb_graph_ascend) is developed and debugged based on TensorBoard. After the plugin is installed, you need to start TensorBoard before using it.
Risk: When TensorBoard is started, the listening address can be set with --host, or the service can be bound to all interfaces with --bind-all. The hierarchical model visualization plugin is only a TensorBoard plugin and cannot harden the TensorBoard service itself. Therefore, ensure that the environment is secure when using the plugin.
Risk mitigation measures: Use --host=127.0.0.1 (or localhost) and do not start the plugin as the root user. If the TensorBoard service must listen on a non-loopback address for remote access, ensure that the environment is secure and apply a network security hardening solution to protect it. For example, use access control policies such as iptables rules to restrict which clients can connect, or place a reverse proxy such as Nginx in front of the service to add HTTPS.
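As an added example that is not part of the plugin, the launcher check below enforces the two recommendations above before TensorBoard is started: the service binds only to a loopback address unless the caller explicitly states that external protection (firewall rules or a TLS reverse proxy) is in place, and it is never started as root. The function names and the `allow_remote` switch are assumptions of this example.

```python
"""Loopback-only, non-root TensorBoard launch check (added example)."""
import ipaddress
import os
from typing import List, Optional

def is_loopback(host: str) -> bool:
    """True for localhost, 127.0.0.0/8 and ::1."""
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False

def tensorboard_args(logdir: str, host: str = "127.0.0.1", port: int = 6006,
                     allow_remote: bool = False, euid: Optional[int] = None) -> List[str]:
    """Build the TensorBoard argv.  Raises if the caller is root, or if host is
    not a loopback address unless allow_remote=True (meaning iptables rules or
    a TLS reverse proxy, as described above, already protect the service)."""
    uid = os.geteuid() if euid is None else euid
    if uid == 0:
        raise PermissionError("refusing to start TensorBoard as root")
    if not is_loopback(host) and not allow_remote:
        raise ValueError(f"host {host!r} would expose the service beyond localhost")
    return ["tensorboard", f"--logdir={logdir}", f"--host={host}", f"--port={port}"]

def check_argv(argv: List[str]) -> List[str]:
    """Lint an existing TensorBoard command line; return findings (empty = OK)."""
    findings, host = [], None
    for i, arg in enumerate(argv):
        if arg == "--bind-all":
            findings.append("--bind-all listens on every interface")
        elif arg.startswith("--host="):
            host = arg.split("=", 1)[1]
        elif arg == "--host" and i + 1 < len(argv):
            host = argv[i + 1]
    if host is not None and not is_loopback(host):
        findings.append(f"--host {host} is not a loopback address")
    return findings
```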
Communication Matrix
Communication Matrix Information
| No. | Module | Function | Source Device | Source IP Address | Source Port | Destination Device | Destination IP Address | Destination Port (Listening) | Protocol | Port Description | Port Configuration | Listening Port Configurable (Yes/No) | Authentication Mode | Encryption Mode | Plane | Version | Special Scenarios | Remarks |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1 | tb_graph_ascend | Communication between the TensorBoard frontend and backend | Server where the TensorBoard browser is located | IP address of the server where the TensorBoard browser is located | | Server where the TensorBoard service is located | IP address of the server where the TensorBoard service is located | 6006 | HTTP | TensorBoard is not within the delivery scope. If TensorBoard is used, ports may be opened. The default port opened by TensorBoard is 6006; you can also specify other ports. | --port | Yes | | | Service plane | All | None | |
Disclaimer
- This tool is intended solely for debugging and development. You are responsible for any risks and should carefully review the following information:
  - Data processing and deletion: Users are responsible for any data generated while using this tool, including but not limited to dumped data. You are advised to delete such data promptly after use to prevent information leakage.
  - Data confidentiality and transmission: Users understand and agree not to share or transmit any data generated by this tool. Neither the tool nor its developers are responsible for any information leaks, data breaches, or other negative consequences.
  - User input security: Users are responsible for the security of any commands they enter and for any risks or losses resulting from improper input. The tool and its developers are not liable for issues caused by incorrect command usage.
- Disclaimer scope: This disclaimer applies to all individuals and entities using this tool. By using the tool, you acknowledge and accept this statement and assume all risks and responsibilities arising from its use. If you do not agree, please stop using the tool immediately.
- Before using this tool, please read and understand the preceding disclaimer. If you have any questions, contact the developer.