[Bug] [Vul]: weak use of MD5 hashing in vLLM

[shaoyuyoung]

Your current environment

The output of python collect_env.py

INFO 05-18 14:49:54 [__init__.py:239] Automatically detected platform cuda.
Collecting environment information...
==============================
        System Info
==============================
OS                           : Ubuntu 20.04.6 LTS (x86_64)
GCC version                  : (Ubuntu 9.4.0-1ubuntu1~20.04.2) 9.4.0
Clang version                : 16.0.1
CMake version                : version 3.26.0
Libc version                 : glibc-2.31

==============================
       PyTorch Info
==============================
PyTorch version              : 2.6.0+cu124
Is debug build               : False
CUDA used to build PyTorch   : 12.4
ROCM used to build PyTorch   : N/A

==============================
      Python Environment
==============================
Python version               : 3.12.9 | packaged by Anaconda, Inc. | (main, Feb  6 2025, 18:56:27) [GCC 11.2.0] (64-bit runtime)
Python platform              : Linux-5.4.0-216-generic-x86_64-with-glibc2.31

==============================
       CUDA / GPU Info
==============================
Is CUDA available            : True
CUDA runtime version         : 12.6.68
CUDA_MODULE_LOADING set to   : LAZY
GPU models and configuration : 
GPU 0: Tesla V100-SXM2-32GB
GPU 1: Tesla V100-SXM2-32GB
GPU 2: Tesla V100-SXM2-32GB
GPU 3: Tesla V100-SXM2-32GB

Nvidia driver version        : 550.142
cuDNN version                : Probably one of the following:
/usr/lib/x86_64-linux-gnu/libcudnn.so.9.6.0
/usr/lib/x86_64-linux-gnu/libcudnn_adv.so.9.6.0
/usr/lib/x86_64-linux-gnu/libcudnn_cnn.so.9.6.0
/usr/lib/x86_64-linux-gnu/libcudnn_engines_precompiled.so.9.6.0
/usr/lib/x86_64-linux-gnu/libcudnn_engines_runtime_compiled.so.9.6.0
/usr/lib/x86_64-linux-gnu/libcudnn_graph.so.9.6.0
/usr/lib/x86_64-linux-gnu/libcudnn_heuristic.so.9.6.0
/usr/lib/x86_64-linux-gnu/libcudnn_ops.so.9.6.0
HIP runtime version          : N/A
MIOpen runtime version       : N/A
Is XNNPACK available         : True

==============================
          CPU Info
==============================
Architecture:                       x86_64
CPU op-mode(s):                     32-bit, 64-bit
Byte Order:                         Little Endian
Address sizes:                      40 bits physical, 48 bits virtual
CPU(s):                             20
On-line CPU(s) list:                0-19
Thread(s) per core:                 1
Core(s) per socket:                 20
Socket(s):                          1
NUMA node(s):                       1
Vendor ID:                          GenuineIntel
CPU family:                         6
Model:                              85
Model name:                         Intel(R) Xeon(R) Gold 6248 CPU @ 2.50GHz
Stepping:                           7
CPU MHz:                            2500.000
BogoMIPS:                           5000.00
Hypervisor vendor:                  KVM
Virtualization type:                full
L1d cache:                          640 KiB
L1i cache:                          640 KiB
L2 cache:                           80 MiB
L3 cache:                           16 MiB
NUMA node0 CPU(s):                  0-19
Vulnerability Gather data sampling: Unknown: Dependent on hypervisor status
Vulnerability Itlb multihit:        KVM: Vulnerable
Vulnerability L1tf:                 Mitigation; PTE Inversion
Vulnerability Mds:                  Vulnerable: Clear CPU buffers attempted, no microcode; SMT Host state unknown
Vulnerability Meltdown:             Mitigation; PTI
Vulnerability Mmio stale data:      Vulnerable: Clear CPU buffers attempted, no microcode; SMT Host state unknown
Vulnerability Retbleed:             Mitigation; IBRS
Vulnerability Spec store bypass:    Mitigation; Speculative Store Bypass disabled via prctl and seccomp
Vulnerability Spectre v1:           Mitigation; usercopy/swapgs barriers and __user pointer sanitization
Vulnerability Spectre v2:           Mitigation; IBRS; IBPB conditional; STIBP disabled; RSB filling; PBRSB-eIBRS Not affected; BHI SW loop, KVM SW loop
Vulnerability Srbds:                Not affected
Vulnerability Tsx async abort:      Vulnerable: Clear CPU buffers attempted, no microcode; SMT Host state unknown
Flags:                              fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ss ht syscall nx pdpe1gb rdtscp lm constant_tsc arch_perfmon rep_good nopl xtopology cpuid tsc_known_freq pni pclmulqdq ssse3 fma cx16 pcid sse4_1 sse4_2 x2apic movbe popcnt tsc_deadline_timer aes xsave avx f16c rdrand hypervisor lahf_lm abm 3dnowprefetch topoext cpuid_fault invpcid_single pti ssbd ibrs ibpb fsgsbase tsc_adjust bmi1 hle avx2 smep bmi2 erms invpcid rtm mpx avx512f avx512dq rdseed adx smap clflushopt clwb avx512cd avx512bw avx512vl xsaveopt xsavec xgetbv1 xsaves arat umip pku ospke avx512_vnni

==============================
Versions of relevant libraries
==============================
[pip3] numpy==2.2.6
[pip3] nvidia-cublas-cu12==12.4.5.8
[pip3] nvidia-cuda-cupti-cu12==12.4.127
[pip3] nvidia-cuda-nvrtc-cu12==12.4.127
[pip3] nvidia-cuda-runtime-cu12==12.4.127
[pip3] nvidia-cudnn-cu12==9.1.0.70
[pip3] nvidia-cufft-cu12==11.2.1.3
[pip3] nvidia-curand-cu12==10.3.5.147
[pip3] nvidia-cusolver-cu12==11.6.1.9
[pip3] nvidia-cusparse-cu12==12.3.1.170
[pip3] nvidia-cusparselt-cu12==0.6.2
[pip3] nvidia-nccl-cu12==2.21.5
[pip3] nvidia-nvjitlink-cu12==12.4.127
[pip3] nvidia-nvtx-cu12==12.4.127
[pip3] pyzmq==26.4.0
[pip3] torch==2.6.0
[pip3] torchaudio==2.6.0
[pip3] torchvision==0.21.0
[pip3] transformers==4.51.3
[pip3] triton==3.2.0
[conda] numpy                     2.2.6                    pypi_0    pypi
[conda] nvidia-cublas-cu12        12.4.5.8                 pypi_0    pypi
[conda] nvidia-cuda-cupti-cu12    12.4.127                 pypi_0    pypi
[conda] nvidia-cuda-nvrtc-cu12    12.4.127                 pypi_0    pypi
[conda] nvidia-cuda-runtime-cu12  12.4.127                 pypi_0    pypi
[conda] nvidia-cudnn-cu12         9.1.0.70                 pypi_0    pypi
[conda] nvidia-cufft-cu12         11.2.1.3                 pypi_0    pypi
[conda] nvidia-curand-cu12        10.3.5.147               pypi_0    pypi
[conda] nvidia-cusolver-cu12      11.6.1.9                 pypi_0    pypi
[conda] nvidia-cusparse-cu12      12.3.1.170               pypi_0    pypi
[conda] nvidia-cusparselt-cu12    0.6.2                    pypi_0    pypi
[conda] nvidia-nccl-cu12          2.21.5                   pypi_0    pypi
[conda] nvidia-nvjitlink-cu12     12.4.127                 pypi_0    pypi
[conda] nvidia-nvtx-cu12          12.4.127                 pypi_0    pypi
[conda] pyzmq                     26.4.0                   pypi_0    pypi
[conda] torch                     2.6.0                    pypi_0    pypi
[conda] torchaudio                2.6.0                    pypi_0    pypi
[conda] torchvision               0.21.0                   pypi_0    pypi
[conda] transformers              4.51.3                   pypi_0    pypi
[conda] triton                    3.2.0                    pypi_0    pypi

==============================
         vLLM Info
==============================
ROCM Version                 : Could not collect
Neuron SDK Version           : N/A
vLLM Version                 : 0.8.5
vLLM Build Flags:
  CUDA Archs: Not Set; ROCm: Disabled; Neuron: Disabled
GPU Topology:
        GPU0    GPU1    GPU2    GPU3    CPU Affinity    NUMA Affinity   GPU NUMA ID
GPU0     X      NV2     NV2     NV1     0-19    0               N/A
GPU1    NV2      X      NV1     NV2     0-19    0               N/A
GPU2    NV2     NV1      X      NV1     0-19    0               N/A
GPU3    NV1     NV2     NV1      X      0-19    0               N/A

Legend:

  X    = Self
  SYS  = Connection traversing PCIe as well as the SMP interconnect between NUMA nodes (e.g., QPI/UPI)
  NODE = Connection traversing PCIe as well as the interconnect between PCIe Host Bridges within a NUMA node
  PHB  = Connection traversing PCIe as well as a PCIe Host Bridge (typically the CPU)
  PXB  = Connection traversing multiple PCIe bridges (without traversing the PCIe Host Bridge)
  PIX  = Connection traversing at most a single PCIe bridge
  NV#  = Connection traversing a bonded set of # NVLinks

==============================
     Environment Variables
==============================
LD_LIBRARY_PATH=:/usr/local/cuda-12.6/lib64
NCCL_CUMEM_ENABLE=0
PYTORCH_NVML_BASED_CUDA_CHECK=1
TORCHINDUCTOR_COMPILE_THREADS=1
CUDA_MODULE_LOADING=LAZY

🐛 Describe the bug

Related to #17031.
When enabling FIPS, vLLM throws the error ValueError: Model architectures ['OPTForCausalLM'] failed to be inspected. Please check the logs for more details., due to the lack of usedforsecurity=False for MD5 hashing. Previous PRs (#17043 and #15299) have fixed this. But some places still lack this parameter.

vllm/vllm/model_executor/model_loader/neuronx_distributed.py

Lines 146 to 147 in 9ab2c02

	hashed_config = hashlib.md5(
	config.to_json_string().encode('utf-8')).hexdigest()

vllm/vllm/model_executor/model_loader/neuronx_distributed.py

Lines 266 to 267 in 9ab2c02

	hashed_config = hashlib.md5(
	config.to_json_string().encode('utf-8')).hexdigest()

vllm/vllm/model_executor/model_loader/neuronx_distributed.py

Lines 429 to 430 in 9ab2c02

	hashed_config = hashlib.md5(
	config.to_json_string().encode('utf-8')).hexdigest()

Warning
usedforsecurity=False is a "do not explode in FIPS mode" flag to make software FIPS tolerant, not making the code comply with FIPS.

[shaoyuyoung]

I will send a PR to fix this issue.
BTW, I think we can integrate this vulnerability pattern into the CI check?

[tiran]

Quick note from the person that implemented usedforsecurity=False in CPython:

The usedforsecurity=False flag does not make code FIPS compliant. It merely circumvents FIPS compliance checks by switching the code to the non-FIPS enforcing legacy crypto provider. Any occurrence of usedforsecurity=False is a red flag and any abuse is a FIPS compliance issue.

Please don't abuse usedforsecurity=False. It's a quick 'n dirty hack to get you to FIPS tolerance. There are better options than MD5 and SHA1 these days.

[shaoyuyoung]

Hi, @tiran
Thanks for your comment!
However, in such a situation, the code that is written into vLLM consists of many MD5 hashing.
If refactoring the code (I mean replacing MD5 with other hashing algorithms) is very labor-intensive for human beings in vLLM community (?)
BTW, in this case, if MD5 hashing is not used for security, maybe it is a lightweight usage for vLLM?

[shaoyuyoung]

If there are any simple ways of code refactoring here, I am willing to help replace all the unsafe hash algorithms.
I will try to investigate how to use xxhash to replace MD5 hashing in my spare time.
But currently, maybe usedforsecurity=False is the easiest way?

[tiran]

Just to be clear: I'm not asking you to do any FIPS work in your free time. FIPS compliance is time consuming and tedious work. In my opinion upstream Open Source communities should not be burdened with unpaid work for regulatory requirements.

usedforsecurity=False is a valid workaround to make software FIPS tolerant. It's important to understand that it's not the same as FIPS 140-3 compliance. My only ask for now is to not use the phrase "FIPS compliant" here. (A co-worker also calls it the "do not explode in FIPS mode" flag.)

[shaoyuyoung]

Got it!
Do you suggest that we not use usedforsecurity=False in all the md5 hashing?
As several PRs have been merged into the main branch, should we revert all these changes?
Or should we change the description to clarify what usedforsecurity=False is really doing?

[shaoyuyoung]

I have clarified this in both the issue and PR.
Please kindly verify this. :)

[tiran]

I have looked into vLLM's use of usedforsecurity=False. MD5 and SHA1 are used for cache keys and fingerprinting. That is most likely fine and does warrant a revert. It's fine to keep usedforsecurity=False for now. Just don't call it "FIPS compliant", that's all.

I'll discuss the matter internally and talk to @russellb . We are on adjacenced teams.

BTW, I think we can integrate this vulnerability pattern into the CI check?

Ruff and Flake8 have scanners for bad crypto, e.g. https://docs.astral.sh/ruff/rules/suspicious-insecure-hash-usage/ . The rules S303,S304,S305,S323,S324 detect a lot of bad crypto.