You might have come across these two popular file extensions when dealing with Stable Diffusion checkpoints or LoRA models. How and where do .ckpt and .safetensors files differ and why should you bother? We’ll talk about safety, speed and convenience and more. Read on for a straightforward and rather interesting answer to this extremely common question!
- The .ckpt Files In Stable Diffusion
- What Exactly Is This Python “Pickle” We’re Talking About?
- Stable Diffusion CKPT Models Safety Issues
- The .safetensors Files In Stable Diffusion
- How To Use .safetensors Model Files In Stable Diffusion WebUI?
- How To Convert .ckpt to .safetensors?
- Is It Safe To Use .ckpt Stable Diffusion Model Files?
The .ckpt Files In Stable Diffusion
The ckpt format is one of many machine learning model checkpoint file formats, that contain all the variables/weights that a trained ML model consists of, with all the respective values associated with them.
In other words, it’s a way of storing the final state of the trained model itself, much like Safetensors that we’re going to cover in a bit.
There are of course many other formats in which you can save your ML models trained using different technologies, but in this article we’re going to focus solely on these two, as these are the formats that Stable Diffusion checkpoints are most commonly stored in.
When you’re downloading your favorite Stable Diffusion models, they are likely to be saved in either the .ckpt or the .safetensors file format.
When a Stable Diffusion model is saved to a ckpt file, all of its trained data is stored within a file with a .ckpt extension, which makes use of so-called “pickles”. Here is where the whole story begins.
Pickles have one major disadvantage. They can be injected with malicious code, which can execute during the unpickling process, for example when loading your model file in Stable Diffusion.
If terms such as “pickling” and “unpickling” seem a little bit funny to you in this context, check out the next paragraph to learn more!
Read on to see how dangerous exactly is using the old .ckpt Stable Diffusion model format, and how to check if you too are affected by this issue.
What Exactly Is This Python “Pickle” We’re Talking About?
If you aren’t a full-time programmer, you might not be familiar with neither the concept of serialization, nor one of the most popular implementations of data serialization in the Python programming language. Worry not, we’re about to explain all this in approximately 1 minute total!
To explain pickles, first we need to first explain what data serialization is all about.
Data serialization is a way of translating a given digital data structure from a format that would be hard to store or transport efficiently in a given environment, to a format that is more convenient for these purposes in said environment. In most cases we’re talking about translating a programming language specific object or data structure to a byte stream, and then going the other way around when the data needs to be put to use. The reverse process and the complement to serialization is called deserialization.
Pickle is a native Python module containing protocols necessary for carrying out the Python specific way of data serialization. When handling data with the pickle module, the serialization process is referred to as “pickling”, and deserialization is denoted as “unpickling”. Isn’t that wacky?
Why would you use pickles in Python? Python pickles have lots of different uses, one of the most simple ones being giving you the ability to quickly and efficiently move data structures between two different Python scripts running on the same system.
How are Python pickles used in Stable Diffusion? One of the Stable Diffusion model file formats – the .ckpt that we already told you about simply makes use of pickles as means of data serialization.
In the official Python documentation, near the pickle module description you will find the following information:
"It is possible to construct malicious pickle data which will execute arbitrary code during unpickling."
This little piece of info is one of the reasons why the .ckpt file format for Stable Diffusion model files has security flaws that have in a relatively short time made it nearly obsolete for storing trained checkpoint weights. More on that in a bit.
If you want to know more about the whole CS concept that the Python pickles are an implementation of, you can learn more about “serialization”, how it works, and when it’s actually needed.
Let’s take a closer look at that and explain the issue with .ckpt files in simple terms!
Stable Diffusion CKPT Models Safety Issues
As we’ve already mentioned, Python pickles have a major security flaw which is even mentioned in the official Python docs (as you can see on the image in the previous paragraph).
The vulnerability that’s being talked about recently quite a lot, is the ability to inject malicious code into the Python pickles. During the unpickling process, the malicious code would be executed, which depending on the payload used could pose various dangers to the end user.
This could for instance happen if a Stable Diffusion user would attempt to load an infected .ckpt model file in his locally hosted SD Automatic1111 WebUI.
How bad is it really? Well, there have been some recorded instances of Stable Diffusion model files in the .ckpt format containing malicious code, although for now no major incidents that have to do with this security flaw have been noted.
All things considered, this is certainly a well known vulnerability which can serve as an attack vector for malicious actors, and thus, according to both common sense and basics of practical cybersecurity, it’s better to seek safer alternatives to using .ckpt files if only it’s possible.
Let’s now take a look at how .ckpt files differ from the .safetensors file format, and what it means for you.
You can read more detailed explanation about dangers that have to do with Python pickles here.
The .safetensors Files In Stable Diffusion
The Safetensors format is a relatively new data serialization format that is being developed by HuggingFace. It has many advantages over the ckpt format, including:
- Faster loading times in various ML applications (on both CPU and GPU).
- Cross-platform compatibility (It’s not specifically designed for Python like Pickle).
- Safety (Does not make use of pickle serialization method which can allow for remote code execution).
The safetensors files by design are not able to execute arbitrary user-added code on model load.
.safetensors models also do load much faster than .ckpt models both on CPU and GPU, so converting your older .ckpt files to the .safetensors format actually makes perfect sense!
The model load speedup on GPU is a result of skipping unnecessary CPU allocations during loading time, and the CPU speed boost has to do with the zero-copy direct mapping approach of the safetensors library.
Here are some speed comparisons between .ckpt and .safetensors models. Check them out too see how much faster we’re talking about. It really is impressive!
How To Use .safetensors Model Files In Stable Diffusion WebUI?
You don’t have to do anything special to make use of .safetensors models in the Automatic1111 WebUI. You simply need to put your downloaded safetensors model into the stable–diffusion-webui/models/Stable–diffusion directory just like you would with a regular .ckpt model, and it will show up in the WebUI checkpoint list after restart.
Then, it will function just as every other SD model would, except that it should load much faster than a .ckpt saved checkpoint would. Consider converting your existing .ckpt models to .safetensors for the extra speed boost on load!
How To Convert .ckpt to .safetensors?
For this purpose you can use the Ckpt2Safetensors Conversion Tool-GUI.
Note that this tool can potentially load pickle files during conversion posing a potential risk to your system. Use it on trusted models only, or execute the tool outside of your local system in an isolated environment as a best practice.
Just load your selected .ckpt files, and click the appropriate Convert button. The program will do the rest for you!
Is It Safe To Use .ckpt Stable Diffusion Model Files?
How can you make sure that a .ckpt model is safe? Well, first thing you should do is to ensure that you’re downloading your models from a trusted source.
There are a few sites that already have very good reputation for sourcing various free and high quality Stable Diffusion models and fine-tunings. Two biggest and most popular of these are Civit.ai and Huggingface.co
Huggingface even have their own on-site security scanner for checking hub uploaded files for known risks and malicious code. It makes use of an automated ClamAV file scan, as well as a custom Pickle import scan.
Mind that even when downloading your desired models form trusted sites, you always should check for vulnerabilities in the .ckpt files before loading them in your instance of Stable Diffusion. How can you do this? Luckily there are some neat scripts for that.
For .ckpt vulnerability scanning, you can use one of the freely available open-source pickle file scanners like the Stable Diffusion Pickle Scanner by zxix, or the Python Pickle Malware Scanner by mmaitre314.
These kind of vulnerability scanners, while not 100% accurate, will be able to hint at possible problems with your downloaded .ckpt files. Use them to your advantage!
You can check this video by Aitrepreneur that will show you how to use these scanners to scan .ckpt files on your system.
Remote code execution on malicious model load is actually a commonly known problem, which in case of this research was shown using a specially crafted proof-of-concept malicious TensorFlow model causing a RCE on a target system on load. Check it out for more information!