AI Supply Chain Attack: How Malicious Pickle Files Backdoor Models (opens in new tab)

(jchandra.com)

4 pointsjchandra1y ago7 comments

7 comments

westurner1y ago

From "Insecurity and Python Pickles" (2024) https://news.ycombinator.com/item?id=39685128 :

> There should be a data-only pickle serialization protocol (that won't serialize or deserialize code).

> How much work would it be to create a pickle protocol that does not exec or eval code?

"Title: Pickle protocol version 6: skipcode pickles" https://discuss.python.org/t/create-a-new-pickle-protocol-ve...

zahlman1y ago

I have to agree with Chris Angelico there:

> Then the obvious question is: Why? Why use pickle? The most likely answer is “because <X> can’t represent what I need to transmit”, but for that to be at all useful to your proposal, you need to show examples that won’t work in well-known safe serializers.

westurner1y ago

Code in packages should be signed.

Code in pickles should also be signed.

I have no need for the pickle module now, but years ago thought there might have been safer way to read data that was already in pickles.

For backwards compatibility, skipcode=False must be the default,

were someone to implement a pickle str parser that doesn't eval code.

JS/ES/TS Map doesn't map to JSON.

jchandraOP1y ago

Pickle still is good for custom objects (JSON loses methods and also order), Graphs & circular refs (JSON breaks), Functions & lambdas (Essential for ML & distributed systems) and is provided out of box.

1 more reply

vivahir2151y ago

You could use https://github.com/trailofbits/fickling for analysis.

j / k navigate · click thread line to collapse

7 comments

westurner1y ago

From "Insecurity and Python Pickles" (2024) https://news.ycombinator.com/item?id=39685128 :

> There should be a data-only pickle serialization protocol (that won't serialize or deserialize code).

> How much work would it be to create a pickle protocol that does not exec or eval code?

"Title: Pickle protocol version 6: skipcode pickles" https://discuss.python.org/t/create-a-new-pickle-protocol-ve...

zahlman1y ago

I have to agree with Chris Angelico there:

westurner1y ago

Code in packages should be signed.

Code in pickles should also be signed.

I have no need for the pickle module now, but years ago thought there might have been safer way to read data that was already in pickles.

For backwards compatibility, skipcode=False must be the default,

were someone to implement a pickle str parser that doesn't eval code.

JS/ES/TS Map doesn't map to JSON.

jchandraOP1y ago

1 more reply

vivahir2151y ago

You could use https://github.com/trailofbits/fickling for analysis.

j / k navigate · click thread line to collapse