
Conversation

carlospolop
Collaborator

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

🎯 Content Summary

What’s new: Trail of Bits updated Fickling to add an AI/ML-focused pickle scanner that blocks malicious model files at load time by enforcing a strict import allowlist. This targets the pervasive risk of Python pickle usage in ML frameworks and model hubs (e.g., Hugging Face).

Threat model and problem: Pickle-based model formats can lead to remote code execution (RCE) or model swapping during des...

🔧 Technical Details

Attack: abusing ML pickle imports for RCE/model swapping. Craft a pickle that uses a dangerous import so that, upon deserialization, the import executes code or fetches a remote attacker-controlled model. This technique evades deny-list scanners by selecting powerful imports not yet listed, enabling stealthy execution or model replacement at load time.

Defense: fail-closed import allowlisting at unpickle time. Hook the pickle module to a custom Unpickler that allows only a reviewed set of safe imports. On any non-allowlisted import, raise and abort deserialization. Place the hook at process start so every model load is checked, extend the allowlist only for vetted symbols, and prefer non-pickle formats when possible.

🤖 Agent Actions

I explored the repository, reviewed relevant existing pages, and updated the most appropriate one with the new technical content:

Files reviewed (5+):

  • src/generic-methodologies-and-resources/python/keras-model-deserialization-rce-and-gadget-hunting.md
  • src/generic-methodologies-and-resources/python/README.md
  • src/pentesting-web/deserialization/README.md
  • src/generic-methodologies-and-resources/python/bypass-python-sandboxes/README.md
  • src/AI/AI-Models-RCE.md

Decision:

  • The best place to integrate an AI/ML pickle import allowlisting defense (Fickling) is the Keras Model Deserialization RCE and Gadget Hunting page, as it already covers model deserialization risks and mitigations. I added a dedicated subsection describing fail-closed import allowlisting for ML pickles with clear operational guidance and code snippets, tying back to the ML supply-chain threat and complementary to the existing Keras-specific sections.

What I added:

  • A new section “ML pickle import allowlisting for AI/ML models (Fickling)” that:
    • Explains the allowlist-based approach vs. blacklist scanners for ML pickles.
    • Summarizes constraints that “safe” imports must satisfy to avoid pickle exploitation paths.
    • Provides concrete integration code:
      • Activate global hooking: fickling.hook.activate_safe_ml_environment()
      • Deactivate/reactivate hooks
      • Customizing the allowlist via also_allow=[...]
      • Mention of additional runtime guard options (always_check_safety, context manager, load/is_likely_safe).
    • Operational guidance to place hooks at process start and to prefer non-pickle formats (SafeTensors).
    • Notes on the benchmark impact (100% malicious caught, ~99% clean allowed).
  • Updated the References section with:
    • The Trail of Bits blog post URL
    • Fickling README (Securing AI/ML environments)
    • Fickling benchmark
    • Related scanners (Picklescan/ModelScan/model-unpickler)
    • Background on Sleepy Pickle attacks
    • SafeTensors project

Change implemented:

  • Modified file: src/generic-methodologies-and-resources/python/keras-model-deserialization-rce-and-gadget-hunting.md

If you want me to also add a brief cross-reference mention in AI/AI-Models-RCE.md to this new allowlist section (or a short Fickling snippet there), I can add it, but I avoided duplication for now.


This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.

🗑️ File Cleanup

  • searchindex.js removed: This auto-generated file has been removed to prevent conflicts.

- Remove searchindex.js (auto-generated file)
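The fail-closed loader described under Technical Details, as an added example: this is neither Fickling's code nor part of the PR's diff, but a plain-stdlib sketch of the same idea. It assumes a constructed allowlist (`ALLOWED_IMPORTS`), constructed sample checkpoints, and hypothetical helper names (`AllowlistUnpickler`, `install_hook`, `referenced_imports`); it hooks `pickle.load`/`pickle.loads` at process start, refuses any import not on the list, and adds an advisory static walk over the opcodes to list what a file would import before it is ever loaded.

```python
"""Fail-closed import allowlisting for pickle-based model files.

Added example (not Fickling's code, not part of this PR): a stdlib-only
Unpickler whose find_class refuses any (module, name) pair outside a
reviewed allowlist, a process-wide hook that routes pickle.load/loads
through it, and a static opcode walk that lists referenced imports.
"""
import io
import pickle
import pickletools
import datetime
import fractions

# Constructed allowlist of (module, qualname) pairs the loader may resolve.
# Everything else is refused, so an unknown import aborts the load.
ALLOWED_IMPORTS = frozenset({
    ("collections", "OrderedDict"),
    ("datetime", "date"),
})


class ImportNotAllowed(pickle.UnpicklingError):
    """Raised when a pickle references an import outside the allowlist."""


class AllowlistUnpickler(pickle.Unpickler):
    """find_class is the single choke point through which the GLOBAL and
    STACK_GLOBAL opcodes resolve importables, so vetting it here covers every
    path a pickle can take to reach a callable."""

    def __init__(self, file, allowed=ALLOWED_IMPORTS, **kwargs):
        super().__init__(file, **kwargs)
        self.allowed = allowed

    def find_class(self, module, name):
        if (module, name) not in self.allowed:
            raise ImportNotAllowed(f"refused import {module}.{name}")
        return super().find_class(module, name)


def safe_loads(data, allowed=ALLOWED_IMPORTS):
    return AllowlistUnpickler(io.BytesIO(data), allowed=allowed).load()


def load_or_refuse(data, allowed=ALLOWED_IMPORTS):
    """Return ("loaded", obj) or ("refused", reason) rather than raising."""
    try:
        return "loaded", safe_loads(data, allowed)
    except ImportNotAllowed as exc:
        return "refused", str(exc)


# Process-wide hook: route pickle.load / pickle.loads through the allowlist.
_ORIGINAL = {"load": pickle.load, "loads": pickle.loads}


def install_hook(allowed=ALLOWED_IMPORTS):
    """Call once at process start so every pickle.load(s) is checked."""
    pickle.load = lambda f, **kw: AllowlistUnpickler(f, allowed=allowed, **kw).load()
    pickle.loads = lambda d, **kw: AllowlistUnpickler(io.BytesIO(d), allowed=allowed, **kw).load()


def uninstall_hook():
    pickle.load, pickle.loads = _ORIGINAL["load"], _ORIGINAL["loads"]


def load_with_hook(data):
    """Install the hook, load through the module-level pickle.loads, restore it."""
    install_hook()
    try:
        return "loaded", pickle.loads(data)
    except ImportNotAllowed as exc:
        return "refused", str(exc)
    finally:
        uninstall_hook()


def referenced_imports(data):
    """Advisory static listing of the (module, name) pairs a pickle imports.
    Walks opcodes without executing them; handles GLOBAL (protocols 0-3) and
    STACK_GLOBAL (protocol 4+) as emitted by pickle.dumps. The runtime hook
    above, not this scan, is the actual guard."""
    found, strings = [], []
    for op, arg, _pos in pickletools.genops(data):
        if op.name == "GLOBAL":
            found.append(tuple(arg.split(" ", 1)))
        elif op.name == "STACK_GLOBAL":
            found.append((strings[-2], strings[-1]))
        elif op.name in ("SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE"):
            strings.append(arg)
    return found


# Constructed sample "checkpoints": one using only allowlisted imports, one
# referencing fractions.Fraction, which the allowlist has not vetted.
BENIGN_CHECKPOINT = pickle.dumps(
    {"weights": [0.1, 0.2, 0.3], "created": datetime.date(2024, 1, 1)}, protocol=4)
UNVETTED_CHECKPOINT = pickle.dumps(
    {"weights": [0.1], "scale": fractions.Fraction(1, 3)}, protocol=4)


if __name__ == "__main__":
    print(referenced_imports(BENIGN_CHECKPOINT), load_or_refuse(BENIGN_CHECKPOINT)[0])
    print(referenced_imports(UNVETTED_CHECKPOINT), load_with_hook(UNVETTED_CHECKPOINT))
    # Extending the allowlist for a vetted symbol is the only way the second file loads.
    print(load_or_refuse(UNVETTED_CHECKPOINT, ALLOWED_IMPORTS | {("fractions", "Fraction")})[0])
```

The design point is that the check lives in `find_class`, which every import-resolving opcode must pass through, so the loader does not depend on recognising a particular dangerous symbol; the static `referenced_imports` walk is useful for auditing a model hub's files but should be treated as advisory, since only the runtime hook fails closed.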
@carlospolop
Collaborator Author

🔗 Additional Context

Original Blog Post: https://blog.trailofbits.com/2025/09/16/ficklings-new-ai/ml-pickle-file-scanner/

Content Categories: Based on the analysis, this content was categorized under "Generic Methodologies & Resources -> Python -> Keras Model Deserialization Rce And Gadget Hunting (add subsection on ML pickle import allowlisting and Fickling integration)".

Repository Maintenance:

  • MD Files Formatting: 876 files processed

Review Notes:

  • This content was automatically processed and may require human review for accuracy
  • Check that the placement within the repository structure is appropriate
  • Verify that all technical details are correct and up-to-date
  • All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0
