Fickling’s new AI/ML pickle file scanner #1407
Open
🤖 Automated Content Update
This PR was automatically generated by the HackTricks News Bot based on a technical blog post.
📝 Source Information
🎯 Content Summary
What’s new: Trail of Bits updated Fickling to add an AI/ML-focused pickle scanner that blocks malicious model files at load time by enforcing a strict import allowlist. This targets the pervasive risk of Python pickle usage in ML frameworks and model hubs (e.g., Hugging Face).
Threat model and problem: Pickle-based model formats can lead to remote code execution (RCE) or model swapping during des...
🔧 Technical Details
Attack: abusing ML pickle imports for RCE/model swapping. Craft a pickle that uses a dangerous import so that, upon deserialization, the import executes code or fetches a remote attacker-controlled model. This technique evades deny-list scanners by selecting powerful imports not yet listed, enabling stealthy execution or model replacement at load time.
Defense: fail-closed import allowlisting at unpickle time. Hook the pickle module to a custom Unpickler that allows only a reviewed set of safe imports. On any non-allowlisted import, raise and abort deserialization. Place the hook at process start so every model load is checked, extend the allowlist only for vetted symbols, and prefer non-pickle formats when possible.
🤖 Agent Actions
I explored the repository, reviewed relevant existing pages, and updated the most appropriate one with the new technical content:
Files reviewed (5+):
Decision:
What I added:
Change implemented:
If you want me to also add a brief cross-reference mention in AI/AI-Models-RCE.md to this new allowlist section (or a short Fickling snippet there), I can add it, but I avoided duplication for now.
This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.
🗑️ File Cleanup
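The fail-closed allowlist described in the Technical Details above, as an added example that is not Fickling's code and not part of this PR: a custom Unpickler whose find_class refuses any module.name pair outside a reviewed set, a static pre-scan that lists the GLOBAL/STACK_GLOBAL imports a pickle would resolve without executing it, and a process-start hook that rebinds pickle.load, pickle.loads and pickle.Unpickler. The allowlist contents, the function names and the "echo pwned" payload are assumptions constructed for the example; the payload is never loaded with the unrestricted pickle.loads.

```python
"""Fail-closed import allowlist for pickle deserialization (added example)."""
import collections
import io
import os
import pickle
import pickletools

# Constructed allowlist of fully-qualified imports a model file may resolve.
# A real deployment reviews this per framework and extends it only for vetted symbols.
ALLOWED_IMPORTS = frozenset({
    "builtins.dict", "builtins.list", "builtins.set", "builtins.tuple",
    "builtins.bytes", "builtins.str", "builtins.int", "builtins.float",
    "collections.OrderedDict",
})


class AllowlistUnpickler(pickle.Unpickler):
    """Unpickler that resolves only allowlisted module.name pairs.

    find_class is the single choke point for GLOBAL/STACK_GLOBAL opcodes, so
    every import a pickle tries to perform passes through here.
    """

    def find_class(self, module, name):
        key = f"{module}.{name}"
        if key not in ALLOWED_IMPORTS:
            # Fail closed: abort the whole load rather than substituting a stub.
            raise pickle.UnpicklingError(f"blocked non-allowlisted import: {key}")
        return super().find_class(module, name)


def safe_loads(data, **kwargs):
    """Drop-in replacement for pickle.loads that enforces the allowlist."""
    return AllowlistUnpickler(io.BytesIO(data), **kwargs).load()


def safe_load(fileobj, **kwargs):
    """Drop-in replacement for pickle.load that enforces the allowlist."""
    return AllowlistUnpickler(fileobj, **kwargs).load()


def install_pickle_hook():
    """Rebind the pickle module's entry points so every load is checked.

    Call once at process start, before ML frameworks import their pickle
    helpers. Assumption: the framework loads through pickle.load, pickle.loads
    or pickle.Unpickler rather than a private copy of the C unpickler.
    """
    pickle.Unpickler = AllowlistUnpickler
    pickle.load = safe_load
    pickle.loads = safe_loads


def list_imports(data):
    """Statically list the module.name pairs a pickle would import, without running it.

    GLOBAL carries "module name" as one argument; STACK_GLOBAL consumes the two
    most recently pushed strings, which is what the standard picklers emit.
    """
    found = set()
    recent_strings = []
    for opcode, arg, _pos in pickletools.genops(data):
        if opcode.name == "GLOBAL":
            module, name = arg.split(" ", 1)
            found.add(f"{module}.{name}")
        elif opcode.name == "STACK_GLOBAL":
            found.add(f"{recent_strings[-2]}.{recent_strings[-1]}")
        elif isinstance(arg, str):
            recent_strings.append(arg)
    return found


def is_blocked(data):
    """True if the allowlisted loader refuses this pickle."""
    try:
        safe_loads(data)
    except pickle.UnpicklingError:
        return True
    return False


# Constructed benign "state dict": only allowlisted imports are needed to rebuild it.
BENIGN_STATE = collections.OrderedDict(
    [("layer0.weight", [0.1, 0.2]), ("layer0.bias", [0.0])]
)
BENIGN_PICKLE = pickle.dumps(BENIGN_STATE)


class _ReduceToShell:
    """Constructed attacker object: pickling it emits an import of os.system
    (serialized under its real module name, e.g. posix) that runs on load."""

    def __reduce__(self):
        return (os.system, ("echo pwned",))


MALICIOUS_PICKLE = pickle.dumps(_ReduceToShell())  # dumping does not execute anything

if __name__ == "__main__":
    print("benign imports:", list_imports(BENIGN_PICKLE), "blocked:", is_blocked(BENIGN_PICKLE))
    print("malicious imports:", list_imports(MALICIOUS_PICKLE), "blocked:", is_blocked(MALICIOUS_PICKLE))
```

The static listing is a triage aid only; the load-time hook is the enforcement point, because a scanner that matches names against a deny list is exactly what the attack above evades, whereas an allowlist rejects any import it has not seen before.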