You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: src/generic-methodologies-and-resources/python/keras-model-deserialization-rce-and-gadget-hunting.md
+55-2Lines changed: 55 additions & 2 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -207,6 +207,53 @@ Repeat tests across codebases and formats (.keras vs legacy HDF5) to uncover reg
207
207
- Consider running deserialization in a sandboxed, least-privileged environment without network egress and with restricted filesystem access.
208
208
- Enforce allowlists/signatures for model sources and integrity checking where possible.
209
209
210
+
## ML pickle import allowlisting for AI/ML models (Fickling)
211
+
212
+
Many AI/ML model formats (PyTorch .pt/.pth/.ckpt, joblib/scikit-learn, older TensorFlow artifacts, etc.) embed Python pickle data. Attackers routinely abuse pickle GLOBAL imports and object constructors to achieve RCE or model swapping during load. Blacklist-based scanners often miss novel or unlisted dangerous imports.
213
+
214
+
A practical fail-closed defense is to hook Python’s pickle deserializer and only allow a reviewed set of harmless ML-related imports during unpickling. Trail of Bits’ Fickling implements this policy and ships a curated ML import allowlist built from thousands of public Hugging Face pickles.
215
+
216
+
Security model for “safe” imports (intuitions distilled from research and practice): imported symbols used by a pickle must simultaneously:
217
+
- Not execute code or cause execution (no compiled/source code objects, shelling out, hooks, etc.)
218
+
- Not get/set arbitrary attributes or items
219
+
- Not import or obtain references to other Python objects from the pickle VM
220
+
- Not trigger any secondary deserializers (e.g., marshal, nested pickle), even indirectly
221
+
222
+
Enable Fickling’s protections as early as possible in process startup so that any pickle loads performed by frameworks (torch.load, joblib.load, etc.) are checked:
223
+
224
+
```python
225
+
import fickling
226
+
# Sets global hooks on the stdlib pickle module
227
+
fickling.hook.activate_safe_ml_environment()
228
+
```
229
+
230
+
Operational tips:
231
+
- You can temporarily disable/re-enable the hooks where needed:
232
+
233
+
```python
234
+
fickling.hook.deactivate_safe_ml_environment()
235
+
# ... load fully trusted files only ...
236
+
fickling.hook.activate_safe_ml_environment()
237
+
```
238
+
239
+
- If a known-good model is blocked, extend the allowlist for your environment after reviewing the symbols:
- Fickling also exposes generic runtime guards if you prefer more granular control:
249
+
- fickling.always_check_safety() to enforce checks for all pickle.load()
250
+
- with fickling.check_safety(): for scoped enforcement
251
+
- fickling.load(path) / fickling.is_likely_safe(path) for one-off checks
252
+
253
+
- Prefer non-pickle model formats when possible (e.g., SafeTensors). If you must accept pickle, run loaders under least privilege without network egress and enforce the allowlist.
254
+
255
+
This allowlist-first strategy demonstrably blocks common ML pickle exploit paths while keeping compatibility high. In ToB’s benchmark, Fickling flagged 100% of synthetic malicious files and allowed ~99% of clean files from top Hugging Face repos.
256
+
210
257
## References
211
258
212
259
-[Hunting Vulnerabilities in Keras Model Deserialization (huntr blog)](https://blog.huntr.com/hunting-vulnerabilities-in-keras-model-deserialization)
@@ -215,5 +262,11 @@ Repeat tests across codebases and formats (.keras vs legacy HDF5) to uncover reg
215
262
-[CVE-2025-1550 – Keras arbitrary module import (≤ 3.8)](https://nvd.nist.gov/vuln/detail/CVE-2025-1550)
0 commit comments