We’re releasing a new open-source structure-aware fuzzer for Python pickle files, built to test the security of AI model–loading workflows. Unlike naïve fuzzers that break pickle format immediately, this one mutates opcode structures while preserving syntactic correctness — allowing it to explore real deserialization paths.

Why We Built It

Pickle remains widely used to distribute ML models (PyTorch, sklearn, etc.), and scanners are supposed to catch unsafe reducers before loading. We wanted to know: how effective are these scanners against adversarially modified pickle files?

What We Found

During fuzzing, we discovered multiple zero-day bypasses in tools like:

- ModelScan
- Fickling
- Other pickle-security scanners

All issues were responsibly disclosed and patched.

How the Fuzzer Works

It’s “structure-aware,” meaning it can:

- mutate opcodes without invalidating the pickle
- preserve stack state & memo indices
- generate nested / self-referential graphs
- create realistic malicious reducer chains

This allows it to surface detection gaps that signature-based or AST-reconstruction tools often miss.

Why It Matters

Model files are now part of the AI supply chain. A single malicious pickle can lead to RCE or environment compromise. Hardening scanners requires adversarial testing — not just validation that a file parses.

Links

Blog write-up: https://blogs.cisco.com/ai/hardening-pickle-file-scanners
Open-source repo: https://github.com/cisco-ai-defense/pickle-fuzzer

If you’re maintaining scanners, building ML pipelines, or researching model security, we hope this helps expose weaknesses before attackers do. Happy to answer technical questions.
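The post's point about stack state and memo indices cuts both ways: a scanner that wants to catch unsafe reducers has to model the same structure the fuzzer preserves. The example below is an added illustration written for this page; it is not code from pickle-fuzzer, ModelScan or Fickling. It walks a pickle stream with the standard library's `pickletools.genops` (never executing it), keeps a simplified abstract stack and memo, resolves every `GLOBAL` / `STACK_GLOBAL` reference, and reports which resolved callables actually reach a `REDUCE` / `NEWOBJ` / `NEWOBJ_EX` call site. The allowlist, the sample pickles and the hand-assembled memo-indirected stream are all constructed for the example; the indirected stream loads the harmless `collections.OrderedDict`, and exists only to show why the walker must read the memo instead of the bytes next to `STACK_GLOBAL`.

```python
import collections
import pickle
import pickletools

# Sentinels for the abstract stack: we model strings and resolved global
# references precisely and treat everything else as OPAQUE.
MARK = object()
OPAQUE = object()

_STRING_OPS = {"STRING", "BINSTRING", "SHORT_BINSTRING", "UNICODE",
               "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}
_CALL_OPS = {"REDUCE", "NEWOBJ", "NEWOBJ_EX"}


def _pop_operands(op, stack):
    """Pop what pickletools' own descriptor says this opcode consumes and return
    the operands bottom-to-top. A stackslice swallows everything above the MARK."""
    popped = []
    for item in reversed(op.stack_before):
        if item is pickletools.stackslice:
            items = []
            while stack and stack[-1] is not MARK:
                items.append(stack.pop())
            popped.append(items[::-1])
        else:
            popped.append(stack.pop() if stack else OPAQUE)
    return popped[::-1]


def resolve_callables(data):
    """Static walk of the opcode stream (nothing is executed). Tracks the stack
    and the memo with the unpickler's own indexing rules so that GLOBAL and
    STACK_GLOBAL resolve even when their strings arrive via BINGET.
    Returns (referenced, invoked): lists of ((module, name) or None, offset)."""
    stack, memo, referenced, invoked = [], {}, [], []
    for op, arg, pos in pickletools.genops(data):
        operands = _pop_operands(op, stack)
        name = op.name
        if name == "MARK":
            value = MARK
        elif name in _STRING_OPS:
            value = arg
        elif name == "GLOBAL":                 # module and name inline in the opcode
            value = tuple(arg.split(" ", 1))
        elif name == "STACK_GLOBAL":           # module and name taken from the stack
            module, attr = operands
            value = (module, attr) if isinstance(module, str) and isinstance(attr, str) else None
        elif name in ("BINGET", "LONG_BINGET", "GET"):
            value = memo.get(arg, OPAQUE)      # may be a string or a resolved global
        elif name in ("BINPUT", "LONG_BINPUT", "PUT"):
            if stack:
                memo[arg] = stack[-1]
            continue                           # no stack effect
        elif name == "MEMOIZE":                # index rule matches the real unpickler
            value = operands[0]
            memo[len(memo)] = value
        elif name == "DUP":
            value = operands[0]
        else:
            value = OPAQUE
        if name in ("GLOBAL", "STACK_GLOBAL"):
            referenced.append((value, pos))
        if name in _CALL_OPS:
            target = operands[0]
            invoked.append((target if isinstance(target, tuple) else None, pos))
        for _ in op.stack_after:
            stack.append(value)
    return referenced, invoked


def scan(data, allowed=frozenset()):
    """Fail-closed policy: flag every call whose target is off the allowlist and
    every reference the walk could not resolve. Returns [(offset, message)]."""
    referenced, invoked = resolve_callables(data)
    findings = []
    for ref, pos in referenced:
        if ref is None:
            findings.append((pos, "unresolved global reference"))
    for ref, pos in invoked:
        if ref is None:
            findings.append((pos, "call with unresolved target"))
        elif ref not in allowed:
            findings.append((pos, "call to %s.%s not in allowlist" % ref))
    return findings


# Constructed samples for this example.
BENIGN = pickle.dumps({"weights": [0.1, 0.2], "epoch": 3}, protocol=4)
REDUCE_SAMPLE = pickle.dumps(collections.OrderedDict(a=1), protocol=4)


def memo_indirected_sample():
    """Hand-assembled (constructed) stream that also loads collections.OrderedDict,
    but pulls the module and attribute strings back out of the memo with BINGET,
    so only a walker that tracks the memo can name the callable."""
    def s(text):
        raw = text.encode()
        return pickle.SHORT_BINUNICODE + bytes([len(raw)]) + raw
    return (pickle.PROTO + b"\x04"
            + s("collections") + pickle.MEMOIZE + s("OrderedDict") + pickle.MEMOIZE
            + pickle.POP + pickle.POP
            + pickle.BINGET + b"\x00" + pickle.BINGET + b"\x01"
            + pickle.STACK_GLOBAL + pickle.EMPTY_TUPLE + pickle.REDUCE + pickle.STOP)


if __name__ == "__main__":
    policy = {("collections", "OrderedDict")}
    for label, blob in [("benign dict", BENIGN), ("OrderedDict via REDUCE", REDUCE_SAMPLE),
                        ("memo-indirected", memo_indirected_sample())]:
        print(label, "->", scan(blob), "| with allowlist:", scan(blob, policy))
```

The walker leans on `pickletools`' per-opcode `stack_before` / `stack_after` descriptors for stack shape, so it stays correct across the whole opcode set without modelling each one; only the opcodes that carry names or memo traffic get special handling. It is deliberately fail-closed: an unresolved reference is itself a finding, which is the behaviour a scanner needs when a fuzzer feeds it shapes its author never anticipated.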