The checks here seem pretty minimal[1]. I'd recommend taking a look at fickling (FD: former employer) for a more general approach to pickle decompilation/analysis[2].

[1]: https://github.com/Lab700xOrg/aisbom/blob/main/aisbom/safety...

[2]: https://github.com/trailofbits/fickling

Thanks for the link! fickling is excellent work (and definitely the gold standard for deep analysis). The goal with AIsbom was to build something lightweight enough to run in a fast CI/CD loop that creates a standard inventory (CycloneDX SBOM) alongside the security check. We are definitely looking at fickling's symbolic execution approach for inspiration on how to make our safety.py module more robust against obfuscation.

I know this sounds weird: "symbolic execution" of the pickle VM cannot be slow, right? We are talking about just a few thousand instructions here, and you don't need "symbolic execution" per se, just write a custom interpreter and run it. That would take less than 10ms for any given PyTorch file (excluding disk loading).

Agree. Writing a pickle interpreter is not particularly challenging. I did that in Swift to help load PyTorch checkpoints, https://github.com/liuliu/swift-fickling, without these pitfalls.