Your PyTorch Model File Can Execute Arbitrary Code — Here's How I Built a Scanner to Detect It
A recent article highlights the security risks associated with loading PyTorch model files, which can execute arbitrary code due to the pickle serialization format. The author developed a scanner to detect malicious pickles that could lead to remote code execution. Recommendations for safer practices include using cryptographic signing and SafeTensors to mitigate these risks.
- PyTorch model files can execute arbitrary Python code when loaded, posing significant security risks.
- The author created a tool called Model-Supply-Chain-Auditor to detect dangerous patterns in pickle bytecode.
- Proactive defenses include cryptographic signing of model files to ensure their integrity before loading.
Opening excerpt (first ~120 words)

Pooja Kiran, posted on May 19

Your PyTorch Model File Can Execute Arbitrary Code — Here's How I Built a Scanner to Detect It
#python #security #machinelearning #pytorch

Every time you run torch.load("model.pt"), you're executing arbitrary Python code. Not "could theoretically execute" — actually executing. The pickle format that PyTorch uses for serialization has a built-in code execution mechanism, and it's trivial to exploit. I built a tool to detect this. Here's what I learned.
…
Excerpt limited to ~120 words for fair-use compliance. The full article is at DEV.to (Top).
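As an added example (not the article's Model-Supply-Chain-Auditor), the following is a minimal allowlist scanner in the spirit the summary describes: it disassembles pickle bytecode with pickletools without ever unpickling it and reports every global the stream would import that a plain state_dict does not need. The allowlist entries, the sample inputs and the zip layout mirroring a torch.save file are assumptions constructed here.

```python
import io
import pickle
import pickletools
import zipfile
from collections import OrderedDict
from fractions import Fraction
ALLOWED_GLOBALS = {  # constructed minimal allowlist: what a plain PyTorch state_dict references
    ("collections", "OrderedDict"), ("torch._utils", "_rebuild_tensor_v2"),
    ("torch", "FloatStorage"), ("torch", "LongStorage"), ("torch", "HalfStorage"),
}
STRING_OPS = {"STRING", "BINSTRING", "SHORT_BINSTRING", "UNICODE", "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}
GET_OPS, PUT_OPS = {"GET", "BINGET", "LONG_BINGET"}, {"PUT", "BINPUT", "LONG_BINPUT"}

def scan_pickle(data: bytes) -> list[str]:
    """Disassemble with pickletools (never unpickle); report globals outside the allowlist."""
    findings, memo, strings, last_push, n_memo = [], {}, [], None, 0
    for op, arg, pos in pickletools.genops(data):
        if op.name == "MEMOIZE":            # protocol 4: memo index is the MEMOIZE count so far
            memo[n_memo], n_memo = last_push, n_memo + 1
            continue
        if op.name in PUT_OPS:              # older protocols carry an explicit memo index
            memo[arg] = last_push
            continue
        # Track string pushes (direct or fetched from the memo): STACK_GLOBAL takes module and name from them.
        last_push = arg if op.name in STRING_OPS else memo.get(arg) if op.name in GET_OPS else None
        if isinstance(last_push, str):
            strings.append(last_push)
        ref = None
        if op.name == "GLOBAL":             # pickletools renders the argument as "module name"
            ref = tuple(arg.split(" ", 1))
        elif op.name == "STACK_GLOBAL":     # the two most recently pushed strings; "?" if unresolved
            ref = ("?", "?", *strings)[-2:]
        if ref and ref not in ALLOWED_GLOBALS:
            findings.append(f"offset {pos}: {op.name} {ref[0]}.{ref[1]} not in allowlist")
    return findings

def scan_blob(blob: bytes) -> list[str]:  # raw pickle, or every .pkl member of a torch.save-style zip
    if not zipfile.is_zipfile(io.BytesIO(blob)):
        return scan_pickle(blob)
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return [f"{n}: {f}" for n in zf.namelist() if n.endswith(".pkl") for f in scan_pickle(zf.read(n))]

def demo() -> dict[str, list[str]]:
    # Constructed inputs: a state_dict-like OrderedDict, and a pickle that rebuilds a
    # fractions.Fraction (harmless here, but no model file legitimately needs that global).
    benign = pickle.dumps(OrderedDict([("layer.weight", [0.1, 0.2])]), protocol=4)
    raw = pickle.dumps(Fraction(1, 3), protocol=2)
    buf = io.BytesIO()                      # the same payload laid out the way torch.save writes a file
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("model/data.pkl", pickle.dumps(Fraction(1, 3), protocol=4))
    return {"benign": scan_blob(benign), "raw": scan_blob(raw), "zip": scan_blob(buf.getvalue())}
```

Run `demo()` to see the three verdicts; a real deployment would extend the allowlist to the exact set of rebuild functions and storage classes the files in use require and reject anything else before `torch.load` is ever called.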