How Pickle Files Backdoor AI Models

jchandra.com

6 points by jchandra 9 months ago · 7 comments

compressedgas 9 months ago

Pickle can be made safe. Just limit what the unpickler can call to a fixed list based on what is expected and permitted for the pickle to use.

vivahir215 9 months ago

Nice read!

You could also use joblib format as well.

  • jchandraOP 9 months ago

    joblib is not fully secure because it still relies on Pickle internally. The reason it is slightly better in pickle is due to the fact that pickle file gets immediately executed when it gets imported whereas joblib doesn’t execute code just by being imported.

    • vivahir215 9 months ago

      ah okay. Didn't know this. I generally use pytorch save models for my workflow.

      • jchandraOP 9 months ago

        pytorch save/load are still pickle based models. It's fine for trusted sources but when you start using from untrusted sources then there is always a risk of ACE. If you want to execute it, would suggest trying it in a sandbox env like docker, VM or online notebook envs or other option is to inspect the model file.

        As Open source AI booms, the risk of supply chain attacks also increases.
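
Putting the two mitigations mentioned in this thread into code, compressedgas's allowlisted unpickler and jchandra's suggestion to inspect a model file before loading it, as an added example that is not from the thread or any of the projects named in it: the contents of `ALLOWED_GLOBALS`, the `_ReduceTrap` class and the two sample pickles are constructed for the demo.

```python
import importlib
import io
import pickle
import pickletools
import platform

# Allowlist of (module, name) pairs the loader may resolve; everything else is
# refused inside find_class, before any object is constructed. (Assumed set.)
ALLOWED_GLOBALS = {("collections", "OrderedDict")}


class RestrictedUnpickler(pickle.Unpickler):
    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return getattr(importlib.import_module(module), name)
        raise pickle.UnpicklingError(f"global {module}.{name} is not on the allowlist")


def try_restricted_load(data: bytes):
    """Return (True, obj) on success, or (False, reason) if a global was refused."""
    try:
        return True, RestrictedUnpickler(io.BytesIO(data)).load()
    except pickle.UnpicklingError as exc:
        return False, str(exc)


def referenced_globals(data: bytes):
    """List the module.name globals a pickle references without executing it.
    Heuristic: for STACK_GLOBAL it takes the two most recent string literals,
    which is what the standard pickler emits; memoised (BINGET) names are missed."""
    found, strings = [], []
    for op, arg, _pos in pickletools.genops(data):
        if op.name == "GLOBAL":                      # protocol <= 3: "module name"
            found.append(arg.replace(" ", ".", 1))
        elif op.name == "STACK_GLOBAL":              # protocol 4+: module, name on stack
            found.append(f"{strings[-2]}.{strings[-1]}")
        elif op.name in ("SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE"):
            strings.append(arg)
    return found


class _ReduceTrap:
    """Constructed stand-in for a booby-trapped model: __reduce__ makes the loader
    call whatever callable it names (a harmless one here) the moment it is unpickled."""
    def __reduce__(self):
        return (platform.python_version, ())


# Constructed sample "model files": plain data, and one carrying a __reduce__ callable.
BENIGN_MODEL = pickle.dumps({"weights": [0.1, -0.3], "bias": 0.5}, protocol=4)
TRAPPED_MODEL = pickle.dumps(_ReduceTrap(), protocol=4)
```

Running `referenced_globals` over a file first shows which callables a plain `pickle.load` would invoke, and the restricted loader refuses the trapped sample before that call happens.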
