Skip to main content

A static analyzer and interpreter for Python pickle data

Project description

Fickling

Fickling image

Fickling is a decompiler, static analyzer, and bytecode rewriter for Python pickle object serializations. You can use fickling to detect, analyze, reverse engineer, or even create malicious pickle or pickle-based files, including PyTorch files.

Fickling can be used both as a python library and a CLI.

Installation

Fickling has been tested on Python 3.8 through Python 3.11 and has very few dependencies. Both the library and command line utility can be installed through pip:

python -m pip install fickling

PyTorch is an optional dependency of Fickling. Therefore, in order to use Fickling's pytorch and polyglot modules, you should run:

python -m pip install fickling[torch]

Malicious file detection

Fickling can seamlessly be integrated into your codebase to detect and halt the loading of malicious files at runtime.

Below we show the different ways you can use fickling to enforce safety checks on pickle files. Under the hood, it hooks the pickle library to add safety checks so that loading a pickle file raises an UnsafeFileError exception if malicious content is detected in the file.

Option 1 (recommended): check safety of all pickle files loaded

# This enforces safety checks every time pickle.load() is used
fickling.always_check_safety()

# Attempt to load an unsafe file now raises an exception  
with open("file.pkl", "rb") as f:
    try:
        pickle.load(f)
    except fickling.UnsafeFileError:
        print("Unsafe file!")

Option 2: use a context manager

with fickling.check_safety():
    # All pickle files loaded within the context manager are checked for safety
    try:
        with open("file.pkl", "rb") as f:
            pickle.load("file.pkl")
    except fickling.UnsafeFileError:
        print("Unsafe file!")

# Files loaded outside of context manager are NOT checked
pickle.load("file.pkl")

Option 3: check and load a single file

# Use fickling.load() in place of pickle.load() to check safety and load a single pickle file 
try:
    fickling.load("file.pkl")
except fickling.UnsafeFileError as e:
    print("Unsafe file!")

Option 4: only check pickle file safety without loading

# Perform a safety check on a pickle file without loading it
if not fickling.is_likely_safe("file.pkl"):
    print("Unsafe file!")

Accessing the safety analysis results

You can access the details of fickling's safety analysis from within the raised exception:

>>> try:
...     fickling.load("unsafe.pkl")
... except fickling.UnsafeFileError as e:
...     print(e.info)

{
    "severity": "OVERTLY_MALICIOUS",
    "analysis": "Call to `eval(b'[5, 6, 7, 8]')` is almost certainly evidence of a malicious pickle file. Variable `_var0` is assigned value `eval(b'[5, 6, 7, 8]')` but unused afterward; this is suspicious and indicative of a malicious pickle file",
    "detailed_results": {
        "AnalysisResult": {
            "OvertlyBadEval": "eval(b'[5, 6, 7, 8]')",
            "UnusedVariables": [
                "_var0",
                "eval(b'[5, 6, 7, 8]')"
            ]
        }
    }
}

If you are using another language than Python, you can still use fickling's CLI to safety-check pickle files:

fickling --check-safety -p pickled.data

Advanced usage

Trace pickle execution

Fickling's CLI allows to safely trace the execution of the Pickle virtual machine without exercising any malicious code:

fickling --trace file.pkl

Pickle code injection

Fickling allows to inject arbitrary code in a pickle file that will run every time the file is loaded

fickling --inject "print('Malicious')" file.pkl

Pickle decompilation

Fickling can be used to decompile a pickle file for further analysis

>>> import ast, pickle
>>> from fickling.fickle import Pickled
>>> fickled_object = Pickled.load(pickle.dumps([1, 2, 3, 4]))
>>> print(ast.dump(fickled_object.ast, indent=4))
Module(
    body=[
        Assign(
            targets=[
                Name(id='result', ctx=Store())],
            value=List(
                elts=[
                    Constant(value=1),
                    Constant(value=2),
                    Constant(value=3),
                    Constant(value=4)],
                ctx=Load()))],
    type_ignores=[])

PyTorch polyglots

PyTorch contains multiple file formats with which one can make polyglot files, which are files that can be validly interpreted as more than one file format. Fickling supports identifying, inspecting, and creating polyglots with the following PyTorch file formats:

  • PyTorch v0.1.1: Tar file with sys_info, pickle, storages, and tensors
  • PyTorch v0.1.10: Stacked pickle files
  • TorchScript v1.0: ZIP file with model.json
  • TorchScript v1.1: ZIP file with model.json and attributes.pkl
  • TorchScript v1.3: ZIP file with data.pkl and constants.pkl
  • TorchScript v1.4: ZIP file with data.pkl, constants.pkl, and version set at 2 or higher (2 pickle files and a folder)
  • PyTorch v1.3: ZIP file containing data.pkl (1 pickle file)
  • PyTorch model archive format[ZIP]: ZIP file that includes Python code files and pickle files
>> import torch
>> import torchvision.models as models
>> from fickling.pytorch import PyTorchModelWrapper
>> model = models.mobilenet_v2()
>> torch.save(model, "mobilenet.pth")
>> fickled_model = PyTorchModelWrapper("mobilenet.pth")
>> print(fickled_model.formats)
Your file is most likely of this format:  PyTorch v1.3 
['PyTorch v1.3']

Check out our examples to learn more about using fickling!

More information

Pickled Python objects are in fact bytecode that is interpreted by a stack-based virtual machine built into Python called the "Pickle Machine". Fickling can take pickled data streams and decompile them into human-readable Python code that, when executed, will deserialize to the original serialized object. This is made possible by Fickling’s custom implementation of the PM. Fickling is safe to run on potentially malicious files because its PM symbolically executes code rather than overtly executing it.

The authors do not prescribe any meaning to the “F” in Fickling; it could stand for “fickle,” … or something else. Divining its meaning is a personal journey in discretion and is left as an exercise to the reader.

Learn more about fickling in our blog post and DEF CON AI Village 2021 talk.

Contact

If you'd like to file a bug report or feature request, please use our issues page. Feel free to contact us or reach out in Empire Hacking for help using or extending fickling.

License

This utility was developed by Trail of Bits. It is licensed under the GNU Lesser General Public License v3.0. Contact us if you're looking for an exception to the terms.

© 2021, Trail of Bits.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

fickling-0.1.3.tar.gz (32.8 kB view details)

Uploaded Source

Built Distribution

fickling-0.1.3-py3-none-any.whl (34.5 kB view details)

Uploaded Python 3

File details

Details for the file fickling-0.1.3.tar.gz.

File metadata

  • Download URL: fickling-0.1.3.tar.gz
  • Upload date:
  • Size: 32.8 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/5.0.0 CPython/3.12.2

File hashes

Hashes for fickling-0.1.3.tar.gz
Algorithm Hash digest
SHA256 606b3153ad4b2c0338930d08a739f7f10a560f996e0bd3a4b46544417254b0d0
MD5 c2cc8f475d10e6b1ad4e063afe585e17
BLAKE2b-256 7081c12ae44e1e53b4673f713025da48df4fa91aff9630b2019d418b39638876

See more details on using hashes here.

File details

Details for the file fickling-0.1.3-py3-none-any.whl.

File metadata

  • Download URL: fickling-0.1.3-py3-none-any.whl
  • Upload date:
  • Size: 34.5 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/5.0.0 CPython/3.12.2

File hashes

Hashes for fickling-0.1.3-py3-none-any.whl
Algorithm Hash digest
SHA256 c7ad5885cd97f8c693cf7824fdbcf9d103dbacbce36546e5a031805a7261bb74
MD5 9c7826ac1c26083a855b3ed216d5196d
BLAKE2b-256 fda3cbd89b49fb571b8c054fbf9e9085955368fcb1c178fbb12166ffc7f53a54

See more details on using hashes here.

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page