A static analyzer and interpreter for Python pickle data

Project description

Fickling

Fickling is a decompiler, static analyzer, and bytecode rewriter for Python pickle object serializations.

Pickled Python objects are in fact bytecode that is interpreted by a stack-based virtual machine built into Python called the "Pickle Machine". Fickling can take pickled data streams and decompile them into human-readable Python code that, when executed, will deserialize to the original serialized object.

The authors do not prescribe any meaning to the “F” in Fickling; it could stand for “fickle,” … or something else. Divining its meaning is a personal journey in discretion and is left as an exercise to the reader.

Learn more about it in our blog post and DEF CON 2021 talk.

Installation

Fickling has been tested on Python 3.6 through Python 3.9 and has very few dependencies. It can be installed through pip:

python -m pip install fickling

This installs both the library and the command line utility.

Usage

Fickling can be run programmatically:

>>> import ast
>>> import pickle
>>> from fickling.pickle import Pickled
>>> print(ast.dump(Pickled.load(pickle.dumps([1, 2, 3, 4])).ast, indent=4))
Module(
    body=[
        Assign(
            targets=[
                Name(id='result', ctx=Store())],
            value=List(
                elts=[
                    Constant(value=1),
                    Constant(value=2),
                    Constant(value=3),
                    Constant(value=4)],
                ctx=Load()))])

Fickling can also be run as a command line utility:

$ fickling pickled.data
result = [1, 2, 3, 4]

This is of course a simple example. However, Python pickle bytecode can run arbitrary Python commands (such as exec or os.system) so it is a security risk to unpickle untrusted data. You can test for common patterns of malicious pickle files with the --check-safety option:

$ fickling --check-safety pickled.data
Warning: Fickling failed to detect any overtly unsafe code, but the pickle file may still be unsafe.
Do not unpickle this file if it is from an untrusted source!
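As an added example (not fickling's own code, and written against the standard library only so it runs without fickling installed), the block below reproduces in miniature the two points made above: a static scan over the opcode stream, in the spirit of --check-safety, that lists every module attribute a pickle imports and every call opcode it would execute without running any of it; and the mitigation the pickle documentation recommends, an allowlisting Unpickler whose find_class refuses any global lookup not explicitly permitted. The sample pickles are constructed inline; the crafted one calls the harmless builtins.len so the import-then-REDUCE pattern can be inspected safely. The names scan_pickle, RestrictedUnpickler, restricted_loads and is_rejected are this example's own.

```python
import io
import pickle
import pickletools

# Opcodes with which a stream imports a module attribute (GLOBAL/INST in
# protocols 0-3, STACK_GLOBAL in protocol 4+) ...
IMPORT_OPS = {"GLOBAL", "INST", "STACK_GLOBAL"}
# ... and opcodes with which it then calls or builds what it imported.
CALL_OPS = {"REDUCE", "OBJ", "NEWOBJ", "NEWOBJ_EX", "BUILD"}
STRING_OPS = {"STRING", "BINSTRING", "SHORT_BINSTRING",
              "UNICODE", "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}


def scan_pickle(data: bytes) -> dict:
    """Statically list every module.name the stream imports and every call
    opcode it executes. pickletools.genops only decodes the opcode stream;
    nothing is imported or called."""
    imports, calls = [], []
    recent_strings = []  # STACK_GLOBAL pops the module and name pushed just before it
    for op, arg, pos in pickletools.genops(data):
        if op.name in STRING_OPS:
            recent_strings = (recent_strings + [str(arg)])[-2:]
        if op.name in ("GLOBAL", "INST"):
            module, name = arg.split(" ", 1)  # pickletools reports "module name"
            imports.append(f"{module}.{name}")
        elif op.name == "STACK_GLOBAL":
            if len(recent_strings) == 2:
                imports.append(".".join(recent_strings))
            else:
                imports.append("<STACK_GLOBAL with computed operands>")
        elif op.name in CALL_OPS:
            calls.append((op.name, pos))
    # Conservative verdict: any import at all deserves a human look. Benign
    # pickles of class instances also import (their class), so a clean result
    # means "nothing overtly unsafe found", not "safe", exactly as fickling warns.
    return {"imports": imports, "calls": calls, "suspicious": bool(imports)}


class RestrictedUnpickler(pickle.Unpickler):
    """Allowlisting unpickler. Every GLOBAL/STACK_GLOBAL/INST lookup goes
    through find_class, so the stream cannot call anything not on the list."""

    def __init__(self, stream, allowed=frozenset()):
        super().__init__(stream)
        self.allowed = allowed  # set of (module, name) pairs

    def find_class(self, module, name):
        if (module, name) in self.allowed:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global '{module}.{name}' is forbidden")


def restricted_loads(data: bytes, allowed=frozenset()):
    return RestrictedUnpickler(io.BytesIO(data), allowed).load()


def is_rejected(data: bytes, allowed=frozenset()) -> bool:
    """True when the allowlist stops the stream before it can call anything."""
    try:
        restricted_loads(data, allowed)
    except pickle.UnpicklingError:
        return True
    return False


class _CallsLen:
    """Constructed sample: its pickle tells the Pickle Machine to import
    builtins.len and call it on "abc", the same import-then-REDUCE shape a
    malicious stream uses to reach exec or os.system."""

    def __reduce__(self):
        return (len, ("abc",))


SAFE_PICKLE = pickle.dumps([1, 2, 3, 4], protocol=4)        # no imports, no calls
CRAFTED_PICKLE_P3 = pickle.dumps(_CallsLen(), protocol=3)  # GLOBAL + REDUCE
CRAFTED_PICKLE_P4 = pickle.dumps(_CallsLen(), protocol=4)  # STACK_GLOBAL + REDUCE

if __name__ == "__main__":
    for label, blob in [("safe", SAFE_PICKLE),
                        ("crafted p3", CRAFTED_PICKLE_P3),
                        ("crafted p4", CRAFTED_PICKLE_P4)]:
        print(label, scan_pickle(blob))
    print(restricted_loads(SAFE_PICKLE))                                 # [1, 2, 3, 4]
    print(is_rejected(CRAFTED_PICKLE_P4))                                # True
    print(restricted_loads(CRAFTED_PICKLE_P4, {("builtins", "len")}))    # 3
```

The scan is deliberately cruder than fickling's: it resolves STACK_GLOBAL only when the module and name were pushed as literal strings immediately before it, and it reports rather than judges. Protocol 3 is used for the GLOBAL variant because protocol 2 streams rewrite "builtins" to the Python 2 name "__builtin__", which the allowlist would then have to spell the same way.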

You can also safely trace the execution of the Pickle virtual machine without exercising any malicious code with the --trace option.

Finally, you can inject arbitrary Python code that will be run on unpickling into an existing pickle file with the --inject option.

License

This utility was developed by Trail of Bits. It is licensed under the GNU Lesser General Public License v3.0. Contact us if you're looking for an exception to the terms.

© 2021, Trail of Bits.

Download files

Source Distribution

fickling-0.0.6.tar.gz (20.9 kB)

Built Distribution

fickling-0.0.6-py3-none-any.whl (21.8 kB)

File details

Details for the file fickling-0.0.6.tar.gz.

File metadata

  • Download URL: fickling-0.0.6.tar.gz
  • Size: 20.9 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/4.0.1 CPython/3.11.3

File hashes

Hashes for fickling-0.0.6.tar.gz

  • SHA256: a4134aed7a01712c66a35933f2b7f00571daebc931cedf0bf5e7452ffd5b8f29
  • MD5: c5779c75d0ff9825d445842fe59d0bd7
  • BLAKE2b-256: da743f410fafe71e7c4b1113c368b507e26c7c4562e7e41af799b6193aa466d6

File details

Details for the file fickling-0.0.6-py3-none-any.whl.

File metadata

  • Download URL: fickling-0.0.6-py3-none-any.whl
  • Size: 21.8 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/4.0.1 CPython/3.11.3

File hashes

Hashes for fickling-0.0.6-py3-none-any.whl

  • SHA256: cb70d7947e8d6d86d7345bd033ed3d10a616a07fdcbee276f6b12937f344e64d
  • MD5: d436ce8ea8da8c07f8e6c5855e5ed75c
  • BLAKE2b-256: d373c824ea42d2f39aa008376791a6b07c8de934680cf1790be1d821e2118f39
