We’re releasing a new open-source structure-aware fuzzer for Python pickle files, built to test the security of AI model–loading workflows. Unlike naïve fuzzers that break pickle format immediately, this one mutates opcode structures while preserving syntactic correctness — allowing it to explore real deserialization paths.
Why We Built It
Pickle remains widely used to distribute ML models (PyTorch, sklearn, etc.), and scanners are supposed to catch unsafe reducers before loading. We wanted to know: how effective are these scanners against adversarially modified pickle files?
What We Found
During fuzzing, we discovered multiple zero-day bypasses in tools like:
ModelScan
Fickling
Other pickle-security scanners
All issues were responsibly disclosed and patched.
How the Fuzzer Works
It’s “structure-aware,” meaning it can:
mutate opcodes without invalidating the pickle
preserve stack state & memo indices
generate nested / self-referential graphs
create realistic malicious reducer chains
This allows it to surface detection gaps that signature-based or AST-reconstruction tools often miss.
Why It Matters
Model files are now part of the AI supply chain. A single malicious pickle can lead to RCE or environment compromise. Hardening scanners requires adversarial testing — not just validation that a file parses.
1 comment
[ 7.2 ms ] story [ 171 ms ] threadWhy We Built It
Pickle remains widely used to distribute ML models (PyTorch, sklearn, etc.), and scanners are supposed to catch unsafe reducers before loading. We wanted to know: how effective are these scanners against adversarially modified pickle files?
What We Found
During fuzzing, we discovered multiple zero-day bypasses in tools like:
ModelScan
Fickling
Other pickle-security scanners
All issues were responsibly disclosed and patched.
How the Fuzzer Works
It’s “structure-aware,” meaning it can:
mutate opcodes without invalidating the pickle
preserve stack state & memo indices
generate nested / self-referential graphs
create realistic malicious reducer chains
This allows it to surface detection gaps that signature-based or AST-reconstruction tools often miss.
Why It Matters
Model files are now part of the AI supply chain. A single malicious pickle can lead to RCE or environment compromise. Hardening scanners requires adversarial testing — not just validation that a file parses.
Links
Blog write-up: https://blogs.cisco.com/ai/hardening-pickle-file-scanners
Open-source repo: https://github.com/cisco-ai-defense/pickle-fuzzer
If you’re maintaining scanners, building ML pipelines, or researching model security, we hope this helps expose weaknesses before attackers do.
Happy to answer technical questions.