Scan for Pickle INST opcode #51

mehrinkiani · 2023-10-25T16:01:33Z

Describe the bug
The INST opcode is similar to GLOBAL opcode. Picklescan has recently updated their code to handle INST opcode.
Here is some sample code for injecting malicious code in a pickle file with INST opcode. At the moment, modelscan does not detect INST opcode.

To Reproduce
Steps to reproduce the behavior:

Create a malicious pickle file that has INST opcode:

def initialize_data_file(path: str, data) -> None:    
    with open(path, "wb") as file:
        file.write(data)

initialize_data_file(
        f"malicious-file.pkl",
        b"(S'print(\"Injection running\")'\ni__builtin__\nexec\n.",
    )

Expected behavior
Would be nice to be able to detect INST opcode

Screenshots

Environment (please complete the following information):

OS: macOS 14.0
Modelscan Version : 0.0.0
ML Framework version [e.g. Tensorflow v2.13.0] : Not applicable
Describe the model serialization format that triggered this error: pickle

The text was updated successfully, but these errors were encountered:

mehrinkiani added the bug Something isn't working label Oct 25, 2023

mehrinkiani mentioned this issue Oct 25, 2023

Added scan for INST opcode #52

Merged

seanpmorgan added enhancement New feature or request and removed bug Something isn't working labels Oct 25, 2023

seanpmorgan closed this as completed in #52 Oct 25, 2023

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Scan for Pickle INST opcode #51

Scan for Pickle INST opcode #51

mehrinkiani commented Oct 25, 2023

Scan for Pickle INST opcode #51

Scan for Pickle INST opcode #51

Comments

mehrinkiani commented Oct 25, 2023