Backdooring Pickles: A decade only made things worse

Presented at DEF CON 30 (2022), Aug. 12, 2022, 1 p.m. (20 minutes).

Eleven years ago, "Sour Pickles" was presented by Marco Slaviero. Python docs already said pickles were insecure at that time. But since then, machine learning frameworks started saving models in pickled formats as well. So, I will show how simple it is to add a backdoor into any pickled object using machine learning models as an example. As well as an example of how to securely save a model to prevent malicious code from being injected into it.


Presenters:

  • ColdwaterQ - Senior Security Engineer at Nvidia
    ColdwaterQ has always been interested in understanding how things work. This led to a career in the security industry and allowed him to be a part of NVIDIA’s AI Red Team where he works currently. He has attended every DEF CON starting in 2012, even if the last two were only remotely, and has returned this year hoping to help give some of what he learned back to the community.

Links:

Similar Presentations: