Backdooring Pickles: A decade only made things worse

Presented at DEF CON 30 (2022), Aug. 12, 2022, 1 p.m. (20 minutes)

Eleven years ago, "Sour Pickles" was presented by Marco Slaviero. The Python docs already said pickles were insecure at that time, but since then machine learning frameworks have started saving models in pickled formats as well. I will show how simple it is to add a backdoor into any pickled object, using machine learning models as the example, and also how to securely save a model so that malicious code cannot be injected into it.
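
Added example (not code from the talk or its author): the pickle behaviour the abstract describes, shown from the defender's side in Python. A constructed `Planted` class stands in for a backdoored checkpoint, its `__reduce__` naming the harmless `platform.system`; `find_globals` lists the imports a pickle would trigger without loading it, and `RestrictedUnpickler` refuses anything outside a constructed allowlist, so the constructed clean checkpoint (an `OrderedDict` of weight lists) loads while the planted one is rejected.

```python
import collections
import io
import pickle
import pickletools
import platform

# Constructed stand-in for a backdoored checkpoint: __reduce__ tells the
# unpickler which callable to run on load. platform.system is harmless here.
class Planted:
    def __reduce__(self):
        return (platform.system, ())

# Constructed clean checkpoint: plain containers and floats only.
CLEAN_MODEL = collections.OrderedDict(
    [("layer1.weight", [[0.1, -0.2], [0.3, 0.4]]), ("layer1.bias", [0.0, 0.5])])
PLANTED_BYTES = pickle.dumps(Planted())
CLEAN_BYTES = pickle.dumps(CLEAN_MODEL)

def unsafe_load_runs_code():
    # pickle.loads() executes the planted call; True if its return value came back
    return pickle.loads(PLANTED_BYTES) == platform.system()

def find_globals(data):
    """Static scan of the opcode stream: every (module, name) the pickle would import."""
    found, strings = set(), []
    for op, arg, _pos in pickletools.genops(data):
        if op.name == "GLOBAL":              # protocols 0-3: arg is "module name"
            found.add(tuple(arg.split(" ", 1)))
        elif op.name == "STACK_GLOBAL":      # protocol 4+: last two pushed strings
            found.add((strings[-2], strings[-1]))
        elif op.name in ("SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE"):
            strings.append(arg)
    return found

# Allowlist, constructed for this example: the only import a checkpoint may trigger.
ALLOWED_GLOBALS = {("collections", "OrderedDict")}

class RestrictedUnpickler(pickle.Unpickler):
    def find_class(self, module, name):
        if (module, name) not in ALLOWED_GLOBALS:
            raise pickle.UnpicklingError(f"refused to import {module}.{name}")
        return super().find_class(module, name)

def safe_load(data):
    return RestrictedUnpickler(io.BytesIO(data)).load()

def safe_load_blocks(data):
    # True if the restricted loader rejected the pickle instead of running it
    try:
        safe_load(data)
    except pickle.UnpicklingError:
        return True
    return False
```

The scanner is advisory (it does not follow memo lookups); the allowlisting unpickler is the enforcement point, and a format that stores only tensors avoids the problem entirely.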


Presenters:

  • ColdwaterQ - Senior Security Engineer at Nvidia
    ColdwaterQ has always been interested in understanding how things work. This led to a career in the security industry and allowed him to be a part of NVIDIA’s AI Red Team, where he currently works. He has attended every DEF CON starting in 2012, even if the last two were only remote, and has returned this year hoping to give some of what he learned back to the community.
