{"id":16402,"date":"2025-12-12T12:16:25","date_gmt":"2025-12-12T12:16:25","guid":{"rendered":"https:\/\/dmsretail.com\/RetailNews\/breaking-the-jar-hardening-pickle-file-scanners-with-structure-aware-fuzzing\/"},"modified":"2025-12-12T12:16:25","modified_gmt":"2025-12-12T12:16:25","slug":"breaking-the-jar-hardening-pickle-file-scanners-with-structure-aware-fuzzing","status":"publish","type":"post","link":"https:\/\/dmsretail.com\/RetailNews\/breaking-the-jar-hardening-pickle-file-scanners-with-structure-aware-fuzzing\/","title":{"rendered":"Breaking the Jar: Hardening Pickle File Scanners with Structure-Aware Fuzzing"},"content":{"rendered":"

\"Retail<\/a><\/p>
\n<\/p>\n

\n

Artificial intelligence and machine learning (AI\/ML) models are increasingly shared across organizations, fine-tuned, and deployed in production systems. Cisco\u2019s AI Defense offering includes a model file scanning tool designed to help organizations detect and mitigate risks in AI supply chains by verifying their integrity, scanning for malicious payloads, and ensuring compliance before deployment. Strengthening our ability to detect and neutralize these threats is critical for safeguarding both AI model integrity and operational security.<\/p>\n

Python pickle files comprise a large share of ML model files, but they introduce significant security risk because pickles can execute arbitrary code when loaded, even a single untrusted file can compromise an entire inference environment. The security risk is compounded by the open and accessible nature of model files in the AI developer ecosystem, where users can download and execute model files from public repositories with minimal verification of their safety. In an attempt to remediate the concern, developers have created security scanners like ModelScan, fickling, and picklescan to detect malicious pickle files before they\u2019re loaded. As security tool developers ourselves, we know that ensuring these tools are robust requires continuous testing and validation.<\/p>\n

That\u2019s harder to accomplish than it sounds. The problem is that many of the issues filed against pickle security tools involve detection bypasses (i.e., methods used by attackers to evade analysis). These adversarial samples exploit edge cases in scanner logic, and manual test creation can\u2019t match the breadth needed to surface all possible edge cases.<\/p>\n

Today, we\u2019re unveiling and open sourcing pickle-fuzzer, a structure-aware fuzzer that generates adversarial pickle files to test scanner robustness. At Cisco, we\u2019re committed to uplifting the ML community and advancing AI security for everyone. Securing the AI supply chain is a critical part of this mission, ensuring that every model, dependency, and artifact in the ecosystem can be trusted. By openly sharing tools like pickle-fuzzer, we aim to strengthen the entire ecosystem of AI security defenses. When we find and fix these issues collaboratively, everyone who relies on pickle scanners benefits. Our team believes the best way to improve AI security is through collaboration. This means openly sharing tools, testing approaches, and vulnerability findings across the ecosystem.<\/p>\n

Building robustness from within<\/strong><\/h2>\n

When developing AI Defense\u2019s model file scanning tool, one of our goals was to ensure that its pickle scanner could withstand real-world adversarial inputs. Traditional testing methods, such as using known malicious samples or carefully crafted test cases, only validate against threats we already understand. But attackers rarely follow known patterns. They probe the unknown, exploiting edge cases, malformed structures, and obscure opcode combinations that typical scanners were never designed to handle.<\/p>\n

To truly harden our system, we needed a way to automatically explore the entire landscape of possible pickle files, including the strange, malformed, and deliberately adversarial ones. That\u2019s when we decided to build a fuzzer!<\/p>\n

Building pickle-fuzzer<\/strong><\/h2>\n

Fuzzing is a software testing technique that involves generating random inputs to determine if they crash or cause other unexpected behavior in the target program. Originating in the late 1980s at the University of Wisconsin-Madison, fuzzing has become a proven technique for hardening software. For simple file formats, random byte mutations often suffice to find bugs. But pickle isn\u2019t a simple format. It\u2019s a stack-based virtual machine with 100+ opcodes across six protocol versions (0-5), plus a memo dictionary for tracking object references. Naive fuzzing approaches that flip random bits will produce mostly invalid pickle files that will fail validation during parsing, before exercising any interesting code paths.<\/p>\n

The challenge was finding a middle ground. We could hand-craft test cases, but that\u2019s exactly what we were trying to move beyond: it\u2019s slow, limited by our imagination, and can\u2019t easily explore the full input space. We could use traditional mutation-based fuzzing on existing pickle files, but mutations that don\u2019t understand pickle semantics would likely break the structural constraints and fail early. We needed an approach that understood pickle\u2019s internal state constraints. That left us with structure-aware fuzzing.<\/p>\n

Structure-aware fuzzing generates pickle files that respect the format\u2019s rules:<\/p>\n