Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

pickle is insecure and shouldn't be used for distributing models #1468

KOLANICH opened this issue Jun 18, 2019 · 1 comment


None yet
2 participants
Copy link

commented Jun 18, 2019

Describe the problem

pickle is a well-known security issue. Unpickling pickled data from an untrusted source can be dangerous. Also it is a nice place to hide backdoors because source code is readily accesable, including search, but to inspect pickled files one need special tools.

So pickle is a very bad solution for distributing pretrained models. So a way of serializing models without pickling them is needed.

Unfortunately some models, like neural networks, may be a security issue by itself. For example TensorFlow authors say:

TensorFlow models are programs, and need to be treated as such from a security perspective.
TensorFlow itself is not a sandbox. When executing the computation graph, TensorFlow may read and write files, send and receive data over the network, and even spawn additional processes. All these tasks are performed with the permissions of the TensorFlow process. Allowing for this flexibility makes for a powerful machine learning platform, but it has implications for security.
As a general rule: Always execute untrusted models inside a sandbox (e.g., nsjail).
Even if the untrusted party only supplies the serialized computation graph (in form of a GraphDef, SavedModel, or equivalent on-disk format), the set of computation primitives available to TensorFlow is powerful enough that you should assume that the TensorFlow process effectively executes arbitrary code.


This comment has been minimized.

Copy link

commented Jun 18, 2019

I agree, always had problem with pickle. Better to develop a dedicated serialization system.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.