Scan for Pickle INST opcode
mehrinkiani opened this issue · comments
Mehrin Kiani commented
Describe the bug
The INST opcode is similar to the GLOBAL opcode. Picklescan has recently updated their code to handle the INST opcode. Here is some sample code for injecting malicious code in a pickle file with the INST opcode. At the moment, modelscan does not detect the INST opcode.
To Reproduce
Steps to reproduce the behavior:
- Create a malicious pickle file that has the INST opcode:

    def initialize_data_file(path: str, data: bytes) -> None:
        # Write the raw pickle byte stream to disk as-is.
        with open(path, "wb") as file:
            file.write(data)

    # Protocol-0 pickle: MARK, STRING payload, INST __builtin__ exec, STOP.
    # Loading this with pickle.load executes the payload string.
    initialize_data_file(
        "malicious-file.pkl",
        b"(S'print(\"Injection running\")'\ni__builtin__\nexec\n.",
    )
Expected behavior
It would be nice to be able to detect the INST opcode.
Environment (please complete the following information):
- OS: macOS 14.0
- Modelscan Version : 0.0.0
- ML Framework version [e.g. Tensorflow v2.13.0] : Not applicable
- Describe the model serialization format that triggered this error: pickle
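For comparison, here is an added detection example (not modelscan's or picklescan's own code) that walks a pickle's opcode stream with the standard-library `pickletools.genops` without ever unpickling it, and reports every global reference regardless of how it is encoded: the protocol-0 `GLOBAL` (`c`) opcode, the `INST` (`i`) opcode from this issue, and the protocol-4 `STACK_GLOBAL` form, which takes its module and name from the two string constants pushed before it. The deny-list `UNSAFE_GLOBALS` and the sample byte strings are assumptions constructed for this example; the malicious sample is the one from the report above.

```python
import pickletools

# Constructed sample from the issue above: MARK, STRING payload,
# INST __builtin__ exec, STOP. Never pickle.load() this.
SAMPLE_INST_PICKLE = b"(S'print(\"Injection running\")'\ni__builtin__\nexec\n."

# Opcodes that push a string constant. Tracked so that STACK_GLOBAL
# (protocol 4+) can be resolved to the module/name pair it consumes.
STRING_OPCODES = {
    "STRING", "BINSTRING", "SHORT_BINSTRING",
    "UNICODE", "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8",
}

# Illustrative deny-list of (module, name) pairs that mean arbitrary code
# execution at load time. Assumed for this example; a real scanner would
# carry a maintained list.
UNSAFE_GLOBALS = {
    ("__builtin__", "exec"), ("builtins", "exec"),
    ("__builtin__", "eval"), ("builtins", "eval"),
    ("os", "system"), ("posix", "system"), ("nt", "system"),
    ("subprocess", "Popen"), ("subprocess", "run"),
}


def scan_pickle_bytes(data: bytes) -> list:
    """Report every global reference in a pickle stream without executing it.

    Handles GLOBAL and INST (both rendered by pickletools as "module name")
    and STACK_GLOBAL (module and name are the last two strings pushed).
    """
    findings = []
    recent_strings = []  # string constants seen so far, for STACK_GLOBAL
    for opcode, arg, pos in pickletools.genops(data):
        if opcode.name in STRING_OPCODES:
            recent_strings.append(arg)
            continue
        if opcode.name in ("GLOBAL", "INST"):
            module, name = arg.split(" ", 1)
        elif opcode.name == "STACK_GLOBAL":
            if len(recent_strings) < 2:
                continue  # malformed stream; nothing to resolve
            module, name = recent_strings[-2], recent_strings[-1]
        else:
            continue
        severity = "CRITICAL" if (module, name) in UNSAFE_GLOBALS else "INFO"
        findings.append({
            "opcode": opcode.name,
            "module": module,
            "name": name,
            "pos": pos,
            "severity": severity,
        })
    return findings


def scan_pickle_file(path: str) -> list:
    """Convenience wrapper: scan a pickle file on disk (e.g. malicious-file.pkl)."""
    with open(path, "rb") as fh:
        return scan_pickle_bytes(fh.read())


if __name__ == "__main__":
    for f in scan_pickle_bytes(SAMPLE_INST_PICKLE):
        print(f"{f['severity']}: {f['opcode']} at offset {f['pos']} "
              f"-> {f['module']}.{f['name']}")
```

`pickletools.genops` only tokenizes the stream, so the scan is safe to run on untrusted files; the trade-off is that a scanner keyed on opcode names alone misses `INST` if it only looks for `GLOBAL`, which is exactly the gap this issue describes.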