Saturday, 20 June 2026

Black Hat Europe 2025 | Pickle Exploitation Techniques And Their Detection Using SaferPickle

Python's pickle format is a security minefield, yet it remains a cornerstone of modern AI/ML and data science workflows. While its dangers are well known, the effectiveness of existing open-source scanners against sophisticated attacks has remained largely unexamined. In this talk we introduce five novel bypass techniques to defeat popular open-source scanners like Fickling, Modelscan and Picklescan. We will demonstrate how these tools can be tricked into classifying overtly malicious pickles as safe. To combat these threats, we propose SaferPickle, a new open-source library. This library enhances the pickle format's security at runtime through transparent hardening. We will present its robust, multi-layered scanning engine, which integrates behavioral analysis, direct opcode inspection, and an intelligent module resolution system capable of securely reconstructing malicious calls from fragmented code. Finally, we'll share our journey of deploying SaferPickle to protect ML workloads at Google and integrating it as the first-ever pickle scanner in VirusTotal. Attendees will leave with knowledge of bypass techniques, a new open-source tool and experience of how to harden the ML supply chain against one of its most persistent threats.

By: George Litvinov | Security Engineer, Google
Andrew Johnston | Senior Security Engineer, Google

https://ift.tt/rmJUbLh
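To make the "direct opcode inspection" and runtime-hardening ideas in the abstract concrete, here is an added example (my own code, not SaferPickle's or the speakers'): a minimal scanner that walks the opcode stream with pickletools and reports every GLOBAL/STACK_GLOBAL reference outside an allowlist, next to a restricted Unpickler that refuses the same references at load time. The allowlist, the two sample pickles and the harmless platform.system target are constructed for illustration and are not from the talk.

```python
import io
import pickle
import pickletools
import platform
# Illustrative allowlist (not SaferPickle's policy): any other global is a finding.
SAFE_GLOBALS = {("builtins", "set"), ("collections", "OrderedDict")}
STRING_OPS = {"SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE",
              "STRING", "SHORT_BINSTRING", "BINSTRING"}

def scan_pickle(data: bytes) -> list:
    """Static opcode inspection: report globals outside SAFE_GLOBALS without running
    anything. GLOBAL/INST carry "module name"; STACK_GLOBAL takes both from the two
    preceding string pushes, which may also arrive via memo GETs, hence the memo."""
    findings, strings, memo, last = [], [], {}, None
    for op, arg, _pos in pickletools.genops(data):
        pushed = arg if op.name in STRING_OPS else None
        if op.name == "MEMOIZE":  # memoizes top of stack, pushes nothing
            memo[len(memo)] = last
            continue
        if op.name in ("PUT", "BINPUT", "LONG_BINPUT"):
            memo[arg] = last
            continue
        if op.name in ("GET", "BINGET", "LONG_BINGET"):
            pushed = memo.get(arg)  # only string memo entries are tracked
        elif op.name in ("GLOBAL", "INST"):
            ref = tuple(arg.split(" ", 1))
            if ref not in SAFE_GLOBALS:
                findings.append(ref)
        elif op.name == "STACK_GLOBAL":
            ref = tuple(strings[-2:]) if len(strings) >= 2 else ("?", "?")
            if ref not in SAFE_GLOBALS:
                findings.append(ref)
        if pushed is not None:
            strings.append(pushed)
        last = pushed
    return findings

class RestrictedUnpickler(pickle.Unpickler):  # runtime hardening at find_class
    def find_class(self, module, name):
        if (module, name) in SAFE_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"forbidden global {module}.{name}")

def safe_loads(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()

class _CallsPlatformSystem:  # constructed stand-in for a hostile object
    def __reduce__(self):  # the hook a malicious pickle aims at a dangerous callable
        return (platform.system, ())  # harmless here
BENIGN_PICKLE = pickle.dumps({"weights": [0.1, 0.2]}, protocol=4)  # constructed
SUSPECT_PICKLE = pickle.dumps(_CallsPlatformSystem(), protocol=4)  # constructed
```

The stock `pickle.loads` would execute the `platform.system` call on the suspect sample; the scanner flags it statically and the restricted loader rejects it before any call is resolved.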

source https://www.youtube.com/watch?v=hWc1P_yYrkY
