Black Hat Presentation Highlights Security Risks in Python's Pickle Serialization and Introduces Safer Pickle Tool
The Black Hat presentation titled Deal With It explores security risks in Python's pickle serialization format, which is widely used in AI/ML and data science to share models and datasets. Presenters George Litvinov and Andrew Johnston, both Google security engineers, demonstrate how unpickling an untrusted file yields arbitrary code execution: the GLOBAL and STACK_GLOBAL opcodes import any importable callable, and the REDUCE opcode, which is what an object's `__reduce__` method is serialized to, calls that callable with attacker-chosen arguments, so a payload can invoke os.system at load time. They evaluate existing open-source pickle scanners and show bypasses such as invalid opcodes, nested pickles (an outer pickle that hands embedded bytes to pickle.loads), and reconstructing sensitive strings at load time so the module and attribute names a scanner looks for never appear literally in the file.

Their tool, Safer Pickle, addresses these gaps with a two-tiered design: it emulates the pickle's calls against dummy modules and performs opcode-level analysis, with customizable allow and deny lists. The scanner runs at roughly 10 MB/s and integrates with VirusTotal. The presenters nonetheless stress that pickle remains inherently unsafe and recommend formats that cannot carry code, such as safetensors. Key takeaways: tailor the scanning policy to the specific environment, and avoid over-permissive allow lists, since a single allowed callable that can import, evaluate or unpickle on the attacker's behalf reopens the door. The project is open source on GitHub at google/safer-pickle.
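The following is an added example, written for this page and not code from the presentation or from the safer-pickle project. It constructs (but never loads) a pickle that would call os.system through GLOBAL and REDUCE, shows a minimal opcode-level scanner built on the standard library's pickletools, shows how the nested-pickle bypass hides the payload from a scanner that only reads the outer file, and shows an allow-list loader in which permitting pickle.loads is exactly the over-permissive entry the presenters warn about. The scanner, the wrap_in_loads helper and the RestrictedUnpickler class are this example's own constructions; the payload string "id" is constructed sample input.

```python
import collections
import io
import pickle
import pickletools
import struct

# Constructed payload, never loaded here. Protocol-0 opcodes: 'c' (GLOBAL)
# imports os.system, '(' ... 't' builds the argument tuple ('id',), and
# 'R' (REDUCE) calls os.system('id') during unpickling.
MALICIOUS = b"cos\nsystem\n(S'id'\ntR."

_STRING_OPS = {"STRING", "BINSTRING", "SHORT_BINSTRING",
               "UNICODE", "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}


def scan_imports(data: bytes) -> list[tuple[str, str]]:
    """Static, opcode-level scan: every (module, name) the pickle imports.

    Nothing is executed. STACK_GLOBAL (protocol 4+) pops module and name
    from the stack, so pairing it with the last two string pushes is a
    heuristic; a payload that builds those strings at load time (e.g. via
    str.join through another REDUCE) defeats this kind of static scanner.
    """
    found, strings = [], []
    for op, arg, _pos in pickletools.genops(data):
        if op.name == "GLOBAL":
            module, name = arg.split(" ", 1)
            found.append((module, name))
        elif op.name == "STACK_GLOBAL":
            found.append(tuple(strings[-2:]) if len(strings) >= 2 else ("?", "?"))
        elif op.name in _STRING_OPS:
            strings.append(arg)
    return found


def scan_imports_recursive(data: bytes, depth: int = 0) -> list[tuple[str, str]]:
    """Also scan every str/bytes constant that itself parses as a pickle,
    so a payload handed to pickle.loads inside the outer file is not hidden."""
    found = scan_imports(data)
    if depth >= 3:  # bound recursion on adversarial input
        return found
    for _op, arg, _pos in pickletools.genops(data):
        blob = arg.encode("latin-1", "ignore") if isinstance(arg, str) else arg
        if not isinstance(blob, bytes):
            continue
        try:
            found.extend(scan_imports_recursive(blob, depth + 1))
        except Exception:  # constant is ordinary data, not a pickle
            pass
    return found


def wrap_in_loads(inner: bytes) -> bytes:
    """Nested-pickle wrapper: the outer pickle imports only pickle.loads and
    passes `inner` to it as a BINBYTES ('B') constant under protocol 3."""
    return (b"\x80\x03cpickle\nloads\n"
            + b"B" + struct.pack("<I", len(inner)) + inner
            + b"\x85R.")  # TUPLE1, REDUCE, STOP


class RestrictedUnpickler(pickle.Unpickler):
    """Allow-list loader: every GLOBAL/STACK_GLOBAL/INST/OBJ resolution goes
    through find_class, so a blocked name fails before REDUCE can run."""

    def __init__(self, file, allowed):
        super().__init__(file)
        self.allowed = frozenset(allowed)

    def find_class(self, module, name):
        if (module, name) in self.allowed:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"blocked global {module}.{name}")


def safe_loads(data: bytes, allowed=()):
    return RestrictedUnpickler(io.BytesIO(data), allowed).load()


def _is_blocked(data: bytes, allowed=()) -> bool:
    try:
        safe_loads(data, allowed)
        return False
    except pickle.UnpicklingError:
        return True


def demo() -> dict:
    """Observations a practitioner would check; returned rather than printed."""
    benign_inner = pickle.dumps(collections.OrderedDict(), protocol=3)
    nested_malicious = wrap_in_loads(MALICIOUS)
    return {
        "top_level": scan_imports(MALICIOUS),
        "nested_top_level": scan_imports(nested_malicious),      # hides os.system
        "nested_recursive": scan_imports_recursive(nested_malicious),
        "blocked": _is_blocked(MALICIOUS),                        # empty allow list
        "direct_blocked": _is_blocked(benign_inner),              # OrderedDict not allowed
        # Over-permissive entry: pickle.loads is the stock, unrestricted loader,
        # so the inner pickle imports collections.OrderedDict anyway.
        "escaped": type(safe_loads(wrap_in_loads(benign_inner),
                                   {("pickle", "loads")})).__name__,
    }
```

The "escaped" entry is the point to take from the allow-list discussion: the restricted loader blocks collections.OrderedDict when it is loaded directly, yet allowing pickle.loads delegates the inner bytes to the unrestricted loader, and with MALICIOUS as the inner payload the same entry would run os.system. An allow list must exclude anything that can import, evaluate, or unpickle, and a scanner must descend into embedded constants rather than trust the outer opcode stream.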