
"For Developers:
* Never use pickle for untrusted data: This cannot be emphasized enough.
* Never assume checkpoint files are safe: Checkpoint deserialization is vulnerable to supply chain attacks.
* Always use weights_only=True when using PyTorch's load functions.
* Restrict to trusted classes: Restrict deserialization to only trusted classes.
* Implement defense in depth: Don't rely on a single security measure.
* Consider alternative formats: Safetensors, ONNX, or other secure serialization formats should all be considered."
"For Organizations:
* Audit model provenance: Know where your models come from.
* Implement model signing: Cryptographically verify model integrity.
* Sandbox model loading: Run deserialization in isolated environments.
* Regular security audits: Include ML pipelines in security assessments.
For the ML Community:
* Consider moving away from pickle: The community needs to seriously consider deprecating pickle-based serialization.
* Update torch to the latest version: The latest version of torch uses weights_only=True by default."
Developers must never use pickle for untrusted data and must not assume checkpoint files are safe because deserialization can enable supply chain attacks. Use weights_only=True when loading PyTorch checkpoints and restrict deserialization to trusted classes. Implement defense-in-depth and consider safer formats such as safetensors or ONNX. Organizations should audit model provenance, implement cryptographic model signing, sandbox model loading, and include ML pipelines in regular security audits. The ML community should move away from pickle, update torch to secure defaults, develop secure serialization standards, and prioritize security-first framework design.
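The "restrict deserialization to trusted classes" recommendation is concrete enough to show in code. The following is an added example, not code from the Zero Day Initiative article or from PyTorch: it uses only the Python standard library and subclasses `pickle.Unpickler` so that every global reference in the stream (the `GLOBAL`/`STACK_GLOBAL` opcodes through which a pickle reaches arbitrary callables) is checked against an allowlist. The allowlist, the sample checkpoint (an `OrderedDict` of layer names to plain float lists standing in for tensors) and the helper names are all constructed for this example. This is the same idea behind `torch.load(..., weights_only=True)`, which should be preferred for real PyTorch checkpoints; the point here is to make visible what "only trusted classes" means and what a rejection looks like.

```python
import collections
import datetime
import io
import pickle

# Allowlist of (module, name) globals that a plain state-dict checkpoint
# legitimately needs. Constructed for this example; every entry you add
# should be reviewed, because each one is a callable the stream may invoke.
TRUSTED_GLOBALS = {
    ("collections", "OrderedDict"),
}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that resolves only allowlisted globals.

    pickle calls find_class() for every GLOBAL / STACK_GLOBAL opcode, so
    overriding it is the single choke point for "trusted classes only".
    """

    def find_class(self, module, name):
        if (module, name) in TRUSTED_GLOBALS:
            return super().find_class(module, name)
        # Refuse anything else instead of importing it; this runs before any
        # object of that type is constructed.
        raise pickle.UnpicklingError(
            f"refusing to load global {module}.{name}: not on the trusted list"
        )


def restricted_loads(data: bytes):
    """Deserialize `data` with the allowlisted unpickler."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def load_state_dict_safely(data: bytes) -> collections.OrderedDict:
    """Load a checkpoint and additionally insist on the expected top-level type."""
    obj = restricted_loads(data)
    if not isinstance(obj, collections.OrderedDict):
        raise TypeError(f"expected an OrderedDict state dict, got {type(obj).__name__}")
    return obj


def make_sample_checkpoint() -> bytes:
    """Constructed stand-in for a benign checkpoint: layer names -> float lists."""
    state = collections.OrderedDict(
        [("fc.weight", [0.1, -0.2, 0.3]), ("fc.bias", [0.0])]
    )
    return pickle.dumps(state, protocol=4)


def make_untrusted_checkpoint() -> bytes:
    """Constructed stream that references a class outside the allowlist.

    datetime.date is harmless; it stands in for any global the checkpoint
    should not be allowed to resolve.
    """
    return pickle.dumps({"created": datetime.date(2024, 1, 1)}, protocol=4)


def try_load(data: bytes) -> str:
    """Return 'ok' when the stream loads, 'rejected' when the allowlist blocks it."""
    try:
        load_state_dict_safely(data)
        return "ok"
    except (pickle.UnpicklingError, TypeError):
        return "rejected"


if __name__ == "__main__":
    print("benign checkpoint:   ", try_load(make_sample_checkpoint()))
    print("untrusted checkpoint:", try_load(make_untrusted_checkpoint()))
```

Two design points: the allowlist is keyed on exact `(module, name)` pairs rather than module prefixes, so a trusted module cannot be used to reach an untrusted attribute, and the type check after loading is a second layer in the spirit of the article's defense-in-depth advice. Rejection happens inside `find_class`, before the offending object is constructed, which is why the check belongs there rather than on the returned object.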
Read at Zero Day Initiative