Black Hat Europe 2025 | Pickle Exploitation Techniques And Their Detection Using SaferPickle
Python’s pickle format is a security minefield, yet it remains a cornerstone of modern AI/ML and data science workflows. While its dangers are well-known, the effectiveness of existing open-source scanners against sophisticated attacks has remained largely unexamined.
In this talk we introduce five novel bypass techniques to defeat popular open-source scanners like Fickling, Modelscan and Picklescan. We will demonstrate how these tools can be tricked into classifying overtly malicious pickles as safe.
To combat these threats, we propose SaferPickle, a new open-source library. This library enhances the pickle format’s security at runtime through transparent hardening. We will present its robust, multi-layered scanning engine, which integrates behavioral analysis, direct opcode inspection, and an intelligent module resolution system capable of securely reconstructing malicious calls from fragmented code.
Finally, we’ll share our journey of deploying SaferPickle to protect ML workloads at Google and integrating it as the first-ever pickle scanner in VirusTotal. Attendees will leave with
knowledge of bypass techniques, a new open-source tool and experience of how to harden the ML supply chain against one of its most persistent threats.
By:
George Litvinov | Security Engineer, Google
Andrew Johnston | Senior Security Engineer, Google
https://blackhat.com/eu-25/briefings/schedule/?#dill-with-it-pickle-exploitation-techniques-and-their-detection-using-saferpickle-49138Black HatRead More