Skip to main content

Security scanner detecting Python Pickle files performing suspicious actions

Project description

Python Pickle Malware Scanner

PyPI Test

Security scanner detecting Python Pickle files performing suspicious actions.

For more generic model scanning, Protect AI's modelscan is now available to scan not only Pickle files but also PyTorch, TensorFlow, and Keras.

Getting started

Scan a malicious model on Hugging Face:

pip install picklescan
picklescan --huggingface ykilcher/totally-harmless-model

The scanner reports that the Pickle is calling eval() to execute arbitrary code:

https://huggingface.co/ykilcher/totally-harmless-model/resolve/main/pytorch_model.bin:archive/data.pkl: global import '__builtin__ eval' FOUND
----------- SCAN SUMMARY -----------
Scanned files: 1
Infected files: 1
Dangerous globals: 1

The scanner can also load Pickles from local files, directories, URLs, and zip archives (a-la PyTorch):

picklescan --path downloads/pytorch_model.bin
picklescan --path downloads
picklescan --url https://huggingface.co/sshleifer/tiny-distilbert-base-cased-distilled-squad/resolve/main/pytorch_model.bin

To scan Numpy's .npy files, pip install the numpy package first.

The scanner exit status codes are (a-la ClamAV):

  • 0: scan did not find malware
  • 1: scan found malware
  • 2: scan failed

Develop

Create and activate the conda environment (miniconda is sufficient):

conda env create -f conda.yaml
conda activate picklescan

Install the package in editable mode to develop and test:

python3 -m pip install -e .

Edit with VS Code:

code .

Run unit tests:

pytest tests

Run manual tests:

  • Local PyTorch (zip) file
mkdir downloads
wget -O downloads/pytorch_model.bin https://huggingface.co/ykilcher/totally-harmless-model/resolve/main/pytorch_model.bin
picklescan -l DEBUG -p downloads/pytorch_model.bin
  • Remote PyTorch (zip) URL
picklescan -l DEBUG -u https://huggingface.co/prajjwal1/bert-tiny/resolve/main/pytorch_model.bin

Lint the code:

black src tests
flake8 src tests --count --show-source

Publish the package to PyPI: bump the package version in setup.cfg and create a GitHub release. This triggers the publish workflow.

Alternative manual steps to publish the package:

python3 -m pip install --upgrade pip
python3 -m pip install --upgrade build
python3 -m build
python3 -m twine upload dist/*

Test the package: bump the version of picklescan in conda.test.yaml and run

conda env remove -n picklescan-test
conda env create -f conda.test.yaml
conda activate picklescan-test
picklescan --huggingface ykilcher/totally-harmless-model

Tested on Linux 5.10.102.1-microsoft-standard-WSL2 x86_64 (WSL2).

References

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

picklescan-0.0.26.tar.gz (26.4 kB view details)

Uploaded Source

Built Distribution

picklescan-0.0.26-py3-none-any.whl (20.5 kB view details)

Uploaded Python 3

File details

Details for the file picklescan-0.0.26.tar.gz.

File metadata

  • Download URL: picklescan-0.0.26.tar.gz
  • Upload date:
  • Size: 26.4 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.1.0 CPython/3.9.21

File hashes

Hashes for picklescan-0.0.26.tar.gz
Algorithm Hash digest
SHA256 dd78976151024f0a6c617dcb2c31e45441e9e95727db14282482b3750e34ccc5
MD5 22baa0043131a2471f26bab50174b508
BLAKE2b-256 eac2f691daf63545b43d786d403dca7966d358adb6f93a42bb85db8db4729e47

See more details on using hashes here.

File details

Details for the file picklescan-0.0.26-py3-none-any.whl.

File metadata

  • Download URL: picklescan-0.0.26-py3-none-any.whl
  • Upload date:
  • Size: 20.5 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.1.0 CPython/3.9.21

File hashes

Hashes for picklescan-0.0.26-py3-none-any.whl
Algorithm Hash digest
SHA256 54e4c75228b87283b03347dda113328e5d90caa0193c484895cf4130d72dd53c
MD5 89cad6888b37bbe80b9cb5d63cefeeea
BLAKE2b-256 df1e88cdc39e6055df6cdecb8b74b582093979d213dfc65a142819719444ae3a

See more details on using hashes here.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page