Projects with this topic
Asar
https://github.com/electron/asar Simple extensive tar-like archive format with indexing
Swift Fickling
https://github.com/liuliu/swift-fickling This is inspired by work from Trail of Bits on Fickling. Many Stable Diffusion models are published in pickle format. The pickle format has traditionally been tied to a Python installation. This limitation exists partly because a pickle stream is free to call into any Python function it names, and because the format lets the producer override parts of serialization (e.g. storing data in external files and serializing only a so-called persistent_id). As a result, deserializing an untrusted pickle has security implications, per https://blog.trailofbits.com/2021/03/15/never-a-dill-moment-exploiting-machine-learning-pickle-files/.
swift-fickling, while taking its name from Fickling, doesn't do static analysis or decompilation yet. It simply reads the pickle opcodes and executes them on a pickle VM implemented in Swift, within the context you provide. This side-steps the security implications by refusing calls to outside functions unless you explicitly provide them.
This turns out to be just enough to deserialize PyTorch-based pickle files without a Python installation.
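The two mechanisms described above, a pickle that calls an arbitrary function via GLOBAL plus REDUCE, and a loader that resolves globals only from a caller-supplied context, are shown below in Python as an added example. This is not swift-fickling's code (which is Swift); it uses the standard library's pickletools to walk the opcode stream and a pickle.Unpickler subclass with find_class overridden as the allowlist. The malicious blob is constructed by hand from raw opcodes so it is never executed, and the benign blob is a constructed OrderedDict in the shape of a PyTorch state dict (the real torch format also relies on persistent_id for tensor storage, which is not modelled here).

```python
import collections
import io
import pickle
import pickletools

# Constructed sample, assembled from raw opcodes so nothing here executes it:
# GLOBAL pushes os.system, then REDUCE would call it with ("echo pwned",).
MALICIOUS_PICKLE = (
    b"\x80\x02"            # PROTO 2
    b"cos\nsystem\n"       # GLOBAL "os" "system"
    b"(S'echo pwned'\n"    # MARK, STRING
    b"tR."                 # TUPLE, REDUCE, STOP
)

# Constructed benign sample in the shape of a PyTorch state dict: the only
# global it references is collections.OrderedDict.
STATE = collections.OrderedDict([("w", [0.1, 0.2])])
BENIGN_P2 = pickle.dumps(STATE, protocol=2)   # emits the text GLOBAL opcode
BENIGN_P4 = pickle.dumps(STATE, protocol=4)   # emits STACK_GLOBAL instead

_STRING_OPS = {"STRING", "BINSTRING", "SHORT_BINSTRING",
               "UNICODE", "BINUNICODE", "BINUNICODE8", "SHORT_BINUNICODE"}


def referenced_globals(data: bytes) -> list:
    """Best-effort static scan: list every (module, name) the stream would
    import, without running it. STACK_GLOBAL takes module and name from the
    two most recent string constants; this tracks that only approximately
    (memo GET/PUT reuse of earlier strings is ignored)."""
    found, strings = [], []
    for op, arg, _pos in pickletools.genops(data):
        if op.name == "GLOBAL":
            module, name = arg.split(" ", 1)
            found.append((module, name))
        elif op.name in _STRING_OPS:
            strings.append(arg)
        elif op.name == "STACK_GLOBAL" and len(strings) >= 2:
            name = strings.pop()
            module = strings.pop()
            found.append((module, name))
    return found


class AllowlistUnpickler(pickle.Unpickler):
    """Resolve globals only from a caller-supplied context; any other lookup
    is refused before the module is even imported."""

    def __init__(self, data: bytes, allowed: dict):
        super().__init__(io.BytesIO(data))
        self.allowed = allowed

    def find_class(self, module, name):
        key = (module, name)
        if key not in self.allowed:
            raise pickle.UnpicklingError(f"refused global {module}.{name}")
        return self.allowed[key]


def load_untrusted(data: bytes, allowed: dict):
    """Return (object, None) on success or (None, reason) when refused."""
    try:
        return AllowlistUnpickler(data, allowed).load(), None
    except pickle.UnpicklingError as exc:
        return None, str(exc)


# The context an OrderedDict-shaped state dict needs, and nothing more.
ALLOWED = {("collections", "OrderedDict"): collections.OrderedDict}

if __name__ == "__main__":
    for label, blob in [("malicious", MALICIOUS_PICKLE), ("benign", BENIGN_P4)]:
        print(label, "references", referenced_globals(blob))
        print(label, "->", load_untrusted(blob, ALLOWED))
```

The static scan is useful for triage, but the allowlist in find_class is the actual control: it is exact, because the unpickler consults it for every global resolution, including ones reached through memo references that the opcode scan cannot follow.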