pickle is a security issue #52596

@KOLANICH

Description

🚀 Feature

We need to do something with it.

Motivation

Pickle is a security issue that can be used to hide backdoors. Unfortunately lots of projects keep using torch.save and torch.load.

Pitch

  • make pytorch.load use pickle only as a serialization format, and use its own virtual machine (https://github.com/CensoredUsername/picklemagic can be helpful) for processing pickle files, one that performs only allowed operations inside pytorch itself in a completely controlled way instead of relying on the pickle machinery.
  • replace with ONNX
  • deprecate pytorch.load, pytorch.save
  • remove pytorch.save/make it save into ONNX

Alternatives

  • support pickle via a VM indefinitely.

cc @mruberry @nairbv @NicolasHug @vmoens @jdsgomes @ailzhang
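The "controlled loader" idea from the pitch, as an added example that is not part of this issue or of PyTorch: the pickle stream is first walked with `pickletools.genops` to list every global it would resolve (GLOBAL/INST in old protocols, STACK_GLOBAL in protocol 4+), and the file is refused if any of them is outside an allowlist; a `find_class` override then enforces the same allowlist at load time as a backstop, since the static scan is a heuristic. The allowlist contents and sample objects are constructed for illustration.

```python
import io
import pickle
import pickletools

# Constructed allowlist of (module, name) pairs the loader may resolve.
# A real loader would list only the rebuild helpers it actually needs;
# anything not listed (os.system, builtins.eval, ...) is never looked up.
ALLOWED_GLOBALS = {
    ("collections", "OrderedDict"),
}


def referenced_globals(data: bytes) -> set:
    """Statically list (module, name) globals a pickle stream would resolve.

    Nothing is executed: pickletools only decodes opcodes. For STACK_GLOBAL
    the module and name are the two most recent string constants pushed.
    """
    found = set()
    recent_strings = []
    for op, arg, _pos in pickletools.genops(data):
        if op.name in ("GLOBAL", "INST"):
            module, name = arg.split(" ", 1)   # pickletools joins the pair with a space
            found.add((module, name))
        elif op.name == "STACK_GLOBAL":
            if len(recent_strings) < 2:
                raise pickle.UnpicklingError("malformed STACK_GLOBAL")
            found.add((recent_strings[-2], recent_strings[-1]))
        elif isinstance(arg, str):
            recent_strings.append(arg)
    return found


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that resolves only allowlisted globals (runtime backstop)."""

    def __init__(self, stream, allowed):
        super().__init__(stream)
        self.allowed = allowed

    def find_class(self, module, name):
        if (module, name) not in self.allowed:
            raise pickle.UnpicklingError(f"global {module}.{name} is not allowed")
        return super().find_class(module, name)


def safe_loads(data: bytes, allowed=ALLOWED_GLOBALS):
    """Refuse the stream up front if it references disallowed globals, then load."""
    unknown = referenced_globals(data) - allowed
    if unknown:
        raise pickle.UnpicklingError(f"refusing to load, disallowed globals: {sorted(unknown)}")
    return RestrictedUnpickler(io.BytesIO(data), allowed).load()
```

`safe_loads` is only as safe as its allowlist: any callable it permits becomes reachable from untrusted data, so each entry should be a rebuild helper with no side effects.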

Labels: module: hub, module: pickle, module: serialization, topic: security, triaged
