Principle:Trailofbits Fickling PyTorch Format Identification
| Knowledge Sources | |
|---|---|
| Domains | Security, File_Format, Supply_Chain |
| Last Updated | 2026-02-14 14:00 GMT |
Overview
A classification technique that maps discovered file properties to known PyTorch file format versions, producing an ordered list of possible format interpretations ranked by likelihood.
Description
PyTorch has evolved through multiple serialization formats, and a single file may validly parse as multiple formats (a polyglot). Format Identification uses the boolean properties from file discovery to match against known format signatures:
- TorchScript v1.4: ZIP with data.pkl + constants.pkl + version
- TorchScript v1.3: ZIP with data.pkl + constants.pkl (no version)
- TorchScript v1.0: ZIP with model.json + constants.pkl
- TorchScript v1.1: ZIP with model.json + attributes.pkl
- PyTorch v1.3: ZIP with data.pkl only
- PyTorch v0.1.1: TAR with sys_info, pickle, storages, tensors
- PyTorch v0.1.10: Stacked pickle (valid pickle without ZIP structure)
- PyTorch MAR: Standard ZIP with .py + .json + .pt files
When multiple formats match, the file is a polyglot — it can be validly interpreted differently by different parsers, which is a supply chain security concern.
Usage
Use this principle when you need to understand what type of PyTorch file you're dealing with, especially to detect polyglot conditions that indicate potential supply chain attacks.
Theoretical Basis
# Pseudocode: Rule-based format classification
formats = []
if is_torch_zip:
if has_data_pkl and has_constants_pkl and has_version:
formats.append("TorchScript v1.4")
if has_data_pkl and has_constants_pkl:
formats.append("TorchScript v1.3")
if has_data_pkl:
formats.append("PyTorch v1.3")
if is_valid_pickle:
formats.append("PyTorch v0.1.10")
# len(formats) > 1 means polyglot
The ordering matches PyTorch's own parsing priority, so formats[0] is the most likely interpretation.