Principle:Trailofbits Fickling PyTorch Model Wrapping
| Knowledge Sources | |
|---|---|
| Domains | Security, ML_Safety, File_Format |
| Last Updated | 2026-02-14 14:00 GMT |
Overview
An abstraction layer that validates a PyTorch model file's format and exposes the pickle data embedded in it (data.pkl) as a parsed structure for analysis and manipulation, without unpickling it.
Description
Zip-based PyTorch model files (.pt, .pth, as written by torch.save) are ZIP archives containing a data.pkl file with the serialized model object, plus one file per tensor storage. data.pkl is an ordinary Python pickle: loading it with pickle.load, or with torch.load without weights_only=True, executes whatever GLOBAL and REDUCE opcodes it contains, which is why inspection must parse the pickle rather than run it. PyTorch Model Wrapping provides a validated entry point to this structure: it identifies the file format (PyTorch v1.3, TorchScript v1.4, etc.), checks that the format is supported, and lazily extracts and parses data.pkl into a Pickled object for analysis or manipulation.
The wrapper distinguishes the following format cases:
- PyTorch v1.3: Standard ZIP with data.pkl (fully supported)
- TorchScript v1.4: ZIP with data.pkl + constants.pkl + version (experimental support)
- PyTorch v0.1.10: Legacy stacked-pickle file, not a ZIP (not supported; use StackedPickle.load directly)
- Unknown or otherwise unsupported formats: Blocked unless force=True, which skips the support check and attempts extraction anyway
Usage
Use this principle when you need to inspect or modify the pickle payload inside a PyTorch model file. It is the entry point for the payload injection workflow and for PyTorch-specific safety analysis, for example listing the globals that data.pkl would import before anyone calls torch.load on the file. Because the wrapper parses data.pkl rather than unpickling it, inspection is safe to run on untrusted files; a file produced by the injection workflow, by contrast, runs its payload as soon as it is loaded, so handle that output accordingly.
Theoretical Basis
```python
# Pseudocode: format-aware model access
wrapper = ModelWrapper(path)
formats = wrapper.validate_format()  # identify the format and check that it is supported
pickled = wrapper.pickled            # lazily extracts data.pkl from the ZIP and parses it into a Pickled object
# pickled can now be analyzed, decompiled, or manipulated without ever being unpickled
```