Principle:Trailofbits Fickling Stacked Pickle Parsing
| Knowledge Sources | |
|---|---|
| Domains | Security, Reverse_Engineering, Deserialization |
| Last Updated | 2026-02-14 14:00 GMT |
Overview
A parsing technique for handling files that contain multiple concatenated pickle streams, common in legacy PyTorch formats and adversarial payloads.
Description
A single file can contain multiple pickle streams concatenated together. Each stream is terminated by a STOP opcode, and the next stream begins immediately after. This occurs in:
- PyTorch v0.1.10 format: Stores model as multiple stacked pickle streams
- Adversarial payloads: Attackers may hide malicious code in secondary pickle streams that casual analysis might miss
Stacked Pickle Parsing reads each stream sequentially by calling Pickled.load repeatedly until the input is exhausted, producing a tuple of Pickled objects that can each be analyzed independently.
Usage
Use this principle when analyzing legacy PyTorch files (v0.1.10) or when you suspect a file may contain hidden secondary pickle streams. It is also needed for the decompilation workflow to handle stacked pickles correctly with sequential variable numbering.
Theoretical Basis
# Pseudocode: Iterative stream extraction
pickles = []
while data_remaining:
stream = parse_single_pickle(data) # Reads until STOP opcode
if stream is empty:
break
pickles.append(stream)
# Result: tuple of independent Pickled objects
Each stream in the stack is independent and gets its own Interpreter with a sequential first_variable_id to avoid variable name collisions across streams.