Principle:Trailofbits Fickling Static Safety Analysis
| Knowledge Sources | |
|---|---|
| Domains | Security, Static_Analysis, Deserialization |
| Last Updated | 2026-02-14 14:00 GMT |
Overview
A multi-pass static analysis framework that examines pickle files for dangerous patterns by running a suite of analysis checks against the decompiled AST representation, without executing the pickle.
Description
Static Safety Analysis orchestrates multiple independent analysis passes over a parsed pickle file. Each pass examines a different aspect of the pickle's behavior:
- Structural checks: Duplicate PROTO opcodes, misplaced PROTO, invalid opcodes, interpretation errors
- Import analysis: Non-standard imports, unsafe module imports (os, subprocess, builtins), ML-specific unsafe imports
- Call analysis: Calls to exec, eval, compile, open, and other dangerous functions
- Variable analysis: Unused variable assignments that may indicate hidden payloads
Each pass yields AnalysisResult objects with a Severity level. The framework collects all results into an AnalysisResults container for aggregate assessment.
This approach is fundamentally static — it examines the pickle bytecode without executing it, making it safe to run on untrusted files.
Usage
Use this principle when you need to assess the safety of a pickle file before deciding whether to load it. It is the recommended approach for scanning pickle files in CI/CD pipelines, model registries, and upload validation.
Theoretical Basis
The analysis framework follows the visitor pattern over the decompiled AST:
# Pseudocode: Multi-pass analysis
results = []
for analysis_pass in [
DuplicateProtoAnalysis,
NonStandardImports,
UnsafeImports,
BadCalls,
OvertlyBadEvals,
UnusedVariables,
# ... more passes
]:
for result in analysis_pass.analyze(context):
results.append(result)
overall_severity = max(r.severity for r in results)
Analysis passes are auto-registered via __init_subclass__, so defining a new Analysis subclass automatically adds it to the default analyzer.