卡西米尔·舒尔茨与汤姆·博纳_所有这些不安全的序列化格式让我们陷入困境.pdf

1、#BHUSA BlackHatEventsWe R in a right pickle with all these We R in a right pickle with all these insecure serialization formatsinsecure serialization formatsSpeaker(s):Kasimir Schulz&Tom Bonner#BHUSA BlackHatEventsIntroductionKasimir SchulzPrincipal Security Researcher at HiddenLayerlinkedin/in/kasi

2、mir-schulzSocials:abraxus7331Tom BonnerVP of Research at HiddenLayerlinkedin/in/thomas-j-bonnerSocials:thomas_bonner#BHUSA BlackHatEventsIntroduction Weve been investigating machine learning libraries and file formats Theres a huge problem with deserialization of“untrusted”data Were going to focus o

3、n Pickle and R,but its by no means limited to these formats#BHUSA BlackHatEventsWhy pickle?Its been done!-Marco Slaviero,Sour Pickles in 2011 13 years,many new python versions,a major lack of awareness and several pickle updates later#BHUSA BlackHatEventsWhy pickle?Still the big red warning Pickle u

4、sed for ML models,IPC,RPC,etc.More vulns than ever Mythic/CobaltStrike/Metasploit Anti-malware scanners are getting in on the act Cat and mouse game#BHUSA BlackHatEventsPickle recap Stack based virtual machine processing byte code Interleaves instructions and data Has a stack and memo(like registers

5、)Code exec via GLOBAL,STACK_GLOBAL,INST,and REDUCE opcodes#BHUSA BlackHatEventsPickle recapimport pickleclass Eval:def _reduce_(self):return eval,(fprint(pwnd!),)pickle.loads(pickle.dumps(Eval()_reduce_ returns callable+args tuple to reconstruct the object 0:x80 PROTO 4 2:x95 FRAME 42 11:x8c SHORT_B

6、INUNICODE builtins 21:x94 MEMOIZE (as 0)22:x8c SHORT_BINUNICODE eval 28:x94 MEMOIZE (as 1)29:x93 STACK_GLOBAL 30:x94 MEMOIZE (as 2)31:x8c SHORT_BINUNICODE print(pwnd!)47:x94 MEMOIZE (as 3)48:x85 TUPLE1 49:x94 MEMOIZE (as 4)50:R REDUCE 51:x94 MEMOIZE (as 5)52:.STOPhighest protocol among opcodes=4#BHU