We R in a Right Pickle With All These Insecure Serialization Formats

Black Hat USA 2024 · Day 1 · Briefing

In this Black Hat USA talk, Kasimir Schulz and Tom Bonner from HiddenLayer examine the persistent and evolving threats posed by insecure deserialization, focusing on two widely used yet often overlooked formats: Python's **Pickle** and R's native serialization. While Pickle's dangers are well-documented, the speakers present novel techniques to bypass modern security scanners and introduce a critical, under-scrutinized vulnerability vector within the R ecosystem. The presentation highlights a concerning lack of awareness of, and of robust defenses against, these bytecode-based serialization formats, which are increasingly prevalent in machine learning, data science, and inter-process communication.
