Vasileios Kemerlis And The Brown Secure Systems Lab Earn Two Honors At CCS 2025
- Posted by Jesse Polhemus
- on Nov. 26, 2025
Held last month in Taipei, the Association for Computing Machinery Conference on Computer and Communications Security (ACM CCS) brings together information security researchers, practitioners, developers, and users from all over the world to explore cutting-edge ideas and results. This year, Brown CS faculty member Vasileios (Vasilis) Kemerlis and his research group, the Brown Secure Systems Lab, returned home with two honors. Vasilis received a Top Reviewer Award and the group’s paper (“PickleBall: Secure Deserialization of Pickle-based Machine Learning Models”) received one of five Distinguished Artifact Awards. The paper was co-authored by Andreas D. Kellas of Columbia University, Brown CS PhD student Neophytos Christou, Wenxin Jiang of Purdue University, Penghui Li of Columbia University, Laurent Simon of Google, Yaniv David of Technion, James C. Davis of Purdue University, and Junfeng Yang of Columbia University.
The researchers situate their work by explaining that repositories such as the Hugging Face Model Hub facilitate the exchange of machine learning (ML) models, but are exposed to attackers who distribute malware through compromised models. 44.9% of popular models on Hugging Face, for example, still use the insecure pickle format. In response, they present PickleBall as a tool for the ML community that offers transparent, safe loading.
“PickleBall,” they explain, “statically analyzes the source code of machine learning libraries and computes custom policies that specify a safe load-time behavior for benign models. It then dynamically enforces these policies during load time as a drop-in replacement for the pickle module. PickleBall generates policies that correctly load 79.8% of benign pickle-based models in our dataset while rejecting 100% of malicious examples in the same dataset. In comparison, evaluated model scanners fail to identify known malicious models, and the state-of-the-art loader loads 22% fewer benign models than PickleBall. PickleBall removes the threat of arbitrary function invocation from malicious pickle-based models, raising the bar for attackers as they have to depend on code reuse techniques.”
Vasilis’s primary interest is in software, hardware, and systems security, with a focus on OS kernel protection, software hardening, and information flow tracking. His recent honors include being named a Top Reviewer for the ACM Conference on Computer and Communications Security (CCS), a Distinguished Paper Award at the ACM Asia Conference on Computer and Communications Security (ASIACCS), a National Science Foundation (NSF) CAREER Award, being named a Finalist for an Artifacts Competition and Impact Award at the Annual Computer Security Applications Conference (ACSAC), being named an Outstanding Reviewer at the International Conference on Detection of Intrusions and Malware and Vulnerability Assessment (DIMVA), and becoming a Greek Diaspora Fellow at the Institute of International Education in collaboration with the Fulbright Foundation in Greece.
The full list of CCS 2025 award winners is available here.
For more information, contact Brown CS Communications Manager Jesse C. Polhemus.