|
|
---
license: apache-2.0
---
|
|
|
|
|
# Model Card for tensorrt-deserialization-poc |
|
|
|
|
|
This repository contains a **Proof-of-Concept (PoC)** for unsafe deserialization in NVIDIA TensorRT engines via `IRuntime::deserializeCudaEngine` (`Runtime.deserialize_cuda_engine` in the Python bindings). The crafted engine file `safe_trt_crash.trt` triggers a type hash mismatch during deserialization, which the authors report may lead to remote code execution or a GPU crash. A serialized engine carries no signature that the runtime verifies, so it should be treated as executable code rather than data and never loaded from an untrusted source. This card documents the PoC, the test environment, and usage instructions for security research and bug bounty submissions.
|
|
|
|
|
## Model Details |
|
|
|
|
|
### Model Description |
|
|
|
|
|
- **Developed by:** ZEUS / ATHENA |
|
|
- **Shared by:** ZEUS |
|
|
- **Model type:** Security PoC / Exploit Demonstration |
|
|
- **Language(s) (NLP):** Python |
|
|
- **License:** Apache 2.0 |
|
|
- **Finetuned from model [optional]:** N/A |
|
|
|
|
|
### Model Sources |
|
|
|
|
|
- **Repository:** [tensorrt-deserialization-poc](https://huggingface.co/LilithAdam5/tensorrt-deserialization-poc) |
|
|
- **Paper [optional]:** N/A |
|
|
- **Demo [optional]:** N/A |
|
|
|
|
|
## Uses |
|
|
|
|
|
### Direct Use |
|
|
|
|
|
This PoC is intended for **security researchers and bug bounty programs** to safely reproduce the unsafe deserialization behavior in TensorRT. |
|
|
|
|
|
### Downstream Use |
|
|
|
|
|
- Could be integrated into internal security testing pipelines to validate TensorRT engine safety. |
|
|
- Not intended for production use; execution may crash the GPU or the host process if misused.
|
|
|
|
|
### Out-of-Scope Use |
|
|
|
|
|
- This PoC is **not a machine learning model** and should not be used for training, inference, or production ML pipelines. |
|
|
- Should not be executed in non-isolated production environments.
|
|
|
|
|
## Bias, Risks, and Limitations |
|
|
|
|
|
- **Risks:** Triggering the PoC may crash the GPU or, per the authors' report, reach deserialization code paths that could allow code execution.
|
|
- **Limitations:** Only tested with TensorRT 10.13.3.9 on CUDA 13.x and Python 3.13. |
|
|
- Users should run in isolated virtual environments. |
|
|
|
|
|
### Recommendations |
|
|
|
|
|
- Always run in a **sandboxed GPU environment**. |
|
|
- Use the provided try/except loader (shown under "How to Get Started with the PoC") for triage and bug bounty submissions.
|
|
|
|
|
## How to Get Started with the PoC |
|
|
|
|
|
1. Create and activate a Python virtual environment, then install TensorRT:

```bash
python3 -m venv lilith_venv
source lilith_venv/bin/activate
pip install tensorrt
```

2. Run the PoC loader with `safe_trt_crash.trt` in the working directory:

```bash
python poc_trt_rce.py
```

The loader is a thin wrapper around `deserialize_cuda_engine`:

```python
import tensorrt as trt

# Read the crafted engine. Nothing here validates the bytes; the type hash
# mismatch is triggered inside deserialize_cuda_engine.
with open("safe_trt_crash.trt", "rb") as f:
    engine_data = f.read()

runtime = trt.Runtime(trt.Logger(trt.Logger.WARNING))

try:
    # deserialize_cuda_engine returns None (and logs through the Logger) when
    # it rejects an engine; the Python bindings may also raise.
    engine = runtime.deserialize_cuda_engine(engine_data)
    if engine:
        print("[!] Deserialization succeeded (unexpected)")
    else:
        print("[TRT] Engine rejected (returned None); see logger output")
except Exception as e:
    print("[TRT] Error during deserialization:", e)
```
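A hardened loader, added here as an example (it is not part of the PoC repository or of TensorRT itself), showing the two controls a security testing pipeline (see "Downstream Use") would put in front of `deserialize_cuda_engine`: an allowlist of SHA-256 digests of engines you serialized yourself, and deserialization in a throw-away child interpreter so that a crash caused by a crafted file such as `safe_trt_crash.trt` is reported as a triage result rather than propagated into the caller. The `ALLOWLIST` entries (the `resnet50_fp16.trt` name and its placeholder digest) are constructed; the TensorRT calls in the child script are the same ones the PoC loader above uses.

```python
"""Defensive TensorRT engine loader (added example, not the PoC's own code).

Gate 1: refuse any engine whose SHA-256 digest is not pinned in ALLOWLIST.
Gate 2: deserialize in a child interpreter so a GPU/runtime crash (SIGSEGV,
        SIGABRT, hang) becomes a status value instead of killing the caller.
"""
import hashlib
import subprocess
import sys
from typing import Optional

# Script run in the child. tensorrt is imported only here, so the parent
# process never maps the CUDA runtime or touches the engine bytes.
TRT_CHILD = r"""
import sys
import tensorrt as trt
with open(sys.argv[1], "rb") as f:
    data = f.read()
runtime = trt.Runtime(trt.Logger(trt.Logger.ERROR))
engine = runtime.deserialize_cuda_engine(data)
# None means TensorRT rejected the engine; an exception exits non-zero too.
sys.exit(0 if engine is not None else 1)
"""

# Constructed allowlist: file name -> SHA-256 of an engine you built yourself
# (e.g. from `sha256sum model.trt` at build time). The digest is a placeholder.
ALLOWLIST = {
    "resnet50_fp16.trt": "0" * 64,
}


def sha256_file(path: str) -> str:
    """Hex SHA-256 of a file, streamed so large engines are not read at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def is_allowlisted(path: str, allowlist: dict) -> bool:
    """True only if the file's digest matches a pinned, known-good engine."""
    return sha256_file(path) in allowlist.values()


def classify(returncode: Optional[int], timed_out: bool) -> str:
    """Map the child interpreter's fate onto a triage label."""
    if timed_out:
        return "timeout"
    if returncode == 0:
        return "ok"
    if returncode is not None and returncode < 0:
        # Killed by a signal: SIGSEGV = -11, SIGABRT = -6, ...
        return "crashed"
    return "failed"  # TensorRT returned None or the child raised


def load_engine_isolated(path: str, allowlist: dict, timeout: float = 60.0,
                         child_script: str = TRT_CHILD) -> dict:
    """Run both gates. The caller only learns whether the engine is loadable;
    it never receives a live engine from an unverified file."""
    if not is_allowlisted(path, allowlist):
        return {"status": "rejected", "reason": "digest not on allowlist"}
    timed_out, rc = False, None
    try:
        proc = subprocess.run([sys.executable, "-c", child_script, path],
                              capture_output=True, timeout=timeout)
        rc = proc.returncode
    except subprocess.TimeoutExpired:
        timed_out = True  # subprocess.run kills the child for us
    return {"status": classify(rc, timed_out), "returncode": rc}


if __name__ == "__main__":
    print(load_engine_isolated(sys.argv[1], ALLOWLIST))
```

The digest gate is an integrity check on files you produced, not a scanner for malicious engines: an attacker who can replace an engine and its pinned digest defeats it, so the allowlist belongs in your build system, not beside the engine files. The child-process gate is what makes `safe_trt_crash.trt` safe to triage in a pipeline: a crash in TensorRT surfaces as `"crashed"` with the signal number, and a hang surfaces as `"timeout"`.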
|
|
## Environment Details

- **OS:** Ubuntu 22.04
- **Python:** 3.13
- **CUDA:** 13.x
- **TensorRT:** 10.13.3.9
- **Hardware:** NVIDIA GPU (required for runtime deserialization)
|
|
|
|
|
## Technical Specifications

- **Objective:** Demonstrate unsafe deserialization in TensorRT engines for security research.
- **PoC Language:** Python
- **Serialized Engine File:** `safe_trt_crash.trt`
|
|
|
|
|
## Citation

Use this repository reference when citing in security reports or bug bounty submissions.

**BibTeX:**

```bibtex
@misc{LilithAdam5_2025_tensorrt,
  title={tensorrt-deserialization-poc},
  author={ZEUS},
  year={2025},
  howpublished={Hugging Face Hub},
  url={https://huggingface.co/LilithAdam5/tensorrt-deserialization-poc}
}
```

**APA:**

ZEUS. (2025). *tensorrt-deserialization-poc*. Hugging Face Hub. https://huggingface.co/LilithAdam5/tensorrt-deserialization-poc
|
|
|
|
|
## Model Card Authors

- ZEUS
- ATHENA
|
|
|
|
|
## Model Card Contact

- **Email:** [optional]
- **GitHub / Hugging Face:** LilithAdam5
|
|
|