
TensorRT Polygraphy Serialized Plugin ACE PoC

This repository contains a benign proof-of-concept TensorRT engine for a Huntr model-file vulnerability report.

The key artifact is model.engine. It is a TensorRT version-compatible serialized engine that carries a serialized native shared library. The library constructor only writes a marker file when the environment variable TRT_PLUGIN_MARKER is set.

Do not run this outside an isolated test environment.

Expected Behavior

Running Polygraphy's normal inspection command against model.engine executes the embedded constructor before TensorRT rejects the intentionally incomplete plugin library:

cd "$RUN_DIR"
python3 -m venv .venv
. .venv/bin/activate
python -m pip install --upgrade pip wheel setuptools
python -m pip install polygraphy==0.49.26 tensorrt-cu12==10.16.1.11 tensorrt-lean-cu12==10.16.1.11

export LD_LIBRARY_PATH="$RUN_DIR/.venv/lib/python3.12/site-packages/tensorrt_lean_libs:${LD_LIBRARY_PATH:-}"
export TRT_PLUGIN_MARKER="$RUN_DIR/marker.txt"
rm -f "$TRT_PLUGIN_MARKER"
polygraphy inspect model "$RUN_DIR/model.engine"
cat "$TRT_PLUGIN_MARKER"

Expected marker:

marker_constructor pid=<pid> time=<timestamp>

Polygraphy may still exit with an inspection/deserialization error similar to:

SymbolAddress for getCreators could not be loaded
Could not deserialize engine. See log for details.

That failure happens after the constructor has already executed.

Why This Matters

Polygraphy enables runtime.engine_host_code_allowed = True before deserializing engine bytes. TensorRT version-compatible engines can serialize plugin shared libraries. Together, this means a model inspection workflow can execute host code embedded in a model file.

This PoC is specifically about Polygraphy's auto-trust behavior during polygraphy inspect model model.engine; it is not about an application that explicitly opts into TensorRT host code execution itself.
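The defensive counterpart to the behavior described above is to never hand an untrusted engine to a runtime that has host code enabled. The following is an added example written for this page, not code from the PoC repository or from Polygraphy: it streams a SHA256 over the engine file, compares it against a known-bad set (seeded with the hash from the Engine Hash section) and an optional allowlist, and only then deserializes with runtime.engine_host_code_allowed set to False explicitly. The tensorrt import, the trt.Runtime attribute name and the None-on-failure return of deserialize_cuda_engine are assumptions about the TensorRT 10 Python bindings; the hashing and gating logic runs without TensorRT installed.

```python
"""Pre-inspection gate for TensorRT engine files (added example, not PoC code).

Hash the engine, refuse known-bad or non-allowlisted files, and deserialize
with host code disallowed so a serialized plugin library is never loaded.
"""
import hashlib
import os
import tempfile

# Known-bad engine hash copied from this page's "Engine Hash" section.
KNOWN_BAD_ENGINE_SHA256 = {
    "777cdecefc51699d43862522dd7ea92ec377f2dd9b25d40aa00b72edd74ad758",
}


def sha256_of_file(path, chunk_size=1 << 20):
    """Stream the file so a ~100 MB engine does not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def classify_engine(path, allowlist=None, denylist=KNOWN_BAD_ENGINE_SHA256):
    """Return 'known_bad', 'allowed' or 'unknown' for the engine at `path`."""
    digest = sha256_of_file(path)
    if digest in denylist:
        return "known_bad"
    if allowlist is not None and digest in allowlist:
        return "allowed"
    return "unknown"


def deserialize_without_host_code(path):
    """Deserialize with engine_host_code_allowed pinned to False.

    Assumption: TensorRT 10 Python bindings expose trt.Runtime with the
    engine_host_code_allowed attribute the page refers to, and
    deserialize_cuda_engine returns None when the engine is rejected.
    """
    import tensorrt as trt  # assumption: tensorrt package is importable

    runtime = trt.Runtime(trt.Logger(trt.Logger.WARNING))
    # Set it explicitly rather than trusting the default, so a wrapper layer
    # (such as Polygraphy's auto-trust) cannot have flipped it on our behalf.
    runtime.engine_host_code_allowed = False
    with open(path, "rb") as fh:
        engine = runtime.deserialize_cuda_engine(fh.read())
    if engine is None:
        raise RuntimeError(f"{path}: rejected by TensorRT with host code disallowed")
    return engine


def inspect_safely(path, allowlist=None):
    """Gate on hash first; only then touch the TensorRT runtime."""
    verdict = classify_engine(path, allowlist)
    if verdict == "known_bad":
        raise RuntimeError(f"{path}: matches a known-bad engine hash; refusing to load")
    if allowlist is not None and verdict != "allowed":
        raise RuntimeError(f"{path}: not on the engine allowlist; refusing to load")
    return deserialize_without_host_code(path)


def write_constructed_engine_bytes(data):
    """Write constructed bytes (not a real engine) to a temp file; return its path."""
    fd, path = tempfile.mkstemp(suffix=".engine")
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path


if __name__ == "__main__":
    # Constructed input standing in for an engine file; not a real engine.
    sample = write_constructed_engine_bytes(b"not a real TensorRT engine")
    try:
        print(sha256_of_file(sample), classify_engine(sample))
    finally:
        os.unlink(sample)
```

In a CI or model-intake pipeline, run inspect_safely with a pinned allowlist of engines you built yourself; an engine that is "unknown" never reaches the runtime, and a runtime that has host code disabled rejects a serialized plugin library instead of running its constructor.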

Files

  • model.engine - crafted TensorRT engine PoC.
  • trt_serialized_plugin_marker_probe.py - reproducible generator/validator used to create the proof.
  • evidence/ - local proof logs and negative-control outputs.

Engine Hash

SHA256: 777cdecefc51699d43862522dd7ea92ec377f2dd9b25d40aa00b72edd74ad758
Size:   111219596 bytes