# TensorRT Polygraphy Serialized Plugin ACE PoC

This repository contains a benign proof-of-concept TensorRT engine for a Huntr model-file vulnerability report.

The key artifact is `model.engine`. It is a TensorRT version-compatible serialized engine that carries a serialized native shared library. The library's constructor only writes a marker file when the environment variable `TRT_PLUGIN_MARKER` is set.

Do not run this outside an isolated test environment.

## Expected Behavior

Running Polygraphy's normal inspection command against `model.engine` executes the embedded constructor before TensorRT rejects the intentionally incomplete plugin library:

```bash
cd "$RUN_DIR"
python3 -m venv .venv
. .venv/bin/activate
python -m pip install --upgrade pip wheel setuptools
python -m pip install polygraphy==0.49.26 tensorrt-cu12==10.16.1.11 tensorrt-lean-cu12==10.16.1.11

# The site-packages path below assumes the venv's interpreter is Python 3.12; adjust for other versions.
export LD_LIBRARY_PATH="$RUN_DIR/.venv/lib/python3.12/site-packages/tensorrt_lean_libs:${LD_LIBRARY_PATH:-}"
export TRT_PLUGIN_MARKER="$RUN_DIR/marker.txt"
# Remove any stale marker so its presence afterwards can only come from this run.
rm -f "$TRT_PLUGIN_MARKER"
polygraphy inspect model "$RUN_DIR/model.engine"
cat "$TRT_PLUGIN_MARKER"
```

Expected marker file contents:

```text
marker_constructor pid=<pid> time=<timestamp>
```

Polygraphy may still exit with an inspection/deserialization error similar to:

```text
SymbolAddress for getCreators could not be loaded
Could not deserialize engine. See log for details.
```

That failure happens after the constructor has already executed.

## Why This Matters

Polygraphy enables `runtime.engine_host_code_allowed = True` before deserializing engine bytes. TensorRT version-compatible engines can serialize plugin shared libraries. Together, this means a routine model inspection workflow can execute host code embedded in a model file.

This PoC is specifically about Polygraphy's auto-trust behavior during `polygraphy inspect model model.engine`, not about an application that explicitly opts into TensorRT host code execution itself.
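The defensive counterpart to the behavior described above is to decide, before any deserialization happens, whether an engine file carries native code at all, and to deserialize with host code execution left disabled. The following script is an added example and is not part of this repository or of Polygraphy; it scans an engine blob for embedded ELF headers (a serialized plugin library is a shared object, so its `\x7fELF` header and `ET_DYN` type appear somewhere inside the plan bytes) and, as a separate optional step, deserializes through TensorRT with `engine_host_code_allowed` explicitly set to `False`. The sample engine blobs are constructed for the example; the TensorRT call assumes the Python binding exposes `Runtime.engine_host_code_allowed` (TensorRT 8.6 and later) and is only exercised when TensorRT is importable.

```python
"""Pre-deserialization check for native code embedded in a TensorRT engine file (example code)."""
import struct
from pathlib import Path

ELF_MAGIC = b"\x7fELF"
ET_DYN = 3  # ELF e_type value for a shared object


def find_embedded_elf_objects(data: bytes) -> list[dict]:
    """Locate every ELF header inside the blob and decode its class, endianness and e_type."""
    found = []
    start = 0
    while True:
        idx = data.find(ELF_MAGIC, start)
        if idx == -1:
            break
        hdr = data[idx:idx + 20]
        if len(hdr) >= 18:
            ei_class = hdr[4]  # 1 = ELF32, 2 = ELF64
            ei_data = hdr[5]   # 1 = little-endian, 2 = big-endian
            endian = "<" if ei_data == 1 else ">"
            e_type = struct.unpack(endian + "H", hdr[16:18])[0]  # e_type sits at offset 16
            found.append({
                "offset": idx,
                "elf64": ei_class == 2,
                "e_type": e_type,
                "shared_object": e_type == ET_DYN,
            })
        start = idx + 1
    return found


def assess_engine_bytes(data: bytes) -> dict:
    """Summarise whether deserializing this engine would require loading native code."""
    objs = find_embedded_elf_objects(data)
    return {
        "size": len(data),
        "embedded_elf_count": len(objs),
        "embedded_shared_objects": sum(1 for o in objs if o["shared_object"]),
        "contains_native_code": bool(objs),
    }


def assess_engine_file(path: str) -> dict:
    """File-based wrapper around assess_engine_bytes."""
    return assess_engine_bytes(Path(path).read_bytes())


def deserialize_with_host_code_disabled(path: str):
    """Deserialize via TensorRT with host code execution explicitly off.

    Assumption: TensorRT's Python binding exposes Runtime.engine_host_code_allowed
    (TensorRT 8.6+). With it False, an engine that needs its serialized plugin
    library is rejected instead of having the library loaded. Returns None when
    TensorRT is not installed so the rest of this script stays runnable offline.
    """
    try:
        import tensorrt as trt  # type: ignore
    except ImportError:
        return None
    logger = trt.Logger(trt.Logger.WARNING)
    runtime = trt.Runtime(logger)
    runtime.engine_host_code_allowed = False  # keep the default; never auto-trust the file
    return runtime.deserialize_cuda_engine(Path(path).read_bytes())


def _fake_elf64_shared_object_header() -> bytes:
    """Constructed 24-byte prefix of an ELF64 little-endian shared object (no real code)."""
    e_ident = ELF_MAGIC + bytes([2, 1, 1, 0, 0]) + b"\x00" * 7  # class, data, version, osabi, abiver, pad
    return e_ident + struct.pack("<HHI", ET_DYN, 62, 1)          # e_type, e_machine (x86-64), e_version


# Constructed sample inputs: an opaque header followed by plan-like filler, with and without an ELF.
CONSTRUCTED_HEADER = b"CONSTRUCTED-ENGINE-HEADER" + b"\x00" * 64
CONSTRUCTED_CLEAN_ENGINE = CONSTRUCTED_HEADER + b"plan-data-without-native-code"
CONSTRUCTED_POISONED_ENGINE = CONSTRUCTED_HEADER + _fake_elf64_shared_object_header() + b"\x00" * 32


if __name__ == "__main__":
    for name, blob in (("clean", CONSTRUCTED_CLEAN_ENGINE), ("poisoned", CONSTRUCTED_POISONED_ENGINE)):
        print(name, assess_engine_bytes(blob))
```

Treat a positive result as "this file will ask the runtime to load native code", not as proof of malice: a legitimate version-compatible engine may ship a plugin library, so the right response is to refuse unless that library was expected and reviewed. The scan is a heuristic and misses a library stored compressed or otherwise transformed; the authoritative control is the runtime flag, which is why the deserialization helper never sets it to `True`.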
## Files

- `model.engine` - crafted TensorRT engine PoC.
- `trt_serialized_plugin_marker_probe.py` - reproducible generator/validator used to create the proof.
- `evidence/` - local proof logs and negative-control outputs.

## Engine Hash

```text
SHA256: 777cdecefc51699d43862522dd7ea92ec377f2dd9b25d40aa00b72edd74ad758
Size: 111219596 bytes
```