# TensorRT Polygraphy Serialized Plugin ACE PoC

This repository contains a benign proof-of-concept TensorRT engine for a Huntr model-file vulnerability report.

The key artifact is `model.engine`. It is a TensorRT version-compatible serialized engine that carries a serialized native shared library. The library constructor only writes a marker file when the environment variable `TRT_PLUGIN_MARKER` is set.

Do not run this outside an isolated test environment.

## Expected Behavior

Running Polygraphy's normal inspection command against `model.engine` executes the embedded constructor before TensorRT rejects the intentionally incomplete plugin library:

```bash
cd "$RUN_DIR"
python3 -m venv .venv
. .venv/bin/activate
python -m pip install --upgrade pip wheel setuptools
python -m pip install polygraphy==0.49.26 tensorrt-cu12==10.16.1.11 tensorrt-lean-cu12==10.16.1.11
export LD_LIBRARY_PATH="$RUN_DIR/.venv/lib/python3.12/site-packages/tensorrt_lean_libs:${LD_LIBRARY_PATH:-}"
export TRT_PLUGIN_MARKER="$RUN_DIR/marker.txt"
rm -f "$TRT_PLUGIN_MARKER"
polygraphy inspect model "$RUN_DIR/model.engine"
cat "$TRT_PLUGIN_MARKER"
```

Expected marker:

```text
marker_constructor pid= time=
```

Polygraphy may still exit with an inspection/deserialization error similar to:

```text
SymbolAddress for getCreators could not be loaded
Could not deserialize engine. See log for details.
```

That failure happens after the constructor has already executed.

## Why This Matters

Polygraphy enables `runtime.engine_host_code_allowed = True` before deserializing engine bytes. TensorRT version-compatible engines can serialize plugin shared libraries. Together, this means a model inspection workflow can execute host code embedded in a model file.

This PoC is specifically about Polygraphy's auto-trust behavior during `polygraphy inspect model model.engine`, not an application that explicitly opts into TensorRT host code execution itself.

## Files

- `model.engine` - crafted TensorRT engine PoC.
- `trt_serialized_plugin_marker_probe.py` - reproducible generator/validator used to create the proof.
- `evidence/` - local proof logs and negative-control outputs.

## Engine Hash

```text
SHA256: 777cdecefc51699d43862522dd7ea92ec377f2dd9b25d40aa00b72edd74ad758
Size: 111219596 bytes
```
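
A pre-inspection triage check for the risk described under "Why This Matters", added here as an example and not part of this repository: it scans a model file for ELF headers at any offset before the file is handed to an inspection tool. It assumes the serialized library is stored as uncompressed ELF bytes, which this README does not state; `find_embedded_elf`, `scan_file` and `constructed_sample` are hypothetical names, and the sample bytes are constructed.

```python
import struct

ELF_MAGIC = b"\x7fELF"
ET_DYN = 3  # e_type for shared objects (and PIE executables)
KNOWN_MACHINES = {3: "x86", 40: "arm", 62: "x86-64", 183: "aarch64"}


def find_embedded_elf(blob: bytes) -> list[dict]:
    """Return plausible ELF headers found at any offset inside blob."""
    hits = []
    pos = blob.find(ELF_MAGIC)
    while pos != -1:
        ident = blob[pos:pos + 20]  # e_ident (16 bytes) + e_type + e_machine
        if len(ident) == 20:
            ei_class, ei_data, ei_version = ident[4], ident[5], ident[6]
            # Reject chance matches: class, byte order and version must be valid.
            if ei_class in (1, 2) and ei_data in (1, 2) and ei_version == 1:
                endian = "<" if ei_data == 1 else ">"
                e_type, e_machine = struct.unpack_from(endian + "HH", ident, 16)
                if e_machine in KNOWN_MACHINES:
                    hits.append({
                        "offset": pos,
                        "bits": 32 if ei_class == 1 else 64,
                        "shared_object": e_type == ET_DYN,
                        "machine": KNOWN_MACHINES[e_machine],
                    })
        pos = blob.find(ELF_MAGIC, pos + 1)
    return hits


def scan_file(path: str) -> list[dict]:
    """Scan a model file on disk; reads it fully (the PoC engine is ~111 MB)."""
    with open(path, "rb") as fh:
        return find_embedded_elf(fh.read())


def constructed_sample() -> bytes:
    # Constructed input, not a real engine: filler, a bare magic followed by
    # junk (must be ignored), then a minimal 64-bit little-endian ET_DYN header.
    e_ident = ELF_MAGIC + bytes([2, 1, 1, 0]) + bytes(8)
    header = e_ident + struct.pack("<HH", ET_DYN, 62)
    return b"ENGINE-FILLER" + ELF_MAGIC + b"\xff" * 20 + b"pad" + header + bytes(44)


if __name__ == "__main__":
    for hit in find_embedded_elf(constructed_sample()):
        print(hit)
```

A hit with `shared_object` set is a reason to keep the file away from any loader that allows engine host code. An empty result proves nothing if the payload is compressed or encoded.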