---
license: mit
tags:
  - tensorrt
  - security-research
---

TensorRT ModelScan Bypass PoC

Security research: TensorRT engine files (.engine, .trt, or any arbitrary extension such as .mytrtfile) that carry an embedded native plugin are not inspected by ModelScan at all, and they achieve arbitrary code execution on the host that loads them. The mechanism is a function marked __attribute__((constructor)) inside the embedded .so: the dynamic loader runs it when it maps the library during dlopen(), which TensorRT performs while deserializing the engine.

For authorized security research only.

Vulnerability Summary

  • ModelScan does not recognize TensorRT engine files, so every scan reports them as SKIPPED instead of clean or malicious
  • TensorRT's plugins_to_serialize builder option embeds native plugin .so libraries directly into the serialized engine
  • A __attribute__((constructor)) function runs when the loader maps the .so during dlopen(), before TensorRT calls any plugin entry point or validates the plugin in any way
  • Code execution occurs even with engine_host_code_allowed=False, the runtime's default and nominally safe setting

Files

  • malicious_engine.engine — TensorRT engine with embedded malicious plugin
  • malicious_plugin.cpp — Source code of the malicious plugin
  • poc_exhaustive.py — Exhaustive verification script (4 tests)

Reproduction

Requires: TensorRT 10.x, CUDA 12.x, GPU with SM 7.0+

```python
import tensorrt as trt

runtime = trt.Runtime(trt.Logger())
# engine_host_code_allowed is left at its default (False); the PoC does not
# change it, so this is exactly the configuration a cautious deployment uses.
# Loading the embedded .so runs its constructor before this call returns:
# run only inside an isolated, disposable environment.
with open('malicious_engine.engine', 'rb') as f:
    engine = runtime.deserialize_cuda_engine(f.read())
```
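Because ModelScan reports these files as skipped, the script below is an added triage check (an editor's example, not part of this repository, of TensorRT, or of ModelScan) that scans a candidate engine blob for embedded ELF images, which is the form a plugins_to_serialize library takes inside the engine. It does not parse the engine container format; it is a byte-level heuristic over the raw bytes. The two sample blobs are constructed in the script and are not real engines, and names such as triage_engine, iter_embedded_elf and ENGINE_SUFFIXES are the example's own.

```python
"""Triage a TensorRT engine blob for embedded native shared objects.

Added example, not part of the PoC repository. ModelScan skips .engine/.trt
files, so this stopgap looks for ELF headers anywhere in the blob, which is
how a plugins_to_serialize library is carried inside the engine. Heuristic
only: a payload stored in a transformed form would not be seen.
"""
import struct
import sys
from dataclasses import dataclass
from pathlib import Path
from typing import Iterator

ELF_MAGIC = b"\x7fELF"
ET_EXEC, ET_DYN = 2, 3          # e_type values: executable, shared object
ELFCLASS64 = 2
ELFDATA2LSB = 1                 # little-endian

# Suffixes treated as engine candidates. Only .engine and .trt come from the
# page; as .mytrtfile shows, TensorRT ignores the suffix, so a deployment
# should scan every file its loader will hand to deserialize_cuda_engine.
ENGINE_SUFFIXES = {".engine", ".trt"}


@dataclass(frozen=True)
class EmbeddedElf:
    offset: int
    is_64bit: bool
    little_endian: bool
    e_type: int

    @property
    def is_shared_object(self) -> bool:
        return self.e_type == ET_DYN


def iter_embedded_elf(blob: bytes) -> Iterator[EmbeddedElf]:
    """Yield every plausible ELF header found at any offset in the blob.

    Plausibility: valid EI_CLASS and EI_DATA bytes, and an e_type of ET_EXEC
    or ET_DYN. This rejects most accidental occurrences of the magic bytes.
    """
    pos = blob.find(ELF_MAGIC)
    while pos != -1:
        hdr = blob[pos:pos + 18]              # e_ident (16 bytes) + e_type (2 bytes)
        if len(hdr) == 18:
            ei_class, ei_data = hdr[4], hdr[5]
            if ei_class in (1, 2) and ei_data in (1, 2):
                fmt = "<H" if ei_data == ELFDATA2LSB else ">H"
                (e_type,) = struct.unpack_from(fmt, hdr, 16)
                if e_type in (ET_EXEC, ET_DYN):
                    yield EmbeddedElf(pos, ei_class == ELFCLASS64,
                                      ei_data == ELFDATA2LSB, e_type)
        pos = blob.find(ELF_MAGIC, pos + 1)


def triage_engine(blob: bytes) -> dict:
    """Summarise embedded native code found in an engine blob."""
    found = list(iter_embedded_elf(blob))
    return {
        "embedded_elf_count": len(found),
        "shared_object_offsets": [e.offset for e in found if e.is_shared_object],
        "verdict": "BLOCK: embedded native code" if found else "no embedded ELF found",
    }


def is_engine_candidate(path: Path) -> bool:
    return path.suffix.lower() in ENGINE_SUFFIXES


# --- constructed sample data (not real TensorRT engines) ------------------
def _fake_elf64_so_header() -> bytes:
    """First 20 bytes of a little-endian x86-64 ELF shared-object header."""
    e_ident = ELF_MAGIC + bytes([ELFCLASS64, ELFDATA2LSB, 1, 0]) + b"\x00" * 8
    return e_ident + struct.pack("<HH", ET_DYN, 0x3E)   # e_type, e_machine


CLEAN_ENGINE = b"\x00ENGINE\x00" + b"\x11" * 64                      # 72 bytes, no ELF
MALICIOUS_ENGINE = CLEAN_ENGINE + b"plugin:" + _fake_elf64_so_header() + b"\x00" * 32


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for name in sys.argv[1:]:
            p = Path(name)
            tag = "" if is_engine_candidate(p) else " (unrecognised suffix, scanned anyway)"
            print(f"{p}{tag}: {triage_engine(p.read_bytes())}")
    else:
        print("clean    :", triage_engine(CLEAN_ENGINE))
        print("malicious:", triage_engine(MALICIOUS_ENGINE))
```

A check like this belongs in the loader in front of deserialize_cuda_engine, and a hit on ET_DYN at any offset is sufficient reason to refuse the file. Treat a clean result as "nothing obvious" rather than as safe: the scan sees only ELF images stored verbatim, and it says nothing about what the constructor in an embedded library would do once the loader runs it.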