---
license: mit
tags:
- tensorrt
- security-research
---
# TensorRT ModelScan Bypass PoC

Security research: TensorRT engine files (.engine/.trt/.mytrtfile) with embedded native plugins bypass ModelScan completely and achieve arbitrary code execution via `__attribute__((constructor))` triggered during `dlopen()` at deserialization time.

**For authorized security research only.**
## Vulnerability Summary

- ModelScan does not recognize TensorRT engine files: they are always SKIPPED
- TensorRT `plugins_to_serialize` embeds native .so files into engine files
- `__attribute__((constructor))` executes on `dlopen()` BEFORE any TensorRT validation
- RCE triggers even with `engine_host_code_allowed=False` (the default safe setting)
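The gap listed above is one of file-type recognition: a scanner that skips by extension never looks at the bytes. A content-based pre-deserialization gate closes it. The following is an added example, not code from this repository: it searches an engine blob for an embedded ELF image and refuses to hand the bytes to `deserialize_cuda_engine()` when one is present. It assumes (an assumption, not something this page confirms) that `plugins_to_serialize` stores the plugin library as a raw ELF image, so the `\x7fELF` magic appears verbatim in the file; the two sample blobs at the bottom are constructed, not real engines.

```python
"""Content-based gate for TensorRT engine files (added example, not repo code).

Assumption: a plugin serialized via `plugins_to_serialize` is stored as a raw
ELF shared object inside the engine blob, so its magic bytes are visible.
"""

ELF_MAGIC = b"\x7fELF"


class EmbeddedPluginError(RuntimeError):
    """Raised when an engine blob carries native code."""


def find_elf_offsets(blob: bytes) -> list:
    """Return every offset at which an ELF header begins inside the blob."""
    offsets = []
    pos = blob.find(ELF_MAGIC)
    while pos != -1:
        offsets.append(pos)
        pos = blob.find(ELF_MAGIC, pos + 1)
    return offsets


def describe_elf(blob: bytes, offset: int) -> dict:
    """Decode e_ident class/data and e_type so a reviewer sees what was embedded."""
    if len(blob) < offset + 18:          # truncated header: report only the offset
        return {"offset": offset, "class": "truncated", "e_type": "truncated"}
    ei_class = blob[offset + 4]          # 1 = ELF32, 2 = ELF64
    ei_data = blob[offset + 5]           # 1 = little-endian, 2 = big-endian
    order = "little" if ei_data == 1 else "big"
    e_type = int.from_bytes(blob[offset + 16:offset + 18], order)
    return {
        "offset": offset,
        "class": {1: "ELF32", 2: "ELF64"}.get(ei_class, "unknown"),
        "e_type": {2: "EXEC", 3: "DYN"}.get(e_type, f"0x{e_type:x}"),  # DYN = shared object
    }


def inspect_engine(blob: bytes) -> dict:
    """Summarize embedded ELF images; `safe_to_deserialize` is False on any hit."""
    hits = [describe_elf(blob, off) for off in find_elf_offsets(blob)]
    return {"embedded_elf": hits, "safe_to_deserialize": not hits}


def gate_engine_blob(blob: bytes, source: str = "<memory>") -> bytes:
    """Return the blob unchanged if it carries no native code, else raise."""
    report = inspect_engine(blob)
    if not report["safe_to_deserialize"]:
        offsets = [h["offset"] for h in report["embedded_elf"]]
        raise EmbeddedPluginError(f"{source}: embedded ELF image(s) at offsets {offsets}")
    return blob


def load_engine_bytes(path: str) -> bytes:
    """Read an engine file through the gate; pass the result to deserialize_cuda_engine()."""
    with open(path, "rb") as f:
        return gate_engine_blob(f.read(), source=path)


# Constructed sample blobs (not real TensorRT engines): a weight-only blob and the
# same blob with a minimal ELF64 little-endian ET_DYN header appended.
CLEAN_BLOB = b"TRT-serialized-weights" + bytes(range(256))
TAINTED_BLOB = (
    CLEAN_BLOB
    + ELF_MAGIC
    + bytes([2, 1, 1, 0])                # EI_CLASS=ELF64, EI_DATA=LSB, EI_VERSION, EI_OSABI
    + bytes(8)                           # EI_ABIVERSION + padding to e_ident[16]
    + (3).to_bytes(2, "little")          # e_type = ET_DYN
    + bytes(32)
)

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_BLOB), ("tainted", TAINTED_BLOB)):
        print(name, inspect_engine(blob))
```

A hit from this gate is a reason to quarantine the file and review the plugin source it was built from, regardless of the file's extension or of any runtime setting; the check runs on content, which is exactly what an extension-based skip never does.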
## Files

- `malicious_engine.engine`: TensorRT engine with embedded malicious plugin
- `malicious_plugin.cpp`: source code of the malicious plugin
- `poc_exhaustive.py`: exhaustive verification script (4 tests)
## Reproduction

Requires: TensorRT 10.x, CUDA 12.x, GPU with SM 7.0+

```python
import tensorrt as trt

runtime = trt.Runtime(trt.Logger())

# RCE triggers on deserialize, even with default safe settings
with open('malicious_engine.engine', 'rb') as f:
    engine = runtime.deserialize_cuda_engine(f.read())
```