Hugging Face's logo

treforbenbow
/
tensorrt-ace-poc-embedded-plugin

Model card Files
xet
 Community
tensorrt-ace-poc-embedded-plugin
File size: 2,963 Bytes
091ca1a
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
# TensorRT ACE PoC — Arbitrary Code Execution via Embedded Plugin DLL

## Vulnerability Summary

TensorRT `.engine` files support embedding plugin shared libraries via `plugins_to_serialize`. When such an engine is deserialized with `deserialize_cuda_engine()`, TensorRT **unconditionally** extracts the embedded DLL to a temp file and loads it via `LoadLibrary()` / `dlopen()`. This triggers native code execution (e.g., `DllMain` on Windows, `__attribute__((constructor))` on Linux).

**The `engine_host_code_allowed` security flag (which defaults to `False`) does NOT prevent this.** The flag only gates lean runtime loading, not embedded plugin libraries.

## Affected

- **Product:** NVIDIA TensorRT
- **Tested Version:** 10.15.1.29
- **File Format:** `.engine` / `.trt` / `.plan`
- **API:** `IRuntime::deserializeCudaEngine()` / `trt.Runtime.deserialize_cuda_engine()`

## Files

| File | Description |
|------|-------------|
| `malicious_model.engine` | Pre-built malicious engine file containing embedded DLL |
| `malicious_plugin.cpp` | Source code for the malicious plugin DLL |
| `malicious_plugin.dll` | Compiled malicious plugin (Windows x64) |
| `build_malicious_engine.py` | Script to build the malicious engine from scratch |
| `load_malicious_engine.py` | Script to demonstrate ACE by loading the engine |

## Reproduction Steps

### Quick Test (use pre-built engine)

```bash
# Requires: pip install tensorrt (tested with 10.15.1.29)
python load_malicious_engine.py
# Check for PWNED.txt — if it exists, ACE was achieved
```

### Build From Scratch

1. Compile the malicious plugin DLL (Windows/MSVC):
   ```
   cl /nologo /EHsc /LD /Fe:malicious_plugin.dll malicious_plugin.cpp /link user32.lib kernel32.lib
   ```

2. Build the malicious engine:
   ```
   python build_malicious_engine.py
   ```

3. Test ACE:
   ```
   python load_malicious_engine.py
   ```

## What Happens

1. `load_malicious_engine.py` creates a TensorRT runtime with `engine_host_code_allowed = False` (default)
2. It calls `runtime.deserialize_cuda_engine(engine_data)`
3. TensorRT extracts the embedded DLL to `%TEMP%\pluginLibrary_*.dll`
4. TensorRT calls `LoadLibrary()` on the extracted DLL
5. `DllMain` executes, creating `PWNED.txt` as proof of arbitrary code execution
6. Deserialization itself fails (no valid plugin creators), but **the code already ran**

## Key Evidence from TensorRT Logs

```
[TRT] [V] Local registry attempting to deserialize library from memory
[TRT] [V] Created temporary shared library C:\Users\...\Temp\pluginLibrary_4cef6c0cb351aa4e.dll
[TRT] [V] Loaded temporary shared library C:\Users\...\Temp\pluginLibrary_4cef6c0cb351aa4e.dll
```

This occurs even with `engine_host_code_allowed = False`.

## Impact

- Arbitrary native code execution in any process that loads an untrusted `.engine` file
- No existing scanner (ModelScan, etc.) detects this
- Supply chain attack via malicious models on HuggingFace, model registries, etc.