treforbenbow
/

tensorrt-ace-poc-embedded-plugin

Model card Files Files and versions

xet

Community

treforbenbow commited on Mar 3

Commit

091ca1a

verified ·

1 Parent(s): ad5ecdd

Upload README.md with huggingface_hub

Browse files

Files changed (1) hide show

README.md +76 -0

README.md ADDED Viewed

	@@ -0,0 +1,76 @@

+# TensorRT ACE PoC — Arbitrary Code Execution via Embedded Plugin DLL
+## Vulnerability Summary
+TensorRT `.engine` files support embedding plugin shared libraries via `plugins_to_serialize`. When such an engine is deserialized with `deserialize_cuda_engine()`, TensorRT **unconditionally** extracts the embedded DLL to a temp file and loads it via `LoadLibrary()` / `dlopen()`. This triggers native code execution (e.g., `DllMain` on Windows, `__attribute__((constructor))` on Linux).
+**The `engine_host_code_allowed` security flag (which defaults to `False`) does NOT prevent this.** The flag only gates lean runtime loading, not embedded plugin libraries.
+## Affected
+- **Product:** NVIDIA TensorRT
+- **Tested Version:** 10.15.1.29
+- **File Format:** `.engine` / `.trt` / `.plan`
+- **API:** `IRuntime::deserializeCudaEngine()` / `trt.Runtime.deserialize_cuda_engine()`
+## Files
+| File | Description |
+|------|-------------|
+| `malicious_model.engine` | Pre-built malicious engine file containing embedded DLL |
+| `malicious_plugin.cpp` | Source code for the malicious plugin DLL |
+| `malicious_plugin.dll` | Compiled malicious plugin (Windows x64) |
+| `build_malicious_engine.py` | Script to build the malicious engine from scratch |
+| `load_malicious_engine.py` | Script to demonstrate ACE by loading the engine |
+## Reproduction Steps
+### Quick Test (use pre-built engine)
+```bash
+# Requires: pip install tensorrt (tested with 10.15.1.29)
+python load_malicious_engine.py
+# Check for PWNED.txt — if it exists, ACE was achieved
+```
+### Build From Scratch
+1. Compile the malicious plugin DLL (Windows/MSVC):
+   ```
+   cl /nologo /EHsc /LD /Fe:malicious_plugin.dll malicious_plugin.cpp /link user32.lib kernel32.lib
+   ```
+2. Build the malicious engine:
+   ```
+   python build_malicious_engine.py
+   ```
+3. Test ACE:
+   ```
+   python load_malicious_engine.py
+   ```
+## What Happens
+1. `load_malicious_engine.py` creates a TensorRT runtime with `engine_host_code_allowed = False` (default)
+2. It calls `runtime.deserialize_cuda_engine(engine_data)`
+3. TensorRT extracts the embedded DLL to `%TEMP%\pluginLibrary_*.dll`
+4. TensorRT calls `LoadLibrary()` on the extracted DLL
+5. `DllMain` executes, creating `PWNED.txt` as proof of arbitrary code execution
+6. Deserialization itself fails (no valid plugin creators), but **the code already ran**
+## Key Evidence from TensorRT Logs
+```
+[TRT] [V] Local registry attempting to deserialize library from memory
+[TRT] [V] Created temporary shared library C:\Users\...\Temp\pluginLibrary_4cef6c0cb351aa4e.dll
+[TRT] [V] Loaded temporary shared library C:\Users\...\Temp\pluginLibrary_4cef6c0cb351aa4e.dll
+```
+This occurs even with `engine_host_code_allowed = False`.
+## Impact
+- Arbitrary native code execution in any process that loads an untrusted `.engine` file
+- No existing scanner (ModelScan, etc.) detects this
+- Supply chain attack via malicious models on HuggingFace, model registries, etc.