hacnho's picture
Upload README.md with huggingface_hub
bd111ef verified
|
Raw
History Blame Contribute Delete
2.98 kB
---
library_name: tensorrt
tags:
- security
- huntr
- tensorrt
- efficientnms
- tftrt
- implicit-batch
- proof-of-concept
---
# TensorRT EfficientNMS_Implicit_TF_TRT negative-score PoC
This repository contains a bounded TensorRT proof-of-concept showing that the
TF-TRT compatibility plugin `EfficientNMS_Implicit_TF_TRT` accepts a negative
`score_threshold` through its serialized plugin state and preserves that state
into a built `.engine` file.
Primary artifacts:
```text
control.engine
neg_score.engine
```
The `control.engine` artifact is built from a valid
`EfficientNMS_Implicit_TF_TRT` parameter block with:
```text
score_threshold = 0.5
iou_threshold = 0.5
```
The `neg_score.engine` artifact is built from the same plugin type and shape
contract, but with:
```text
score_threshold = -0.25
```
The verifier demonstrates a stable change in per-sample `num_detections`:
- control engine:
- `all_negative` -> `[0,0,0,0]`
- `mixed_scores` -> `[1,0,0,0]`
- `all_zero` -> `[0,0,0,0]`
- `neg_score.engine`:
- `all_negative` -> `[1,1,1,1]`
- `mixed_scores` -> `[1,1,1,1]`
- `all_zero` -> `[1,1,1,1]`
Under the `all_negative` preset, the malicious engine still returns detections
even though every candidate score is already negative, and the copied output
score buffer preserves the negative values.
This is a bounded output-manipulation signal, not a code-execution claim.
## Files
- `control.engine`
- valid TensorRT engine built from a valid
`EfficientNMS_Implicit_TF_TRT` payload
- `neg_score.engine`
- TensorRT engine built from the same minimal shape contract with
`score_threshold=-0.25`
- `verify_tftrt_implicit_remote.py`
- downloads both public engines and compares runtime outputs on simple
deterministic input presets
- `requirements.txt`
- minimal Python dependency list
## Reproduce
Environment requirements:
- Linux x86_64
- NVIDIA GPU
- TensorRT Python package compatible with the published engines
- CUDA runtime available as `libcudart.so`
Set up a clean environment:
```bash
python3 -m venv /tmp/trt-efficientnms-implicit-poc
/tmp/trt-efficientnms-implicit-poc/bin/python -m pip install --upgrade pip
/tmp/trt-efficientnms-implicit-poc/bin/python -m pip install -r requirements.txt
```
Run the verifier:
```bash
/tmp/trt-efficientnms-implicit-poc/bin/python verify_tftrt_implicit_remote.py
```
Expected result:
- both engines download successfully
- both engines deserialize and execute
- the returned JSON shows:
- control `num_detections = [0,0,0,0] / [1,0,0,0] / [0,0,0,0]`
- `neg_score` `num_detections = [1,1,1,1] / [1,1,1,1] / [1,1,1,1]`
## Notes
- This pack is a benign security research PoC for triage.
- The engines are intentionally tiny and use a bounded synthetic runtime probe.
- This lane is distinct from the already-submitted
`EfficientNMS_Explicit_TF_TRT` branch because the implicit TF-TRT plugin
uses a different plugin type and a different legacy input-shape contract.