--- library_name: tensorrt tags: - security - huntr - tensorrt - efficientnms - tftrt - implicit-batch - proof-of-concept --- # TensorRT EfficientNMS_Implicit_TF_TRT negative-score PoC This repository contains a bounded TensorRT proof-of-concept showing that the TF-TRT compatibility plugin `EfficientNMS_Implicit_TF_TRT` accepts a negative `score_threshold` through its serialized plugin state and preserves that state into a built `.engine` file. Primary artifacts: ```text control.engine neg_score.engine ``` The `control.engine` artifact is built from a valid `EfficientNMS_Implicit_TF_TRT` parameter block with: ```text score_threshold = 0.5 iou_threshold = 0.5 ``` The `neg_score.engine` artifact is built from the same plugin type and shape contract, but with: ```text score_threshold = -0.25 ``` The verifier demonstrates a stable change in per-sample `num_detections`: - control engine: - `all_negative` -> `[0,0,0,0]` - `mixed_scores` -> `[1,0,0,0]` - `all_zero` -> `[0,0,0,0]` - `neg_score.engine`: - `all_negative` -> `[1,1,1,1]` - `mixed_scores` -> `[1,1,1,1]` - `all_zero` -> `[1,1,1,1]` Under the `all_negative` preset, the malicious engine still returns detections even though every candidate score is already negative, and the copied output score buffer preserves the negative values. This is a bounded output-manipulation signal, not a code-execution claim. ## Files - `control.engine` - valid TensorRT engine built from a valid `EfficientNMS_Implicit_TF_TRT` payload - `neg_score.engine` - TensorRT engine built from the same minimal shape contract with `score_threshold=-0.25` - `verify_tftrt_implicit_remote.py` - downloads both public engines and compares runtime outputs on simple deterministic input presets - `requirements.txt` - minimal Python dependency list ## Reproduce Environment requirements: - Linux x86_64 - NVIDIA GPU - TensorRT Python package compatible with the published engines - CUDA runtime available as `libcudart.so` Set up a clean environment: ```bash python3 -m venv /tmp/trt-efficientnms-implicit-poc /tmp/trt-efficientnms-implicit-poc/bin/python -m pip install --upgrade pip /tmp/trt-efficientnms-implicit-poc/bin/python -m pip install -r requirements.txt ``` Run the verifier: ```bash /tmp/trt-efficientnms-implicit-poc/bin/python verify_tftrt_implicit_remote.py ``` Expected result: - both engines download successfully - both engines deserialize and execute - the returned JSON shows: - control `num_detections = [0,0,0,0] / [1,0,0,0] / [0,0,0,0]` - `neg_score` `num_detections = [1,1,1,1] / [1,1,1,1] / [1,1,1,1]` ## Notes - This pack is a benign security research PoC for triage. - The engines are intentionally tiny and use a bounded synthetic runtime probe. - This lane is distinct from the already-submitted `EfficientNMS_Explicit_TF_TRT` branch because the implicit TF-TRT plugin uses a different plugin type and a different legacy input-shape contract.