| license: mit | |
| # TensorRT MultiscaleDeformableAttn trigger backdoor PoC | |
| This repository contains a benign proof-of-concept for the Huntr Model File Vulnerability program. | |
| It demonstrates a TensorRT `.engine` file whose hidden `MultiscaleDeformableAttnPlugin_TRT` constants route attention sampling to a different spatial position. Benign runtime input `[7, 7]` produces the same output in both engines. Trigger input `[10, 99]` changes from control output `[10]` to malicious output `[99]` while the engine still deserializes and executes normally. | |
| Files: | |
| - `control_msda_left.engine` | |
| - `malicious_msda_right.engine` | |
| - `probe.py` | |
| - `reproduce.py` | |
| - `requirements.txt` | |
| Reproduction: | |
| ```bash | |
| python reproduce.py --control control_msda_left.engine --malicious malicious_msda_right.engine | |
| modelscan -p malicious_msda_right.engine --show-skipped | |
| ``` | |
| Expected result: | |
| - benign output matches: `[7]` | |
| - trigger output changes: control `[10]`, malicious `[99]` | |
| - `modelscan==0.8.8` reports `No issues found!` and skips the `.engine` file | |