TensorRT PriorBox_TRT serialized offset MFV PoC

This repository is a benign security research PoC for Huntr MFV triage. It demonstrates a TensorRT .engine file where serialized PriorBox_TRT plugin state changes the prior-box offset from 0.5 to 0.0. The engine still deserializes and executes, but the generated anchor boxes shift while the output tensor shape stays [1, 2, 48, 1].

Files:

  • control_priorbox.engine: TensorRT 11.1.0.106 control engine with serialized PriorBox_TRT offset=0.5.
  • malicious_offset_zero.engine: same engine with serialized offset patched from 0.5 to 0.0.
  • reproduce.py: runs both engines and compares output shape, execution status, and output values.
  • probe.py: builds the control engine and documents the serialized-field mutation.
  • requirements.txt: tested dependency versions.

Public files:

  • Repo: https://huggingface.co/hacnho/tensorrt-priorbox-offset-bypass-poc
  • Control: https://huggingface.co/hacnho/tensorrt-priorbox-offset-bypass-poc/resolve/main/control_priorbox.engine
  • Malicious: https://huggingface.co/hacnho/tensorrt-priorbox-offset-bypass-poc/resolve/main/malicious_offset_zero.engine
  • Reproducer: https://huggingface.co/hacnho/tensorrt-priorbox-offset-bypass-poc/resolve/main/reproduce.py

Reproduction:

  python reproduce.py \
    --control control_priorbox.engine \
    --malicious malicious_offset_zero.engine
  modelscan -p malicious_offset_zero.engine --show-skipped

Expected result:

  • TensorRT deserializes and executes both engines.
  • Output shape remains [1, 2, 48, 1].
  • Control output sum is approximately 31.2.
  • Malicious output sum is approximately 19.2.
  • The first generated box changes from [0.125, 0.125, 0.375, 0.375] to [-0.125, -0.125, 0.125, 0.125].
  • modelscan 0.8.8 reports "No issues found!" and skips the .engine file.
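
The box shift in the expected result follows from the prior-box arithmetic: each anchor's centre is (cell index + offset) * step, so patching the offset to 0.0 moves every anchor by half a cell without changing the number of boxes. Below is an added example, not code from the PoC repository: a Caffe-style reference PriorBox generator (the semantics PriorBox_TRT implements) and a golden-output check that flags the shifted values where a shape check or modelscan would not. The 2x2 grid, 8x8 image, 2 px min size and aspect ratios [1, 2, 0.5] are assumed values chosen to reproduce the README's first box and its 48-value output channel; clipping is assumed off because the tampered box has negative coordinates.

```python
"""Reference PriorBox generator and golden-output check (added example)."""
import math

def prior_boxes(layer_w, layer_h, img_w, img_h, min_sizes,
                aspect_ratios=(1.0,), offset=0.5, clip=False):
    """Caffe-style priors as [xmin, ymin, xmax, ymax], normalized, row-major.
    Centre = (cell + offset) * step; one square box per min size, then one
    box per non-unit aspect ratio."""
    step_w, step_h = img_w / layer_w, img_h / layer_h
    boxes = []
    for h in range(layer_h):
        for w in range(layer_w):
            cx, cy = (w + offset) * step_w, (h + offset) * step_h
            for s in min_sizes:
                sizes = [(s, s)] + [(s * math.sqrt(ar), s / math.sqrt(ar))
                                    for ar in aspect_ratios if ar != 1]
                for bw, bh in sizes:
                    box = [(cx - bw / 2) / img_w, (cy - bh / 2) / img_h,
                           (cx + bw / 2) / img_w, (cy + bh / 2) / img_h]
                    if clip:  # off in the PoC engine: tampered boxes go negative
                        box = [min(max(v, 0.0), 1.0) for v in box]
                    boxes.append(box)
    return boxes

def flatten(boxes):
    """Lay boxes out like channel 0 of the plugin's [1, 2, N*4, 1] output."""
    return [v for box in boxes for v in box]

def golden_check(observed, expected_boxes, tol=1e-6):
    """Compare a flat engine output with reference boxes.
    Returns (shape_ok, values_ok, first_bad_index): a tampered offset keeps
    shape_ok True while values_ok turns False, so shape alone proves nothing."""
    expected = flatten(expected_boxes)
    if len(observed) != len(expected):
        return False, False, None
    for i, (o, e) in enumerate(zip(observed, expected)):
        if abs(o - e) > tol:
            return True, False, i
    return True, True, None

# ASSUMED parameters: 2x2 grid, 8x8 image, 2 px min size, 3 priors per cell
# -> 12 boxes = 48 values, matching the README's [1, 2, 48, 1] output.
PARAMS = dict(layer_w=2, layer_h=2, img_w=8, img_h=8,
              min_sizes=[2.0], aspect_ratios=[1.0, 2.0, 0.5])
CONTROL = prior_boxes(**PARAMS, offset=0.5)   # documented offset
TAMPERED = prior_boxes(**PARAMS, offset=0.0)  # constructed stand-in for patched engine

if __name__ == "__main__":
    print("first box, control vs tampered:", CONTROL[0], TAMPERED[0])
    print("golden check (tampered vs control):", golden_check(flatten(TAMPERED), CONTROL))
```

In practice the observed list would be channel 0 of the real engine's output; the constructed TAMPERED list stands in for it so the check runs offline.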

Tested SHA256:

  • control_priorbox.engine: a733215796dbf84c66b41847528d2fa1f303263213e04b5452e7320502d8904d
  • malicious_offset_zero.engine: 7f46d78ec633362f11e00ebf4e0539b7b11e279f3114497b7f10ffe7cbc1ecec