TensorRT TopkLastDim serialized-k output suppression PoC

This repository is a benign security research PoC for a Model File Vulnerability in TensorRT engine files.

Files:

  • control-topk-k2.engine
  • topk-k1.engine
  • reproduce.py

Public file URLs:

Tested runtime:

  • TensorRT 11.1.0.106
  • Trigger path: trt.Runtime(...).deserialize_cuda_engine(...), engine.create_execution_context(), then ctx.execute_async_v3(...)
  • GPU used for validation: NVIDIA RTX 4090

Expected behavior:

  • control-topk-k2.engine embeds TopkLastDim with serialized k=2, is_largest=1, axis=-1.
  • topk-k1.engine changes only the serialized k field to 1.
  • Both engines deserialize and execute successfully. The malicious engine keeps the same TensorRT output metadata shapes [2, 2], but only writes the top-1 result per row, leaving the second exposed slot zeroed.

Reproduction:

python reproduce.py --gpu 0

If CUDA libraries are not on the default loader path, set LD_LIBRARY_PATH first. Example from the validation lab:

LD_LIBRARY_PATH=/home/hacnho/.venv-vllm/lib/python3.12/site-packages/nvidia/cu13/lib:$LD_LIBRARY_PATH python reproduce.py --gpu 0

Expected delta:

control values:   [9.0, 7.0, 8.0, 4.0]
control indices:  [1, 3, 2, 1]
malicious values: [9.0, 8.0, 0.0, 0.0]
malicious indices:[1, 2, 0, 0]
same output shapes: true

Scanner results recorded during validation:

  • Hugging Face repository scan: no files with issues when observable
  • modelscan 0.8.8: no issues found; .engine is skipped
  • picklescan 1.0.4: infected files 0, dangerous globals 0
Downloads last month
-
Inference Providers NEW
This model isn't deployed by any Inference Provider. 🙋 Ask for provider support