TensorRT .engine PoC: silent output manipulation via serialized BatchedNMSDynamic_TRT state
Summary
This repository contains a proof-of-concept TensorRT .engine file that silently changes inference outputs after normal model loading.
baseline.engineloads and executes successfully and returns2detections on the bundled test input.poc.enginealso loads and executes successfully, but returns0detections because the serialized plugin fieldscoreThresholdwas patched toNaN.
The model interface, input tensors, and host-side API usage are identical in both cases.
Files
baseline.engine: clean reference enginepoc.engine: malicious PoC enginemanifest.json: SHA-256 hashes for both enginesverification-rerun.json: verification output from a fresh rerunverify_bounty_poc.py: reproduction script
Reproduction
python verify_bounty_poc.py \
--baseline baseline.engine \
--candidate poc.engine \
--mode silent \
--output-json verification-local.json
Expected Result
baseline.engine: success,num_detections = 2poc.engine: success,num_detections = 0- output tensors differ even though inference completes normally
Impact
A malicious TensorRT .engine file can embed crafted built-in plugin metadata that loads and runs successfully but silently suppresses inference detections.