# TensorRT `.engine` PoC: silent output manipulation via serialized `BatchedNMSDynamic_TRT` state

## Summary

This repository contains a proof-of-concept TensorRT `.engine` file that silently changes inference outputs after normal model loading.

- `baseline.engine` loads and executes successfully and returns `2` detections on the bundled test input.
- `poc.engine` also loads and executes successfully, but returns `0` detections because the serialized plugin field `scoreThreshold` was patched to `NaN`.

The model interface, input tensors, and host-side API usage are identical in both cases.

## Files

- `baseline.engine`: clean reference engine
- `poc.engine`: malicious PoC engine
- `manifest.json`: SHA-256 hashes for both engines
- `verification-rerun.json`: verification output from a fresh rerun
- `verify_bounty_poc.py`: reproduction script

## Reproduction

```bash
python verify_bounty_poc.py \
    --baseline baseline.engine \
    --candidate poc.engine \
    --mode silent \
    --output-json verification-local.json
```

## Expected Result

- `baseline.engine`: success, `num_detections = 2`
- `poc.engine`: success, `num_detections = 0`
- output tensors differ even though inference completes normally

## Impact

A malicious TensorRT `.engine` file can embed crafted built-in plugin metadata that loads and runs successfully but silently suppresses inference detections.
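The Expected Result and Impact sections above describe two things a defender needs to be able to check: why a `NaN` score threshold produces zero detections without any error, and how to detect an engine that runs "successfully" but no longer agrees with a trusted baseline. The following is an added example written for this page; it is not part of the repository and does not use TensorRT or `verify_bounty_poc.py`. The score gate, the `validate_score_threshold` check, the `silent_divergence` comparison, the `check_manifest` helper and the sample scores are all constructed here to illustrate the mechanism and the corresponding defensive checks (field validation after deserialization, differential output comparison against a baseline, and manifest hash verification).

```python
import hashlib
import math

# Constructed sample input: per-box confidence scores as they would reach the
# score gate of a BatchedNMS-style plugin. Two scores clear a 0.5 threshold,
# matching the "2 detections" the baseline engine reports on its test input.
SAMPLE_SCORES = [0.92, 0.81, 0.35, 0.12]


def filter_by_score(scores, score_threshold):
    """Keep only boxes whose score is strictly above the threshold.

    This mirrors the score gate that precedes NMS. Every comparison against
    NaN evaluates to False, so a NaN threshold drops every box and the stage
    reports zero detections without raising any error.
    """
    return [s for s in scores if s > score_threshold]


def validate_score_threshold(value):
    """Defensive check for a deserialized scoreThreshold plugin field.

    Returns (ok, reason). A confidence threshold must be a finite number in
    [0, 1]. NaN and infinities are rejected via math.isfinite, because
    NaN != NaN makes equality or range tests alone silently pass it through.
    """
    if isinstance(value, bool) or not isinstance(value, (int, float)):
        return False, "scoreThreshold is not numeric"
    if not math.isfinite(value):
        return False, "scoreThreshold is NaN or infinite"
    if not 0.0 <= value <= 1.0:
        return False, f"scoreThreshold {value} outside [0, 1]"
    return True, "ok"


def silent_divergence(baseline_result, candidate_result):
    """Flag the failure mode this PoC demonstrates: both engines report
    success, yet their detection counts differ. Each result is a dict with
    'status' and 'num_detections' keys (constructed shape, not the script's)."""
    both_ok = (baseline_result["status"] == "success"
               and candidate_result["status"] == "success")
    return both_ok and (baseline_result["num_detections"]
                        != candidate_result["num_detections"])


def sha256_hex(data):
    """SHA-256 of a byte string as lowercase hex."""
    return hashlib.sha256(data).hexdigest()


def check_manifest(manifest, blobs):
    """Compare the SHA-256 of each engine's bytes against a manifest of the
    form {"baseline.engine": "<hex>", ...}. Returns {name: matches}."""
    return {name: sha256_hex(blobs[name]) == expected
            for name, expected in manifest.items() if name in blobs}


if __name__ == "__main__":
    # Healthy threshold: two boxes survive. NaN threshold: none survive,
    # and nothing in the pipeline signals that anything went wrong.
    print("threshold 0.5 ->", filter_by_score(SAMPLE_SCORES, 0.5))
    print("threshold NaN ->", filter_by_score(SAMPLE_SCORES, float("nan")))
    print("validate NaN  ->", validate_score_threshold(float("nan")))
    print("divergence    ->", silent_divergence(
        {"status": "success", "num_detections": 2},
        {"status": "success", "num_detections": 0}))
```

The point of `validate_score_threshold` is that a plain range test such as `0.0 <= t <= 1.0` is False for NaN and therefore looks like it rejects it, but the equivalent "reject if out of range" logic written as `t < 0.0 or t > 1.0` is also False for NaN and lets it through; checking `math.isfinite` first removes that ambiguity. `silent_divergence` is the check a loader-side harness should run against a trusted baseline, since a successful return code alone tells you nothing about whether the outputs were tampered with.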