TensorRT VULN-002: Engine File Integrity Bypass - Model Backdoor
Vulnerability
TensorRT serialized engine (.engine / plan) files carry no integrity protection: the runtime deserializes whatever bytes it is handed, so an attacker with write access to the file can rewrite the stored weights and the engine loads and runs with no error or warning. There is no checksum, signature, or weight sanity check (for example, rejecting NaN/Inf values) in either the file format or the loader. This matches NVIDIA's own guidance that engines should be deserialized only from trusted sources, which means any integrity check has to be added by the deployment (hash or sign the file and verify it before calling deserialize) rather than expected from TensorRT.
Impact
- Model backdooring: attacker-chosen bias in inference outputs, with the engine still loading and running normally
- Denial of service: NaN/Inf weights propagate so that every output becomes NaN, with no error raised at load or inference time
- Supply chain attack: the tampering is a byte-level edit of the serialized file; it needs no GPU and no TensorRT build step, so any .engine file can be weaponized offline wherever the artifact is stored or transferred
Files
| File | Description |
|---|---|
| vuln002_backdoor_poc.py | Main PoC - tests 7 weight modifications, all accepted silently |
| build_clean_engine.py | Builds a legitimate Conv+ReLU engine for testing |
| clean_model.engine | Legitimate engine file (70,660 bytes) |
| backdoored_model.engine | Same engine with first conv layer weights biased +0.5 |
Reproduction
```bash
pip install tensorrt torch numpy
python build_clean_engine.py
python vuln002_backdoor_poc.py
```
Results
All 7 weight modifications were accepted with zero warnings. "Max diff" below is the largest absolute difference between the modified engine's output and the clean engine's output on the same input:
- Zeroed weights: max diff 79.59
- All weights = 1.0: max diff 327.94
- Sign-flipped weights: max diff 78.84
- Weights x10: max diff 7880.29
- First layer +0.5 (subtle backdoor): max diff 69.08
- NaN weights: output becomes NaN
- Inf weights: output becomes NaN
The file size is unchanged in every case, so a size check alone cannot detect the tampering. The subtle (+0.5) backdoor touches only 1,150 of the 70,660 bytes in the file.
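Since TensorRT performs no check of its own, the practical mitigation is a sidecar integrity check that runs before deserialization: record a keyed HMAC (or a signature) of the engine bytes when the artifact is built, and refuse to load a file whose tag no longer matches. The following is an added example written for this page, not code from the PoC or from TensorRT. It uses a constructed byte blob in place of a real engine so it runs offline; the only TensorRT call, `runtime.deserialize_cuda_engine`, is reached only when a real `tensorrt.Runtime` is passed in. It also includes a byte-level diff that reproduces the "N / 70,660 bytes modified" measurement above on the constructed data.

```python
"""Verify-before-load wrapper for TensorRT plan files (added example)."""
import hashlib
import hmac
import json
import os
import tempfile

# Constructed stand-in for an engine file, deterministic so the example runs
# offline. A real plan file would come from build_clean_engine.py.
FAKE_ENGINE = bytes((i * 37 + 11) % 256 for i in range(4096))


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def write_manifest(engine_path: str, key: bytes, manifest_path: str) -> dict:
    """Record size, SHA-256 and a keyed HMAC for an engine file.

    The HMAC is what gives the check teeth: an attacker who can rewrite the
    .engine can also rewrite a plain checksum stored next to it, but cannot
    forge the tag without the key.
    """
    with open(engine_path, "rb") as f:
        data = f.read()
    manifest = {
        "file": os.path.basename(engine_path),
        "size": len(data),
        "sha256": sha256_hex(data),
        "hmac_sha256": hmac.new(key, data, hashlib.sha256).hexdigest(),
    }
    with open(manifest_path, "w") as f:
        json.dump(manifest, f)
    return manifest


def verify_engine(engine_path: str, key: bytes, manifest_path: str) -> bool:
    """Return True only if the file still matches its manifest."""
    with open(manifest_path) as f:
        manifest = json.load(f)
    with open(engine_path, "rb") as f:
        data = f.read()
    if len(data) != manifest["size"]:  # size alone never catches the PoC edits
        return False
    actual = hmac.new(key, data, hashlib.sha256).hexdigest()
    return hmac.compare_digest(actual, manifest["hmac_sha256"])


def load_engine_verified(engine_path: str, key: bytes, manifest_path: str, runtime=None):
    """Verify, then deserialize. `runtime` is a tensorrt.Runtime; when None the
    raw bytes are returned so the check can be exercised without a GPU."""
    if not verify_engine(engine_path, key, manifest_path):
        raise ValueError(f"integrity check failed for {engine_path}; refusing to load")
    with open(engine_path, "rb") as f:
        data = f.read()
    if runtime is None:
        return data
    return runtime.deserialize_cuda_engine(data)


def diff_bytes(a: bytes, b: bytes) -> dict:
    """Count and locate differing bytes between two equal-sized blobs."""
    if len(a) != len(b):
        return {"changed": -1, "first": None, "last": None}
    idx = [i for i, (x, y) in enumerate(zip(a, b)) if x != y]
    return {"changed": len(idx), "first": idx[0] if idx else None, "last": idx[-1] if idx else None}


def demo() -> dict:
    """Manifest the constructed engine, overwrite a weight-sized span in place,
    and show that the HMAC check catches it while the file size does not."""
    tmp = tempfile.mkdtemp()
    engine = os.path.join(tmp, "clean_model.engine")
    manifest = os.path.join(tmp, "clean_model.engine.manifest.json")
    key = b"example-key-do-not-ship-in-the-image"  # in practice: from a secret store
    with open(engine, "wb") as f:
        f.write(FAKE_ENGINE)
    write_manifest(engine, key, manifest)
    clean_ok = verify_engine(engine, key, manifest)

    # Simulate the "+0.5 on the first conv layer" edit: same length, one
    # contiguous run of bytes rewritten in the middle of the file.
    tampered = bytearray(FAKE_ENGINE)
    for i in range(1024, 1024 + 256):
        tampered[i] ^= 0x5A
    with open(engine, "wb") as f:
        f.write(bytes(tampered))
    tampered_ok = verify_engine(engine, key, manifest)
    try:
        load_engine_verified(engine, key, manifest)
        refused = False
    except ValueError:
        refused = True
    return {
        "clean_ok": clean_ok,
        "tampered_ok": tampered_ok,
        "refused": refused,
        "same_size": len(tampered) == len(FAKE_ENGINE),
        "diff": diff_bytes(FAKE_ENGINE, bytes(tampered)),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The manifest should be produced by the same pipeline step that runs `build_clean_engine.py` and the key kept out of the deployment image; if the engine is distributed rather than built in place, a detached signature over the file serves the same purpose as the HMAC. Note that this protects the file at rest and in transit only; weights that were already poisoned when the engine was built are out of scope for this check.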