TensorRT RPROI_TRT spatialScale output manipulation proof of concept

This repository contains a bounded research PoC for serialized TensorRT engine files (.engine / .trt / .mytrtfile).

The security question is whether a TensorRT engine file can carry a legacy RPROI_TRT plugin state with a malicious spatialScale value and still load and execute normally while changing inference output.

Files

  • control-rproi.engine
  • rproi-spatialscale-negative.engine
  • reproduce.py

What the files demonstrate

Both engines load through:

trt.Runtime(...).deserialize_cuda_engine(...)
engine.create_execution_context()
ctx.execute_async_v3(0)

Both engines use the same minimal network:

scores FLOAT [1,2,2,2]
deltas FLOAT [1,4,2,2]
fmap   FLOAT [1,1,2,2]
iinfo  FLOAT [1,3,1,1]
RPROI_TRT -> rois FLOAT [1,1,300,4], pfmap FLOAT [1,300,1,7,7]

The control engine uses the normal serialized spatialScale = 1/16. The malicious engine uses spatialScale = -1.0.

Observed output summary:

control pfmap:   sum=147210.0, min=0.0, max=40.0
malicious pfmap: sum=147000.0, min=10.0, max=10.0

The ROI box output is unchanged in the minimal case, but the ROI pooled feature map is silently collapsed to a constant value while TensorRT reports successful inference.
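The differential check below is an added example, not the repository's reproduce.py: it compares each output tensor of a candidate run against a trusted control run and flags tensors that deviate or collapse to a constant. The tensor contents (ROIS, CONTROL, MALICIOUS) are constructed to reproduce the statistics reported above and are not the real tensors.

```python
from dataclasses import dataclass
from typing import Dict, List

@dataclass
class TensorReport:
    name: str
    total: float
    lo: float
    hi: float
    collapsed: bool  # every element identical: pooled features carry no signal
    changed: bool    # differs from the trusted control beyond tolerance

def compare_outputs(control: Dict[str, List[float]],
                    candidate: Dict[str, List[float]],
                    atol: float = 1e-5) -> List[TensorReport]:
    """Compare each flattened output tensor of a candidate run with the control run."""
    if control.keys() != candidate.keys():
        raise ValueError("output tensor names differ between control and candidate")
    reports = []
    for name in sorted(control):
        ref, cand = control[name], candidate[name]
        if len(ref) != len(cand):
            raise ValueError(f"{name}: element count differs ({len(ref)} vs {len(cand)})")
        lo, hi = min(cand), max(cand)
        changed = any(abs(a - b) > atol for a, b in zip(ref, cand))
        reports.append(TensorReport(name, sum(cand), lo, hi, lo == hi, changed))
    return reports

def output_changed(reports: List[TensorReport]) -> bool:
    """Mirror of the PoC's output_changed flag: any tensor deviates from control."""
    return any(r.changed for r in reports)

# Constructed sample outputs (hypothetical, flattened to lists). pfmap has
# 300*7*7 = 14700 elements; the values are chosen to reproduce the reported
# statistics, not taken from the real tensors. rois (300*4) is identical in both.
ROIS = [float(i % 16) for i in range(1200)]
CONTROL = {"rois": ROIS,
           "pfmap": [0.0, 40.0] + [20.0] * 19 + [10.0] * (14700 - 21)}
MALICIOUS = {"rois": ROIS, "pfmap": [10.0] * 14700}

if __name__ == "__main__":
    reports = compare_outputs(CONTROL, MALICIOUS)
    for r in reports:
        print(f"{r.name}: sum={r.total} min={r.lo} max={r.hi} "
              f"collapsed={r.collapsed} changed={r.changed}")
    print("output_changed:", output_changed(reports))
```

A collapsed pooled map (min == max) is the signal to look for even when the ROI boxes match the control exactly.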

Verify the public HF artifacts

Run on a machine with TensorRT 11.1.0.106, CUDA, and an NVIDIA GPU:

python3 reproduce.py --gpu 0

Expected result:

  • both .engine files load successfully
  • both .engine files execute successfully
  • cuda_sync_rc is 0 for both files
  • output_changed is true
  • expected_observed is true

Public scan note

This PoC is centered on trusted TensorRT load/inference behavior, not code execution. It demonstrates deterministic output manipulation embedded in a model file.

After upload, check the public scan API:

https://huggingface.co/api/models/hacnho/tensorrt-rproi-spatialscale-negative-poc/scan

The expected scanner-relevant signal is that the public scan reports no issue for the malicious engine.

Safety note

This is a bounded research PoC:

  • no code execution claim
  • no external callbacks
  • only deterministic output manipulation after a trusted TensorRT engine load