TensorRT DetectionLayer anchors_cnt suppression proof of concept

This repository contains a bounded (deliberately limited-scope) research PoC against serialized TensorRT engines (.engine / .trt / .mytrtfile). It ships a control engine and a modified engine plus a script that compares their behaviour; it does not ship an exploit beyond that comparison.

The security question is whether a serialized DetectionLayer_TRT plugin payload can carry an attacker-controlled anchors_cnt value that does not match the anchor input tensor actually wired to the layer, while the resulting engine still deserializes and executes without error and silently suppresses detections (all-zero outputs instead of a failure). If it can, a tampered engine file is indistinguishable from a healthy one by load and run status alone; only comparing outputs against a known-good engine reveals the change.

Files

  • control.engine
  • anchors-cnt-4096.engine
  • verify_remote_poc.py
  • requirements.txt

What the files demonstrate

Control:

positive_cls -> [0.5]
mixed_bbox   -> [0.11951626092195511]

Malicious serialized anchors_cnt = 4096:

positive_cls -> [0.0]
mixed_bbox   -> [0.0]

The same suppression was also observed for anchors_cnt = 128.

Verify the public HF artifacts

Download the artifacts (no authentication is required), install the dependencies listed in requirements.txt, and run from the repository directory:

python verify_remote_poc.py

Expected result:

  • all engines deserialize successfully
  • all engines execute successfully
  • control.engine produces non-zero output on the detection presets
  • anchors-cnt-4096.engine produces all-zero output on those same presets
  • the script reports semantic_suppression_observed = true

Note that the first two points are what makes the finding relevant: a mismatched anchors_cnt that caused a deserialization or runtime error would be a robustness bug, not a silent suppression.
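The decision logic behind that verdict, as an added example. This is not the repository's verify_remote_poc.py and it does not touch TensorRT; producing the real per-engine outputs still requires a TensorRT runtime and the script above. The example takes the load status, run status and per-preset outputs of a control run and a candidate run (constructed here to mirror the numbers reported above), and reports semantic_suppression_observed only when the candidate loads and runs like the control but zeroes every preset on which the control produced a non-zero output. Presets where the control itself is zero are treated as inconclusive, and a candidate that fails to load or run is reported as a different kind of finding. The zero tolerance and the preset names are assumptions.

```python
"""Control-vs-candidate engine comparison (added example, not the repo's script)."""
import json
from dataclasses import dataclass, field

ZERO_TOL = 1e-9  # assumption: |x| <= ZERO_TOL counts as a suppressed (zero) output


@dataclass
class EngineRun:
    """What one engine did on the detection presets. Values here are constructed."""
    name: str
    deserialized: bool
    executed: bool
    outputs: dict = field(default_factory=dict)  # preset name -> list of floats


def is_all_zero(values, tol=ZERO_TOL):
    return all(abs(v) <= tol for v in values)


def compare_runs(control: EngineRun, candidate: EngineRun) -> dict:
    """Return a verdict dict in the shape of the expected-result list above.

    semantic_suppression_observed is true only when both engines deserialize
    and execute, every preset that the control detects on is all-zero in the
    candidate, and no preset is missing from the candidate's outputs.
    """
    verdict = {
        "control": control.name,
        "candidate": candidate.name,
        "all_engines_deserialize": control.deserialized and candidate.deserialized,
        "all_engines_execute": control.executed and candidate.executed,
        "suppressed_presets": [],     # control non-zero, candidate zero
        "unsuppressed_presets": [],   # control non-zero, candidate non-zero
        "inconclusive_presets": [],   # control zero: nothing to suppress
        "missing_presets": [],        # preset absent from candidate outputs
        "semantic_suppression_observed": False,
    }
    if not (verdict["all_engines_deserialize"] and verdict["all_engines_execute"]):
        # A load or runtime failure is a robustness bug, not silent suppression.
        return verdict

    for preset, control_vals in control.outputs.items():
        if preset not in candidate.outputs:
            verdict["missing_presets"].append(preset)
        elif is_all_zero(control_vals):
            verdict["inconclusive_presets"].append(preset)
        elif is_all_zero(candidate.outputs[preset]):
            verdict["suppressed_presets"].append(preset)
        else:
            verdict["unsuppressed_presets"].append(preset)

    verdict["semantic_suppression_observed"] = (
        bool(verdict["suppressed_presets"])
        and not verdict["unsuppressed_presets"]
        and not verdict["missing_presets"]
    )
    return verdict


# Constructed runs mirroring the figures reported in this README.
CONTROL = EngineRun("control.engine", True, True,
                    {"positive_cls": [0.5], "mixed_bbox": [0.11951626092195511]})
ANCHORS_4096 = EngineRun("anchors-cnt-4096.engine", True, True,
                         {"positive_cls": [0.0], "mixed_bbox": [0.0]})

if __name__ == "__main__":
    print(json.dumps(compare_runs(CONTROL, ANCHORS_4096), indent=2))
```

A candidate that zeroes only some presets, or that produces no output for a preset the control has, is deliberately not counted as the full finding; those cases show up in unsuppressed_presets or missing_presets so the operator can look at them separately.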