Automatic Bill of Materials
- URL: http://arxiv.org/abs/2310.09742v1
- Date: Sun, 15 Oct 2023 05:48:11 GMT
- Title: Automatic Bill of Materials
- Authors: Nicholas Boucher, Ross Anderson
- Abstract summary: ABOM embeds a hash of each distinct input source code file into the binary emitted by a compiler.
If leveraged across the ecosystem, ABOMs provide a zero-touch, backwards-compatible, drop-in solution for fast supply chain attack detection.
- Score: 5.14387789987357
- License: http://creativecommons.org/licenses/by-nc-nd/4.0/
- Abstract: Ensuring the security of software supply chains requires reliable identification of upstream dependencies. We present the Automatic Bill of Materials, or ABOM, a technique for embedding dependency metadata in binaries at compile time. Rather than relying on developers to explicitly enumerate dependency names and versions, ABOM embeds a hash of each distinct input source code file into the binary emitted by a compiler. Hashes are stored in Compressed Bloom Filters, highly space-efficient probabilistic data structures, which enable querying for the presence of dependencies without the possibility of false negatives. If leveraged across the ecosystem, ABOMs provide a zero-touch, backwards-compatible, drop-in solution for fast supply chain attack detection in real-world, language-independent software.
Related papers
- ReF Decompile: Relabeling and Function Call Enhanced Decompile [50.86228893636785]
The goal of decompilation is to convert compiled low-level code (e.g., assembly code) back into high-level programming languages.
This task supports various reverse engineering applications, such as vulnerability identification, malware analysis, and legacy software migration.
arXiv Detail & Related papers (2025-02-17T12:38:57Z)
- Supply Chain Insecurity: The Lack of Integrity Protection in SBOM Solutions [0.0]
The Software Bill of Materials (SBOM) is paramount in ensuring software supply chain security.
Under the Executive Order issued by President Biden, the adoption of the SBOM has become obligatory within the United States.
This work presents an in-depth and systematic investigation into the integrity of SBOMs.
arXiv Detail & Related papers (2024-12-06T15:52:12Z)
- SBOM Generation Tools in the Python Ecosystem: an In-Detail Analysis [2.828503885204035]
We analyze four popular SBOM generation tools using the CycloneDX standard.
We highlight issues related to dependency versions, metadata files, remote dependencies, and optional dependencies.
We identify a systematic issue with the lack of standards for metadata in the PyPI ecosystem.
arXiv Detail & Related papers (2024-09-02T12:48:10Z)
- Automating SBOM Generation with Zero-Shot Semantic Similarity [2.169562514302842]
A Software-Bill-of-Materials (SBOM) is a comprehensive inventory detailing a software application's components and dependencies.
We propose an automated method for generating SBOMs to prevent disastrous supply-chain attacks.
Our test results are compelling, demonstrating the model's strong performance in the zero-shot classification task.
arXiv Detail & Related papers (2024-02-03T18:14:13Z)
- HasTEE+ : Confidential Cloud Computing and Analytics with Haskell [50.994023665559496]
Confidential computing enables the protection of confidential code and data in a co-tenanted cloud deployment using specialized hardware isolation units called Trusted Execution Environments (TEEs).
TEEs offer low-level C/C++-based toolchains that are susceptible to inherent memory safety vulnerabilities and lack language constructs to monitor explicit and implicit information-flow leaks.
We address the above with HasTEE+, a domain-specific language (DSL) embedded in Haskell that enables programming TEEs in a high-level language with strong type-safety.
arXiv Detail & Related papers (2024-01-17T00:56:23Z)
- Empirical Analysis of Vulnerabilities Life Cycle in Golang Ecosystem [0.773844059806915]
A comprehensive investigation was undertaken to examine the life cycle of vulnerability in Golang.
It turned out that 66.10% of modules in the Golang ecosystem were affected by vulnerabilities.
By analyzing reasons behind non-lagged and lagged vulnerabilities, timely releasing and indexing patch versions could significantly enhance ecosystem security.
arXiv Detail & Related papers (2023-12-31T14:53:51Z)
- Analyzing Maintenance Activities of Software Libraries [65.268245109828]
Industrial applications heavily integrate open-source software libraries nowadays.
I want to introduce an automatic monitoring approach for industrial applications to identify open-source dependencies that show negative signs regarding their current or future maintenance activities.
arXiv Detail & Related papers (2023-06-09T16:51:25Z)
- On the Security Blind Spots of Software Composition Analysis [46.1389163921338]
We present a novel approach to detect vulnerable clones in the Maven repository.
We retrieve over 53k potential vulnerable clones from Maven Central.
We detect 727 confirmed vulnerable clones and synthesize a testable proof-of-vulnerability project for each of those.
arXiv Detail & Related papers (2023-06-08T20:14:46Z)
- Precise Zero-Shot Dense Retrieval without Relevance Labels [60.457378374671656]
Hypothetical Document Embeddings (HyDE) is a zero-shot dense retrieval system.
We show that HyDE significantly outperforms the state-of-the-art unsupervised dense retriever Contriever.
arXiv Detail & Related papers (2022-12-20T18:09:52Z)
- Detecting Security Fixes in Open-Source Repositories using Static Code Analyzers [8.716427214870459]
We study the extent to which the output of off-the-shelf static code analyzers can be used as a source of features to represent commits in Machine Learning (ML) applications.
We investigate how such features can be used to construct embeddings and train ML models to automatically identify source code commits that contain vulnerability fixes.
We find that the combination of our method with commit2vec represents a tangible improvement over the state of the art in the automatic identification of commits that fix vulnerabilities.
arXiv Detail & Related papers (2021-05-07T15:57:17Z)
- pyBART: Evidence-based Syntactic Transformations for IE [52.93947844555369]
We present pyBART, an easy-to-use open-source Python library for converting English UD trees to Enhanced UD graphs or to our representation.
When evaluated in a pattern-based relation extraction scenario, our representation results in higher extraction scores than Enhanced UD, while requiring fewer patterns.
arXiv Detail & Related papers (2020-05-04T07:38:34Z)
This list is automatically generated from the titles and abstracts of the papers in this site.