Supply Chain Insecurity: The Lack of Integrity Protection in SBOM Solutions

• URL: http://arxiv.org/abs/2412.05138v2
• Date: Mon, 09 Dec 2024 14:52:37 GMT
• Title: Supply Chain Insecurity: The Lack of Integrity Protection in SBOM Solutions
• Authors: Can Ozkan, Xinhai Zou, Dave Singelee,
• Abstract summary: The Software Bill of Materials (SBOM) is paramount in ensuring software supply chain security. Under the Executive Order issued by President Biden, the adoption of the SBOM has become obligatory within the United States. This work presents an in-depth and systematic investigation into the integrity of SBOMs.
• Score: 0.0
• License:
• Abstract: The SolarWinds attack that exploited weaknesses in the software update mechanism highlights the critical need for organizations to have better visibility into their software dependencies and potential vulnerabilities associated with them, and the Software Bill of Materials (SBOM) is paramount in ensuring software supply chain security. Under the Executive Order issued by President Biden, the adoption of the SBOM has become obligatory within the United States. The executive order mandates that an SBOM should be provided for all software purchased by federal agencies. The main applications of SBOMs are vulnerability management and license management. This work presents an in-depth and systematic investigation into the integrity of SBOMs. We explore different attack vectors that can be exploited to manipulate SBOM data, including flaws in the SBOM generation and consumption phases in the SBOM life cycle. We thoroughly investigated four SBOM consumption tools and the generation process of SBOMs for seven prominent programming languages. Our systematic investigation reveals that the tools used for consumption lack integrity control mechanisms for dependencies. Similarly, the generation process is susceptible to integrity attacks as well, by manipulating dependency version numbers in package managers and additional files, resulting in incorrect SBOM data. This could lead to incorrect views on software dependencies and vulnerabilities being overlooked during SBOM consumption. To mitigate these issues, we propose a solution incorporating the decentralized storage of hash values of software libraries.

Related papers

• VMGuard: Reputation-Based Incentive Mechanism for Poisoning Attack Detection in Vehicular Metaverse [52.57251742991769]
  vehicular Metaverse guard (VMGuard) protects vehicular Metaverse systems from data poisoning attacks. VMGuard implements a reputation-based incentive mechanism to assess the trustworthiness of participating SIoT devices. Our system ensures that reliable SIoT devices, previously missclassified, are not barred from participating in future rounds of the market.
  arXiv  Detail & Related papers  (2024-12-05T17:08:20Z)
• AgentHarm: A Benchmark for Measuring Harmfulness of LLM Agents [84.96249955105777]
  LLM agents may pose a greater risk if misused, but their robustness remains underexplored. We propose a new benchmark called AgentHarm to facilitate research on LLM agent misuse. We find leading LLMs are surprisingly compliant with malicious agent requests without jailbreaking.
  arXiv  Detail & Related papers  (2024-10-11T17:39:22Z)
• The Impact of SBOM Generators on Vulnerability Assessment in Python: A Comparison and a Novel Approach [56.4040698609393]
  Software Bill of Materials (SBOM) has been promoted as a tool to increase transparency and verifiability in software composition. Current SBOM generation tools often suffer from inaccuracies in identifying components and dependencies. We propose PIP-sbom, a novel pip-inspired solution that addresses their shortcomings.
  arXiv  Detail & Related papers  (2024-09-10T10:12:37Z)
• SBOM Generation Tools in the Python Ecosystem: an In-Detail Analysis [2.828503885204035]
  We analyze four popular SBOM generation tools using the CycloneDX standard. We highlight issues related to dependency versions, metadata files, remote dependencies, and optional dependencies. We identify a systematic issue with the lack of standards for metadata in the PyPI ecosystem.
  arXiv  Detail & Related papers  (2024-09-02T12:48:10Z)
• A Landscape Study of Open Source and Proprietary Tools for Software Bill of Materials (SBOM) [3.1190983209295076]
  Software Bill of Materials (SBOM) is a repository that inventories all third-party components and dependencies used in an application. Recent supply chain breaches underscore the urgent need to enhance software security and vulnerability risks. This research paper conducts an empirical analysis to assess the current landscape of open-source and proprietary tools related to SBOM.
  arXiv  Detail & Related papers  (2024-02-17T00:36:20Z)
• Automating SBOM Generation with Zero-Shot Semantic Similarity [2.169562514302842]
  A Software-Bill-of-Materials (SBOM) is a comprehensive inventory detailing a software application's components and dependencies. We propose an automated method for generating SBOMs to prevent disastrous supply-chain attacks. Our test results are compelling, demonstrating the model's strong performance in the zero-shot classification task.
  arXiv  Detail & Related papers  (2024-02-03T18:14:13Z)
• HasTEE+ : Confidential Cloud Computing and Analytics with Haskell [50.994023665559496]
  Confidential computing enables the protection of confidential code and data in a co-tenanted cloud deployment using specialized hardware isolation units called Trusted Execution Environments (TEEs) TEEs offer low-level C/C++-based toolchains that are susceptible to inherent memory safety vulnerabilities and lack language constructs to monitor explicit and implicit information-flow leaks. We address the above with HasTEE+, a domain-specific language (cla) embedded in Haskell that enables programming TEEs in a high-level language with strong type-safety.
  arXiv  Detail & Related papers  (2024-01-17T00:56:23Z)
• Trust in Software Supply Chains: Blockchain-Enabled SBOM and the AIBOM Future [28.67753149592534]
  This study introduces a blockchain-empowered architecture for SBOM sharing, leveraging verifiable credentials to allow for selective disclosure. This paper broadens the remit of SBOM to encompass AI systems, thereby coining the term AI Bill of Materials (AIBOM)
  arXiv  Detail & Related papers  (2023-07-05T07:56:48Z)
• Analyzing Maintenance Activities of Software Libraries [65.268245109828]
  Industrial applications heavily integrate open-source software libraries nowadays. I want to introduce an automatic monitoring approach for industrial applications to identify open-source dependencies that show negative signs regarding their current or future maintenance activities.
  arXiv  Detail & Related papers  (2023-06-09T16:51:25Z)
• On the Security Blind Spots of Software Composition Analysis [46.1389163921338]
  We present a novel approach to detect vulnerable clones in the Maven repository. We retrieve over 53k potential vulnerable clones from Maven Central. We detect 727 confirmed vulnerable clones and synthesize a testable proof-of-vulnerability project for each of those.
  arXiv  Detail & Related papers  (2023-06-08T20:14:46Z)

This list is automatically generated from the titles and abstracts of the papers in this site.

This site does not guarantee the quality of this site (including all information) and is not responsible for any consequences.