Supply Chain Insecurity: The Lack of Integrity Protection in SBOM Solutions

The SolarWinds attack, which exploited weaknesses in a software update mechanism, highlights the critical need for organizations to have better visibility into their software dependencies and potential vulnerabilities associated with them. The Software Bill of Materials (SBOM) is paramount in ensuring software supply chain security. Under the Executive Order issued by President Biden, the adoption of the SBOM has become obligatory within the United States. The executive order mandates that an SBOM must be provided for all software purchased by federal agencies. In this paper, we present an in-depth and systematic investigation of the trust that can be put into the output of SBOMs. Our research reveals that the SBOM generation process across popular programming languages is susceptible to stealthy manipulation by malicious insiders, leading to significant supply chain insecurities. We then investigated the tools used to consume SBOMs, examining their capability to detect and handle manipulated or compromised SBOM data. To address these security issues, we analyze the use of public repositories for software libraries to validate the integrity of dependencies and demonstrate the feasibility of our proof-of-concept implementation. We further evaluate an alternative, decentralized approach based on blockchain.