Privacy Preserving Software Bill of Materials

Principal Investigator: Christina Garman

Modern software is generally composed of a number of different libraries and subcomponents. Recent severe vulnerabilities, such as Log4j, have highlighted the necessity of understanding and cataloging all of the components in a system or piece of software. A Software Bill of Materials (or SBoM) is designed to do just this, providing a formal record that enumerates all the components of a given piece of software, along with their respective relationships. While there have been a number of initial recommendations for and deployments of SBoMs, we observe that there is significant potential for privacy concerns in such deployments. SBoMs may relate to proprietary software or subcomponents, and a publicly-accessible SBoM could potentially aid an attacker in discovering vulnerable products in the case of a library exploit. As such, we seek to investigate if a software owner can conceal the contents of an SBoM from a prospective user, while still allowing the user to benefit from the full SBoM feature set. To do this, we introduce the notion of a privacy-preserving SBoM system, and define its desired security properties and necessary components. We then provide a concrete instantiation of such a scheme, building off of ideas from the Private Set Intersection space. To demonstrate our scheme’s practicality, we provide a full end-to-end implementation, including an integration with a real world SBoM system, as well as a series of benchmarks and discussion of real word deployment concerns.

Personnel

Students: Arushi Arora