HPC-SBOM: Runtime Verification of Software Bill of Materials Using Hardware Performance Counters
Primary Investigator: Santiago Torres-Arias
Zeren Li, Santiago Torres-Arias, Alexander Avilez, Terry Dine
Abstract
Software Bills of Materials (SBOMs) are widely used to document the components, dependencies, and metadata of software artifacts in modern software supply chains. However, SBOMs are declarative and static: they describe what software claims to contain, but provide no mechanism for verifying whether a distributed binary actually corresponds to those claims at runtime. As a result, users must trust that the binary they receive matches the components, versions, patches, and build configurations recorded in the SBOM.
We present PMC-SBOM, a framework that augments conventional SBOMs with runtime behavioral evidence derived from hardware performance counters. PMC-SBOM learns function-level execution signatures from hardware event traces and uses machine learning to identify security-relevant functions and infer their implementation characteristics, including software version, patch level, and compilation options. These runtime observations allow users to assess whether the executing software is consistent with SBOM claims without requiring access to proprietary source code.
Experiments on OpenSSL and wolfSSL demonstrate that PMC-SBOM can accurately identify functions and distinguish version- and configuration-dependent implementations across diverse build settings. By introducing runtime identification into the SBOM ecosystem, PMC-SBOM provides a complementary mechanism for increasing transparency and trust in software supply chains.
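To make the verification idea concrete, the following Python snippet is an added illustration (not code from the paper or its authors) of the pipeline the abstract describes: per-function hardware counter readings are normalised into execution signatures, a simple nearest-centroid model trained on labelled traces infers which function and version is running, and the inferred version is compared with the version recorded in an SBOM component entry. Everything here is an assumption for the example: the event set (instructions, cycles, branch-misses, cache-misses), the counter values, the function names, the version labels, the standardised-Euclidean classifier with an "unknown" threshold, and the simplified SBOM component dictionary. The actual PMC-SBOM models are not shown; this only demonstrates the shape of a runtime-evidence check against a declarative claim.

```python
"""Added example: nearest-centroid classification of per-function hardware
performance counter (HPC) signatures, followed by a consistency check against
an SBOM component entry. All counts, labels and versions are constructed."""
from math import sqrt
from statistics import mean, pstdev

# Assumed counter events collected per function (e.g. with a perf-style tool).
EVENTS = ("instructions", "cycles", "branch-misses", "cache-misses")


def to_rates(counts):
    """Normalise raw counts to per-instruction rates so that the signature does
    not depend on how much input the function happened to process."""
    instr = counts["instructions"]
    return (
        counts["cycles"] / instr,                   # cycles per instruction
        1000.0 * counts["branch-misses"] / instr,   # branch misses per 1k instructions
        1000.0 * counts["cache-misses"] / instr,    # cache misses per 1k instructions
    )


# Constructed training traces: (function, version) -> raw counter readings.
# "v1.1" stands for a hypothetical patched build of the same function.
TRAINING = {
    ("aes_encrypt", "v1.0"): [
        {"instructions": 1_000_000, "cycles": 1_200_000, "branch-misses": 2_000, "cache-misses": 5_000},
        {"instructions": 2_000_000, "cycles": 2_440_000, "branch-misses": 4_200, "cache-misses": 9_800},
        {"instructions": 500_000, "cycles": 590_000, "branch-misses": 950, "cache-misses": 2_600},
    ],
    ("aes_encrypt", "v1.1"): [
        {"instructions": 1_000_000, "cycles": 900_000, "branch-misses": 1_000, "cache-misses": 3_000},
        {"instructions": 2_000_000, "cycles": 1_840_000, "branch-misses": 1_900, "cache-misses": 6_200},
        {"instructions": 500_000, "cycles": 440_000, "branch-misses": 525, "cache-misses": 1_450},
    ],
    ("sha256_block", "v1.0"): [
        {"instructions": 1_000_000, "cycles": 1_500_000, "branch-misses": 4_000, "cache-misses": 8_000},
        {"instructions": 2_000_000, "cycles": 3_040_000, "branch-misses": 7_800, "cache-misses": 16_400},
        {"instructions": 500_000, "cycles": 740_000, "branch-misses": 2_050, "cache-misses": 3_900},
    ],
}


class SignatureModel:
    """Standardise rate vectors (z-scores over the training set) and classify an
    observation by its nearest label centroid; far-away observations are
    reported as unknown rather than forced onto a label."""

    def __init__(self, training, unknown_threshold=1.5):
        rates = [to_rates(c) for samples in training.values() for c in samples]
        dims = range(len(rates[0]))
        self.mu = [mean(r[i] for r in rates) for i in dims]
        self.sigma = [pstdev(r[i] for r in rates) or 1.0 for i in dims]
        self.unknown_threshold = unknown_threshold
        self.centroids = {
            label: self._z(tuple(mean(to_rates(c)[i] for c in samples) for i in dims))
            for label, samples in training.items()
        }

    def _z(self, rate_vec):
        return tuple((v - m) / s for v, m, s in zip(rate_vec, self.mu, self.sigma))

    def classify(self, counts):
        """Return (label, distance); label is None when nothing is close enough."""
        z = self._z(to_rates(counts))
        best, best_d = None, float("inf")
        for label, centroid in self.centroids.items():
            d = sqrt(sum((a - b) ** 2 for a, b in zip(z, centroid)))
            if d < best_d:
                best, best_d = label, d
        return (None, best_d) if best_d > self.unknown_threshold else (best, best_d)


def check_sbom_claim(model, sbom_component, observed_counts):
    """Compare the version an SBOM component entry claims with the version
    inferred from the observed counter signature."""
    label, dist = model.classify(observed_counts)
    if label is None:
        return {"verdict": "unknown", "observed": None, "distance": dist}
    func, version = label
    return {
        "verdict": "consistent" if version == sbom_component["version"] else "mismatch",
        "function": func,
        "observed": version,
        "claimed": sbom_component["version"],
        "distance": dist,
    }


if __name__ == "__main__":
    model = SignatureModel(TRAINING)
    # Constructed, simplified SBOM component entry claiming the unpatched build.
    sbom = {"name": "libcrypto-demo", "version": "v1.0"}
    observed = {"instructions": 1_500_000, "cycles": 1_380_000, "branch-misses": 1_500, "cache-misses": 4_500}
    print(check_sbom_claim(model, sbom, observed))
```

The per-instruction normalisation matters: raw counts scale with input size, so two runs of the same function over different buffers would otherwise look like different signatures. The unknown threshold is the other piece a practitioner wants, since a verifier that always returns its nearest label will happily "confirm" a function it has never seen.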