Software Bills of Materials (SBOMs) have become a regulatory requirement for improving software supply chain security and trust through transparency about the components that make up software artifacts. However, enterprise and regulated software vendors commonly wish to restrict who can view confidential software metadata recorded in their SBOMs, because it may contain intellectual property or security vulnerability information. To address this tension between transparency and confidentiality, we propose Petra, an SBOM exchange system that enables software vendors to interoperably compose and distribute redacted SBOM data using selective encryption. Petra enables software consumers to search redacted SBOMs for answers to specific security questions without revealing information they are not authorized to access. Petra leverages a format-agnostic, tamper-evident SBOM representation to generate efficient and confidentiality-preserving integrity proofs, allowing interested parties to cryptographically audit and establish trust in redacted SBOMs. Exchanging redacted SBOMs in our Petra prototype adds less than 1 KB per SBOM, and SBOM decryption accounts for at most 1% of the performance overhead during an SBOM query.
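As an added illustration that is not Petra's own construction (the abstract does not detail it), the following Python sketches one way a format-agnostic, tamper-evident SBOM representation can support redaction: every leaf of the SBOM, whatever its JSON layout, gets a salted hash commitment; hidden leaves expose only the commitment; and a consumer can still verify the whole redacted view against a single root digest and query the disclosed fields. Encrypting the hidden values to authorized readers is assumed and not implemented here, and the SBOM, paths and vulnerability id are constructed samples.

```python
import hashlib, json, secrets

def flatten(obj, prefix=""):
    """Flatten any nested SBOM document into {path: canonical value} leaves."""
    if isinstance(obj, dict):
        return {k: v for key, val in obj.items() for k, v in flatten(val, f"{prefix}/{key}").items()}
    if isinstance(obj, list):
        return {k: v for i, val in enumerate(obj) for k, v in flatten(val, f"{prefix}/{i}").items()}
    return {prefix: json.dumps(obj, sort_keys=True)}  # canonical leaf encoding

def commit_leaf(path, value, salt):
    # Salted commitment: hides the value even for guessable fields (e.g. version strings).
    return hashlib.sha256(f"{path}\0{value}\0{salt}".encode()).hexdigest()

def commit_sbom(sbom, salts=None):
    """Vendor side: commit every leaf; the root is the tamper-evident SBOM digest."""
    leaves = flatten(sbom)
    salts = salts or {p: secrets.token_hex(16) for p in leaves}
    commits = [commit_leaf(p, leaves[p], salts[p]) for p in sorted(leaves)]
    return hashlib.sha256("".join(commits).encode()).hexdigest(), salts

def redact(sbom, salts, hidden_paths):
    """Consumer view: hidden leaves carry only their commitment (a deployed system
    would additionally encrypt value+salt to authorized readers; assumed, not shown)."""
    return {p: {"commit": commit_leaf(p, v, salts[p])} if p in hidden_paths
            else {"value": v, "salt": salts[p]} for p, v in flatten(sbom).items()}

def verify_view(view, root):
    """Anyone can check a redacted view against the root without seeing hidden values."""
    commits = [e["commit"] if "commit" in e else commit_leaf(p, e["value"], e["salt"])
               for p, e in sorted(view.items())]
    return hashlib.sha256("".join(commits).encode()).hexdigest() == root

def query_view(view, path):
    """Answer a question about one field, or report that it is redacted."""
    e = view.get(path)
    return None if e is None else json.loads(e["value"]) if "value" in e else "REDACTED"

SAMPLE_SBOM = {  # constructed sample, not a real SBOM
    "components": [{"name": "libfoo", "version": "1.2.3", "supplier": "Acme"},
                   {"name": "internal-crypto", "version": "0.9", "supplier": "Acme"}],
    "vulnerabilities": [{"id": "VULN-PLACEHOLDER-1", "affects": "internal-crypto"}],
}

def demo():
    root, salts = commit_sbom(SAMPLE_SBOM)
    hidden = {p for p in flatten(SAMPLE_SBOM) if p.startswith("/vulnerabilities")}
    view = redact(SAMPLE_SBOM, salts, hidden)
    tampered = {**view, "/components/0/version": {**view["/components/0/version"], "value": json.dumps("9.9.9")}}
    return verify_view(view, root), verify_view(tampered, root), query_view(view, "/components/0/name"), query_view(view, "/vulnerabilities/0/id")
```

Because the root covers every leaf, a consumer who is denied the vulnerability entries can still detect any edit to the disclosed fields, and a reader holding the salts of hidden leaves can later open them against the same root.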