The SolarWinds attack, which exploited weaknesses in the software update mechanism, highlights the critical need for organizations to have better visibility into their software dependencies and the vulnerabilities associated with them; the Software Bill of Materials (SBOM) is paramount to ensuring software supply chain security. Under the Executive Order issued by President Biden, adoption of the SBOM has become mandatory within the United States: the order requires that an SBOM be provided for all software purchased by federal agencies. The main applications of SBOMs are vulnerability management and license management. This work presents an in-depth and systematic investigation into the integrity of SBOMs. We explore different attack vectors that can be used to manipulate SBOM data, including flaws in the generation and consumption phases of the SBOM life cycle. We thoroughly investigate four SBOM consumption tools and the SBOM generation process for seven prominent programming languages. Our systematic investigation reveals that the consumption tools lack integrity control mechanisms for dependencies. Likewise, the generation process is susceptible to integrity attacks: manipulating dependency version numbers in package managers and additional files results in incorrect SBOM data. This can give an incorrect view of software dependencies and cause vulnerabilities to be overlooked during SBOM consumption. To mitigate these issues, we propose a solution incorporating the decentralized storage of hash values of software libraries.
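To illustrate the consumption-side integrity check the abstract argues is missing, the following added example (not code from the paper or from any of the tools it studied) verifies each component of a CycloneDX-style SBOM against an out-of-band store of trusted library hashes. The SBOM, the trusted store and all digests are constructed sample data; the trusted store stands in for the decentralized hash storage the paper proposes, and the lodash entry simulates a version-manipulated SBOM.

```python
import hashlib
import json

# Constructed stand-in for an out-of-band store of library hashes, in the spirit
# of the paper's proposal: maps (name, version) -> SHA-256 of the published artifact.
TRUSTED_HASHES = {
    ("left-pad", "1.3.0"): hashlib.sha256(b"left-pad-1.3.0 artifact").hexdigest(),
    ("lodash", "4.17.21"): hashlib.sha256(b"lodash-4.17.21 artifact").hexdigest(),
}

# Constructed CycloneDX-style SBOM. The lodash entry claims 4.17.21 but carries
# the digest of a different artifact, as a version-manipulated SBOM would.
SBOM_JSON = json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
    {"type": "library", "name": "left-pad", "version": "1.3.0", "hashes": [
        {"alg": "SHA-256", "content": hashlib.sha256(b"left-pad-1.3.0 artifact").hexdigest()}]},
    {"type": "library", "name": "lodash", "version": "4.17.21", "hashes": [
        {"alg": "SHA-256", "content": hashlib.sha256(b"lodash-4.17.20 artifact").hexdigest()}]},
    {"type": "library", "name": "minimist", "version": "1.2.8"},  # no hash recorded
]})

def sha256_of(component):
    """Return the SHA-256 digest recorded for a component, or None if absent."""
    for h in component.get("hashes", []):
        if h.get("alg") == "SHA-256":
            return h.get("content", "").lower()
    return None

def verify_sbom(sbom_text, trusted):
    """Check each component of a CycloneDX-style SBOM against the trusted store.

    Returns {'name@version': status}, where status is 'ok', 'mismatch' (digest
    differs from the store), 'no-hash' (SBOM records no SHA-256) or 'unknown'
    (component absent from the store). Anything but 'ok' should block consumption.
    """
    sbom = json.loads(sbom_text)
    report = {}
    for comp in sbom.get("components", []):
        key = (comp.get("name"), comp.get("version"))
        digest = sha256_of(comp)
        if digest is None:
            status = "no-hash"
        elif key not in trusted:
            status = "unknown"
        elif digest != trusted[key]:
            status = "mismatch"
        else:
            status = "ok"
        report[f"{key[0]}@{key[1]}"] = status
    return report
```

Calling `verify_sbom(SBOM_JSON, TRUSTED_HASHES)` flags the tampered lodash entry as a mismatch and the hash-less minimist entry as unverifiable, which is exactly the signal a consumption tool without integrity controls never produces.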