The SolarWinds attack, which exploited weaknesses in the software update mechanism, highlights the critical need for organizations to have better visibility into their software dependencies and the potential vulnerabilities associated with them; the Software Bill of Materials (SBOM) is paramount in ensuring software supply chain security. Under the Executive Order issued by President Biden, the adoption of the SBOM has become obligatory within the United States: the order mandates that an SBOM be provided for all software purchased by federal agencies. The main applications of SBOMs are vulnerability management and license management. This work presents an in-depth and systematic investigation into the integrity of SBOMs. We explore different attack vectors that can be exploited to manipulate SBOM data, including flaws in the generation and consumption phases of the SBOM life cycle. We thoroughly investigate four SBOM consumption tools and the SBOM generation process for seven prominent programming languages. Our systematic investigation reveals that the consumption tools lack integrity control mechanisms for dependencies. The generation process is likewise susceptible to integrity attacks: manipulating dependency version numbers in package managers and additional files results in incorrect SBOM data. This could lead to an incorrect view of software dependencies and to vulnerabilities being overlooked during SBOM consumption. To mitigate these issues, we propose a solution incorporating decentralized storage of hash values of software libraries.
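As an added illustration of the hash-based integrity check the abstract proposes (example code written for this page, not the paper's own implementation): a constructed CycloneDX-style SBOM is verified against a trusted hash store that stands in for the decentralized storage, and the check distinguishes an intact component, a component whose version field was edited after generation, and a component the generator emitted without any hash. All artifact bytes, package names and versions are constructed.

```python
import hashlib
import json

# Constructed artifact bytes standing in for released library files; the trusted
# store (the paper's decentralized hash storage) is modelled as an in-memory map.
ARTIFACTS = {
    ("left-pad", "1.3.0"): b"module.exports = function leftPad(s, n) { /* constructed */ }",
    ("lodash", "4.17.21"): b"constructed lodash 4.17.21 release bytes",
}
TRUSTED = {key: hashlib.sha256(data).hexdigest() for key, data in ARTIFACTS.items()}
BY_HASH = {digest: key for key, digest in TRUSTED.items()}

# Constructed CycloneDX-style SBOM: one intact component, one whose version field
# was edited after generation, and one emitted without any hash at all.
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "components": [
        {"name": "lodash", "version": "4.17.21",
         "hashes": [{"alg": "SHA-256", "content": TRUSTED[("lodash", "4.17.21")]}]},
        {"name": "left-pad", "version": "1.3.1",  # tampered: artifact is really 1.3.0
         "hashes": [{"alg": "SHA-256", "content": TRUSTED[("left-pad", "1.3.0")]}]},
        {"name": "minimist", "version": "1.2.5"},  # generator recorded no hash
    ],
})

def verify_sbom(sbom_text, trusted=TRUSTED, by_hash=BY_HASH):
    """Return {(name, version): verdict} for every component in the SBOM."""
    verdicts = {}
    for comp in json.loads(sbom_text).get("components", []):
        key = (comp.get("name"), comp.get("version"))
        declared = next((h["content"].lower() for h in comp.get("hashes", [])
                         if h.get("alg") == "SHA-256"), None)
        if declared is None:
            verdicts[key] = "no-hash"            # cannot be checked at all
        elif trusted.get(key) == declared:
            verdicts[key] = "ok"
        elif declared in by_hash:
            # Hash is genuine but belongs to a different (name, version): the
            # version field was manipulated after generation.
            verdicts[key] = "version-mismatch:%s@%s" % by_hash[declared]
        else:
            verdicts[key] = "hash-mismatch"       # unknown or altered artifact
    return verdicts

if __name__ == "__main__":
    for key, verdict in verify_sbom(SBOM_JSON).items():
        print("%s@%s: %s" % (key[0], key[1], verdict))
```

A consumption tool that only matches names and versions against a vulnerability database would accept the tampered `left-pad` entry as 1.3.1; the hash lookup exposes it as the 1.3.0 artifact.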