English

Automatic Bill of Materials

Cryptography and Security 2023-10-17 v1

Abstract

Ensuring the security of software supply chains requires reliable identification of upstream dependencies. We present the Automatic Bill of Materials, or ABOM, a technique for embedding dependency metadata in binaries at compile time. Rather than relying on developers to explicitly enumerate dependency names and versions, ABOM embeds a hash of each distinct input source code file into the binary emitted by a compiler. Hashes are stored in Compressed Bloom Filters, highly space-efficient probabilistic data structures, which enable querying for the presence of dependencies without the possibility of false negatives. If leveraged across the ecosystem, ABOMs provide a zero-touch, backwards-compatible, drop-in solution for fast supply chain attack detection in real-world, language-independent software.

Keywords

Cite

@article{arxiv.2310.09742,
  title  = {Automatic Bill of Materials},
  author = {Nicholas Boucher and Ross Anderson},
  journal= {arXiv preprint arXiv:2310.09742},
  year   = {2023}
}
R2 v1 2026-06-28T12:50:53.956Z