English

OmniBOR: A System for Automatic, Verifiable Artifact Resolution across Software Supply Chains

Software Engineering 2024-02-15 v1 Cryptography and Security

Abstract

Software supply chain attacks, which exploit the build process or artifacts used in the process of building a software product, are increasingly of concern. To combat these attacks, one must be able to check that every artifact that a software product depends on does not contain vulnerabilities. In this paper, we introduce OmniBOR, (Universal Bill of Receipts) a minimalistic scheme for build tools to create an artifact dependency graph which can be used to track every software artifact incorporated into a built software product. We present the architecture of OmniBOR, the underlying data representations, and two implementations that produce OmniBOR data and embed an OmniBOR Identifier into built software, including a compiler-based approach and one based on tracing the build process. We demonstrate the efficacy of this approach on benchmarks including a Linux distribution for applications such as Common Vulnerabilities and Exposures (CVE) detection and software bill of materials (SBOM) computation.

Cite

@article{arxiv.2402.08980,
  title  = {OmniBOR: A System for Automatic, Verifiable Artifact Resolution across Software Supply Chains},
  author = {Bharathi Seshadri and Yongkui Han and Chris Olson and David Pollak and Vojislav Tomasevic},
  journal= {arXiv preprint arXiv:2402.08980},
  year   = {2024}
}
R2 v1 2026-06-28T14:48:08.875Z