Software supply chain attacks, which exploit the build process or artifacts used in the process of building a software product, are increasingly of concern. To combat these attacks, one must be able to check that every artifact that a software product depends on does not contain vulnerabilities. In this paper, we introduce OmniBOR, (Universal Bill of Receipts) a minimalistic scheme for build tools to create an artifact dependency graph which can be used to track every software artifact incorporated into a built software product. We present the architecture of OmniBOR, the underlying data representations, and two implementations that produce OmniBOR data and embed an OmniBOR Identifier into built software, including a compiler-based approach and one based on tracing the build process. We demonstrate the efficacy of this approach on benchmarks including a Linux distribution for applications such as Common Vulnerabilities and Exposures (CVE) detection and software bill of materials (SBOM) computation.
Cite
@article{arxiv.2402.08980,
title = {OmniBOR: A System for Automatic, Verifiable Artifact Resolution across Software Supply Chains},
author = {Bharathi Seshadri and Yongkui Han and Chris Olson and David Pollak and Vojislav Tomasevic},
journal= {arXiv preprint arXiv:2402.08980},
year = {2024}
}