Grant / March 2022

Towards a Security-Aware SBOM Framework

Despite persistent and continuous efforts in the cyber-domain to produce software that is resilient to cybersecurity attacks, software security remains an unmatched challenge as attackers sooner or later find a way to breach adopted security measures. Software supply chain attacks are of particular concern to software security. These attacks seek to infect the application source code, its building processes, or its updating mechanism, e.g., by injecting malware into the code. Software vendors are thus often unaware that their apps are infected with malicious code and might decide to proceed to release their apps to the public. They are also unaware of how a security compromised library might affect other libraries. Our initial efforts have been focused on building a dependency library that stores information on which library depends on which other. This is paramount to calculate how a security breach in one library will affect other libraries. Our current goal is to investigate ways how library dependency information can be used to recover from a security breach.