cs.CR · Mar 12

Trustworthy and Confidential SBOM Exchange

arXiv:2509.13217
AI Analysis

This paper addresses the problem of protecting confidential software metadata in SBOMs for enterprise and regulated software vendors while preserving the transparency that supply-chain security requires.

The paper tackles the tension between transparency and confidentiality in Software Bills of Materials (SBOMs) by proposing Petra, an SBOM exchange system that uses selective encryption to distribute and search redacted SBOMs. In the prototype, exchanging a redacted SBOM costs less than 1 extra KB per SBOM, and SBOM decryption accounts for at most 1% of the overhead of an SBOM query.

Software Bills of Materials (SBOMs) have become a regulatory requirement for improving software supply chain security and trust by means of transparency regarding the components that make up software artifacts. However, enterprise and regulated software vendors commonly wish to restrict who can view confidential software metadata recorded in their SBOMs, because it reveals intellectual property or security vulnerability information. To address this tension between transparency and confidentiality, we propose Petra, an SBOM exchange system that empowers software vendors to interoperably compose and distribute redacted SBOM data using selective encryption. Petra enables software consumers to search redacted SBOMs for answers to specific security questions without revealing information they are not authorized to access. Petra leverages a format-agnostic, tamper-evident SBOM representation to generate efficient and confidentiality-preserving integrity proofs, allowing interested parties to cryptographically audit and establish trust in redacted SBOMs. Exchanging redacted SBOMs in our Petra prototype requires less than 1 extra KB per SBOM, and SBOM decryption accounts for at most 1% of the performance overhead during an SBOM query.
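The abstract names three ingredients: a format-agnostic, tamper-evident SBOM representation, selective encryption of confidential fields, and integrity proofs that an unauthorized party can check without learning the redacted values. The block below is an added illustration of one way those ingredients fit together; it is not Petra's code and makes no claim about Petra's actual construction. Assumptions: the SBOM (CycloneDX, SPDX or anything JSON-like) is flattened into (path, value) leaves, each leaf is committed as a salted hash, the vendor signs the hash of all commitments (HMAC stands in for a digital signature, and a SHA-256 keystream stands in for AES-GCM so that it runs with the standard library only), and the sample SBOM, key names and the `has_component` query are constructed for the example.

```python
# Added illustration (not Petra's code): tamper-evident SBOM leaves, selective
# encryption of confidential leaves, and verification of the redacted result.
# Stand-ins (assumptions): HMAC in place of the vendor's signature, a SHA-256
# keystream in place of AES-GCM. Standard library only.
import hashlib
import hmac
import json
import secrets

SALT_LEN = 16


def _h(*parts: bytes) -> bytes:
    """Length-prefixed SHA-256 over several byte strings (no concatenation ambiguity)."""
    m = hashlib.sha256()
    for p in parts:
        m.update(len(p).to_bytes(4, "big") + p)
    return m.digest()


def flatten(obj, prefix=""):
    """Format-agnostic view: nested JSON-like data -> sorted (path, canonical JSON value) leaves."""
    if isinstance(obj, dict):
        return [leaf for k in sorted(obj) for leaf in flatten(obj[k], f"{prefix}/{k}")]
    if isinstance(obj, list):
        return [leaf for i, v in enumerate(obj) for leaf in flatten(v, f"{prefix}/{i}")]
    return [(prefix, json.dumps(obj, sort_keys=True, separators=(",", ":")))]


def leaf_commit(path: str, value: str, salt: bytes) -> bytes:
    """Salted commitment to one leaf; the salt keeps small value domains from being guessed."""
    return _h(b"leaf", path.encode(), value.encode(), salt)


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher standing in for AES-GCM; symmetric, so it also decrypts."""
    out = bytearray()
    for off in range(0, len(data), 32):
        block = _h(b"ks", key, nonce, off.to_bytes(4, "big"))
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], block))
    return bytes(out)


def _under(path: str, prefix: str) -> bool:
    return path == prefix or path.startswith(prefix + "/")


def publish(sbom, confidential_prefixes, signing_key: bytes, field_key: bytes) -> dict:
    """Vendor side: commit to every leaf, encrypt confidential ones, sign the commitment list."""
    entries = []
    for path, value in flatten(sbom):
        salt = secrets.token_bytes(SALT_LEN)
        entry = {"path": path, "commit": leaf_commit(path, value, salt).hex()}
        if any(_under(path, p) for p in confidential_prefixes):
            nonce = secrets.token_bytes(12)
            # The salt rides inside the ciphertext: a public salt would let anyone
            # brute-force versions or supplier names against the commitment.
            entry["enc"] = {"nonce": nonce.hex(),
                            "ct": _keystream_xor(field_key, nonce, salt + value.encode()).hex()}
        else:
            entry["salt"], entry["value"] = salt.hex(), value
        entries.append(entry)
    root = _h(b"root", *(bytes.fromhex(e["commit"]) for e in entries))
    return {"entries": entries, "root": root.hex(),
            "sig": hmac.new(signing_key, root, hashlib.sha256).hexdigest()}


def verify_redacted(doc: dict, signing_key: bytes) -> bool:
    """Any consumer: cleartext leaves must match their commitments and the root must match
    the vendor's signature; redacted leaves contribute only their commitment."""
    commits = []
    for e in doc["entries"]:
        c = bytes.fromhex(e["commit"])
        if "value" in e and leaf_commit(e["path"], e["value"], bytes.fromhex(e["salt"])) != c:
            return False
        commits.append(c)
    root = _h(b"root", *commits)
    expected = hmac.new(signing_key, root, hashlib.sha256).hexdigest()
    return root.hex() == doc["root"] and hmac.compare_digest(expected, doc["sig"])


def has_component(doc: dict, field_key: bytes, name: str) -> bool:
    """Authorized consumer: answer 'is component <name> listed?' over cleartext and decrypted
    leaves, rejecting any decrypted value that does not match its signed commitment."""
    for e in doc["entries"]:
        if not (e["path"].startswith("/components/") and e["path"].endswith("/name")):
            continue
        if "value" in e:
            value = e["value"]
        else:
            pt = _keystream_xor(field_key, bytes.fromhex(e["enc"]["nonce"]), bytes.fromhex(e["enc"]["ct"]))
            salt, value = pt[:SALT_LEN], pt[SALT_LEN:].decode(errors="replace")
            if leaf_commit(e["path"], value, salt) != bytes.fromhex(e["commit"]):
                raise ValueError(f"ciphertext for {e['path']} does not match the signed commitment")
        if json.loads(value) == name:
            return True
    return False


# Constructed sample SBOM (not a real product); one component and the whole
# vulnerability block are marked confidential.
SAMPLE_SBOM = {
    "name": "example-gateway", "version": "4.2.0",
    "components": [
        {"name": "openssl", "version": "3.0.13"},
        {"name": "proprietary-codec", "version": "1.9", "supplier": "Example Corp"},
    ],
    "vulnerabilities": [{"id": "internal-tracker-1", "affects": "proprietary-codec"}],
}
CONFIDENTIAL = ["/components/1", "/vulnerabilities"]

if __name__ == "__main__":
    sk, fk = secrets.token_bytes(32), secrets.token_bytes(32)
    doc = publish(SAMPLE_SBOM, CONFIDENTIAL, sk, fk)
    print("redacted SBOM verifies:", verify_redacted(doc, sk))
    print("authorized query finds proprietary-codec:", has_component(doc, fk, "proprietary-codec"))
```

Two points worth checking against any real deployment: an unauthorized verifier cannot detect a swapped ciphertext (only the plaintext is committed), so the decrypting side must re-check the commitment as `has_component` does, or the vendor must also sign the ciphertexts; and the leaf paths themselves remain visible here, so a path such as `/vulnerabilities/0` already reveals that a vulnerability entry exists even though its contents do not.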
