Bomfather: An eBPF-based Kernel-level Monitoring Framework for Accurate Identification of Unknown, Unused, and Dynamically Loaded Dependencies in Modern Software Supply Chains

Naveen Srinivasan, Nathan Naveen, Neil Naveen

TL;DR

The paper tackles inaccuracies in dependency tracking within software supply chains by introducing a kernel-level framework that uses eBPF to monitor all file accesses during builds. It computes cryptographic hashes (SHA-256) of the accessed files and builds content-based Merkle trees, yielding a tamper-evident root (merkle_root) that fingerprints build provenance. This approach captures dynamic, conditional, and runtime dependencies often missed by traditional SBOMs, yielding more accurate SBOMs and Artifact Dependency Graphs. The solution integrates with common development workflows, including compilers, CI/CD pipelines, and containerized environments, enabling independent verification of build-time dependencies and improving vulnerability management and regulatory compliance.

Abstract

Inaccuracies in conventional dependency-tracking methods frequently undermine the security and integrity of modern software supply chains. This paper introduces a kernel-level framework leveraging extended Berkeley Packet Filter (eBPF) to capture software build dependencies transparently in real time. Our approach provides tamper-evident, intrinsic identifiers of build-time dependencies by computing cryptographic hashes of files accessed during compilation and constructing Merkle trees based on the observed file content. In contrast to traditional static analysis, this kernel-level methodology accounts for conditional compilation, dead-code, selective library usage, and dynamic dependencies, yielding more precise Software Bills of Materials (SBOMs) and Artifact Dependency Graphs (ADGs). We illustrate how existing SBOMs may omit dynamically loaded or ephemeral dependencies and discuss how kernel-level tracing can mitigate these omissions. The proposed system enhances trustworthiness in software artifacts by offering independently verifiable, kernel-level evidence of build provenance, thereby reducing supply chain risks and facilitating more accurate vulnerability management.
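To make the hashing-and-Merkle-tree step from the TL;DR and abstract concrete, here is an added Python example; it is not the paper's or Bomfather's code. The leaf and node domain-separation prefixes, the sorted-leaf tree layout, and the sample file contents and manifest are all assumptions made for illustration; a kernel-level eBPF trace would supply the observed (path, content) pairs in practice.

```python
import hashlib

def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def leaf_hash(path: str, content: bytes) -> bytes:
    # A leaf binds the observed path to the SHA-256 of the bytes the build
    # actually read, so identical content at another path is a different leaf.
    # The "leaf"/"node" prefixes are an assumed domain separation, not the paper's.
    return sha256(b"leaf\x00" + path.encode() + b"\x00" + sha256(content))

def merkle_root(leaves: list[bytes]) -> str:
    # Leaves are sorted so the root does not depend on the order in which the
    # kernel reported the file accesses; odd levels duplicate the last node.
    if not leaves:
        return sha256(b"empty").hex()
    level = sorted(leaves)
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])
        level = [sha256(b"node\x00" + level[i] + level[i + 1])
                 for i in range(0, len(level), 2)]
    return level[0].hex()

def build_fingerprint(accessed: dict[str, bytes]) -> str:
    """Tamper-evident root over every (path, content) pair observed during the build."""
    return merkle_root([leaf_hash(p, c) for p, c in accessed.items()])

def unlisted_dependencies(accessed: dict[str, bytes], declared: set[str]) -> set[str]:
    """Files the build actually read that a statically declared manifest omits."""
    return set(accessed) - declared

# Constructed sample: what a kernel-level trace would report the build reading.
OBSERVED = {
    "src/main.c": b"int main(void) { return 0; }\n",
    "include/util.h": b"#define VERSION 1\n",
    "/usr/lib/libz.so.1": b"\x7fELF...zlib (constructed bytes)",  # pulled in at link time
}
# Constructed static manifest that only knows about the checked-in sources.
DECLARED = {"src/main.c", "include/util.h"}

if __name__ == "__main__":
    print("merkle_root:", build_fingerprint(OBSERVED))
    print("not in manifest:", unlisted_dependencies(OBSERVED, DECLARED))
```

The root is independent of event order but changes if any observed file's content or path changes, and the set difference surfaces the dynamically loaded library that the declared manifest never listed.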

Paper Structure

This paper contains 16 sections.