Trustworthy and Confidential SBOM Exchange
Eman Abu Ishgair, Chinenye Okafor, Marcela S. Melara, Santiago Torres-Arias
TL;DR
Petra addresses the tension between SBOM transparency and confidentiality in software supply chains by introducing a format-agnostic exchange framework that combines an SBOM tree representation, selective redaction via CP-ABE with per-node AES keys, and Merkle-based integrity proofs. It provides a complete protocol stack for redaction setup, generation, distribution, consumption/verification, and redistribution, and implements a prototype with performance and storage evaluations showing practical overheads and interoperability advantages over existing approaches like Protobom. The work delivers cryptographic guarantees for semantic confidentiality, sameness, and non-equivocation while enabling composable SBOM distribution across organizational boundaries, with potential to improve regulatory oversight and enterprise security practices. Its integration with existing tooling and emphasis on auditability position Petra as a practical building block for secure and trusted software supply chain transparency.
Abstract
Software Bills of Materials (SBOMs) have become a regulatory requirement for improving software supply chain security and trust by means of transparency regarding components that make up software artifacts. However, enterprise and regulated software vendors commonly wish to restrict who can view confidential software metadata recorded in their SBOMs due to intellectual property or security vulnerability information. To address this tension between transparency and confidentiality, we propose Petra, an SBOM exchange system that empowers software vendors to interoperably compose and distribute redacted SBOM data using selective encryption. Petra enables software consumers to search redacted SBOMs for answers to specific security questions without revealing information they are not authorized to access. Petra leverages a format-agnostic, tamper-evident SBOM representation to generate efficient and confidentiality-preserving integrity proofs, allowing interested parties to cryptographically audit and establish trust in redacted SBOMs. Exchanging redacted SBOMs in our Petra prototype requires less than 1 extra KB per SBOM, and SBOM decryption accounts for at most 1% of the performance overhead during an SBOM query.
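The abstract and TL;DR describe three pieces that work together: a tree-shaped SBOM representation, per-node redaction, and Merkle-based integrity proofs that still verify over the redacted view. The following is an added illustration of that combination in Python; it is not Petra's code and makes no claim about Petra's actual construction. The SBOM, its flattening into leaf order, and the `nonce` per node (my assumption, so a short redacted component cannot be recovered by guessing and re-hashing) are constructed here. Where Petra wraps per-node AES keys under CP-ABE, this example simply hands the per-node secret to the "authorized" consumer directly; that stand-in is the only part of the flow that is not cryptographically modelled.

```python
"""Merkle commitment over an SBOM tree with selective redaction (added example)."""
import hashlib
import json
import os

# Constructed sample SBOM, flattened parent-first into leaf order. Not a real SBOM.
SAMPLE_SBOM = [
    {"id": "pkg:app", "name": "app", "version": "2.1.0"},
    {"id": "pkg:openssl", "name": "openssl", "version": "3.0.12", "parent": "pkg:app"},
    {"id": "pkg:internal-lib", "name": "internal-lib", "version": "0.9", "parent": "pkg:app"},
    {"id": "pkg:zlib", "name": "zlib", "version": "1.3", "parent": "pkg:openssl"},
]


def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def leaf_hash(component: dict, nonce: bytes) -> bytes:
    # Canonical JSON so producer and consumer hash identical bytes; the nonce
    # (an assumption of this example) blinds the commitment of a redacted node.
    canon = json.dumps(component, sort_keys=True, separators=(",", ":")).encode()
    return _h(b"\x00" + nonce + canon)  # domain-separated leaf


def inner_hash(left: bytes, right: bytes) -> bytes:
    return _h(b"\x01" + left + right)  # domain-separated inner node


def merkle_root(leaves: list) -> bytes:
    if not leaves:
        raise ValueError("empty SBOM")
    level = list(leaves)
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])  # duplicate the odd leaf
        level = [inner_hash(level[i], level[i + 1]) for i in range(0, len(level), 2)]
    return level[0]


def produce(sbom: list, redact_ids: set):
    """Producer side: commit to every node, then publish a redacted view.
    Returns (root, entries, secrets). `secrets` stands in for the per-node
    material Petra would wrap under CP-ABE; here it is handed over directly."""
    nonces = [os.urandom(16) for _ in sbom]
    leaves = [leaf_hash(c, n) for c, n in zip(sbom, nonces)]
    root = merkle_root(leaves)
    entries, secrets = [], {}
    for c, n, leaf in zip(sbom, nonces, leaves):
        if c["id"] in redact_ids:
            entries.append({"redacted": True, "leaf": leaf.hex()})  # commitment only
            secrets[c["id"]] = (c, n)
        else:
            entries.append({"component": c, "nonce": n.hex()})
    return root, entries, secrets


def verify(root: bytes, entries: list) -> bool:
    """Consumer side: recompute the root from the redacted view alone."""
    leaves = []
    for e in entries:
        if e.get("redacted"):
            leaves.append(bytes.fromhex(e["leaf"]))
        else:
            leaves.append(leaf_hash(e["component"], bytes.fromhex(e["nonce"])))
    return merkle_root(leaves) == root


def open_redacted(entry: dict, component: dict, nonce: bytes) -> bool:
    """Authorized consumer: the disclosed plaintext must match the commitment
    every other party already verified against the root (sameness)."""
    if not entry.get("redacted"):
        return False
    return leaf_hash(component, nonce) == bytes.fromhex(entry["leaf"])


def query_versions(entries: list, name: str) -> list:
    """Answer 'which version of X is present?' from the visible nodes only."""
    return [e["component"]["version"] for e in entries
            if not e.get("redacted") and e["component"]["name"] == name]


def demo():
    root, entries, secrets = produce(SAMPLE_SBOM, {"pkg:internal-lib"})
    ok = verify(root, entries)
    # Tampering with a visible node changes the root, so verification fails.
    tampered = json.loads(json.dumps(entries))
    tampered[1]["component"]["version"] = "1.1.1"
    tampered_ok = verify(root, tampered)
    comp, nonce = secrets["pkg:internal-lib"]
    opened = open_redacted(entries[2], comp, nonce)
    return ok, tampered_ok, opened, query_versions(entries, "openssl")


if __name__ == "__main__":
    print(demo())
```

The point the example makes is that a consumer without access to the redacted node can still check the whole redacted SBOM against the published root, while an authorized consumer can confirm that what was disclosed to them is exactly the node the producer committed to; any change to a visible node, or to the set of leaves, breaks the root.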
