Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

UniBOM -- A Unified SBOM Analysis and Visualisation Tool for IoT Systems and Beyond

Vadim Safronov, Ionut Bostan, Nicholas Allott, Andrew Martin

TL;DR

UniBOM tackles the security of complex IoT software stacks by unifying binary, filesystem, and source-code analysis into an end-to-end SBOM workflow. It integrates Binwalk, Syft, CCScanner, and Grype, adds AI-driven memory-safety vulnerability classification, and provides a web GUI for visualizing vulnerability histories and risk. Through large-scale firmware and OS-code evaluations, UniBOM demonstrates superior vulnerability detection compared with existing SBOM tools, particularly for non-package-managed C/C++ dependencies. The work advances SBOM-driven security for IoT and broader software ecosystems and is released as open source for integration into real-world workflows. Future directions include AIBOM integration and enhanced operational deployment within security pipelines.

Abstract

Modern networked systems rely on complex software stacks, which often conceal vulnerabilities arising from intricate interdependencies. A Software Bill of Materials (SBOM) is effective for identifying dependencies and mitigating security risks. However, existing SBOM solutions lack precision, particularly in binary analysis and non-package-managed languages like C/C++. This paper introduces UniBOM, an advanced tool for SBOM generation, analysis, and visualisation, designed to enhance the security accountability of networked systems. UniBOM integrates binary, filesystem, and source code analysis, enabling fine-grained vulnerability detection and risk management. Key features include historical CPE tracking, AI-based vulnerability classification by severity and memory safety, and support for non-package-managed C/C++ dependencies. UniBOM's effectiveness is demonstrated through a comparative vulnerability analysis of 258 wireless router firmware binaries and the source code of four popular IoT operating systems, highlighting its superior detection capabilities compared to other widely used SBOM generation and analysis tools. Packaged for open-source distribution, UniBOM offers an end-to-end unified analysis and visualisation solution, advancing SBOM-driven security management for dependable networked systems and broader software.

UniBOM -- A Unified SBOM Analysis and Visualisation Tool for IoT Systems and Beyond

TL;DR

UniBOM tackles the security of complex IoT software stacks by unifying binary, filesystem, and source-code analysis into an end-to-end SBOM workflow. It integrates Binwalk, Syft, CCScanner, and Grype, adds AI-driven memory-safety vulnerability classification, and provides a web GUI for visualizing vulnerability histories and risk. Through large-scale firmware and OS-code evaluations, UniBOM demonstrates superior vulnerability detection compared with existing SBOM tools, particularly for non-package-managed C/C++ dependencies. The work advances SBOM-driven security for IoT and broader software ecosystems and is released as open source for integration into real-world workflows. Future directions include AIBOM integration and enhanced operational deployment within security pipelines.

Abstract

Modern networked systems rely on complex software stacks, which often conceal vulnerabilities arising from intricate interdependencies. A Software Bill of Materials (SBOM) is effective for identifying dependencies and mitigating security risks. However, existing SBOM solutions lack precision, particularly in binary analysis and non-package-managed languages like C/C++. This paper introduces UniBOM, an advanced tool for SBOM generation, analysis, and visualisation, designed to enhance the security accountability of networked systems. UniBOM integrates binary, filesystem, and source code analysis, enabling fine-grained vulnerability detection and risk management. Key features include historical CPE tracking, AI-based vulnerability classification by severity and memory safety, and support for non-package-managed C/C++ dependencies. UniBOM's effectiveness is demonstrated through a comparative vulnerability analysis of 258 wireless router firmware binaries and the source code of four popular IoT operating systems, highlighting its superior detection capabilities compared to other widely used SBOM generation and analysis tools. Packaged for open-source distribution, UniBOM offers an end-to-end unified analysis and visualisation solution, advancing SBOM-driven security management for dependable networked systems and broader software.

Paper Structure

This paper contains 15 sections, 4 figures, 4 tables.

Table of Contents

  1. Introduction
  2. Software Bill of Materials
  3. Related Work
  4. UniBOM Architecture
  5. Usage Overview
  6. Binary Extraction
  7. SBOM Generation
  8. Extended Analysis and Comparison Features
  9. Evaluation
  10. IoT Binary Firmware Analysis
  11. IoT OS Source Code Analysis
  12. Web GUI Overview
  13. Visualising Firmware Vulnerability Status
  14. Historical Analysis: Understanding Vulnerability Trends
  15. Conclusion

Figures (4)

  • Figure 1: Radial representation of CPE, CVE, and CWE relationships for Busybox 1.33.2.
  • Figure 2: UniBOM architectural pipeline.
  • Figure 3: UniBOM GUI screenshot: firmware vulnerability status.
  • Figure 4: UniBOM GUI screenshot: historical analysis for OpenSSL 1.1.1n.