Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

VeriSBOM: Secure and Verifiable SBOM Sharing Via Zero-Knowledge Proofs

Gianpietro Castiglione, Shahriar Ebrahimi, Narges Khakpour

TL;DR

VeriSBOM is presented, a trustless, selectively disclosed SBOM framework that provides cryptographic verifiability of SBOMs using zero-knowledge proofs and enables scalable, privacy-preserving, and verifiable SBOM sharing and validation.

Abstract

A Software Bill of Materials (SBOM) is a key component for the transparency of software supply chain; it is a structured inventory of the components, dependencies, and associated metadata of a software artifact. However, an SBOM often contain sensitive information that organizations are unwilling to disclose in full to anyone, for two main concerns: technological risks deriving from exposing proprietary dependencies or unpatched vulnerabilities, and business risks, deriving from exposing architectural strategies. Therefore, delivering a plaintext SBOM may result in the disruption of the intellectual property of a company. To address this, we present VeriSBOM, a trustless, selectively disclosed SBOM framework that provides cryptographic verifiability of SBOMs using zero-knowledge proofs. Within VeriSBOM, third parties can validate specific statements about a delivered software. Respectively, VeriSBOM allows independent third parties to verify if a software contains authentic dependencies distributed by official package managers and that the same dependencies satisfy rigorous policy constraints such as the absence of vulnerable dependencies or the adherence with specific licenses models. VeriSBOM leverages a scalable vector commitment scheme together with folding-based proof aggregation to produce succinct zero-knowledge proofs that attest to security and compliance properties while preserving confidentiality. Crucially, the verification process requires no trust in the SBOM publisher beyond the soundness of the underlying primitives, and third parties can independently check proofs against the public cryptographic commitments. We implement VeriSBOM, analyze its security, and evaluate its performance on real-world package registries. The results show that our method enables scalable, privacy-preserving, and verifiable SBOM sharing and validation.

VeriSBOM: Secure and Verifiable SBOM Sharing Via Zero-Knowledge Proofs

TL;DR

VeriSBOM is presented, a trustless, selectively disclosed SBOM framework that provides cryptographic verifiability of SBOMs using zero-knowledge proofs and enables scalable, privacy-preserving, and verifiable SBOM sharing and validation.

Abstract

A Software Bill of Materials (SBOM) is a key component for the transparency of software supply chain; it is a structured inventory of the components, dependencies, and associated metadata of a software artifact. However, an SBOM often contain sensitive information that organizations are unwilling to disclose in full to anyone, for two main concerns: technological risks deriving from exposing proprietary dependencies or unpatched vulnerabilities, and business risks, deriving from exposing architectural strategies. Therefore, delivering a plaintext SBOM may result in the disruption of the intellectual property of a company. To address this, we present VeriSBOM, a trustless, selectively disclosed SBOM framework that provides cryptographic verifiability of SBOMs using zero-knowledge proofs. Within VeriSBOM, third parties can validate specific statements about a delivered software. Respectively, VeriSBOM allows independent third parties to verify if a software contains authentic dependencies distributed by official package managers and that the same dependencies satisfy rigorous policy constraints such as the absence of vulnerable dependencies or the adherence with specific licenses models. VeriSBOM leverages a scalable vector commitment scheme together with folding-based proof aggregation to produce succinct zero-knowledge proofs that attest to security and compliance properties while preserving confidentiality. Crucially, the verification process requires no trust in the SBOM publisher beyond the soundness of the underlying primitives, and third parties can independently check proofs against the public cryptographic commitments. We implement VeriSBOM, analyze its security, and evaluate its performance on real-world package registries. The results show that our method enables scalable, privacy-preserving, and verifiable SBOM sharing and validation.
Paper Structure (49 sections, 3 theorems, 9 equations, 10 figures, 3 tables, 1 algorithm)

This paper contains 49 sections, 3 theorems, 9 equations, 10 figures, 3 tables, 1 algorithm.

Table of Contents

  1. Introduction
  2. Challenges.
  3. Solution.
  4. Contributions.
  5. Related Work
  6. SBOM Security
  7. Detecting Malicious Packages
  8. Security of Software Production Process
  9. Cryptography for Software Supply Chain
  10. Preliminaries
  11. Vector Commitment Schemes
  12. Zero-Knowledge Proof Systems
  13. Folding Schemes
  14. An Overview of VeriSBOM
  15. Threat Model
  16. ...and 34 more sections

Key Result

Theorem 1

$\mathcal{A}$ cannot open a leaf at index $idx$ to a value $v'$ different from $v$, as the originally committed value.

Figures (10)

  • Figure 1: Proposed commitment method for package manager
  • Figure 2: High-level overview of our method. In practice, a single entity may assume multiple roles.
  • Figure 3: When at step k a new package is retrieved from the SBOM, the proof is generated from the results of the previous step k-1. The results of step k are then employed for the step k+1, hence for the next package. In each step, the proof is built considering the public roots.
  • Figure 4: Hierarchical propagation of policy constraints. The diagram illustrates how a local policy violation ($\mathcal{L}=0$) in a dependency ($P_A$) within a specific policy constraint propagates among other constraints, resulting in a non-compliant root package ($P_R$).
  • Figure 5: Comparison of SBOM visibility: software vendor view (left) vs. verifier view (right) after VeriSBOM application.
  • ...and 5 more figures

Theorems & Definitions (9)

  • Definition 3.1
  • Definition 5.1
  • Definition 5.2
  • Theorem 1: Package Tree Position-Binding
  • proof : Proof Sketch
  • Theorem 2: Soundness of Dual-Tree Verification
  • proof : Proof Sketch
  • Theorem 3: Root Binding Accountability
  • proof