Have submitted this proposal to NLNet, since we are ahead with cdx1. Wish us good luck!
Idea
As organizations and regulatory bodies increasingly mandate automated Software Bill of Materials (SBOM) submissions for compliance and risk management, the need for adversarial SBOM detection systems has become critical. Malicious actors could exploit vulnerabilities in SBOM generation pipelines (including tools like cdxgen), injecting falsified or incomplete component data to evade regulatory scrutiny or to mask vulnerabilities in critical infrastructure such as medical devices and automotive systems. Fake SBOMs might omit high-risk dependencies or misrepresent component versions, undermining vulnerability assessments and exposing supply chains to attack. To counter this, advanced detection frameworks could leverage a pipeline of tools and machine learning (ML) to analyze SBOM evidence consistency, compare components using techniques such as clustering, and flag anomalies in dependency graphs.
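As an added example (not part of this proposal, of cdxgen, or of any existing detector), the checks below implement the simplest layer of such a pipeline: rule-based consistency checks over a CycloneDX JSON document. They flag a component whose purl states a different version than its version field, a dependency edge that points at a bom-ref no component declares, and a declared component that the dependency graph never references. The SBOM and the finding codes are constructed for illustration.

```python
"""Consistency checks over a CycloneDX JSON SBOM (added example, not cdxgen code)."""
import json
from urllib.parse import unquote

def purl_version(purl):
    """Return the version part of a package URL, or None if it has none."""
    # Shape: pkg:type/namespace/name@version?qualifiers#subpath
    path = purl.split("?", 1)[0].split("#", 1)[0]
    if "@" not in path:
        return None
    return unquote(path.rsplit("@", 1)[1])

def check_sbom(bom):
    """Return sorted (finding-code, bom-ref) pairs for internal inconsistencies."""
    findings = []
    refs = {}
    for comp in bom.get("components", []):
        ref = comp.get("bom-ref") or comp.get("purl")
        if ref in refs:
            findings.append(("duplicate-bom-ref", ref))
        refs[ref] = comp
        pv = purl_version(comp.get("purl", ""))
        # A purl and version field that disagree is a classic misrepresented version
        if pv is not None and pv != comp.get("version"):
            findings.append(("purl-version-mismatch", ref))
    root = bom.get("metadata", {}).get("component", {}).get("bom-ref")
    known = set(refs) | ({root} if root else set())
    referenced = set()
    for dep in bom.get("dependencies", []):
        for r in [dep.get("ref")] + dep.get("dependsOn", []):
            if r not in known:  # edge to a component the SBOM never declares
                findings.append(("dangling-dependency-ref", r))
            referenced.add(r)
    for ref in refs:
        if ref not in referenced:  # declared but unreachable in the graph
            findings.append(("component-not-in-graph", ref))
    return sorted(findings)

# Constructed SBOM with one of each inconsistency (not a real project's output).
SAMPLE_BOM = json.loads("""{
 "bomFormat": "CycloneDX", "specVersion": "1.5",
 "metadata": {"component": {"bom-ref": "pkg:npm/app@1.0.0", "name": "app", "version": "1.0.0"}},
 "components": [
  {"bom-ref": "pkg:npm/lodash@4.17.21", "name": "lodash", "version": "4.17.21", "purl": "pkg:npm/lodash@4.17.21"},
  {"bom-ref": "pkg:npm/minimist@1.2.6", "name": "minimist", "version": "1.2.6", "purl": "pkg:npm/minimist@0.0.8"},
  {"bom-ref": "pkg:npm/left-pad@1.3.0", "name": "left-pad", "version": "1.3.0", "purl": "pkg:npm/left-pad@1.3.0"}],
 "dependencies": [
  {"ref": "pkg:npm/app@1.0.0", "dependsOn": ["pkg:npm/lodash@4.17.21", "pkg:npm/minimist@1.2.6"]},
  {"ref": "pkg:npm/lodash@4.17.21", "dependsOn": ["pkg:npm/ghost@9.9.9"]}]}""")

if __name__ == "__main__":
    for code, ref in check_sbom(SAMPLE_BOM):
        print(f"{code}: {ref}")
```

Findings from these rules are the kind of per-document features a later clustering or anomaly-scoring stage could consume alongside the component evidence fields.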
Candidate selection
This research project might be suitable for an undergraduate or master's student. Knowledge of programming and machine learning is beneficial.
Funding
A small pool of funding is available from AppThreat and sponsors. After the initial phase, additional grant opportunities may be available.
How to apply?
Please send an email to Prabhu at prabhu @ appthreat .dev with bullet points outlining how you would approach this problem and your availability in the coming months.