Trust in Software Supply Chains: Blockchain-Enabled SBOM and the AIBOM Future
Boming Xia, Dawen Zhang, Yue Liu, Qinghua Lu, Zhenchang Xing, Liming Zhu

TL;DR
This paper proposes a blockchain-based architecture for secure, verifiable, and flexible sharing of SBOMs and introduces the concept of AIBOM to address AI system transparency in critical infrastructure.
Contribution
It introduces a blockchain-enabled SBOM sharing mechanism with verifiable credentials and extends SBOM to AI systems as AIBOM, enhancing security and transparency.
Findings
Feasibility of blockchain-based SBOM sharing demonstrated.
Enhanced security and flexibility in SBOM disclosure.
AIBOM concept broadens SBOM scope to AI systems.
Abstract
The robustness of critical infrastructure systems is contingent upon the integrity and transparency of their software supply chains. A Software Bill of Materials (SBOM) is pivotal in this regard, offering an exhaustive inventory of components and dependencies crucial to software development. However, prevalent challenges in SBOM sharing, such as data tampering risks and vendors' reluctance to fully disclose sensitive information, significantly hinder its effective implementation. These challenges pose a notable threat to the security of critical infrastructure and systems where transparency and trust are paramount, underscoring the need for a more secure and flexible mechanism for SBOM sharing. To bridge the gap, this study introduces a blockchain-empowered architecture for SBOM sharing, leveraging verifiable credentials to allow for selective disclosure. This strategy not only…
Taxonomy
Topics: Blockchain Technology Applications and Security · Cloud Data Security Solutions
