
PhD defense Luis Soeiro: Assessing the Security of Software Supply Chains

Monday 1 December, 2025, at 14:00 (Paris time) at Télécom Paris

Télécom Paris, 19 place Marguerite Perey, F-91120 Palaiseau, amphi Estaunié, and by videoconference

Full title: Assessing the Security of Software Supply Chains: Software Bill of Materials, Threat Propagation, and Logical Attack Graphs

Jury

  • Nicolas Belloir, Associate Professor (HDR), Saint‑Cyr Military Academy Coëtquidan, France (Reviewer)
  • Etienne Borde, Associate Professor (senior grade, HDR), University of Canterbury, New Zealand (Reviewer)
  • Christelle Urtado, Professor, Institut Mines‑Télécom, France (Examiner)
  • Joaquin Garcia‑Alfaro, Professor, Télécom SudParis, France (Examiner)
  • Stefano Zacchiroli, Professor, Télécom Paris, France (Thesis Supervisor)
  • Thomas Robert, Associate Professor, Télécom Paris, France (Co‑supervisor)
  • Ivan Gazeau, Research Engineer, EDF R&D, France (Guest)

Abstract

The Software Supply Chain (SSC) is becoming more complex and more vulnerable as software products diversify and tracking their dependencies becomes harder. The Software Bill of Materials (SBOM), an inventory of a product's components, is proposed as a remedy for this complexity. Yet comprehensive studies of SBOM practice based on real-world files are lacking. To enable such research, we present the largest SBOM dataset to date: over 78,000 unique SBOM files, deduplicated from more than 94 million public repositories.

To leverage SBOMs effectively, especially at scale, industry stakeholders need reliable automated analysis tools. We perform an empirical analysis of real-world SBOMs to benchmark eight state-of-the-art tools for validating and scoring SBOM quality. We define independent metrics for the suitability of an SBOM for a given use, and compare the tools' output against them. Our findings indicate that most SBOMs are not ready for use, and that the tools disagree with one another significantly.
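The kind of per-use readiness check the paragraph above refers to, as an added illustration for this page (it is not the thesis's metrics nor any of the benchmarked tools): it walks a CycloneDX JSON SBOM, reports which of the NTIA "minimum elements" (supplier, component name, version, unique identifier, dependency relationships, SBOM author, timestamp) are missing, and scores the document separately for vulnerability matching and for license compliance. The sample SBOM, the fictional package names and the two per-use predicates are this example's own assumptions.

```python
"""Readiness check for a CycloneDX JSON SBOM.

Added illustration for this page; it is not the thesis's metrics nor any of the
benchmarked tools. The field list follows the NTIA "minimum elements"; the two
per-use checks (vulnerability matching needs a purl or CPE, license compliance
needs license data) are this example's own choice.
"""
import json

# Constructed sample SBOM, deliberately incomplete; package names are fictional.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {
        "timestamp": "2025-01-15T10:00:00Z",
        "tools": [{"name": "example-generator", "version": "0.1"}],
        "component": {"bom-ref": "app", "type": "application",
                      "name": "demo-app", "version": "2.3.0"},
    },
    "components": [
        {"bom-ref": "pkg:pypi/acme-http@1.4.2", "type": "library",
         "name": "acme-http", "version": "1.4.2",
         "purl": "pkg:pypi/acme-http@1.4.2",
         "supplier": {"name": "Acme Corp"},
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
        # No supplier, version, identifier or license: a typical generator gap.
        {"bom-ref": "lib-b", "type": "library", "name": "libb"},
    ],
    "dependencies": [
        {"ref": "app", "dependsOn": ["pkg:pypi/acme-http@1.4.2", "missing-ref"]},
    ],
})


def has_identifier(component):
    """A component is identifiable if it carries a purl, CPE, SWID tag or hashes."""
    return any(component.get(k) for k in ("purl", "cpe", "swid", "hashes"))


def ntia_findings(sbom):
    """Return (component, missing element) pairs for the NTIA minimum elements."""
    findings = []
    meta = sbom.get("metadata", {})
    if not meta.get("timestamp"):
        findings.append(("<document>", "timestamp"))
    if not (meta.get("authors") or meta.get("tools")):
        findings.append(("<document>", "author-of-sbom-data"))

    components = sbom.get("components", [])
    for c in components:
        name = c.get("name", "<unnamed>")
        for element in ("supplier", "name", "version"):
            if not c.get(element):
                findings.append((name, element))
        if not has_identifier(c):
            findings.append((name, "unique-identifier"))

    # Dependency relationships must be present and every target must resolve
    # to a declared bom-ref; dangling refs make the graph useless downstream.
    known_refs = {c.get("bom-ref") for c in components}
    if meta.get("component", {}).get("bom-ref"):
        known_refs.add(meta["component"]["bom-ref"])
    dependencies = sbom.get("dependencies")
    if not dependencies:
        findings.append(("<document>", "dependency-relationships"))
    else:
        for entry in dependencies:
            for target in entry.get("dependsOn", []):
                if target not in known_refs:
                    findings.append((entry.get("ref"), "dangling-dependency:" + target))
    return findings


# Per-use readiness predicates (this example's choice, not a standard).
READINESS = {
    "vulnerability-matching": lambda c: bool(c.get("purl") or c.get("cpe")),
    "license-compliance": lambda c: bool(c.get("licenses")),
}


def readiness(sbom, purpose):
    """Fraction of components that satisfy the predicate for `purpose`."""
    components = sbom.get("components", [])
    if not components:
        return 0.0
    return sum(1 for c in components if READINESS[purpose](c)) / len(components)


def assess(sbom_json):
    """Parse an SBOM document and report NTIA gaps plus per-use readiness."""
    sbom = json.loads(sbom_json)
    return {
        "ntia_findings": ntia_findings(sbom),
        "ready_for": {p: readiness(sbom, p) for p in READINESS},
    }


if __name__ == "__main__":
    report = assess(SAMPLE_SBOM)
    for component, element in report["ntia_findings"]:
        print(f"missing {element:<28} in {component}")
    for purpose, score in report["ready_for"].items():
        print(f"{purpose:<24} {score:.0%} of components usable")
```

On the constructed sample, the same document scores differently depending on the intended use, which is the point of use-specific metrics: half of the components can be matched against vulnerability databases, half carry license data, and the dependency graph has a dangling reference that a schema-only validator would not flag.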

Current Software Composition Analysis (SCA) tools, attack trees, and attack graphs fail to account for the interactions within the SSC that affect software security. We propose a novel method for assessing threat levels in supply chains, the Log Model, which identifies the key elements that propagate attacks or are targeted by them. A set of rules deduces the threat level of these core elements from the initial state, the SSC interactions, and assumptions about the attackers.

MulVal is a state-of-the-art open-source tool for generating logical attack graphs of networked systems. However, it does not adequately model SSC threat propagation, which makes it less effective against modern SSC attacks such as the XZ compromise and the 3CX double SSC attack. We introduce a MulVal extension that addresses this limitation: a new set of predicates, in MulVal syntax, that model SSC interactions and integrate with the existing rules, along with 20 example scenarios and a test-case framework.
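What rule-based threat propagation over supply-chain relations looks like, as an added illustration for this page: the predicate names (attackerControls, produces, dependsOn, builtWith, deploys, compromised), the rules and the scenario are this example's assumptions, not the thesis's predicates or MulVal's rule set. MulVal evaluates Datalog rules with the XSB engine; the small Python engine below only reproduces the forward-chaining semantics, and records which facts justified each derived fact, which is the edge list of the resulting logical attack graph.

```python
"""Threat propagation through supply-chain relations as forward-chaining rules.

Added illustration; predicate names, rules and scenario are assumptions of this
example, not the thesis's predicates or MulVal's own rules.
"""


def unify(pattern, args, env):
    """Bind pattern variables (capitalised names) to args, or return None."""
    env = dict(env)
    for p, a in zip(pattern, args):
        if p[:1].isupper():
            if env.get(p, a) != a:
                return None
            env[p] = a
        elif p != a:
            return None
    return env


def instantiate(atom, env):
    """Replace the variables of an atom with their bindings."""
    pred, args = atom
    return (pred,) + tuple(env[a] if a[:1].isupper() else a for a in args)


def derive(facts, rules):
    """Naive fixpoint evaluation. Returns (all facts, {derived: [premises]})."""
    facts = set(facts)
    justifications = {}
    while True:
        new = set()
        for head, body in rules:
            envs = [{}]
            for pred, args in body:            # join body atoms left to right
                envs = [e2 for env in envs for fact in facts
                        if fact[0] == pred and len(fact) == len(args) + 1
                        for e2 in [unify(args, fact[1:], env)] if e2 is not None]
            for env in envs:
                conclusion = instantiate(head, env)
                premises = tuple(instantiate(atom, env) for atom in body)
                if conclusion not in facts:
                    new.add(conclusion)
                    alts = justifications.setdefault(conclusion, [])
                    if premises not in alts:
                        alts.append(premises)
        if not new:
            return facts, justifications
        facts |= new


# Propagation rules: an attacker's control of a supplier compromises what it
# produces; compromise then flows along dependency, build-tool and deployment
# edges. Variables are the capitalised names.
RULES = [
    (("compromised", ("A",)), [("attackerControls", ("S",)), ("produces", ("S", "A"))]),
    (("compromised", ("A",)), [("dependsOn", ("A", "D")), ("compromised", ("D",))]),
    (("compromised", ("A",)), [("builtWith", ("A", "T")), ("compromised", ("T",))]),
    (("compromised", ("H",)), [("deploys", ("H", "A")), ("compromised", ("A",))]),
]

# Constructed scenario (fictional names): an attacker controls the maintainer of
# a library that a network daemon depends on; a second chain built from a clean
# registry image must stay clean.
FACTS = {
    ("attackerControls", "upstream-maintainer"),
    ("produces", "upstream-maintainer", "compression-lib"),
    ("produces", "registry-x", "build-image"),
    ("dependsOn", "remote-shell-daemon", "compression-lib"),
    ("builtWith", "app-c", "build-image"),
    ("deploys", "fleet-host", "remote-shell-daemon"),
    ("deploys", "ci-host", "app-c"),
}


def compromised_elements(facts=FACTS, rules=RULES):
    """Sorted names of every element the rules derive as compromised."""
    all_facts, _ = derive(facts, rules)
    return sorted(f[1] for f in all_facts if f[0] == "compromised")


def attack_graph(facts=FACTS, rules=RULES):
    """Edges (premise fact -> derived fact) of the logical attack graph."""
    _, why = derive(facts, rules)
    return sorted({(p, c) for c, alts in why.items() for prem in alts for p in prem})


if __name__ == "__main__":
    print("compromised:", compromised_elements())
    for premise, conclusion in attack_graph():
        print(f"{premise} -> {conclusion}")
```

The scenario is the shape of the attacks the paragraph names: control over an upstream supplier reaches a deployed host only through the chain of SSC relations, and the second chain stays clean because nothing in it is attacker-controlled. A network-only attack graph has no edge for "depends on" or "built with", so it cannot derive the host compromise at all; adding those relations as predicates is what the extension described above does in MulVal's own syntax.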