What You See Is Not What You Execute: Memory-Based Runtime SBOM Generation for Supply Chain Security

📅 2026-06-22
📈 Citations: 0
Influential: 0
📄 PDF
🤖 AI Summary
Traditional Software Bill of Materials (SBOM) approaches struggle to accurately capture the components dynamically loaded at runtime in languages like Python, thereby limiting supply chain security and incident response capabilities. This work proposes MEM-SBOM, the first memory forensics–based framework for generating runtime SBOMs without requiring prior instrumentation. By analyzing the in-memory structures of the Python interpreter, bytecode, and package version metadata, MEM-SBOM directly reconstructs the true execution state from process memory. This approach overcomes the limitations of methods relying on static metadata or runtime monitoring, enabling both post-incident forensic analysis and deployment in production environments. Evaluated on 51 real-world Python applications, MEM-SBOM achieves 100% accuracy in component extraction, fully recovers runtime dependencies missed by existing tools, and precisely identifies vulnerable function calls.
📝 Abstract
Modern software development relies heavily on third-party components from public repositories, expanding the software supply chain attack surface. In response to these growing risks, federal initiatives have advanced the Software Bill of Materials (SBOM) as a standardized mechanism for improving transparency by describing software components, dependencies, and their relationships. However, SBOMs built from metadata or filesystem artifacts fail to capture the components loaded and executed at runtime, especially in dynamic ecosystems such as Python. Moreover, generating runtime SBOMs through instrumentation requires monitoring to be deployed in advance and the system to remain observable throughout execution. Such conditions are difficult to satisfy in production environments and incident-response scenarios. Volatile memory, in contrast, provides a reliable source for recovering the actual runtime state of a running application without requiring prior instrumentation. Therefore, this paper presents MEM-SBOM, the first memory forensics framework that generates SBOMs directly from the runtime state of Python applications. It recovers the modules from the interpreter's internal structures, resolves package versions, and analyzes bytecode to build dependency graphs and identify vulnerable functions. We implemented MEM-SBOM as a suite of Volatility 3 plugins and evaluated it against 51 real-world Python applications. It achieves 100% extraction accuracy, identifies Streamlit as the only application that calls the vulnerable routines of the tornado dependency, and recovers all runtime packages missed by existing SBOM tools, providing more accurate dependency graphs and better vulnerability assessment. These capabilities make MEM-SBOM a practical foundation for software supply chain security and incident response by providing a forensically sound runtime view of what is executed on a system.
Problem

Research questions and friction points this paper is trying to address.

Software Bill of Materials
supply chain security
runtime SBOM
memory forensics
Python dependencies
Innovation

Methods, ideas, or system contributions that make the work stand out.

memory forensics
runtime SBOM
software supply chain security
Python bytecode analysis
Volatility
🔎 Similar Papers
No similar papers found.