arXiv: What You See Is Not What You Execute: Memory-Based Runtime SBOM Generation for Supply Chain Security

This paper, published on arXiv, introduces a novel approach to software supply chain security called memory-based runtime Software Bill of Materials (SBOM) generation. It addresses a critical gap: traditional SBOMs are static snapshots of what a developer intended to deploy, but they often miss what actually executes in memory due to runtime dependencies, dynamic loading, or obfuscation. The authors demonstrate that attackers can exploit this discrepancy, and their method uses runtime memory analysis to generate a true, executable-level SBOM.

This development directly affects any organization subject to the EU Cyber Resilience Act or the AI Act, particularly software vendors, cloud service providers, and manufacturers of digital products. Sectors with high security requirements—such as finance, healthcare, and critical infrastructure—should pay close attention, as the technique reveals hidden vulnerabilities that static SBOMs miss. Compliance teams in these sectors must now consider whether their current SBOM practices are sufficient.

Compliance teams should immediately review their existing SBOM generation processes to determine if they rely solely on build-time or manifest-based methods. They should pilot runtime SBOM generation for high-risk or externally-facing applications, and update their vulnerability management policies to incorporate runtime evidence. Finally, they should engage with standardisation bodies to ensure this approach aligns with upcoming regulatory requirements for transparency and traceability under the AI Safety framework.