Li Zhou
Student
KAUST
Li Zhou is a PhD student at KAUST’s SENTRY Center. His research focuses on applying machine learning to cybersecurity challenges, with interests in vulnerability detection, reverse engineering, and IoT security.
Speaker sessions
Chain of Trustless: How Flawed SBOMs Broke Supply Chain Security
The Software Bill of Materials (SBOM) is used as a foundational tool for software supply chain visibility, yet it can also be used as a tool for deception. Recently, several security tools and papers have conducted vulnerability assessment research based on SBOMs, but with a critically flawed practice that allows attackers to deliberately hide malicious dependencies in plain sight.

This talk begins with an attack. We will demonstrate the exact techniques used to make a malicious dependency invisible to modern SBOM tools that follow this broken methodology, turning a trusted inventory into a security blind spot.

Then, we show the first line of defense. By enforcing the use of definitive lock files, we can close this attack vector and generate a more accurate SBOM. Problem solved? Not even close. The second part of this talk reveals the deeper, architectural flaw: even a "perfect" lock-file-based SBOM is crippled by false positives, because it works at the wrong granularity for vulnerability detection. This makes it impractical to distinguish a vulnerability actually present in the software from the mass of false positives reported by downstream tools, and the resulting flood of noise makes effective vulnerability management practically infeasible.

Finally, we will present a set of software development best practices to harden the supply chain and, crucially, detail a specific migration path for legacy projects to adopt better dependency management. By demonstrating these attacks and their realistic mitigations, we aim to raise awareness and equip the community with the essential tactics needed to reduce risk in a broken ecosystem.
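The following is an added illustration of the first defensive point in the abstract; it is not code from the speaker or from any tool named in the talk. It contrasts an SBOM derived from a manifest (direct dependencies with version ranges) with one derived from a lock file (every resolved package, transitive ones included, at an exact version), and audits the manifest-based SBOM against the lock file so a defender can see which components a scanner fed that SBOM would never examine. The manifest, lock-file and advisory structures are constructed, simplified stand-ins rather than real npm or pip formats, and the advisory identifiers are placeholders.

```python
"""Audit a manifest-derived SBOM against the project's lock file.

Constructed example: the data formats are simplified stand-ins, not real
package-manager files, and the advisory identifiers are placeholders.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed manifest: only direct dependencies, each with a version range.
MANIFEST = {
    "dependencies": {
        "web-framework": "^2.1.0",
        "json-utils": "~1.4.0",
    }
}

# Constructed lock file: every resolved package pinned to one version,
# including transitive dependencies the manifest never mentions.
LOCKFILE = {
    "packages": {
        "web-framework": {"version": "2.3.1", "dependencies": ["http-parser", "json-utils"]},
        "json-utils": {"version": "1.4.2", "dependencies": []},
        "http-parser": {"version": "0.9.0", "dependencies": ["string-pad"]},
        "string-pad": {"version": "3.0.0", "dependencies": []},
    }
}

# Constructed advisory feed: package name -> affected exact version -> placeholder id.
ADVISORIES = {
    "string-pad": {"3.0.0": "EXAMPLE-ADV-0001"},
    "web-framework": {"2.0.0": "EXAMPLE-ADV-0002"},
}


@dataclass(frozen=True)
class Component:
    name: str
    version: Optional[str]  # None when the source only gives a range


def sbom_from_manifest(manifest: Dict) -> Set[Component]:
    """Manifest-based SBOM: direct dependencies only, with no exact version."""
    return {Component(name, None) for name in manifest["dependencies"]}


def sbom_from_lockfile(lock: Dict) -> Set[Component]:
    """Lock-file-based SBOM: every resolved package at its pinned version."""
    return {Component(name, pkg["version"]) for name, pkg in lock["packages"].items()}


def audit_sbom(sbom: Set[Component], lock: Dict) -> Dict[str, List]:
    """Report the blind spots a scanner consuming `sbom` would have.

    missing:          resolved packages the SBOM does not list at all
    unpinned:         listed packages whose SBOM entry carries no exact version
    version_mismatch: listed packages whose SBOM version differs from the lock file
    """
    declared = {c.name: c for c in sbom}
    findings: Dict[str, List] = {"missing": [], "unpinned": [], "version_mismatch": []}
    for name, pkg in sorted(lock["packages"].items()):
        comp = declared.get(name)
        if comp is None:
            findings["missing"].append(name)
        elif comp.version is None:
            findings["unpinned"].append(name)
        elif comp.version != pkg["version"]:
            findings["version_mismatch"].append((name, comp.version, pkg["version"]))
    return findings


def match_advisories(sbom: Set[Component], advisories: Dict) -> List[Tuple[str, str, str]]:
    """Package-level matching: a component matches only when name and exact
    version are both known and listed as affected. Unpinned components cannot
    be matched, and a match says nothing about whether the affected code is
    actually reachable from the project."""
    hits = []
    for comp in sorted(sbom, key=lambda c: c.name):
        if comp.version is None:
            continue
        advisory_id = advisories.get(comp.name, {}).get(comp.version)
        if advisory_id:
            hits.append((comp.name, comp.version, advisory_id))
    return hits


if __name__ == "__main__":
    manifest_sbom = sbom_from_manifest(MANIFEST)
    lock_sbom = sbom_from_lockfile(LOCKFILE)
    print("manifest-based SBOM audit:", audit_sbom(manifest_sbom, LOCKFILE))
    print("lock-file-based SBOM audit:", audit_sbom(lock_sbom, LOCKFILE))
    print("advisories seen via manifest SBOM:", match_advisories(manifest_sbom, ADVISORIES))
    print("advisories seen via lock-file SBOM:", match_advisories(lock_sbom, ADVISORIES))
```

Running the audit on the manifest-based SBOM reports two transitive packages as missing and both direct dependencies as unpinned, so the affected `string-pad` version is invisible to the advisory match; the lock-file-based SBOM passes the audit and surfaces it. The abstract's second point is visible in `match_advisories` as well: the match is made on package name and version alone, which is the granularity at which it will also flag every consumer of an affected version whether or not the vulnerable code is used.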
- 13:40
- Thu
- 04 Dec
Stage:
Briefings 2
Sessions Type:
Presentation