Cyber Rosetta Stone for True Software Supply Chain Security
The SBOM Challenge
A Software Bill of Materials (SBOM) is a self-certified inventory of software components, intended to validate the software supply chain. When properly implemented, it improves visibility, traceability, and vulnerability management, helping organizations mitigate risks from cyber threats, foreign adversaries, and software supply chain attacks.
SBOMs have become a key requirement for:
- Federal Government agencies
- NATO and allied defense organizations
- Critical infrastructure operators (energy, telecom, healthcare)
- Multinational corporations securing their software supply chain
The Hidden Gaps in SBOMs
Traditional SBOMs are built from source code and build processes, not from the final binaries in production. This leads to critical blind spots, including:
- Dynamically loaded components and runtime dependencies that never appear in the SBOM
- Copy/pasted code that isn’t tracked
- Embedded firmware with unknown origins
And since traditional SBOMs rely on vendor self-attestation, end users cannot independently validate that the delivered binary matches the associated SBOM.
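The gap described above can be made concrete with a hash check, the baseline an end user can run when a vendor does ship component hashes. The following is an added example, not code from URSA or from any SBOM tool: it builds a minimal CycloneDX-shaped SBOM from constructed bytes (the structure and sample data are assumptions for illustration), then compares what was "delivered" against it. A rebuilt library shows up as both unlisted and undelivered, and a plugin the vendor never declared shows up only because the check enumerates the delivered files itself; nothing in the SBOM would have pointed at it.

```python
import hashlib


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a byte string (the hash algorithm CycloneDX names 'SHA-256')."""
    return hashlib.sha256(data).hexdigest()


def build_vendor_sbom(files: dict) -> dict:
    """Construct a minimal CycloneDX-shaped SBOM listing only the files the vendor's
    build declares. This shape is a simplification for the example, not a full SBOM."""
    components = []
    for path, blob in files.items():
        name = path.rsplit("/", 1)[-1].removesuffix(".so")
        components.append({
            "name": name,
            "version": "1.0",
            "hashes": [{"alg": "SHA-256", "content": sha256_hex(blob)}],
        })
    return {"bomFormat": "CycloneDX", "specVersion": "1.5", "components": components}


def sbom_hash_index(sbom: dict) -> dict:
    """Map SHA-256 digest -> 'name@version' for every component carrying a SHA-256 hash."""
    index = {}
    for comp in sbom.get("components", []):
        for h in comp.get("hashes", []):
            if h.get("alg") == "SHA-256":
                index[h["content"].lower()] = f"{comp['name']}@{comp['version']}"
    return index


def verify_delivery(sbom: dict, delivered: dict) -> dict:
    """Compare delivered artifacts (path -> bytes) against the SBOM's hashes.

    matched:     delivered files whose hash the SBOM lists
    unlisted:    delivered files with no matching hash (modified, substituted, or never declared)
    undelivered: SBOM components whose hash was not seen among the delivered files
    """
    index = sbom_hash_index(sbom)
    matched, unlisted, seen = {}, [], set()
    for path, blob in delivered.items():
        digest = sha256_hex(blob)
        if digest in index:
            matched[path] = index[digest]
            seen.add(digest)
        else:
            unlisted.append(path)
    undelivered = [name for digest, name in index.items() if digest not in seen]
    return {"matched": matched, "unlisted": unlisted, "undelivered": undelivered}


# Constructed sample: the two libraries the vendor's build process knows about.
CONSTRUCTED_BUILD_FILES = {
    "lib/libparse.so": b"libparse build 2.1.0 (constructed bytes)",
    "lib/libcrypto-shim.so": b"libcrypto-shim 0.9 (constructed bytes)",
}
VENDOR_SBOM = build_vendor_sbom(CONSTRUCTED_BUILD_FILES)

# Constructed sample of what actually arrives: libparse unchanged, libcrypto-shim rebuilt
# with different bytes, plus a runtime-loaded plugin the SBOM never mentions.
DELIVERED = {
    "lib/libparse.so": CONSTRUCTED_BUILD_FILES["lib/libparse.so"],
    "lib/libcrypto-shim.so": b"libcrypto-shim 0.9 rebuilt with other flags (constructed bytes)",
    "plugins/telemetry.so": b"telemetry plugin loaded via dlopen (constructed bytes)",
}

if __name__ == "__main__":
    report = verify_delivery(VENDOR_SBOM, DELIVERED)
    for key in ("matched", "unlisted", "undelivered"):
        print(f"{key}: {report[key]}")
```

The check only tells you whether bytes you already know about match hashes the vendor chose to publish; it cannot reveal which functions inside an unlisted or rebuilt file are shared with known-vulnerable or untrusted code, which is the question the rest of this page addresses.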
URSA’s Solution: The Cyber Rosetta Stone
URSA has developed a breakthrough capability—a cyber Rosetta Stone that analyzes binaries at the function level across architectures, without needing source code or build metadata. Unlike traditional SBOMs, URSA works from what’s actually running in your environment, not what was claimed.
- Analyze what’s actually running in your environment
- Identify risks across the entire supply chain—beyond vendor claims
- Uncover hidden dependencies and embedded components
Whether you’re securing mission-critical government systems, critical infrastructure, or corporate software, URSA provides a verified, independent view of your software supply chain—giving you true visibility and control.
Technical Details
Product Name: TBD
Technical Readiness Level:
4 with formal methods, 6 without formal methods
Description:
Given a binary, finds (with function-level granularity) components which have similar functionality in one or more binaries in a corpus.
Benefit:
Finds vulnerabilities in software supply chains at scale, before deployment, independent of architecture and build process, within existing ecosystems.
Key points:
- Acts on binaries – does not require source code or a build process.
- Architecture-independent. More than nine architectures supported.
- Considers multiple characteristics of a component. Characteristics are extensible and adaptable to new toolchains, coding styles and research.
- Works with URSA-provided or user-provided corpuses. Corpuses currently under development: malware, embedded firmware, open source projects, developer tools, components with known vulnerabilities, and country-of-origin-specific components.
Typical output: a matched list pairing components from the user’s binary with components from the target corpuses. Each match is scored by the quality of the match.
Delivery: the primary interface is an API library. Supports a cloud or on-premises SaaS platform, as well as plugins for reverse engineering tools such as Binary Ninja, Ghidra, and IDA Pro.
Technology: Every software function has unique traits—shaped by its development environment, architecture, origin, and author—that act like digital DNA. URSA captures these traits to build a genetic profile for each function, enabling precise comparisons across large data sets, much like genetic analysis in biology.
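To make the "genetic profile" idea and the scored matched list tangible, here is an added toy example. It is not URSA's code and does not reproduce URSA's characteristics or scoring; the three characteristics it uses (a histogram of architecture-neutral operation classes, the set of immediate constants, and basic-block count), the weights, the threshold and every function fingerprint in the corpus and the query are constructed assumptions for illustration. The corpus entries are tagged with the kind of corpus they came from, so the output reads like the matched, scored list described above.

```python
import math
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Fingerprint:
    """Several characteristics of one function, combined into one comparable profile.
    The characteristic set is a constructed abstraction for this example."""
    op_classes: Dict[str, int]           # histogram over neutral classes: load/store/arith/shift/branch/call
    constants: FrozenSet[int] = field(default_factory=frozenset)  # immediates such as table magics
    n_blocks: int = 1                    # control-flow size


def cosine(a: Dict[str, int], b: Dict[str, int]) -> float:
    """Cosine similarity of two histograms; tolerant of instruction-count drift across architectures."""
    keys = set(a) | set(b)
    dot = sum(a.get(k, 0) * b.get(k, 0) for k in keys)
    na = math.sqrt(sum(v * v for v in a.values()))
    nb = math.sqrt(sum(v * v for v in b.values()))
    return dot / (na * nb) if na and nb else 0.0


def jaccard(a: FrozenSet[int], b: FrozenSet[int]) -> float:
    """Set overlap of immediate constants (two empty sets count as identical)."""
    return 1.0 if not a and not b else len(a & b) / len(a | b)


def size_similarity(x: int, y: int) -> float:
    """1.0 when block counts are equal, decaying linearly with relative difference."""
    m = max(x, y)
    return 1.0 - abs(x - y) / m if m else 1.0


# Assumed weights: opcode shape dominates, constants are strong evidence, size is a tie-breaker.
WEIGHTS = {"ops": 0.5, "consts": 0.3, "size": 0.2}


def score(f: Fingerprint, g: Fingerprint) -> float:
    """Weighted combination of the per-characteristic similarities, in [0, 1]."""
    return (WEIGHTS["ops"] * cosine(f.op_classes, g.op_classes)
            + WEIGHTS["consts"] * jaccard(f.constants, g.constants)
            + WEIGHTS["size"] * size_similarity(f.n_blocks, g.n_blocks))


def match_against_corpus(query: Dict[str, Fingerprint], corpus: Dict[str, Fingerprint],
                         threshold: float = 0.75) -> List[Tuple[str, str, float]]:
    """Return (query function, corpus function, score) for every pair at or above the threshold,
    best matches first. Corpus keys carry a 'corpus:function' tag for provenance."""
    results = []
    for qname, qf in query.items():
        for cname, cf in corpus.items():
            s = score(qf, cf)
            if s >= threshold:
                results.append((qname, cname, round(s, 3)))
    results.sort(key=lambda r: -r[2])
    return results


# Constructed corpus: one known-vulnerable library, one developer-tool routine.
CORPUS = {
    "knownvuln:crc32_update": Fingerprint(
        {"load": 4, "store": 1, "arith": 6, "shift": 8, "branch": 2, "call": 0},
        frozenset({0xEDB88320, 0xFF}), 3),
    "knownvuln:base64_encode": Fingerprint(
        {"load": 6, "store": 6, "arith": 5, "shift": 4, "branch": 3, "call": 0},
        frozenset({0x3F, 61}), 5),
    "devtool:log_message": Fingerprint(
        {"load": 3, "store": 2, "arith": 1, "shift": 0, "branch": 2, "call": 4},
        frozenset({0}), 4),
}

# Constructed query: two unnamed functions lifted from a firmware image built for another
# architecture, so instruction counts differ slightly while constants and shape persist.
QUERY = {
    "firmware.bin:sub_401000": Fingerprint(
        {"load": 4, "store": 1, "arith": 7, "shift": 8, "branch": 2, "call": 0},
        frozenset({0xEDB88320, 0xFF}), 3),
    "firmware.bin:sub_402200": Fingerprint(
        {"load": 2, "store": 1, "arith": 2, "shift": 0, "branch": 1, "call": 5},
        frozenset({0}), 3),
}

if __name__ == "__main__":
    for qname, cname, s in match_against_corpus(QUERY, CORPUS):
        print(f"{qname:28s} ~ {cname:26s} score={s}")
```

Running it yields a two-row matched list: the first firmware function pairs with the known-vulnerable crc32_update at a score near 1.0 because the table magic and shift-heavy shape survive recompilation, while the second pairs with the developer-tool logging routine at a lower but still confident score; cross pairs fall well under the threshold. A real system would derive the characteristics from disassembly rather than hand-written histograms, and would calibrate the weights and threshold against labelled data.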
Future: use formal methods to determine exact matches, identify possible authors or entities (attribution), and identify toolchains.
Use cases: software supply chain, IP theft, vulnerability assessment, exploit development
“This research was developed with funding from the Defense Advanced Research Projects Agency (DARPA). The views, opinions and/or findings expressed are those of the author and should not be interpreted as representing the official views or policies of the Department of Defense or the U.S. Government.”