Luis Soeiro presents his work on software supply chains at FPS 2025
The 18th International Symposium on Security Fundamentals and Practice (FPS 2025) was held from November 25 to 27, 2025, at IMT Atlantique in Brest. This annual event brings together researchers and professionals from around the world. The aim is to share knowledge on the security, confidentiality, and resilience of interconnected systems. The 2025 edition placed particular emphasis on innovations based on artificial intelligence, transportation systems, and critical infrastructure. In this way, the symposium promotes scientific exchange and international collaboration.
In this context, Luis Soeiro, a doctoral student at Télécom Paris, presented his paper “Finding Software Supply Chain Attack Paths with Logical Attack Graphs.” His presentation took place during Session 3: “Formal Methods and Automated Analysis for Secure Software Systems.” This session was dedicated to formal methods and automated tools for securing complex software.
The software supply chain: a strategic challenge
Software supply chains (SSCs) are becoming increasingly complex. The proliferation of software products and their dependencies increases the risk of vulnerabilities. To better manage this complexity, the Software Bill of Materials (SBOM) is used. This is a detailed inventory of all software components. However, studies on actual SBOMs remain limited.
To fill this gap, Luis Soeiro and his co-authors have compiled the largest SBOM dataset to date. It includes more than 78,000 unique files from over 94 million public repositories. This database is therefore a valuable tool for research into software supply chain security.
Evaluation of tools and new methods
To effectively leverage SBOMs, the industry needs reliable automated tools. The study analyzes eight state-of-the-art tools for validating and assessing the quality of SBOMs. The results show that the majority of SBOMs are not immediately usable. In addition, existing tools produce divergent results.
To address these limitations, researchers have developed a new method for estimating threats in the software supply chain. This approach identifies key components that propagate or suffer attacks. It is based on a set of rules that take into account vulnerabilities and attacker behavior.
MulVal extension for better attack modeling
The open source MulVal tool, used to generate logical attack graphs, has limitations in propagating SSC threats. To address this, the team has developed an extension to MulVal. It includes new predicates and rules to better represent interactions within supply chains. In addition, this extension includes 20 test scenarios and a comprehensive validation framework. This allows for more effective analysis of modern attacks such as XZ or 3CX.
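To make the idea of propagating supply chain threats through logical attack graph rules concrete, here is an added toy example (not the paper's MulVAL extension, and its predicate names, rules and SBOM facts are constructed assumptions): a forward-chaining evaluator over SBOM dependency facts that derives which components become compromised when an upstream component is malicious, and records the derivation so the attack path can be read back.

```python
# Toy forward-chaining evaluation of MulVAL-style Datalog rules over an
# SBOM dependency graph. Added example: predicate names and rules are
# assumptions, not the predicates of the FPS 2025 paper's extension.

# Constructed SBOM-like facts: component -> direct dependencies.
SBOM_DEPENDS_ON = {
    "app": ["libssh", "liblzma-bind"],
    "libssh": ["liblzma"],
    "liblzma-bind": ["liblzma"],
    "liblzma": [],
    "unrelated": ["zlib"],
    "zlib": [],
}


def derive_attack_paths(depends_on, malicious_upstream):
    """Forward-chain two rules until a fixpoint is reached:
       compromised(C) :- maliciousUpstream(C).              (base fact)
       compromised(C) :- dependsOn(C, D), compromised(D).   (propagation)
    Returns {component: rule instance that first proved it}; those rule
    instances are the edges of the logical attack graph."""
    derived = {c: ("maliciousUpstream", c) for c in malicious_upstream}
    changed = True
    while changed:
        changed = False
        for comp, deps in depends_on.items():
            if comp in derived:
                continue
            for dep in deps:
                if dep in derived:
                    derived[comp] = ("dependsOn", comp, dep)
                    changed = True
                    break
    return derived


def attack_path(derived, target):
    """Walk the derivations back from target to the malicious upstream,
    giving one concrete attack path through the dependency chain."""
    path = [target]
    while derived[path[-1]][0] == "dependsOn":
        path.append(derived[path[-1]][2])
    return path


def affected_components(depends_on, malicious_upstream):
    """Sorted list of every component reachable by the propagation rule."""
    return sorted(derive_attack_paths(depends_on, malicious_upstream))
```

Running `affected_components(SBOM_DEPENDS_ON, {"liblzma"})` shows that three downstream components inherit the compromise while `unrelated` and `zlib` stay clean; `attack_path` then explains why for any of them.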
FPS 2025: a major scientific event
FPS 2025 is an unmissable event for the scientific and professional community. It promotes the dissemination of innovative work, the development of collaborative programs, and exchanges between researchers, students, and professionals. Luis Soeiro’s participation perfectly illustrates this mission. His work combines a theoretical approach with practical applications, thereby helping to strengthen the security of interconnected systems.