DBOM — Decision Bill of Material

… works!

What is DBOM?

A DBOM (Decision Bill of Materials) is a digital document that traces all the steps that led to a decision made by an AI system. Just as its ancestor, the SBOM (Software Bill Of Materials), the DBOM helps to understand the role of components in a moere and more complex software world. Any DBOM is cryptographically signed and meant to be used in combination with Confidential Computing, in order to guarantee its integrity.

Features

Thoroughly document high-risk (AI) decisions: A DBOM can enforce documentation requirements. Just as software developers are often required to provide an SBOM, AI service providers can use DBOM to comply to the strict regulation of high-risk AI use-cases.
Tamper-proof: Using Confidential Computing, it is possible to generate a DBOM on cloud infrastructure without risking manipulations by the infrastructure provider or an inside attacker.
Effective Forensics: While the DBOM alone can not prevent dangerous AI decisions, it can be used to trace back potential causes and to clearly attribute responsability.
Ready for tooling:The DBOM provides a unified interface, which we plan to use for automated analysis. A DBOM is hard to understand for a human, but ready for automated reasoning.
Traces impact:Just as an SBOM allows to trace the impact of a vulnerable dependency, DBOM allows to trace manipulated or biased datasets, outdated training tools and more.

More Material

White paper Live Demo

Team

DBOM is a project of the Center for Perspicuous Computing (CPEC), a Transregional Collaborative Research Centre, financed by the Deutsche Forschungsgemeinschaft and carried out together by the Saarland University and the Dresden University of Technology. The DBOM team members are:

Prof. Holger Hermanns
Prof. Christof Fetzer
Dr. Hanwei Zhang
Dr.-Ing. Andreas Schmidt
Dipl.-Inf. Julius Wenzel
Dr. phil. Sarah Sterz

Glossary

Confidential Computing: is a hardware technology, where the CPU shields and encrypts the living memory during runtime, thus protecting against attackers with full system access.
High-Risk AI application: TODO: What is the EU definition again?
SBOM: is the short form of Software Bill of Materials. It is an electronic document that lists all the components of a software: dependencies, build system etc. Providing an SBOM has become mandatory in some security-critical contexts.

Fine Print

Acknowledgements Legal