European Commission supports asvin’s Distributed Software Bill of Materials for Internet of Things

We are delighted to announce that asvin’s Distributed Software Bill of Materials (D-SBOM) proposal has been accepted for funding under the TRUBLO 2nd open call. TruBlo is an EU-funded innovation project and part of the Next Generation Internet (NGI) initiative. D-SBOM is a 15-month research project. It aims to increase the trust and security of IoT devices by documenting every software package and library used in their firmware, and by making that information available to all relevant partners through a secure distributed ledger.

Introduction

In complex IoT products, such as connected vehicles, the original equipment manufacturers (OEMs) are unable to build a complete software bill of materials because information from component suppliers is missing or outdated. As a result, industry falls short on risk management and mitigation of cyberattacks: it has no overview of the vulnerabilities in the software deployed in the connected product. Adding over-the-air updates to such products further raises the need for better documentation of the software installed. The shift towards more dynamic software supply chains and software processes cannot be achieved with existing legacy systems in an affordable, reliable, secure, and regulatory-compliant way.

Distributed Software Bills of Materials are a novel approach to managing these challenges. Using blockchain technologies, an ecosystem of suppliers can commit and exchange information about the software used in connected components. The process of commitment is secured by blockchain protocols, and the stored information is trusted through the consensus mechanism. Information will additionally be protected by encryption methods for distributed computing to prevent unauthorized access to security- and IP-relevant data. In this way, the entire software supplier ecosystem can easily commit information about the software used in specific components and define the security and access level of the information shared with other suppliers and the OEM.
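As an added illustration (not asvin’s or TruBlo’s own code), the following toy Python model shows the commitment-and-reconciliation flow described above: each supplier commits a canonical digest of its component’s SBOM entry to an append-only hash chain standing in for the ledger, and the OEM reconciles the SBOM it has assembled against the latest commitments, flagging entries that are outdated or were never committed. The entry format, the chain layout and the sample components are assumptions made for the illustration.

```python
# Toy distributed-SBOM model (added illustration, not asvin's D-SBOM code):
# suppliers commit entry digests to a hash chain; the OEM checks its copy.
import hashlib
import json

GENESIS = "0" * 64

def digest(obj: dict) -> str:
    # Canonical JSON so key order or whitespace cannot change the commitment.
    raw = json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(raw).hexdigest()

def commit(chain: list, supplier: str, component: str, entry: dict) -> str:
    # Append a block that links to the previous one; returns the block hash.
    prev = chain[-1]["hash"] if chain else GENESIS
    block = {"supplier": supplier, "component": component,
             "digest": digest(entry), "prev": prev}
    block["hash"] = digest(block)
    chain.append(block)
    return block["hash"]

def verify_chain(chain: list) -> bool:
    prev = GENESIS
    for b in chain:
        body = {k: v for k, v in b.items() if k != "hash"}
        if body["prev"] != prev or digest(body) != b["hash"]:
            return False
        prev = b["hash"]
    return True

def reconcile(oem_sbom: dict, chain: list) -> dict:
    # Per component: current / outdated / uncommitted vs. the latest commitment.
    latest = {b["component"]: b["digest"] for b in chain}  # later blocks win
    def status(component, entry):
        if component not in latest:
            return "uncommitted"
        return "current" if latest[component] == digest(entry) else "outdated"
    return {c: status(c, e) for c, e in oem_sbom.items()}

def demo() -> dict:
    # Constructed sample: supplier A ships an update the OEM has not received.
    chain = []
    tcu_v1 = {"name": "tcu-fw", "version": "1.0", "libs": ["zlib@1.2.11"]}
    tcu_v2 = {"name": "tcu-fw", "version": "1.1", "libs": ["zlib@1.2.13"]}
    bms = {"name": "bms-fw", "version": "2.3", "libs": ["freertos@10.4"]}
    commit(chain, "supplier-A", "tcu", tcu_v1)
    commit(chain, "supplier-B", "bms", bms)
    commit(chain, "supplier-A", "tcu", tcu_v2)
    oem_sbom = {"tcu": tcu_v1, "bms": bms, "ivi": {"name": "ivi-fw"}}
    return reconcile(oem_sbom, chain)
```

Running `demo()` reports the TCU entry as outdated, the BMS entry as current, and the IVI entry as uncommitted, which is exactly the missing-or-outdated supplier information the introduction describes.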

Organization

The innovation project will be organized and executed strictly under the SCRUM framework. A dedicated SCRUM master will oversee and manage the project using sprints. Each sprint will begin with planning and end with a review and a retrospective. Each scrum event will be tightly monitored to minimize the product and sprint backlogs. Moreover, the project has been divided into two phases. In the first phase, the D-SBOM architecture and system design will be prepared and validated with industry stakeholders. Development and implementation will take place in the second phase. Each phase is further broken down into tasks, objectives, deliverables and milestones.

Value Addition to TRUBLO

D-SBOM will add value to the TRUBLO project by:
– Implementing a strong industrial demonstration of distributed ledger / blockchain technologies and implementing trust layers across software supply chain ecosystems, e.g. in the automotive and vehicle industry.
– Validating D-SBOM with stakeholders from industry (tier-1 suppliers and OEMs) and presenting the results at industrial events such as ARENA 2036.
– Publishing the results as open-source libraries and showcasing the implementation to partners from the blockchain ecosystem and projects: Alastria, Ethereum Foundation, Hyperledger and Crypto Valley Switzerland.
– Building a Proof of Concept (PoC) of D-SBOM on Alastria Network B as a showcase of Distributed Software Bills of Materials for connected vehicles.
– Validating the DLT architecture on the Alastria infrastructure.
– Obtaining approval of the PoC by testing it with suppliers and OEMs from the automotive industry.

Further Resources