Distributed SUIT Architecture Model

In the existing SUIT architecture, firmware images and manifest files are stored in the firmware servers, which deploy the firmware images based on the traditional server-client model. However, in the server-client model, servers may endure excessive network traffic and overload because of the centralized architecture. As the number of IoT devices is rapidly increasing, the servers will be overwhelming to handle the requests from the IoT devices all around the world. Also, a server is a high-value target for adversaries since the server takes charge of data management. In the server-client model, the firmware consumers are unable to download the latest firmware image if the authors disappeared. In this draft, we propose a distributed firmware update architecture by applying blockchain to the existing SUIT architecture. The proposed distributed SUIT architecture decentralizes the requests from the IoT devices, prevents targeting attacks, and provides sustainable updates even after an author disappears.

The existing SUIT update architecture is as follows:

| Firmware | |<---------------| | | | | Server | | | Author | | | | | | | | | | +----------+ | +-----------+ | | +----------+ +-----------+ | /-------+-------\ /-----------\ / v \ / \ | +------------+ | / \ | | Firmware | | | | / | Consumer | \ Device / +--------+ \ | +------------+ | Management | | | | / | |<----\---------------/---> | Status | \ ` | Device | ` | | Tracker| | / +------------+ \ / | | \ \ / | +--------+ | \ / \ / \ / \ / \ Network / | Device | , Operator , \ Operator / \ / | | | | \ / \ / '-----------‘ '----------------’ ]]> The existing SUIT architecture can cause failures and targeting attacks due to the centralized server-client model. The author's continued service offer is not guaranteed. The company and its servers may disappear due to an attacker's cyber-attack or funding problems. In the worst case, all author nodes managed by the author may not function properly. At this point, devices that have not been updated with the latest firmware before the author disappears can no longer update the firmware. The existing SUIT architecture cannot solve author disappearing issues. If the firmware update does not complete properly, the client may not be able to use the newly provided service or the security patch and be exposed to the cyber-attack easily.

In the firmware update architecture based on server-client model, the firmware consumers request the firmware server to download the latest version of the firmware. However, the traditional server-client method adopted in the existing SUIT architecture can cause several problems in network traffic, data security and firmware update persistence. In the server-client model, data is dependently managed by the server in a centralized structure. Since many clients request one server, this centralized structure causes excessive overhead when excessive network traffic occurs and may cause a situation in which requests are not properly processed. In addition, when an attacker attacks a server, it is impossible to use all data managed by the server, so an attack targeting the server may occur.

As shown in Figure 2, the authors upload the manifest files and firmware images to the blockchain network in the proposed firmware update architecture. The IoT devices download the manifest files and firmware images through the blockchain network. When an IoT device requests upload, the retrieval nodes retrieve the firmware images that were stored as chunks in a distributed file system and deliver the manifest file and firmware image after the device verified.

TBA.

This document presents no IANA considerations.