Distributed Software Bill of Materials


IoT is suffering from increasing cybersecurity problems caused by software vulnerabilities. In 2020 malware infections of IoT devices rose by 100%, accounting for 33% of malicious activity observed in networks, and vulnerable software is the main cause.

Software stacks in IoT are often assembled through software supply chains that draw on multiple sources. Users need a clear picture of all software installed in order to improve IoT device security. This goal is reached through a Software Bill of Materials (SBOM), which documents all installed software. However, many IoT products such as connected cars are built in highly complex supply chains with n-tier suppliers, and the software base changes continuously through over-the-air updates. Current centralized systems for a bill of materials cannot meet the security and confidentiality requirements of trusted data exchange: centralized architectures are less flexible and form a single point of failure. The result is a lack of information and a lack of trust in the data that is provided.

D-SBOM (Distributed Software Bills of Materials) will provide a solution for complex IoT software supply chains: it documents all software used in IoT devices and distributes this information in a secure and trusted way to all users and actors. With D-SBOM, IoT vendors can keep track of the software installed on IoT devices and its origin. This information enables operators to continuously monitor IoT devices for known software vulnerabilities (CVEs) and to plan their risk mitigation, such as updating or isolating affected devices. Using blockchain and DLT, D-SBOM will provide a novel solution that is more secure and advanced than existing centralized models:

  1. Decentralized ledgers instead of a central database, removing the single point of failure
  2. Immutable storage of information, protected from manipulation by cyberattacks
  3. Increased trust through a consensus mechanism across the software supply chain
  4. Protocols built on the open-source stacks of Hyperledger and the Ethereum Foundation
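The two consumer-side steps described above, matching SBOM components against known-vulnerable version ranges and checking a received SBOM against a digest recorded in an immutable store, as an added example. This is not asvin's D-SBOM code: the CycloneDX-flavoured SBOM, the advisory identifiers (`ADV-EXAMPLE-…`) and their version ranges are all constructed for this example and do not correspond to real CVEs, and the ledger itself is stood in for by the anchored SHA-256 digest.

```python
"""Added example of SBOM consumption (not asvin's D-SBOM code).

Two pieces a D-SBOM consumer needs regardless of the ledger underneath:
  1. match the components listed in an SBOM against known-vulnerable
     version ranges (the CVE monitoring step), and
  2. bind the SBOM to a content digest so that a copy fetched later can be
     checked against the digest recorded in an immutable store.
The SBOM layout is CycloneDX-flavoured JSON constructed for this example;
the advisory identifiers and version ranges are invented, not real CVEs.
"""
import hashlib
import json
import re


# Constructed SBOM for a fictional gateway firmware image.
SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "metadata": {"component": {"name": "gateway-fw", "version": "3.2.0"}},
    "components": [
        {"name": "openssl", "version": "1.1.1k", "supplier": "tier1-vendor"},
        {"name": "busybox", "version": "1.33.1", "supplier": "tier2-vendor"},
        {"name": "mbedtls", "version": "2.16.6", "supplier": "tier1-vendor"},
    ],
}

# Constructed advisories: a component is affected if introduced <= version < fixed.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "component": "openssl", "introduced": "1.1.1", "fixed": "1.1.1l"},
    {"id": "ADV-EXAMPLE-0002", "component": "busybox", "introduced": "1.30.0", "fixed": "1.33.0"},
    {"id": "ADV-EXAMPLE-0003", "component": "mbedtls", "introduced": "2.16.0", "fixed": "2.16.7"},
]


def version_key(version):
    """Sortable key for dotted versions with optional letter suffixes
    (e.g. OpenSSL's 1.1.1k). Numeric runs compare as integers, letter
    runs as strings, and a plain prefix sorts before a suffixed one."""
    parts = re.findall(r"\d+|[A-Za-z]+", version)
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in parts)


def affected(sbom, advisories):
    """Return one finding per (component, advisory) pair whose installed
    version falls inside the advisory's half-open range."""
    findings = []
    for comp in sbom["components"]:
        key = version_key(comp["version"])
        for adv in advisories:
            if adv["component"] != comp["name"]:
                continue
            if version_key(adv["introduced"]) <= key < version_key(adv["fixed"]):
                findings.append({"component": comp["name"], "version": comp["version"],
                                 "supplier": comp["supplier"], "advisory": adv["id"]})
    return findings


def sbom_digest(sbom):
    """SHA-256 over a canonical (sorted-key, no-whitespace) JSON encoding, so
    the same content always yields the same digest. This hex string is what
    would be written to the ledger; the SBOM document itself need not be."""
    canonical = json.dumps(sbom, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


def verify_sbom(sbom, anchored_digest):
    """True if a received SBOM still matches the anchored digest."""
    return sbom_digest(sbom) == anchored_digest


def tampered_copy(sbom, component, new_version):
    """Deep copy of the SBOM with one component's version rewritten,
    simulating a supplier quietly swapping a version after anchoring."""
    copy = json.loads(json.dumps(sbom))
    for comp in copy["components"]:
        if comp["name"] == component:
            comp["version"] = new_version
    return copy


if __name__ == "__main__":
    anchor = sbom_digest(SBOM)
    print("anchored digest:", anchor)
    for f in affected(SBOM, ADVISORIES):
        print(f"{f['component']} {f['version']} ({f['supplier']}) affected by {f['advisory']}")
    forged = tampered_copy(SBOM, "openssl", "1.1.1l")  # claims the already-fixed version
    print("forged SBOM verifies:", verify_sbom(forged, anchor))  # False
```

On the constructed input this reports openssl 1.1.1k and mbedtls 2.16.6 as affected, leaves busybox 1.33.1 alone because it is past the fixed version, and rejects the forged copy that claims the patched OpenSSL. Two caveats for a real deployment: production matching keys on package URLs or CPEs rather than bare names, and `version_key` is a heuristic that handles OpenSSL-style letter suffixes but not every ecosystem's ordering rules (pre-release tags, epochs), so per-ecosystem comparators are needed.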

All results will be published under an open-source license and presented at major industrial events such as ARENA2036 to encourage industrial companies and enterprises to adopt D-SBOM.


Sven Rahlfs is an experienced senior project manager, researcher and co-founder of asvin GmbH. He has worked actively in IoT security research projects such as IoTCrawler (H2020), KATANA (H2020), MITASSIST (BMBF) and PoisonIvy (State BW), and as a freelance expert for enterprises such as BOSCH, PORSCHE, WHIRLPOOL and many more. He contributes to the asvin project's open-source libraries on GitHub (github.com/Asvin-io). Sven is a certified Scrum Master and a skilled project manager for agile software projects.

Rohit Bohara is the CTO of asvin and an experienced blockchain and IoT expert. He has worked actively in IoT security research projects such as IoTCrawler (H2020), KATANA (H2020), MITASSIST (BMBF), PoisonIvy (State BW), Fed4Fire and Fed4Fire+, and contributes to open-source projects such as FENTEC functional encryption (github.com/fentec-project), IoTCrawler and the asvin project (github.com/Asvin-io). Rohit has worked as an engineer for semiconductor companies such as LG and ARM.

Mirko Ross is an internationally recognized cybersecurity expert, researcher and co-founder of asvin GmbH. He has worked actively in IoT security research projects such as IoTCrawler (H2020), KATANA (H2020), MITASSIST (BMBF) and PoisonIvy (State BW). In addition, Mirko has contributed to the baseline security recommendations of ENISA as a member of its IoT Security Expert Group and to the DLT recommendations of AIOTI. He publishes regularly in IT media such as Heise.de and it-informatik and contributes to cybersecurity podcasts (SecuringDigitalization, Spotlight NGI Architects, Safety now and more). Mirko is also active in IEEE working groups related to DLT standards and SSI. A recent paper on disposable identities: https://ieeexplore.ieee.org/document/9527950