Home // SECURWARE 2022, The Sixteenth International Conference on Emerging Security Information, Systems and Technologies // View article

AC-SIF: ACE Access Control for Standardized Secure IoT Firmware Updates

Authors:
Joel Höglund
Anum Khurshid
Shahid Raza

Keywords: ACE; SUIT; COSE; IoT; security

Abstract:
Globally identifiable, internet-connected embedded systems can be found throughout critical infrastructures in modern societies. Many of these devices operate unattended for several years at a time, which means a remote software update mechanism should be available in order to patch vulnerabilities. However, this is most often not the case, largely due to interoperability issues endemic to the Internet of Things (IoT). Significant progress toward global IoT compatibility has been made in recent years. In this paper we build upon emerging IoT technologies and recommendations from IETF SUIT working group to design a firmware update architecture which (1) provides end-to-end security between authors and devices, (2) is agnostic to the underlying transport protocols, (3) does not require trust anchor provisioning by the manufacturer and (4) uses standard solutions for crypto and message encodings. This work presents the design of a firmware manifest (i.e., metadata) serialization scheme based on CBOR and COSE, and a profile of CBOR Web Token (CWT) to provide access control and authentication for update authors. We demonstrate that this architecture can be realized whether or not the recipient devices support asymmetric cryptography. We then encode these data structures and find that all required metadata and authorization information for a firmware update can be encoded in less than 600 bytes with this architecture.

Pages: 54 to 62

Copyright: Copyright (c) IARIA, 2022

Publication date: October 16, 2022

Published in: conference

ISSN: 2162-2116

ISBN: 978-1-68558-007-0

Location: Lisbon, Portugal

Dates: from October 16, 2022 to October 20, 2022