The Internet of Things (IoT) refers to networks of billions of physical devices that collect, share, and utilize data in the virtual world. Most IoT applications centralize security assurance in creating, authenticating, transferring, or deleting system components. However, centralization is limited in its ability to meet the security needs of a rapidly growing number of things worldwide. How to scale up these applications with assured security has become a critical challenge. Blockchain technology (BCT) is a promising solution for providing security and protecting privacy at a large scale; in particular, smart contracts offer opportunities to improve the reliability of IoT applications. Smart contracts establish trust in both data and executed processes. Recently, many literature surveys and positioning articles have been published on the integration of BCT with IoT, but they are limited to superficial discussions of technical potential, and very few of them thoroughly explore the challenges of developing BCT for IoT at the technical level. This paper uses the system design approach to scrutinize the state of the art in BCT-based applications and to clarify critical research areas in enabling BCT for security assurance: 1) the relations between BCT and IoT are modeled and discussed; 2) the needs for eliminating threats in IoT-based applications are defined as functional requirements (FRs), and existing works on enabling technologies of BCT are defined as physical solutions (PSs); and 3) the mappings between FRs and PSs are established to identify the limitations and the critical areas for applications of BCT in large-scale distributed environments.