Advertisement

Abstract

While SQL injection attacks have been plaguing web applications for years the threat they pose to RFID systems have only identified recently. Because the architecture of web systems and RFID systems differ considerably the prevention and detection techniques proposed for web applications are not suitable for RFID systems. In this paper we propose a system to secure RFID systems against tag based SQLIA. Our system is optimized for the architecture of RFID systems and consists of a query structure matching technique and tag data cleaning technique. The novelty of the proposed system is that it’s specifically aimed at RFID systems and has the ability to detect and prevent second order injections which is a problem most current solutions haven’t addressed. The preliminary evaluation of our query matching technique is very promising showing very high detection rate with minimal false positives.

Keywords

Parse Tree Generate Query Query Pattern Query Structure Injection Attack 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. 1.
    Glover, B., Bhatt, H.: RFID Essentials. Theory in Practice. O’Reilly Media, Sebastopol (2006)Google Scholar
  2. 2.
    Rieback, M., Simpson, P., Crispo, B., Tanenbaum, A.: RFID malware: Design principles and examples. Pervasive and Mobile Computing 2(4), 405–426 (2006)CrossRefGoogle Scholar
  3. 3.
    Amirtahmasebi, K., Jalalinia, S.R., Khadem, S.: A survey of SQL injection defense mechanisms. In: 6th International Conference for Internet Technology and Secured Transactions. IEEE, London (2009)Google Scholar
  4. 4.
    Tajpour, A., Zade Shooshtari, M.J.J.: Evaluation of SQL Injection Detection and Prevention Techniques. In: 2nd International Conference on Computational Intelligence, Communication Systems and Networks, pp. 216–221. IEEE, Liverpool (2010)Google Scholar
  5. 5.
    Halfond, W., Viegas, J., Orso, A.: A classification of SQL-injection attacks and countermeasures. In: International Symposium on Secure Software Engineering. Citeseer (2006)Google Scholar
  6. 6.
    Huang, Y.W., Huang, S.K., Lin, T.P., Tsai, C.H.: Web application security assessment by fault injection and behavior monitoring. In: 11th International World Wide Web Conference. ACM, Honolulu (2003)Google Scholar
  7. 7.
    McClure, R.A., Krüger, I.H.: SQL DOM: compile time checking of dynamic SQL statements. In: 27th International Conference on Software Engineering. ACM, Missouri (2005)Google Scholar
  8. 8.
    Boyd, S.W., Keromytis, A.D.: SQLrand: Preventing SQL injection attacks. In: Jakobsson, M., Yung, M., Zhou, J. (eds.) ACNS 2004. LNCS, vol. 3089, pp. 292–302. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  9. 9.
    Wassermann, G., Su, Z.: An analysis framework for security in Web applications. In: First FSE Workshop on Specification and Verification of Component-Based Systems (2004)Google Scholar
  10. 10.
    Halfond, W.G.J., Orso, A.: AMNESIA: analysis and monitoring for NEutralizing SQL-injection attacks. In: 3rd International ICSE Workshop on Dynamic Analysis. ACM, MO (2005)Google Scholar
  11. 11.
    Su, Z., Wassermann, G.: The essence of command injection attacks in web applications. In: 33rd Annual Symposium on Principles of Programming Languages. ACM, New York (2006)Google Scholar
  12. 12.
    Suliman, A., Shankarapani, M., Mukkamala, S., Sung, A.: RFID malware fragmentation attacks. IEEE, Los Alamitos (2008)CrossRefGoogle Scholar
  13. 13.
    Das, D., Sharma, U., Bhattacharyya, D.: An Approach to Detection of SQL Injection Vulnerabilities Based on Dynamic Query Matching. International Journal of Computer Applications IJCA 1(25), 39–45 (2010)CrossRefGoogle Scholar
  14. 14.
    Buehrer, G., Weide, B.W., Sivilotti, P.A.G.: Using parse tree validation to prevent SQL injection attacks. In: International Conference on Software Engineering and Middleware. ACM, New York (2005)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2011

Authors and Affiliations

  • Harinda Fernando
    • 1
  • Jemal Abawajy
    • 1
  1. 1.School of ITDeakin UniversityAustralia

Personalised recommendations