Securing RFID Systems from SQLIA
While SQL injection attacks have been plaguing web applications for years, the threat they pose to RFID systems has only been identified recently. Because the architectures of web systems and RFID systems differ considerably, the prevention and detection techniques proposed for web applications are not suitable for RFID systems. In this paper we propose a system to secure RFID systems against tag-based SQLIA. Our system is optimized for the architecture of RFID systems and consists of a query structure matching technique and a tag data cleaning technique. The novelty of the proposed system is that it is specifically aimed at RFID systems and can detect and prevent second-order injections, a problem most current solutions have not addressed. The preliminary evaluation of our query matching technique is very promising, showing a very high detection rate with minimal false positives.
Keywords: Parse Tree, Generate Query, Query Pattern, Query Structure, Injection Attack