Abstract
The threat that malware poses to RFID systems was identified only recently. Fortunately, all currently known RFID malware is based on SQL injection attacks (SQLIA). Therefore, in this chapter we propose a dual-pronged, tag-based SQLIA detection and prevention method optimized for RFID systems. The first technique is a SQL query matching approach that uses simple string comparisons and provides strong security against the majority of the SQLIA types possible on RFID systems. To provide security against second-order SQLIA, which is a major gap in the current literature, we also propose a tag data validation and sanitization technique. The preliminary evaluation of our query matching technique is very promising, showing 100% detection rates and 0% false positives for all attacks other than second-order injection.
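As an added illustration of the two prongs the abstract describes (this is example code, not the chapter's own implementation), the following Python shows a query-matching check that compares the structure of a dynamically built query against its template with all literals masked, and a whitelist validation and sanitization step applied to tag data before it reaches any query. The query templates, the 96-bit EPC rendered as 24 hexadecimal digits, the whitelist for free-text tag memory and all sample inputs are assumptions made for the example.

```python
import re

# Constructed query templates standing in for what an RFID middleware might build
# (assumption: not the chapter's own templates). "{tag}" is where tag data is spliced in.
QUERY_TEMPLATES = {
    "lookup_product": "SELECT product_id, description FROM products WHERE epc = '{tag}'",
    "log_read": "INSERT INTO reads (epc, reader_id) VALUES ('{tag}', '{reader}')",
}

# --- Prong 1: query matching on structure ------------------------------------
_STRING_LIT = re.compile(r"'(?:[^']|'')*'")      # single-quoted literal, '' as escaped quote
_NUMBER_LIT = re.compile(r"\b\d+(?:\.\d+)?\b")   # bare numeric literal
_PLACEHOLDER = re.compile(r"\{[a-z_]+\}")
_WS = re.compile(r"\s+")


def skeleton(query: str) -> str:
    """Reduce SQL text to its structure: every literal becomes '?', whitespace is
    collapsed and the text is case-folded, so only the query's shape is compared."""
    q = _STRING_LIT.sub("?", query)
    q = _NUMBER_LIT.sub("?", q)
    return _WS.sub(" ", q).strip().upper()


def expected_skeleton(template_name: str) -> str:
    """Skeleton of the template with every placeholder filled by a harmless literal."""
    filled = _PLACEHOLDER.sub("0", QUERY_TEMPLATES[template_name])
    return skeleton(filled)


def build_query(template_name: str, **fields) -> str:
    """Naive string-built query, the pattern the chapter's setting assumes."""
    return QUERY_TEMPLATES[template_name].format(**fields)


def query_matches(template_name: str, runtime_query: str) -> bool:
    """True when the runtime query has exactly the structure the template predicts.
    Tag data that adds clauses, comparisons or comments changes the skeleton and
    is rejected; benign data only changes literals, which are masked out."""
    return skeleton(runtime_query) == expected_skeleton(template_name)


# --- Prong 2: tag data validation and sanitization ---------------------------
# Assumed identifier format: a 96-bit EPC rendered as 24 hexadecimal digits.
_EPC_HEX = re.compile(r"[0-9A-F]{24}")
# Whitelist for free-text tag memory: letters, digits, space and a few separators.
_FREE_TEXT_DISALLOWED = re.compile(r"[^A-Za-z0-9 ._-]")


def validate_tag_data(raw: str) -> tuple:
    """Whitelist validation of an identifier read from a tag, done at ingest so
    that anything later stored and reused in another query is already clean."""
    cleaned = raw.strip().upper()
    return _EPC_HEX.fullmatch(cleaned) is not None, cleaned


def sanitize_free_text(raw: str) -> str:
    """Sanitize free-form tag memory by dropping every character outside the whitelist."""
    return _WS.sub(" ", _FREE_TEXT_DISALLOWED.sub("", raw)).strip()


def check_tag_read(template_name: str, raw_tag: str, **other) -> dict:
    """Apply both prongs to one tag read and return a verdict with the reason."""
    ok, tag = validate_tag_data(raw_tag)
    if not ok:
        return {"verdict": "reject", "reason": "tag data failed format validation", "query": None}
    query = build_query(template_name, tag=tag, **other)
    if not query_matches(template_name, query):
        return {"verdict": "reject", "reason": "query structure differs from template", "query": query}
    return {"verdict": "allow", "reason": "", "query": query}


if __name__ == "__main__":
    # Constructed sample reads: one well-formed EPC and one tautology-style payload.
    for raw in ("3034257BF7194E4000001A85", "1' OR '1'='1"):
        print(raw, "->", check_tag_read("lookup_product", raw))
```

The structural comparison is what makes the string-based check robust: simply searching the runtime query for the raw tag data would not help, because a quote-bearing payload reproduces the template text exactly once it is substituted back. Masking literals instead exposes any extra `OR`, comparison or comment that the payload introduces. Where the middleware can be changed, parameterized queries remove the splicing step altogether; the validation prong still matters there, because it keeps stored tag data clean for any later query that concatenates it.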
© 2013 Springer-Verlag Berlin Heidelberg
Cite this chapter
Fernando, H., Abawajy, J. (2013). Malware Detection and Prevention in RFID Systems. In: Bessis, N., Xhafa, F., Varvarigou, D., Hill, R., Li, M. (eds) Internet of Things and Inter-cooperative Computational Technologies for Collective Intelligence. Studies in Computational Intelligence, vol 460. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-34952-2_6
DOI: https://doi.org/10.1007/978-3-642-34952-2_6
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-34951-5
Online ISBN: 978-3-642-34952-2
eBook Packages: Engineering (R0)