Abstract
While SQL injection attacks have been plaguing web applications for years the threat they pose to RFID systems have only identified recently. Because the architecture of web systems and RFID systems differ considerably the prevention and detection techniques proposed for web applications are not suitable for RFID systems. In this paper we propose a system to secure RFID systems against tag based SQLIA. Our system is optimized for the architecture of RFID systems and consists of a query structure matching technique and tag data cleaning technique. The novelty of the proposed system is that it’s specifically aimed at RFID systems and has the ability to detect and prevent second order injections which is a problem most current solutions haven’t addressed. The preliminary evaluation of our query matching technique is very promising showing very high detection rate with minimal false positives.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Preview
Unable to display preview. Download preview PDF.
References
Glover, B., Bhatt, H.: RFID Essentials. Theory in Practice. O’Reilly Media, Sebastopol (2006)
Rieback, M., Simpson, P., Crispo, B., Tanenbaum, A.: RFID malware: Design principles and examples. Pervasive and Mobile Computing 2(4), 405–426 (2006)
Amirtahmasebi, K., Jalalinia, S.R., Khadem, S.: A survey of SQL injection defense mechanisms. In: 6th International Conference for Internet Technology and Secured Transactions. IEEE, London (2009)
Tajpour, A., Zade Shooshtari, M.J.J.: Evaluation of SQL Injection Detection and Prevention Techniques. In: 2nd International Conference on Computational Intelligence, Communication Systems and Networks, pp. 216–221. IEEE, Liverpool (2010)
Halfond, W., Viegas, J., Orso, A.: A classification of SQL-injection attacks and countermeasures. In: International Symposium on Secure Software Engineering. Citeseer (2006)
Huang, Y.W., Huang, S.K., Lin, T.P., Tsai, C.H.: Web application security assessment by fault injection and behavior monitoring. In: 11th International World Wide Web Conference. ACM, Honolulu (2003)
McClure, R.A., Krüger, I.H.: SQL DOM: compile time checking of dynamic SQL statements. In: 27th International Conference on Software Engineering. ACM, Missouri (2005)
Boyd, S.W., Keromytis, A.D.: SQLrand: Preventing SQL injection attacks. In: Jakobsson, M., Yung, M., Zhou, J. (eds.) ACNS 2004. LNCS, vol. 3089, pp. 292–302. Springer, Heidelberg (2004)
Wassermann, G., Su, Z.: An analysis framework for security in Web applications. In: First FSE Workshop on Specification and Verification of Component-Based Systems (2004)
Halfond, W.G.J., Orso, A.: AMNESIA: analysis and monitoring for NEutralizing SQL-injection attacks. In: 3rd International ICSE Workshop on Dynamic Analysis. ACM, MO (2005)
Su, Z., Wassermann, G.: The essence of command injection attacks in web applications. In: 33rd Annual Symposium on Principles of Programming Languages. ACM, New York (2006)
Suliman, A., Shankarapani, M., Mukkamala, S., Sung, A.: RFID malware fragmentation attacks. IEEE, Los Alamitos (2008)
Das, D., Sharma, U., Bhattacharyya, D.: An Approach to Detection of SQL Injection Vulnerabilities Based on Dynamic Query Matching. International Journal of Computer Applications IJCA 1(25), 39–45 (2010)
Buehrer, G., Weide, B.W., Sivilotti, P.A.G.: Using parse tree validation to prevent SQL injection attacks. In: International Conference on Software Engineering and Middleware. ACM, New York (2005)
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2011 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Fernando, H., Abawajy, J. (2011). Securing RFID Systems from SQLIA. In: Xiang, Y., Cuzzocrea, A., Hobbs, M., Zhou, W. (eds) Algorithms and Architectures for Parallel Processing. ICA3PP 2011. Lecture Notes in Computer Science, vol 7017. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-24669-2_24
Download citation
DOI: https://doi.org/10.1007/978-3-642-24669-2_24
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-24668-5
Online ISBN: 978-3-642-24669-2
eBook Packages: Computer ScienceComputer Science (R0)