Malware Detection and Prevention in RFID Systems

Chapter
Part of the Studies in Computational Intelligence book series (SCI, volume 460)

Abstract

The threat that malware poses to RFID systems was identified only recently. Fortunately, all currently known RFID malware is based on SQLIA. Therefore, in this chapter we propose a dual pronged, tag based SQLIA detection and prevention method optimized for RFID systems. The first technique is a SQL query matching approach that uses simple string comparisons and provides strong security against a majority of the SQLIA types possible on RFID systems. To provide security against second order SQLIA, which is a major gap in the current literature, we also propose a tag data validation and sanitization technique. The preliminary evaluation of our query matching technique is very promising, showing 100% detection rates and 0% false positives for all attacks other than second order injection.

Keywords

Parse Tree Generate Query Query Pattern Query Structure Injection Attack 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.
This is a preview of subscription content, log in to check access.

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. 1.
    Rieback, M., Simpson, P., Crispo, B., Tanenbaum, A.: RFID malware: Design principles and examples. Pervasive and Mobile Computing 2(4), 405–426 (2006)CrossRefGoogle Scholar
  2. 2.
    Fernando, H., Abawajy, J.: Securing RFID Systems from SQLIA. In: Xiang, Y., Cuzzocrea, A., Hobbs, M., Zhou, W. (eds.) ICA3PP 2011, Part II. LNCS, vol. 7017, pp. 245–254. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  3. 3.
    Amirtahmasebi, K., Jalalinia, S.R., Khadem, S.: A survey of SQL injection defense mechanisms. In: 6th International Conference for Internet Technology and Secured Transactions, London, UK, November 9-12, pp. 1–8. IEEE (2009)Google Scholar
  4. 4.
    Schuster, E.W., Allen, S.J., Brock, D.L.: Global RFID. Springer, Berlin (2007)Google Scholar
  5. 5.
    Kindy, D.A., Pathan, A.K.: A survey on SQL injection: Vulnerabilities, attacks, and prevention techniques. In: IEEE 15th International Symposium on Consumer Electronics (ISCE), Singapore, June 14-17, pp. 468–471 (2011)Google Scholar
  6. 6.
    Halfond, W., Viegas, J., Orso, A.: A classification of SQL-injection attacks and countermeasures. In: International Symposium on Secure Software Engineering. Citeseer (2006)Google Scholar
  7. 7.
    Rieback, M., Tanenbaum, A., Crispo, B.: RFID Malware: Truth vs. Myth. IEEE Security and Privacy 4(4), 70–72 (2006)CrossRefGoogle Scholar
  8. 8.
    Suliman, A., Shankarapani, M., Mukkamala, S., Sung, A.: RFID malware fragmentation attacks. In: International Symposium on Collaborative Technologies and Systems, Irvine, CA, pp. 533–539. IEEE (2008)Google Scholar
  9. 9.
    Fernando, H., Abawajy, J.: A RFID Architecture Framework for Global Supply Chain Applications. In: 11th International Conference on Information Integration and Web-based Application and Services, Kular Lampur, Malaysia. ACM (2009)Google Scholar
  10. 10.
    Brabrand, C., Møller, A., Ricky, M., Schwartzbach, M.I.: Powerforms: Declarative client-side form field validation. World Wide Web 3(4), 205–214 (2000)MATHCrossRefGoogle Scholar
  11. 11.
    McClure, R.A., Krüger, I.H.: SQL DOM: compile time checking of dynamic SQL statements. In: 27th International Conference on Software Engineering, Missouri, USA, pp. 88–96. ACM (2005)Google Scholar
  12. 12.
    Valeur, F., Mutz, D., Vigna, G.: A Learning-Based Approach to the Detection of SQL Attacks. In: Julisch, K., Kruegel, C. (eds.) DIMVA 2005. LNCS, vol. 3548, pp. 123–140. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  13. 13.
    Boyd, S.W., Keromytis, A.D.: SQLrand: Preventing SQL Injection Attacks. In: Jakobsson, M., Yung, M., Zhou, J. (eds.) ACNS 2004. LNCS, vol. 3089, pp. 292–302. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  14. 14.
    Wassermann, G., Su, Z.: An analysis framework for security in Web applications. In: First FSE Workshop on Specification and Verification of Component-Based Systems, p. 70 (2004)Google Scholar
  15. 15.
    Gould, C., Su, Z., Devanbu, P.: JDBC checker: A static analysis tool for SQL/JDBC applications. In: 26th International Conference on Software Engineering, pp. 697–698. IEEE (2004)Google Scholar
  16. 16.
    Halfond, W.G.J., Orso, A.: AMNESIA: analysis and monitoring for NEutralizing SQL-injection attacks. In: 3rd International ICSE Workshop on Dynamic Analysis, MO, USA, pp. 174–183. ACM (2005)Google Scholar
  17. 17.
    Buehrer, G., Weide, B.W., Sivilotti, P.A.G.: Using parse tree validation to prevent SQL injection attacks. In: International Conference on Software Engineering and Middleware, pp. 106–113. ACM (2005)Google Scholar
  18. 18.
    Su, Z., Wassermann, G.: The essence of command injection attacks in web applications. In: 33rd Annual Symposium on Principles of Programming Languages, pp. 372–382. ACM (January 2006)Google Scholar
  19. 19.
    Sulaiman, A., Mukkamala, S., Sung, A.: SQL infections through RFID. Journal in Computer Virology 4(4), 347–356 (2008)CrossRefGoogle Scholar
  20. 20.
    Zhang, Q., Wang, X.: SQL Injections through Back-End of RFID System. In: International Symposium on Computer Network and Multimedia Technology, pp. 1–4. IEEE (2009)Google Scholar
  21. 21.
    Kyaw, A.K.: Digital Forensics in small devices: RFID tag investigation. AUT University, Auckland (2011)Google Scholar
  22. 22.
    Das, D., Sharma, U., Bhattacharyya, D.: An Approach to Detection of SQL Injection Vulnerabilities Based on Dynamic Query Matching. International Journal of Computer Applications IJCA 1(25), 39–45 (2010)CrossRefGoogle Scholar
  23. 23.
    Gould, C., Su, Z., Devanbu, P.: Static checking of dynamically generated queries in database applications. In: 26th International Conference on Software Engineering (2004)Google Scholar
  24. 24.
    Bisht, P., Madhusudan, P., Venkatakrishnan, V.N.: CANDID: Dynamic candidate evaluations for automatic prevention of SQL injection attacks. ACM Transactions on Information Systems Security 13(2), 1–39 (2010), doi:10.1145/1698750.1698754CrossRefGoogle Scholar
  25. 25.
    McClure, R.A., Kruger, I.H.: SQL DOM: compile time checking of dynamic SQL statements. In: 27th International Conference on Software Engineering, May 15-21, pp. 88–96 (2005)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2013

Authors and Affiliations

  1. 1.Deakin UniversityGeelongAustralia

Personalised recommendations