RFIDs and command injection attacks

There are two phrases you never thought would go together! What do RFIDs, those tiny, powerless, passive things, have to do with havoc-wreaking command injection attacks?

Andrew Tanenbaum’s group has just published a paper that shows how seemingly innocent RFIDs can be used to inject malicious code into the backends that process their data:

One day a container arrives in the supermarket distribution center that is carrying a surprising payload. The container’s RFID tag is infected with a computer virus. This particular RFID virus uses SQL injection to attack the backend RFID middleware systems.

There you go — another channel for tainted input.
This so-called “taint problem” comes up everywhere. Most recently, it’s been brought to light because of its implications for web application security, but if you dig deeper, it’s a much more fundamental problem that comes up whenever your program deals with untrusted input.

I think the long-term solution to this is to have fine-grained labeling of data, along with a way to propagate those labels. We’ve made an initial jab at the problem, but that’s only scratching the surface. How long before labeling becomes a first-class abstraction in a language? In a virtual machine runtime? Or even at the architecture level in hardware?
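A small illustration of label propagation at the library level, added here as an example and not taken from the paper or from the work mentioned above. The `Tainted` class, `read_tag`, `run_query`, the `containers` table and the tag contents are all hypothetical names and constructed values.

```python
import sqlite3

class Tainted(str):
    """A str labelled as coming from an untrusted source, e.g. an RFID tag."""
    def __add__(self, other):
        return Tainted(str.__add__(self, other))
    def __radd__(self, other):
        # trusted + tainted is still tainted: the label propagates.
        return Tainted(str.__add__(other, self))

def read_tag(raw: bytes) -> Tainted:
    """Source: everything read off a tag gets the label."""
    return Tainted(raw.decode("ascii", errors="replace"))

def run_query(db, sql, params=()):
    """Sink: labelled data may be bound as a parameter, never used as SQL text."""
    if isinstance(sql, Tainted):
        raise ValueError("tainted data reached the SQL text")
    return db.execute(sql, params).fetchall()

def demo():
    db = sqlite3.connect(":memory:")
    run_query(db, "CREATE TABLE containers (contents TEXT)")
    tag = read_tag(b"apples' OR '1'='1")  # constructed tag contents
    # Unsafe pattern: the tag value is spliced into the statement text.
    spliced = "SELECT * FROM containers WHERE contents = '" + tag + "'"
    try:
        run_query(db, spliced)
        blocked = False
    except ValueError:
        blocked = True  # the label survived concatenation and the sink refused
    # Safe pattern: the statement text is constant, the tag value is bound.
    run_query(db, "INSERT INTO containers VALUES (?)", (tag,))
    stored = run_query(db, "SELECT contents FROM containers")[0][0]
    return blocked, stored

if __name__ == "__main__":
    print(demo())
```

Because the label lives in a library class, f-strings and most `str` methods return a plain `str` and silently drop it, which is the gap that labeling in the language or runtime would close.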
