RFID Middleware

1
RFID Middleware

• University of Houston
• Bauer College of Business
• Spring 2007

Source Forrester, 2004 www.rfidvirus.org
2
Definition

• Middleware Software that connects two disparate
  applications, allowing them to communicate with
  each other and to exchange data (Laudon Laudon,
  2002)

3
Underlying Drivers of RFID Middleware

• Standards
• Integration

4
EPCglobal Network

• Set of global technical standards aimed at
  enabling automatic and instant identification of
  items in the supply chain and sharing the
  information throughout the supply chain
• The EPCglobal NetworkTM consists of five
  fundamental elements
• ID System (EPC Tags and Readers),
• Electronic Product Code (EPC)
• Object Name Service (ONS)
• Physical Markup Language (PML)
• Savant
• (http//www.csis.hku.hk/clwang/RFID/rfid-main2004
  .htm)

5
Savant

• Middleware developed by Auto-ID to provide
  interface between RFID reader and databases
• Sits between tag readers and enterprise
  applications to manage the vast amount of
  information retrieved from the tags
• Manages and moves information in a way that does
  not overload existing networks
• Has a hierarchical architecture that directs the
  flow of data by gathering, storing, and acting on
  information and communicating with other Savants
• Lower level Savants process, filter and direct
  information to the higher level ones and,
  consequently, massive flow of information and
  network traffic is reduced

6
(No Transcript)
7
(No Transcript)
8
Types of RFID Vendors

• RFID Pure Plays offer products that integrate
  with RFID readers, filter and aggregate data, and
  may incorporate some business rules
• ConnectTerra
• GlobeRanger
• OATSystems
• RF Code

9
Types of RFID Vendors

• Integration Specialists add RFID features like
  reader coordination and edge-tier filtering go to
  their existing integration technology
• webMethods
• TIBCO
• Ascential Software

10
Types of RFID Vendors

• Application Vendors offer software ranging from
  RFID-enabled applications for warehouse and asset
  management to more robust RFID middleware
  solutions for reader coordination, data
  filtering, and business logic capabilities
• Povia Software
• Manhattan Associates
• RedPrairie
• SAP

11
Types of RFID Vendors

• Platform Giants extend their existing platforms
  and middleware to accommodate RFID
• Sun Microsystems
• IBM
• Oracle
• Microsoft

12
Middleware Functionality

• Reader and device management RFID middleware
  should allow users to configure, monitor, deploy,
  and issue commands directly to readers through a
  common interface.
• Data management. Once RFID middleware captures
  EPC data from readers, it must be able to
  intelligently filter and route it to the
  appropriate destinations. This capability should
  include both low-level logic like filtering out
  duplicate reads and more complex algorithms like
  content-based routing

13
Middleware Functionality

• Application integration. RFID middleware
  solutions should provide the messaging, routing,
  and connectivity features required to reliably
  integrate RFID data into existing SCM, ERP, WMS,
  or CRM systems
• Partner integration. Some of the most promising
  benefits of RFID will come from sharing RFID data
  with partners to improve collaborative processes
  like demand forecasting and vendor-managed
  inventory

14
Middleware Functionality

• Process management and application development
  Instead of just routing RFID data to business
  applications, sophisticated RFID middleware
  platforms will actually orchestrate RFID-related
  end-to-end processes that touch multiple
  applications and/or enterprises, like inventory
  replenishment. Key process management and
  composite application development features
  include workflow, role management, process
  automation, and UI development tools.

15
Middleware Functionality

• Packaged RFID content. RFID middleware platforms
  that include packaged routing logic, product data
  schemas, and integration with typical
  RFID-related applications and processes like
  shipping, receiving, and asset tracking are major
  assets
• Architecture scalability and administration. This
  means that RFID middleware platforms must include
  features for dynamically balancing processing
  loads across multiple servers and automatically
  rerouting data upon server failure. These
  features should span all tiers of the
  architecture even the edge devices

16
(No Transcript)
17
Forrester Research Conclusions

• Manhattan Associates, OAT, and SAP lead with
  strong mandate solutions
• Pure plays like GlobeRanger and ConnecTerra also
  offer viable solutions for early adopters. But
  unlike OATSystems, these vendor offer pure
  middleware solutions that provide strong reader
  integration capabilities and APIs for publishing
  RFID data to back-end applications and typically
  incorporate less packaged application logic like
  EPC track-and-trace tools.

18
Forrester Research Conclusions

• Both Savi Technology and RF Code have specialty
  capabilities and experience with active RFID tags
• Most platform and integration vendors lack
  generally available products

19
Single-Tier RFID Middleware Architecture
20
Multitier RFID Middleware Architecture
21
RFID Middleware

• Sun
• SAP
• Microsoft
• Oracle

22
Suns RFID Software Architecture
23
Suns Event Manager
24
Suns Information Server
25
SAP
26

• Threats to RFID Middleware
• (Source www.rfidvirus.org)

27
Why RFID systems are vulnerable to attacks

• Lots of source code
• Generic protocols
• Back-end databases
• High-value data
• False sense of security

28
RFID-Based Exploits

• Buffer Overflows
• The life of a buffer overflow begins when an
  attacker inputs data either directly (i.e. via
  user input) or indirectly (i.e. via environment
  variables).
• This input data is deliberately longer then the
  allocated end of a buffer in memory, so it
  overwrites whatever else happened to be there.
• Since program control data is often located in
  the memory areas adjacent to data buffers, the
  buffer overflow can cause the program to execute
  arbitrary code

29
RFID-Based Exploits

• Buffer Overflows
• RFID tags are limited to 1024 bits or less
• Commands like 'write multiple blocks' from
  ISO-15693 can allow a resource-poor RFID tag to
  repeatedly send the same data block, with the net
  result of filling up an application-level buffer
• Meticulous formatting of the repeatedly sent data
• An attacker can also use contactless smart cards,
  which have a larger amount of available storage
  space
• An attacker can really blow RFID middleware's
  buffers away, by using a resource rich
  actively-powered RFID tag simulating device, like
  the RFID Guardian

30
RFID-Based Exploits

• Code Insertion
• Malicious code can be injected into an
  application by an attacker, using any number of
  scripting languages including VBScript, CGI,
  Java, JavaScript, and Perl

31
RFID-Based Exploits

• SQL injection
• SQL injection is a type of code insertion attack
  that tricks a database into running SQL code that
  was not intended.
• Attackers have several objectives
• They might want to enumerate (map out) the
  database structure. Then, the attackers might
  want to retrieve unauthorized data, or make
  equally unauthorized modifications or deletions.
• Databases also sometimes allow DB administrators
  to execute system commands. A system command can
  be used to attack the system

32
RFID-Based Worms

• Worm is a program that self-propagates across a
  network, exploiting security flaws in widely-used
  services
• A worm is distinguishable from a virus in that a
  worm does not require any user activity to
  propagate
• Worms usually have a payload, which performs
  activities ranging from deleting files, to
  sending information via email, to installing
  software patches
• One of the most common payloads for a worm is to
  install a backdoor in the infected computer,
  which grants hackers easy return access to that
  computer system in the future.

33
RFID-Based Viruses

• One can develop RFID based viruses using SQL
  language
• The SQL data can be transmitted to a system via
  an RFID tag

34
Conclusion

• What is middleware
• EPC Global
• Savant
• Vendors
• Functionality
• Architecture
• Threats