JOURNAL OF COMPUTING, VOLUME 2, ISSUE 7, JULY 2010, ISSN 2151-9617

HTTPS://SITES.GOOGLE.COM/SITE/JOURNALOFCOMPUTING/
WWW.JOURNALOFCOMPUTING.ORG 172

Buffer Overflow Prevention in Mobile RFID

Environment using Train Algorithm
M. SANDHYA and Dr. T. R. RANGASWAMY

Abstract RFID technology is widely used worldwide in a broad range of applications. Such technology however raises security
concerns about the protection of the information stored in the RFID tags and exchanged during the wireless communication with
the readers. Buffer overflow vulnerabilities dominate the area of remote network penetration vulnerabilities, where an anonymous
Internet user seeks to gain partial or total control of a host. If buffer overflow vulnerabilities could be effectively eliminated, a very
large portion of the most serious security threats would also be eliminated.This paper describes the use of train algorithm to tackle
the buffer over flow attacks in mobile RFID environment.

Index Terms — RFID, Buffer overflow

——————————  ——————————

1 INTRODUCTION
RFID identifies object in the open system environment by
using the radio frequency technology which is a kind of
non-contact automatic identification technique, and can
automatically read the information from a great deal of
tags instantly[1]. This technology has shown its powerful
practical value and potential in the field of retailing,
manufacturing and logistics.
As can be seen in figure 1, an RFID system consists of
three components:
 Tags, that consists of an integrated circuit with a
small antenna. Tags use to be placed in each
object that should be identified. Each tag will
send its identifier (ID) when interrogated.
 Reader(s), that communicates with a database
and with the tags. They are responsible of
performing the queries to the tags.
 Database with information of the tags and their
items (e.g. medicine name, chemical
components...).RFID readers will check the
database for identifying an object and for
obtaining its associated information.
    
Fig.1: RFID System
Mobile RFID enables unique RFID use-cases not
possible with fixed readers. Mobile data collection
————————————————
M.SANDHYA is with the B.S.Abdur Rahman University, Chennai,
India.She is working as a Assistant Professor (Senior Grade) in the
Department of Computer Science& Engineering.
devices such as scanners tethered to mobile computers,
integrated handheld readers, and vehicle mounted
readers from companies such as Intermec, LXE, and
Motorola, allow the reader to be brought to the asset
instead of the asset having to pass by the reader. These
devices and custom applications running on them can
leverage existing wireless networks to communicate
continuously with the rest of the system, and can often be
used offline to collect data for transmission to the rest of
the system at later time.
Today’s deployments that use mobile RFID
technology—from workers carrying integrated handheld
readers to the mounting of specialized readers on fork
lifts—benefit from more flexible interaction with tagged
assets and broader location coverage. The additional read
opportunities enable greater asset visibility and allow for
the recording of asset entry, movement, and placement
around a facility. New applications are being built every
day to leverage these unique capabilities.
In order to truly capitalize on the benefits of mobile
RFID, application developers must understand the
unique requirements and challenges of mobile
application development, deployment, and usage. A flex-
ible architecture provides a rich foundation for mobile
application development to extend the software across
platforms and readers.
The rest of this paper is structured as follows: Section 2
gives a brief introduction about Buffer Overflows and
their defenses. Section 3 reviews the related work. Section
4 presents a description of the Train algorithm.The
implementation of Train algorithm in mobile RFID is
described in section 5. The experimental results are
shown in section 6.Finally the work is concluded in
section 7.

Dr.T.R.RANGASWAMY is with the B.S.Abdur Rahman University,

Chennai, India. He is working as a Professor & Head in the 2 BUFFER OVERFLOWS
Department of Information Technology. Buffer overflows are among the most common sources of
security vulnerabilities in software. Found in both legacy
JOURNAL OF COMPUTING, VOLUME 2, ISSUE 7, JULY 2010, ISSN 2151-9617
HTTPS://SITES.GOOGLE.COM/SITE/JOURNALOFCOMPUTING/
WWW.JOURNALOFCOMPUTING.ORG
and modern software, buffer overflows cost the software
industry hundreds of millions of rupees per year. Buffer
overflows have also played aprominent part in events of
hacker legend and lore, including the Morris (1988), Code
Red (2001), and SQL Slammer (2003) worms [2].
Buffer overflows usually arise as a consequence of the
improper use of languages such as C or C++ that are not
“memory-safe”. Functions without bounds checking
(strcpy, strlen, strcat, sprintf, gets), functions with null
termination problems (strncpy, snprintf, strncat) and us-
er-created functions with pointer bugs are notorious buf-
fer overflow enablers.
The life of a buffer overflow begins when an attacker
inputs data either directly (i.e. via user input) or
indirectly (i.e. via environment variables). This input data
is deliberately longer than the allocated end of a buffer in
memory, so it overwrites whatever else happened to be
there. Program control data is often located in the
memory areas adjacent to data buffers [3].
RFID tags can exploit buffer overflows to compromise
back-end RFID middleware systems. This is
counterintuitive, since most RFID tags are limited to 1024
bits or less. However, commands like 'write multiple
blocks' from ISO-15693 can allow a resource poor RFID
tag to repeatedly send the same data block,with the net
result of killing up an application-level buffer. Meticulous
formatting of the repeatedly sent data block can still
manage to overwrite a return address on the stack.
An attacker can also cheat and use contactless smart
cards, which have a larger amount of available storage
space. Better yet, an attacker can really blow RFID
middleware's buffers away, by using a resource rich
actively-powered RFID tag simulating device, like the
RFID Guardian [4].
2.1 Payloads
RFID buffer overflows can inject a variety of platform
dependent shell-command payloads. Apart from obvious
commands like rm, buffer-overflow injected system
commands like netcat can be used to create backdoors.
netcat listens on a TCPport and prints the data that is
received. This data can be passed to an instance of the
shell, which causes commands to be executed, as
demonstrated in the following example:
netcat -lp1234|sh
Another useful system utility is screen. This creates an
instance of the shell and detaches it from its terminal, so
that it runs as a daemon process. By combining this with
the ability to execute remote shell commands, an attacker
can construct a more advanced backdoor:
screen -dmS t bash -c’’while [true]; do netcat
-lp1234|sh; done’’
This command runs in an infinite loop, which allows
the attacker to connect to the backdoor multiple times.
Another favorite is the wget utility, which downloads
files from a web server or ftp server and stores them on
the local filesystem [5]. This utility can be leveraged to
download and execute programs written by the attacker:
wget http://ip/myexploit -O /tmp/myexploit;
chmod +x /tmp/myexploit; /tmp/myexploit
173
2.2 Defenses
There are three basic approaches to defend against buffer
overflow vulnerabilities and attacks [6].The operating
systems approach is to make the storage areas for buffers
non-executable, preventing the attacker from injecting
attack code This approach stops many buffer overflow
attacks because attackers do not necessarily need to inject
attack code to perpetrate a buffer overflow attack but this
method leaves substantial vulnerabilities. The direct
compiler approach is to perform array bounds checks on
all array accesses. This method completely eliminates the
buffer overflow problem by making overflows
impossible, but imposes substantial costs. The indirect
compiler approach is to perform integrity checks on code
pointers before dereferencing them. While this technique
does not make buffer overflow attacks impossible, it does
stop most buffer overflow attacks, and the attacks that it
does not stop are difficult to create.The compatibility and
performance advantages over array bounds checking are
substantial.
3 RELATED WORK
C. Richard Jones and Paul Kelly developed a gcc patch [7]
that does full array bounds checking for C programs.
Compiled programs are compatible with other gcc
modules, because they have not changed the
representation of pointers. Rather, they derive a “base”
pointer from each pointer expression and check the
attributes of that pointer to determine whether the
expression is within bounds.
The performance costs are substantial: a pointer
intensive program (ijk matrix multiply) experienced 30
times slowdown. Since slowdown is proportionate to
pointer usage, which is quite common in privileged
programs, this performance penalty is particularly
Unfortunate.The compiler did not appear to be mature;
complex programs such as elm failed to execute when
compiled with this compiler. However, an updated
version of the compiler is being maintained [8], it can
compile and run at least portions of the SSH software
encryption package. Throughput experiments with the
updated compiler and software encryption using SSH
encryption showed a 12 times slowdown[9].
Purify uses “object code insertion” to instrument all
memory accesses [10]. After linking with the Purify linker
and libraries, one gets a standard native executable
program that checks all of its array references to ensure
that they are legitimate. While Purify-protected programs
run normally without any special environment, Purify is
not actually intended as a production security tool: Purify
protection imposes a 3 to 5 times slowdown. Snarskii
developed a custom implementation of libc [11] that
introspects the CPU stack to detect buffer overflows.
StackGuard is a compiler technique for providing code
pointer integrity checking to the return address in
function activation records [12]. StackGuard is
implemented as a small patch to gcc that enhances the
code generator for emitting code to set up and tear down
functions. StackGuard’s notion of integrity checking the
JOURNAL OF COMPUTING, VOLUME 2, ISSUE 7, JULY 2010, ISSN 2151-9617
HTTPS://SITES.GOOGLE.COM/SITE/JOURNALOFCOMPUTING/
WWW.JOURNALOFCOMPUTING.ORG
stack in this way is derived from the Synthetix [13, 14]
notion of using quasi-invariants to assure the correctness
of incremental specializations. A specialization is a
deliberate change to the program, which is only valid if
certain conditions hold. To assure correctness, Synthetix
developed a variety of tools to guard the state of
quasi-invariants [15].
4 TRAIN ALGORITHM
Many programming languages provide automatic
garbage collection to reduce the need for memory
management related programming. However, traditional
garbage collection techniques lead to long and
unpredictable delays and are therefore unsatisfactory in a
number of settings, such as interactive systems, where
non-disruptive behavior is of paramount importance.
Generation-based collection techniques alleviate the
problem somewhat by concentrating collection efforts on
small but hopefully gainful areas of memory, the so called
young generations. This reduces the need for collecting
the remaining large memory area, the old, or mature,
generation, but in no way obviates it. Traditionally,
conventional techniques have been employed for old
generation collection, leading to pauses which, although
less frequent, are still highly disruptive.
Train algorithm that has been gaining popularity is the
mature object space algorithm, originally proposed by
Hudson and Moss [16] and first implemented and
analyzed by Seligmann and Grarup [17]. In this
algorithm, the heap is split into small regions (train cars),
each of which can be collected independently.Train
algorithm is currently used by Sun's Hotspot virtual
machine, specifies an organization for the mature object
space of a generational collector. The purpose of the train
algorithm is to provide time-bounded incremental
collection of the mature object space. Incremental
coll ect i on reduce s ga rbage collection incre a se s
throughput by reducing the number of pauses, making it
desirable for real time systems. Train Garbage Collection
divides the heap into old and young generations. Taking
advantage of the empirical observation that most objects
have very short lifetimes, a generational collector collects
the sub-heaps of younger generations more often than
those of older generations.
To achieve this, the algorithm arranges the blocks into
disjoint sets. With a striking metaphor, Hudson & Moss
refer to the blocks as cars, and to the set of blocks to which
a car belongs as its train. Mature object space can then be
thought of as a giant railway station with trains lined up
on its tracks [18] illustrated in figure2.
Just as in real life, cars belong to exactly one train and
are ordered within that train. The trains, in turn, are
ordered by giving them sequence numbers as they are
created. This imposes a global lexicographical ordering
on the blocks in mature object space: One block precedes
another if it resides in a lower numbered (i.e. older) train;
or if both blocks belong to the same train, then if that
block has a lower car number (i.e. was added to the train
earlier on) than the other. In the example structure shown
174
in Figure 2, Car 1.1 precedes Car 1.2, Car 1.2 precedes Car
1.3, Car 1.3 precedes Car 2.1, and so on. Intuitively, the
Train Algorithm works by constantly clustering sets of
related objects. In this way, it eventually collapses any
interlinked garbage structure into the same train
even for complex structures.
Fig.2: Mature Object space with train cars
4.1 Car Collection Strategy
Each invocation of the Train Algorithm processes the
lowest numbered car of the lowest numbered train in the
system. Its space is reclaimed as follows. First, a check is
made to see whether there are any references into the
train to which the car being collected belongs. If this is not
the case, then the entire train contains only garbage and
all its cars are reclaimed immediately. (This is the part of
the algorithm which enable s large cyclic garbage
structures to be recognized and reclaimed, even if they
are too big to fit into a single car.
Otherwise, all objects residing in the car being collected
referenced from outside the train are evacuated as
follows. Objects referenced from other trains are moved
to those trains; objects referenced from outside mature
object space are moved to any train except the one being
collected. If a receiving train runs full, a new car is simply
created and hooked onto its end [19]. Then, in typical
copy collector style, evacuated objects are scanned for
pointers into the car being collected, moving the objects
thus found into the train from which they are now
referenced and so on.
With the transitive closure of all externally referenced
objects having been evacuated, the only live objects in the
car being processed are those referenced (exclusively)
from cars further down the train being collected. Such
objects are evacuated to the last car of the train, as are the
objects they reference, etc. At this point, none of the
objects remaining in the car being collected are referenced
from the outside and are therefore garbage. Thus, the
space occupied by the car is reclaimed and the collection
is finished [20].
4.2 Tenuring Strategy
The tenuring strategy imposed by the Train Algorithm is
simple: Objects promoted from younger generations may
be stored in any train except the one currently being
JOURNAL OF COMPUTING, VOLUME 2, ISSUE 7, JULY 2010, ISSN 2151-9617
HTTPS://SITES.GOOGLE.COM/SITE/JOURNALOFCOMPUTING/
WWW.JOURNALOFCOMPUTING.ORG
collected, or one or more new trains may be created to
hold them.
To facilitate collection of individual cars, each car has
an associated remembered set containing information about
all references residing outside the car pointing into it. Old
generation cars will only be processed when all younger
generations are collected, so the remembered sets need
only contain references from other old generation cars.
Since cars are processed in lexicographical order, one can
further optimize the remembered set handling by only
recording references from higher numbered to lower
numbered cars. By the time a car comes up for collection,
it will have the lowest number in the system, and thus its
reme mbe re d set will be complete. This gives the
advantage of not having to purge out stale remembered
set entries in other parts of the system when a car is
reclaimed.
5 IMPLEMENTATION
In a mobile RFID environment the number of readers is
not limited and there is a possibility that there can be N
number of readers.The possibility of buffer overflow
attacks is high in the case of mobile RFID environment
because the reader is a hand-held device and only limited
amount of memory is available for it compared to fixed
readers which is directly connected to the system.Data
plays a vital role in the case of RFID because it cannot be
retrieved back under any circumstances.The figure 3
shown below gives a diagrammatic representation about
how the middleware is placed between the reader and the
server.
Fig.3: Model for Mobile RFID Environment
RFID middleware is system software that collects a
large volume of raw data from heterogeneous RFID
environments, filters them, summarizes into
meaningful information and delivers the information to
application services and middleware platform software,
that standardizes common functions necessary for the
development of RFID applications. The major basic
functions of middleware are supporting the
independency of the protocol of heterogeneous readers,
managing data through realtime collection, filtering and
summarizing, and interoperating with legacy system.
Other functions include process modeling, real-time
execution and controlling, and middleware should have a
structure of high scalability and availability [21].
The middleware has to reside in a place between the
mobile RFID reader and the server.The main database
which gives all the information about the tag will be in
175
the server side. The reader has a fixed amount of
memory and within some seconds of time it has to flush
the data information collected from the tags to the
middleware where all the readers are allotted some
specific memory.While flushing the data the reader
should be very careful in not losing any single data
obtained from the tag.If the allotted memory space for a
particular reader in the middleware is not sufficient it can
use the free memory spaces available for the other
readers.
This will not create any problem for the other readers
also because the middleware will transfer the data to the
server immediately as soon as the memory space allotted
for a particular reader is full. Subsequently the datas
stored on the other memory spaces will also be
transferred to the database.In this way data loss can be
prevented and there is no possibility of buffer overflow
attacks.For allocating the free memory spaces of other
readers the concept of train algorithm is used.By using
the train algorithm, the middleware can easily identify
the place where the datas are stored temporarily if
the memory space allocated for a particular reader is full.
The possibility of data loss and buffer overflow attack is
prevented by using the train algorithm concept in mobile
RFID environment.
6 EXPERIMENTAL RESULTS
The use of train algorithm in mobile RFID environment is
tested using an RFID emulator known as RIFIDI. RIFIDI
is a complete middleware platform for building all facets
of an RFID application .With the industry leading
prototyping tools and a cutting edge RFID middleware
server, RIFIDI can help to develop a product application
from an RFID idea. RIFIDI makes it possible to do rapid
RFID prototyping and production deployments on a high
performance, open source platform.
RIFIDI emulator was used to test under two test cases.In
the first test case the capacity of the reader was set up to
hold upto 20 tags. In the middleware also the same
memory capacity of 20 was set for the reader. It performs
well without any buffer overflow upto that number of
tags. When the number of tags to be read by the reader
was increased to more than 20 and in the middleware the
memory capacity for that reader was not changed, buffer
overflow occurs and the result of it is shown in figure 4.
Fig.4: Error with no Buffer Prevention
Figure 5 shows the result of the second test case using
JOURNAL OF COMPUTING, VOLUME 2, ISSUE 7, JULY 2010, ISSN 2151-9617
HTTPS://SITES.GOOGLE.COM/SITE/JOURNALOFCOMPUTING/
WWW.JOURNALOFCOMPUTING.ORG
the concept of train algorithm. In this case the reader was
first made to read upto 20 tags and in the middleware
also the same memory space was set for the reader.Then
the number of tags to be read was increased in the reader
but in the middleware the memory space was not
increased for that reader.It works well in this scenario
also because it uses the free memory spaces available for
the other readers using train algorithm.
Fig.5: Successful Insertion with Buffer Prevention
The above figure shows that the buffer overflow is
prevented and because of it there is no possibility of data
loss.
7 CONCLUSION
Buffer overflows are worthy of this degree of analysis
because they constitute a majority of security
vulnerability issues and a substantial majority of remote
penetration security vulnerability issues. The results of
this analysis show that the Train algorithm can be
effectively used to avoid buffer overflow. It can be used
in combination with other garbage collection algorithms
also. Whenever a system needs to react very fast it is
indispensable to use an incremental strategy. The Train
Algorithm gives such an incremental garbage collection
strategy that can also be used in distributed systems.
REFERENCES
[1] Klaus Finkerzeller, RFID Handbush. Hanser Fachbuch, 1999.Also
available in English as RFID Handbook: Radio-Frequency
Fundamentals and Applications, John Wiley & Sons, 2000.
[2] Rieback, M.R.; Crispo, B.; Tanenbaum, A.S.; “Is your cat infected
with a computer virus?” Pervasive Computing and Communications,
2006. PerCom 2006. Fourth Annual IEEE International Conference on
13-17 March 2006 Page(s):10 pp.
[3]  Wikipedia ‐ buffer over_ow. http://en.wikipedia.org/wiki/Buffer_  Ubiquitous  Computting”.  In  Proceedings  of  IEEE  International  Confe‐
overflow.  rence on Hybrid Information Technology (ICHITʹ06), 2006.
[4] M. R. Rieback, B. Crispo, and A. S. Tanenbaum. “RFID Guardian: 
A battery‐powered mobile device for RFID privacy management”. In 
Proc.  10th  Australasian  Conf.  on  Information  Security  and  Privacy 
(ACISP 2005), volume 3574 of LNCS, pages 184.194, July 2005. 
[5]  Melanie  R.  Rieback,  Patrick  N.D.  Simpson,  Bruno  Crispo,b, 
Andrew  S.  Tanenbaum.”RFID malware: Design principles and
examples”. In Elsevier magazine on Pervasive and Mobile Computing,
October 2006.
[6]  Crispin  Cowan,  Perry  Wagle,  Calton  Pu,  Steve  Beattie,  and  
Jonathan  Walpole.  “Buffer  Overflows: Attacks  and  Defenses  for  the 
Vulnerability of the Decade”, Department of Computer Science and 
176
E n g i n e e r i n g   O r e g o n   G r a d u a t e   I n s t i t u t e   o f   S c i e n c e   a n d 
Technology, 2000. 
[7]  Richard  Jones  and  Paul  Kelly.  Bounds  Checking  for 
C.http://www‐ala.doc.ic.ac.uk/  phjk/BoundsChecking.html,  July 
1995. 
[8]  Herman  ten  Brugge.  Bounds  Checking  C  Compiler.http://web. 
.inter.NL.net/hcc/Haj.Ten.Brugge/, 1998. 
[9]  Kurt  Roeckx.  Bounds  Checking  Overhead  in  SSH.  Personal  
 Communications, October 1999. 
[10]  Reed  Hastings  and  Bob  Joyce.  Purify:  “Fast  Detection  of  
Memory Leaks and Access Errors”. In Proceedings of the Winter USE‐
NIX Conference, 1992. Also available  at http://www.rational.com 
/support/techpapers/ fast_detection. 
[11]  Alexander  Snarskii.  FreeBSD  Stack  Integrity 
Patch.ftp://ftp.lucky.net/pub/unix/local/libc‐letter, 1997. 
[12]  Crispin  Cowan,  Calton  Pu,  Dave  Maier,  Heather  Hinton,  Peat 
Bakke,  Steve  Beattie,  Aaron  Grier,  Perry  Wagle,  and  Qian  Zhang. 
“StackGuard: Automatic Adaptive Detection and Prevention of Buf‐
fer‐Overflow  Attacks”. In 7th USENIX Security Conference, pages 63–
77, San Antonio, TX, January 1998. 
[13]  Calton  Pu,  Tito Autrey, Andrew  Black,  Charles  Consel,  Crispin 
Cowan,  Jon  Inouye,  Lakshmi  Kethana,  Jonathan  Walpole,  and  Ke 
Zhang.  “Optimistic  Incremental  Specialization:  Streamlining  a 
Commercial  Operating  System”.  In  Symposium  on  Operating  Systems 
Principles (SOSP), Copper Mountain, Colorado, December 1995. 
[14]  Synthetix:  Tools  for  Adapting  Systems  Software.World‐wide  
 web page available at http://www.cse.ogi.edu/ DISC/projects/ 
synthetix. 
[15]  Crispin  Cowan, Andrew  Black,  Charles  Krasic,  Calton  Pu,  and 
Jonathan  Walpole.  “Automated  Guarding  Tools  for  Adaptive  
Operating Systems”, Work in progress, December 1996. 
[16] R. L. Hudson and J. E. B. Moss. “Incremental Garbage Collection 
of  Mature  Objects.”  In  International  Workshop  on  Memory  
Management,  number  637  in  Lecture  Notes  in  Computer  Science, 
pages 1‐42, St. Malo, France, September 1992. Springer‐Verlag. 
[17] J. Seligmann and S. Grarup. “Incremental Mature Garbage Col‐
lection using the Train Algorithm”. In European Conference on Object‐
Oriented Programming. Springer‐Verlag, August 1995. 
[18]  Shubhnandan  S.  Jamwal1  and  Devanand  “Quantifying  
Incremental  Low  Pause  and  TrainGarbage  Collectors”.In 
 International  Journal  of  Engineering  Studies  ISSN  0975‐  6469  
Volume  2,  Number  2  (2010),  pp.  207–214  ©  Research  India 
Publications http://www.ripublication.com/ijes.htm 
[19]  M.  C.  Lowry,  A  New  Approach  to  The  Train  Algorithm  For  
Distributed Garbage Collection. School of Comp. Science, University 
of Adelaide, 2004. 
[20]  R.  Schatz,  Incremental  Garbage  Collection  II.  Seminar  aus 
Softwareentwicklung: Garbage Collection, 2006. 
[21] Gi oug, Oh, and Doo yeon, Kim and Sang il, Kim and Sung yul, 
Rhew,  “A  Quality  Evaluation  Technique  of  RFID  Middleware  in