Ce diaporama a bien été signalé.
Nous utilisons votre profil LinkedIn et vos données d’activité pour vous proposer des publicités personnalisées et pertinentes. Vous pouvez changer vos préférences de publicités à tout moment.

Product Lines Can Jeopardize Their Trade Secrets

622 vues

Publié le

What do you give for free to your competitor when you ex-
hibit a product line? This paper addresses this question
through several cases in which the discovery of trade secrets
of a product line is possible and can lead to severe conse-
quences. That is, we show that an outsider can understand
the variability realization and gain either confidential busi-
ness information or even some economical direct advantage.
For instance, an attacker can identify hidden constraints and
bypass the product line to get access to features or copy-
righted data. This paper warns against possible naive mod-
eling, implementation, and testing of variability leading to
the existence of product lines that jeopardize their trade se-
crets. Our vision is that defensive methods and techniques
should be developed to protect specifically variability – or
at least further complicate the task of reverse engineering it.

Publié dans : Sciences
  • Soyez le premier à commenter

  • Soyez le premier à aimer ceci

Product Lines Can Jeopardize Their Trade Secrets

  1. 1. Product Lines Can Jeopardize Their Trade Secrets Mathieu Acher, Guillaume Bécan, Benoit Combemale, Benoit Baudry and Jean-Marc Jézéquel IRISA, Inria, University of Rennes 1, France
  2. 2. Product Lines Can Jeopardize Their Trade Secrets 2 Motivating example Configurator Final product Options
  3. 3. Product Lines Can Jeopardize Their Trade Secrets 3 Motivating example Configurator Final product Options Different configuration Different car
  4. 4. Product Lines Can Jeopardize Their Trade Secrets 4 Motivating example ● Customers – Activate/deactivate options ● Competitors – Understand the options and their constraints – Create a “better” product line ● Contractors – Create, change or extend options – Access software without specialized tools (e.g. for diagnostic) What if the product line is not protected?
  5. 5. Product Lines Can Jeopardize Their Trade Secrets 5 Trade secrets are in...
  6. 6. Product Lines Can Jeopardize Their Trade Secrets 6 Security for sofware product lines ● Software Product Lines (SPL) are everywhere ! ● Naive implementation of SPL – No security – Trade secrets become available to attackers – Need to secure implementation mechanisms ● New research domain: security for SPL ● What's different from traditional software security? – Combinatorial explosion – Restrict access or hide some options of the SPL – Hide marketing/business constraints – Open world: new and unplanned options to protect – Protect the significant effort to create an SPL
  7. 7. Product Lines Can Jeopardize Their Trade Secrets 7 Concrete example: online video generator ● 3 steps – Enter your name – Choose your 3 favorite shows of Canal+ – Watch YOUR episode of Bref (famous humorous TV show of Canal+) ● This is a product line (French TV channel)
  8. 8. Product Lines Can Jeopardize Their Trade Secrets 8 Online video generator Configurator Final product (Complete video) Options (Chunks of videos) random choices+ ...
  9. 9. Product Lines Can Jeopardize Their Trade Secrets 9 Let's hack it ! ● 3 days of work ● Manual analysis of HTTP request – Videos are made of 18 sequences – For each sequence, there are several possible variants – Video variants are directly accessible ● Ask for many episodes (bash script, wget) – List possible variants for each sequence – Download all video variants ● Statistics (R script) – Detect mandatory variants – 0.1% chance of getting a special variant
  10. 10. Product Lines Can Jeopardize Their Trade Secrets 10 Let's reengineer a configurator ! ● 2 days of work ● Complete configurator ● No random choices ● Videos are hosted on the original service
  11. 11. Product Lines Can Jeopardize Their Trade Secrets 11 Threats ● Only one week of work ● Download all video sequences which are protected by copyright ● Re-engineer a new configurator – Kill the original idea (e.g. no random choices) – No advertising ● Find all the codes hidden in the video sequences and win the contest !
  12. 12. Product Lines Can Jeopardize Their Trade Secrets 12 Trade secrets are in...
  13. 13. Product Lines Can Jeopardize Their Trade Secrets 13 RD1: Protection of positive variability ● Compositional approach – Options are composed on demand – Clean modular design ● Ease the identification of options and how they can be composed ● How to secure positive variability? – Obfuscate the variability and modularity in the source code or data – Obfuscate the mapping between options and corresponding artifacts ● Challenge: develop techniques for diversifying the mapping – non intrusive for the developers – agnostic to a domain
  14. 14. Product Lines Can Jeopardize Their Trade Secrets 14 RD2: Protection of negative variability ● Exhibit all variants and content at once ● Activate/deactivate variants depending on some conditions ● How to secure negative variability? – Improve mechanism used to remove or activate variants – Obfuscate pre-defined variants
  15. 15. Product Lines Can Jeopardize Their Trade Secrets 15 RD3: Barriers to master configuration space ● A configuration set can also contain trade secrets ● Crawling the configuration space reveals these secrets ● A comprehensive visit offers a global view of the options and their constraints ● Challenge: develop barriers to limit the exploration of the configuration space
  16. 16. Product Lines Can Jeopardize Their Trade Secrets 16 Conclusion ● Variability should be protected ● Usual cost/benefit tradeoff ● New research domain: security in SPL ● Cross-fertilize research results in software product line and security ● Challenge: diversify or vary variability
  17. 17. Product Lines Can Jeopardize Their Trade Secrets 17 Questions?

×