
Product Lines Can Jeopardize Their Trade Secrets


What do you give for free to your competitor when you exhibit a product line? This paper addresses this question through several cases in which the discovery of trade secrets of a product line is possible and can lead to severe consequences. That is, we show that an outsider can understand the variability realization and gain either confidential business information or even some economical direct advantage. For instance, an attacker can identify hidden constraints and bypass the product line to get access to features or copyrighted data. This paper warns against possible naive modeling, implementation, and testing of variability leading to the existence of product lines that jeopardize their trade secrets. Our vision is that defensive methods and techniques should be developed to protect specifically variability – or at least further complicate the task of reverse engineering it.


Product Lines Can Jeopardize Their Trade Secrets

  1. Product Lines Can Jeopardize Their Trade Secrets
     Mathieu Acher, Guillaume Bécan, Benoit Combemale, Benoit Baudry and Jean-Marc Jézéquel
     IRISA, Inria, University of Rennes 1, France
  2. Motivating example
     Configurator; Final product; Options
  3. Motivating example
     Configurator; Final product; Options; Different configuration; Different car
  4. Motivating example
     ● Customers
       – Activate/deactivate options
     ● Competitors
       – Understand the options and their constraints
       – Create a “better” product line
     ● Contractors
       – Create, change or extend options
       – Access software without specialized tools (e.g. for diagnostic)
     What if the product line is not protected?
  5. Trade secrets are in...
  6. Security for software product lines
     ● Software Product Lines (SPL) are everywhere!
     ● Naive implementation of SPL
       – No security
       – Trade secrets become available to attackers
       – Need to secure implementation mechanisms
     ● New research domain: security for SPL
     ● What's different from traditional software security?
       – Combinatorial explosion
       – Restrict access or hide some options of the SPL
       – Hide marketing/business constraints
       – Open world: new and unplanned options to protect
       – Protect the significant effort to create an SPL
  7. Concrete example: online video generator
     ● 3 steps
       – Enter your name
       – Choose your 3 favorite shows of Canal+
       – Watch YOUR episode of Bref (famous humorous TV show of Canal+)
     ● This is a product line (French TV channel)
  8. Online video generator
     Configurator; Final product (Complete video); Options (Chunks of videos); random choices+ ...
  9. Let's hack it!
     ● 3 days of work
     ● Manual analysis of HTTP request
       – Videos are made of 18 sequences
       – For each sequence, there are several possible variants
       – Video variants are directly accessible
     ● Ask for many episodes (bash script, wget)
       – List possible variants for each sequence
       – Download all video variants
     ● Statistics (R script)
       – Detect mandatory variants
       – 0.1% chance of getting a special variant
  10. Let's reengineer a configurator!
     ● 2 days of work
     ● Complete configurator
     ● No random choices
     ● Videos are hosted on the original service
  11. Threats
     ● Only one week of work
     ● Download all video sequences which are protected by copyright
     ● Re-engineer a new configurator
       – Kill the original idea (e.g. no random choices)
       – No advertising
     ● Find all the codes hidden in the video sequences and win the contest!
  12. Trade secrets are in...
  13. RD1: Protection of positive variability
     ● Compositional approach
       – Options are composed on demand
       – Clean modular design
     ● Ease the identification of options and how they can be composed
     ● How to secure positive variability?
       – Obfuscate the variability and modularity in the source code or data
       – Obfuscate the mapping between options and corresponding artifacts
     ● Challenge: develop techniques for diversifying the mapping
       – non intrusive for the developers
       – agnostic to a domain
  14. RD2: Protection of negative variability
     ● Exhibit all variants and content at once
     ● Activate/deactivate variants depending on some conditions
     ● How to secure negative variability?
       – Improve mechanism used to remove or activate variants
       – Obfuscate pre-defined variants
  15. RD3: Barriers to master configuration space
     ● A configuration set can also contain trade secrets
     ● Crawling the configuration space reveals these secrets
     ● A comprehensive visit offers a global view of the options and their constraints
     ● Challenge: develop barriers to limit the exploration of the configuration space
  16. Conclusion
     ● Variability should be protected
     ● Usual cost/benefit tradeoff
     ● New research domain: security in SPL
     ● Cross-fertilize research results in software product line and security
     ● Challenge: diversify or vary variability
  17. Questions?
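One possible barrier of the kind RD3 asks for, sketched for the video generator described in the slides. This is an added example, not code from the authors or from the service; the client identifier, the variant names and the budget of 3 are assumptions, and the traffic is constructed.

```python
from collections import defaultdict

SEQUENCES = 18      # from the slides: a video is made of 18 sequences
VARIANT_BUDGET = 3  # assumption: distinct variants per sequence a normal visitor needs

class ExplorationBarrier:
    """Caps how much of the configuration space one client can uncover.

    An episode delivers one variant per sequence, so a client that generated
    k episodes has seen at most k distinct variants of any sequence.
    """
    def __init__(self, budget=VARIANT_BUDGET):
        self.budget = budget
        self.seen = defaultdict(lambda: defaultdict(set))  # client -> seq -> variants

    def allow(self, client, seq, variant):
        known = self.seen[client][seq]
        if variant in known:           # re-serving a delivered chunk reveals nothing new
            return True
        if len(known) >= self.budget:  # a new variant would exceed the budget
            return False
        known.add(variant)
        return True

    def coverage(self, client):
        """Distinct (sequence, variant) pairs served to this client."""
        return sum(len(v) for v in self.seen[client].values())

def replay(log, barrier):
    """Feed (client, seq, variant) records through the barrier; count denials."""
    denied = defaultdict(int)
    for client, seq, variant in log:
        if not barrier.allow(client, seq, variant):
            denied[client] += 1
    return dict(denied)

def constructed_log():
    """Constructed sample traffic, not captured from any real service."""
    log = [("visitor", s, "v0") for s in range(SEQUENCES)]        # one episode
    log += [("visitor", s, "v1" if s % 6 == 0 else "v0")          # a second episode
            for s in range(SEQUENCES)]
    for episode in range(40):                                     # bulk episode requests
        log += [("crawler", s, f"v{episode % 8}") for s in range(SEQUENCES)]
    return log
```

The barrier is only as strong as the client identifier it is keyed on; an identifier that can be reset at will (an anonymous cookie, for instance) restores the full budget each time.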
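One way to diversify the mapping between options and artifacts, as RD1 proposes, so that video variants are no longer directly accessible under stable names. This is an added example, not the authors' technique or the service's code; the class, the session identifiers and the internal path layout are hypothetical.

```python
import secrets

class VariantMapper:
    """Per-session, expiring names for video chunks (hypothetical design)."""

    def __init__(self, ttl=300):
        self.ttl = ttl
        self.table = {}  # token -> (session_id, seq, variant, expires_at)

    def issue(self, session_id, seq, variant, now):
        """Return a fresh opaque token for one chunk of one session's episode."""
        token = secrets.token_urlsafe(16)
        self.table[token] = (session_id, seq, variant, now + self.ttl)
        return token

    def resolve(self, session_id, token, now):
        """Return the internal artifact path, or None if the token is not usable."""
        entry = self.table.get(token)
        if entry is None:
            return None
        owner, seq, variant, expires_at = entry
        if owner != session_id or now >= expires_at:
            return None
        # Internal path (assumed layout); it is never sent to the client.
        return f"chunks/seq{seq:02d}/{variant}.mp4"

def issue_episode(mapper, session_id, choices, now):
    """choices holds one variant id per sequence; returns the playlist of tokens."""
    return [mapper.issue(session_id, seq, v, now) for seq, v in enumerate(choices)]
```

The same option gets a different name in every session, and a name stops working outside its session or after expiry. This hides the naming scheme only; the chunk contents are unchanged, so it complements rather than replaces a limit on how many distinct chunks one client can fetch.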
