Product Lines Can Jeopardize
Their Trade Secrets
Mathieu Acher, Guillaume Bécan, Benoit Combemale,
Benoit Baudry and Jean-...
Product Lines Can Jeopardize Their Trade Secrets 2
Motivating example
Configurator
Final product
Options
Product Lines Can Jeopardize Their Trade Secrets 3
Motivating example
Configurator
Final product
Options
Different
configu...
Product Lines Can Jeopardize Their Trade Secrets 4
Motivating example
● Customers
– Activate/deactivate options
● Competit...
Product Lines Can Jeopardize Their Trade Secrets 5
Trade secrets are in...
Product Lines Can Jeopardize Their Trade Secrets 6
Security for sofware product lines
● Software Product Lines (SPL) are e...
Product Lines Can Jeopardize Their Trade Secrets 7
Concrete example: online video generator
● 3 steps
– Enter your name
– ...
Product Lines Can Jeopardize Their Trade Secrets 8
Online video generator
Configurator
Final product
(Complete video)
Opti...
Product Lines Can Jeopardize Their Trade Secrets 9
Let's hack it !
● 3 days of work
● Manual analysis of HTTP request
– Vi...
Product Lines Can Jeopardize Their Trade Secrets 10
Let's reengineer a configurator !
● 2 days of work
● Complete configur...
Product Lines Can Jeopardize Their Trade Secrets 11
Threats
● Only one week of work
● Download all video sequences which a...
Product Lines Can Jeopardize Their Trade Secrets 12
Trade secrets are in...
Product Lines Can Jeopardize Their Trade Secrets 13
RD1: Protection of positive variability
● Compositional approach
– Opt...
Product Lines Can Jeopardize Their Trade Secrets 14
RD2: Protection of negative variability
● Exhibit all variants and con...
Product Lines Can Jeopardize Their Trade Secrets 15
RD3: Barriers to master configuration space
● A configuration set can ...
Product Lines Can Jeopardize Their Trade Secrets 16
Conclusion
● Variability should be protected
● Usual cost/benefit trad...
Product Lines Can Jeopardize Their Trade Secrets 17
Questions?
Prochain SlideShare
Chargement dans…5
×

Product Lines Can Jeopardize Their Trade Secrets

439 vues

Publié le

What do you give for free to your competitor when you ex-
hibit a product line? This paper addresses this question
through several cases in which the discovery of trade secrets
of a product line is possible and can lead to severe conse-
quences. That is, we show that an outsider can understand
the variability realization and gain either confidential busi-
ness information or even some economical direct advantage.
For instance, an attacker can identify hidden constraints and
bypass the product line to get access to features or copy-
righted data. This paper warns against possible naive mod-
eling, implementation, and testing of variability leading to
the existence of product lines that jeopardize their trade se-
crets. Our vision is that defensive methods and techniques
should be developed to protect specifically variability – or
at least further complicate the task of reverse engineering it.

Publié dans : Sciences
0 commentaire
0 j’aime
Statistiques
Remarques
  • Soyez le premier à commenter

  • Soyez le premier à aimer ceci

Aucun téléchargement
Vues
Nombre de vues
439
Sur SlideShare
0
Issues des intégrations
0
Intégrations
5
Actions
Partages
0
Téléchargements
1
Commentaires
0
J’aime
0
Intégrations 0
Aucune incorporation

Aucune remarque pour cette diapositive

Product Lines Can Jeopardize Their Trade Secrets

  1. 1. Product Lines Can Jeopardize Their Trade Secrets Mathieu Acher, Guillaume Bécan, Benoit Combemale, Benoit Baudry and Jean-Marc Jézéquel IRISA, Inria, University of Rennes 1, France
  2. 2. Product Lines Can Jeopardize Their Trade Secrets 2 Motivating example Configurator Final product Options
  3. 3. Product Lines Can Jeopardize Their Trade Secrets 3 Motivating example Configurator Final product Options Different configuration Different car
  4. 4. Product Lines Can Jeopardize Their Trade Secrets 4 Motivating example ● Customers – Activate/deactivate options ● Competitors – Understand the options and their constraints – Create a “better” product line ● Contractors – Create, change or extend options – Access software without specialized tools (e.g. for diagnostic) What if the product line is not protected?
  5. 5. Product Lines Can Jeopardize Their Trade Secrets 5 Trade secrets are in...
  6. 6. Product Lines Can Jeopardize Their Trade Secrets 6 Security for sofware product lines ● Software Product Lines (SPL) are everywhere ! ● Naive implementation of SPL – No security – Trade secrets become available to attackers – Need to secure implementation mechanisms ● New research domain: security for SPL ● What's different from traditional software security? – Combinatorial explosion – Restrict access or hide some options of the SPL – Hide marketing/business constraints – Open world: new and unplanned options to protect – Protect the significant effort to create an SPL
  7. 7. Product Lines Can Jeopardize Their Trade Secrets 7 Concrete example: online video generator ● 3 steps – Enter your name – Choose your 3 favorite shows of Canal+ – Watch YOUR episode of Bref (famous humorous TV show of Canal+) ● This is a product line (French TV channel)
  8. 8. Product Lines Can Jeopardize Their Trade Secrets 8 Online video generator Configurator Final product (Complete video) Options (Chunks of videos) random choices+ ...
  9. 9. Product Lines Can Jeopardize Their Trade Secrets 9 Let's hack it ! ● 3 days of work ● Manual analysis of HTTP request – Videos are made of 18 sequences – For each sequence, there are several possible variants – Video variants are directly accessible ● Ask for many episodes (bash script, wget) – List possible variants for each sequence – Download all video variants ● Statistics (R script) – Detect mandatory variants – 0.1% chance of getting a special variant
  10. 10. Product Lines Can Jeopardize Their Trade Secrets 10 Let's reengineer a configurator ! ● 2 days of work ● Complete configurator ● No random choices ● Videos are hosted on the original service
  11. 11. Product Lines Can Jeopardize Their Trade Secrets 11 Threats ● Only one week of work ● Download all video sequences which are protected by copyright ● Re-engineer a new configurator – Kill the original idea (e.g. no random choices) – No advertising ● Find all the codes hidden in the video sequences and win the contest !
  12. 12. Product Lines Can Jeopardize Their Trade Secrets 12 Trade secrets are in...
  13. 13. Product Lines Can Jeopardize Their Trade Secrets 13 RD1: Protection of positive variability ● Compositional approach – Options are composed on demand – Clean modular design ● Ease the identification of options and how they can be composed ● How to secure positive variability? – Obfuscate the variability and modularity in the source code or data – Obfuscate the mapping between options and corresponding artifacts ● Challenge: develop techniques for diversifying the mapping – non intrusive for the developers – agnostic to a domain
  14. 14. Product Lines Can Jeopardize Their Trade Secrets 14 RD2: Protection of negative variability ● Exhibit all variants and content at once ● Activate/deactivate variants depending on some conditions ● How to secure negative variability? – Improve mechanism used to remove or activate variants – Obfuscate pre-defined variants
  15. 15. Product Lines Can Jeopardize Their Trade Secrets 15 RD3: Barriers to master configuration space ● A configuration set can also contain trade secrets ● Crawling the configuration space reveals these secrets ● A comprehensive visit offers a global view of the options and their constraints ● Challenge: develop barriers to limit the exploration of the configuration space
  16. 16. Product Lines Can Jeopardize Their Trade Secrets 16 Conclusion ● Variability should be protected ● Usual cost/benefit tradeoff ● New research domain: security in SPL ● Cross-fertilize research results in software product line and security ● Challenge: diversify or vary variability
  17. 17. Product Lines Can Jeopardize Their Trade Secrets 17 Questions?

×