What do you give for free to your competitor when you exhibit a product line? This paper addresses this question through several cases in which the discovery of trade secrets of a product line is possible and can lead to severe consequences. That is, we show that an outsider can understand the variability realization and gain either confidential business information or even some direct economic advantage. For instance, an attacker can identify hidden constraints and bypass the product line to get access to features or copyrighted data. This paper warns against possible naive modeling, implementation, and testing of variability leading to the existence of product lines that jeopardize their trade secrets. Our vision is that defensive methods and techniques should be developed to protect specifically variability – or at least further complicate the task of reverse engineering it.
Product Lines Can Jeopardize Their Trade Secrets
1. Product Lines Can Jeopardize Their Trade Secrets
Mathieu Acher, Guillaume Bécan, Benoit Combemale,
Benoit Baudry and Jean-Marc Jézéquel
IRISA, Inria, University of Rennes 1, France
2. Motivating example
[Figure labels: Options, Configurator, Final product]
3. Motivating example
[Figure labels: Options, Configurator, Final product; different configuration, different car]
4. Motivating example
● Customers
– Activate/deactivate options
● Competitors
– Understand the options and their constraints
– Create a “better” product line
● Contractors
– Create, change or extend options
– Access software without specialized tools (e.g. for diagnostic)
What if the product line is not protected?
5. Trade secrets are in...
6. Security for software product lines
● Software Product Lines (SPL) are everywhere!
● Naive implementation of SPL
– No security
– Trade secrets become available to attackers
– Need to secure implementation mechanisms
● New research domain: security for SPL
● What's different from traditional software security?
– Combinatorial explosion
– Restrict access or hide some options of the SPL
– Hide marketing/business constraints
– Open world: new and unplanned options to protect
– Protect the significant effort to create an SPL
7. Concrete example: online video generator
● 3 steps
– Enter your name
– Choose your 3 favorite shows of Canal+ (French TV channel)
– Watch YOUR episode of Bref (famous humorous TV show of Canal+)
● This is a product line
8. Online video generator
[Figure labels: Options (chunks of videos) + random choices; Configurator; Final product (complete video)]
9. Let's hack it!
● 3 days of work
● Manual analysis of HTTP request
– Videos are made of 18 sequences
– For each sequence, there are several possible variants
– Video variants are directly accessible
● Ask for many episodes (bash script, wget)
– List possible variants for each sequence
– Download all video variants
● Statistics (R script)
– Detect mandatory variants
– 0.1% chance of getting a special variant
10. Let's reengineer a configurator!
● 2 days of work
● Complete configurator
● No random choices
● Videos are hosted on the original service
11. Threats
● Only one week of work
● Download all video sequences which are protected by copyright
● Re-engineer a new configurator
– Kill the original idea (e.g. no random choices)
– No advertising
● Find all the codes hidden in the video sequences and win the contest!
12. Trade secrets are in...
13. RD1: Protection of positive variability
● Compositional approach
– Options are composed on demand
– Clean modular design
● Ease the identification of options and how they can be composed
● How to secure positive variability?
– Obfuscate the variability and modularity in the source code or data
– Obfuscate the mapping between options and corresponding artifacts
● Challenge: develop techniques for diversifying the mapping
– non intrusive for the developers
– agnostic to a domain
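One way to obfuscate the mapping between options and artifacts, given here as an added example (not from the slides or the authors): each session gets its own opaque handles, so artifact names are neither stable nor directly accessible. `ChunkMapper`, the catalogue and the file names are hypothetical.

```python
import hashlib
import hmac
import secrets

# Constructed catalogue: sequence index -> variant artifacts (hypothetical names).
CATALOGUE = {
    0: ["intro_a.mp4", "intro_b.mp4"],
    1: ["show_x.mp4", "show_y.mp4", "show_rare.mp4"],
}


class ChunkMapper:
    """Issues per-session handles so URLs do not expose the option -> artifact mapping."""

    def __init__(self, key: bytes):
        self._key = key
        self._sessions = {}  # session id -> {handle: artifact}

    def _handle(self, session_id: str, seq: int, artifact: str) -> str:
        # Keyed and session-bound: the same artifact gets a different handle each session.
        msg = f"{session_id}|{seq}|{artifact}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()[:32]

    def start_session(self, choices: dict) -> tuple:
        """choices maps sequence index -> variant index; returns (session id, handles)."""
        session_id = secrets.token_hex(16)
        table = {}
        for seq, variant in sorted(choices.items()):
            artifact = CATALOGUE[seq][variant]
            table[self._handle(session_id, seq, artifact)] = artifact
        self._sessions[session_id] = table
        return session_id, list(table)

    def resolve(self, session_id: str, handle: str):
        """Return the artifact only if the handle belongs to this session's configuration."""
        for known, artifact in self._sessions.get(session_id, {}).items():
            if hmac.compare_digest(known.encode(), handle.encode()):
                return artifact
        return None  # unknown session, foreign handle, or a guessed artifact name
```

A handle observed in one session resolves to nothing in another, so collecting handles across sessions does not enumerate the catalogue.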
14. RD2: Protection of negative variability
● Exhibit all variants and content at once
● Activate/deactivate variants depending on some conditions
● How to secure negative variability?
– Improve mechanism used to remove or activate variants
– Obfuscate pre-defined variants
15. RD3: Barriers to master configuration space
● A configuration set can also contain trade secrets
● Crawling the configuration space reveals these secrets
● A comprehensive visit offers a global view of the options and their constraints
● Challenge: develop barriers to limit the exploration of the configuration space
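A possible barrier of this kind, as an added example and not the authors' technique: cap how many distinct variants of each sequence one client can ever be shown, so repeated requests stop revealing new parts of the configuration space. The cap, the catalogue size and the client identifier (assumed to be bound to an account or session) are assumptions.

```python
import random
from collections import defaultdict

SEQUENCES = 18              # from the slides: a video is made of 18 sequences
VARIANTS_PER_SEQUENCE = 10  # assumption: catalogue size per sequence
EXPOSURE_CAP = 3            # assumption: distinct variants a client may see per sequence


class ExplorationBarrier:
    """Limits how much of the configuration space a single client can observe."""

    def __init__(self, cap=EXPOSURE_CAP):
        self.cap = cap
        # client id -> per-sequence list of variants already shown to that client
        self._seen = defaultdict(lambda: [[] for _ in range(SEQUENCES)])

    def serve(self, client, proposed):
        """Return the configuration actually served for a proposed one."""
        if len(proposed) != SEQUENCES:
            raise ValueError("a configuration needs one variant per sequence")
        seen = self._seen[client]
        served = []
        for seq, variant in enumerate(proposed):
            if variant not in seen[seq]:
                if len(seen[seq]) < self.cap:
                    seen[seq].append(variant)  # still within the exposure budget
                else:
                    # Budget spent: replay a variant this client already knows.
                    variant = seen[seq][variant % self.cap]
            served.append(variant)
        return served


def simulate_repeated_requests(barrier, client, requests, seed=0):
    """Constructed workload: one client asks for many random configurations."""
    rng = random.Random(seed)
    observed = [set() for _ in range(SEQUENCES)]
    for _ in range(requests):
        proposed = [rng.randrange(VARIANTS_PER_SEQUENCE) for _ in range(SEQUENCES)]
        for seq, variant in enumerate(barrier.serve(client, proposed)):
            observed[seq].add(variant)
    return [len(variants) for variants in observed]
```

The client is never refused, only pinned to what it has already seen, so the barrier is not itself a signal that can be probed for thresholds.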
16. Conclusion
● Variability should be protected
● Usual cost/benefit tradeoff
● New research domain: security in SPL
● Cross-fertilize research results in software product line and security
● Challenge: diversify or vary variability