Product Lines Can Jeopardize
Their Trade Secrets
Mathieu Acher, Guillaume Bécan, Benoit Combemale,
Benoit Baudry and Jean-Marc Jézéquel
IRISA, Inria, University of Rennes 1, France
Motivating example
[Figure: a configurator turns the selected options into a final product; a different configuration gives a different car]
Motivating example
● Customers
– Activate/deactivate options
● Competitors
– Understand the options and their constraints
– Create a “better” product line
● Contractors
– Create, change or extend options
– Access software without specialized tools (e.g.
for diagnostic)
What if the product line is not protected?
Trade secrets are in...
Security for software product lines
● Software Product Lines (SPL) are everywhere!
● Naive implementation of SPL
– No security
– Trade secrets become available to attackers
– Need to secure implementation mechanisms
● New research domain: security for SPL
● What's different from traditional software security?
– Combinatorial explosion
– Restrict access or hide some options of the SPL
– Hide marketing/business constraints
– Open world: new and unplanned options to protect
– Protect the significant effort to create an SPL
Concrete example: online video generator
● 3 steps
– Enter your name
– Choose your 3 favorite shows of Canal+ (French TV channel)
– Watch YOUR episode of Bref (famous
humorous TV show of Canal+)
● This is a product line
Online video generator
[Figure: the configurator assembles options (chunks of videos), plus random choices, into the final product (complete video)]
Let's hack it!
● 3 days of work
● Manual analysis of HTTP requests
– Videos are made of 18 sequences
– For each sequence, there are several possible variants
– Video variants are directly accessible
● Ask for many episodes (bash script, wget)
– List possible variants for each sequence
– Download all video variants
● Statistics (R script)
– Detect mandatory variants
– 0.1% chance of getting a special variant
Let's reengineer a configurator!
● 2 days of work
● Complete configurator
● No random choices
● Videos are hosted on the original service
Threats
● Only one week of work
● Download all video sequences which are
protected by copyright
● Re-engineer a new configurator
– Kill the original idea (e.g. no random choices)
– No advertising
● Find all the codes hidden in the video
sequences and win the contest!
Trade secrets are in...
RD1: Protection of positive variability
● Compositional approach
– Options are composed on demand
– Clean modular design
● Eases the identification of options and how they can be
composed
● How to secure positive variability?
– Obfuscate the variability and modularity in the source code or
data
– Obfuscate the mapping between options and corresponding
artifacts
● Challenge: develop techniques for diversifying the mapping
– non-intrusive for the developers
– agnostic to a domain
RD2: Protection of negative variability
● Exhibit all variants and content at once
● Activate/deactivate variants depending on
some conditions
● How to secure negative variability?
– Improve mechanism used to remove or
activate variants
– Obfuscate pre-defined variants
RD3: Barriers to master configuration space
● A configuration set can also contain trade
secrets
● Crawling the configuration space reveals
these secrets
● A comprehensive visit offers a global view
of the options and their constraints
● Challenge: develop barriers to limit the
exploration of the configuration space
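Added example (not from the slides or the authors): one way a service like the video generator could combine the RD1 idea of diversifying the mapping between options and artifacts with an RD3 barrier on exploration. Instead of directly accessible variant URLs, each request gets fresh, client-bound, expiring handles, and each client is shown only a bounded number of distinct variants per sequence. The names ChunkGateway, reveal_budget, exposure_after and the catalog file names are hypothetical.

```python
import random
import secrets
import time
from collections import defaultdict


class ChunkGateway:
    """Hands out per-client, expiring handles instead of stable chunk URLs."""

    def __init__(self, catalog, reveal_budget=2, ttl=300):
        self.catalog = catalog              # {sequence: [artifact names]}, server-side only
        self.reveal_budget = reveal_budget  # max distinct variants per sequence per client
        self.ttl = ttl                      # handle lifetime in seconds
        self._rng = random.SystemRandom()
        self._handles = {}                  # handle -> (client, artifact, expiry)
        self._revealed = defaultdict(lambda: defaultdict(list))

    def new_episode(self, client, now=None):
        """Pick one variant per sequence and return opaque handles for them."""
        now = time.time() if now is None else now
        playlist = []
        for sequence, variants in self.catalog.items():
            seen = self._revealed[client][sequence]
            if len(seen) < self.reveal_budget:
                artifact = self._rng.choice(variants)
                if artifact not in seen:
                    seen.append(artifact)
            else:
                # Budget spent: replay only what this client already knows.
                artifact = self._rng.choice(seen)
            handle = secrets.token_urlsafe(16)   # fresh name on every request
            self._handles[handle] = (client, artifact, now + self.ttl)
            playlist.append(handle)
        return playlist

    def resolve(self, client, handle, now=None):
        """Return the artifact for a handle, or None if it is not valid here."""
        now = time.time() if now is None else now
        entry = self._handles.get(handle)
        if entry is None:
            return None                          # unknown or guessed name
        owner, artifact, expiry = entry
        if now > expiry:
            del self._handles[handle]            # drop stale handles
            return None
        if owner != client:
            return None                          # handles do not transfer
        return artifact


def exposure_after(gateway, client, episodes):
    """Count distinct artifacts one client learns by requesting many episodes."""
    learned = set()
    for _ in range(episodes):
        for handle in gateway.new_episode(client):
            learned.add(gateway.resolve(client, handle))
    return len(learned)


# Constructed catalog: 18 sequences (as on the slides) with 5 variants each.
CATALOG = {s: [f"seq{s:02d}_var{v}.mp4" for v in range(5)] for s in range(18)}

if __name__ == "__main__":
    gw = ChunkGateway(CATALOG)
    print(exposure_after(gw, "client-a", 200), "of", 18 * 5, "artifacts learned")
```

The budget is keyed on a client identity, so it bounds what one identified client can learn; a crawl spread across many identities needs an additional control on how identities are obtained.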
Conclusion
● Variability should be protected
● Usual cost/benefit tradeoff
● New research domain: security in SPL
● Cross-fertilize research results in software
product line and security
● Challenge: diversify or vary variability
Questions?
