Product Lines Can Jeopardize
Their Trade Secrets
Mathieu Acher, Guillaume Bécan, Benoit Combemale,
Benoit Baudry and Jean-Marc Jézéquel
IRISA, Inria, University of Rennes 1, France
Motivating example
Figure (diagram labels): Configurator, Options, Final product
Motivating example
Figure (diagram labels): Configurator, Options, Final product; different configuration, different car
Motivating example
● Customers
– Activate/deactivate options
● Competitors
– Understand the options and their constraints
– Create a “better” product line
● Contractors
– Create, change or extend options
– Access software without specialized tools (e.g.
for diagnostic)
What if the product line is not protected?
Trade secrets are in...
Security for software product lines
● Software Product Lines (SPL) are everywhere!
● Naive implementation of SPL
– No security
– Trade secrets become available to attackers
– Need to secure implementation mechanisms
● New research domain: security for SPL
● What's different from traditional software security?
– Combinatorial explosion
– Restrict access or hide some options of the SPL
– Hide marketing/business constraints
– Open world: new and unplanned options to protect
– Protect the significant effort to create an SPL
Concrete example: online video generator
● 3 steps
– Enter your name
– Choose your 3 favorite shows of Canal+ (French TV channel)
– Watch YOUR episode of Bref (famous
humorous TV show of Canal+)
● This is a product line
Online video generator
Figure (diagram labels): Configurator, random choices, Options (chunks of videos), Final product (complete video)
Let's hack it!
● 3 days of work
● Manual analysis of HTTP requests
– Videos are made of 18 sequences
– For each sequence, there are several possible variants
– Video variants are directly accessible
● Ask for many episodes (bash script, wget)
– List possible variants for each sequence
– Download all video variants
● Statistics (R script)
– Detect mandatory variants
– 0.1% chance of getting a special variant
Let's reengineer a configurator!
● 2 days of work
● Complete configurator
● No random choices
● Videos are hosted on the original service
Threats
● Only one week of work
● Download all video sequences which are
protected by copyright
● Re-engineer a new configurator
– Kill the original idea (e.g. no random choices)
– No advertising
● Find all the codes hidden in the video
sequences and win the contest!
Trade secrets are in...
RD1: Protection of positive variability
● Compositional approach
– Options are composed on demand
– Clean modular design
● Ease the identification of options and how they can be
composed
● How to secure positive variability?
– Obfuscate the variability and modularity in the source code or
data
– Obfuscate the mapping between options and corresponding
artifacts
● Challenge: develop techniques for diversifying the mapping
– non intrusive for the developers
– agnostic to a domain
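One way to diversify the mapping between options and artifacts, written as an added example that is not from the slides or the authors: chunk URLs carry no variant identifier, and the server resolves a per-session, expiring HMAC token against the configuration it stored for that session. The key, session table, variant names and URL layout are all constructed assumptions.

```python
import hashlib
import hmac

SERVER_KEY = b"constructed-demo-key"  # assumption: loaded from a secret store in practice
TOKEN_TTL = 300                       # assumed policy: seconds a chunk URL stays valid

# Constructed server-side state: the configuration picked for each session.
# Keys are sequence indices, values are internal variant names (never sent out).
SESSIONS = {
    "sess-A": {0: "intro_v2", 1: "show_v7"},
    "sess-B": {0: "intro_v2", 1: "show_v3"},
}


def _token(session_id, seq, variant, expires):
    # The MAC binds session, position, variant and expiry together, so a token
    # is useless for another session, another sequence or a later time.
    msg = f"{session_id}|{seq}|{variant}|{expires}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()[:32]


def issue(session_id, seq, now):
    """Build the URL handed to the player for one sequence of one session."""
    variant = SESSIONS[session_id][seq]
    expires = now + TOKEN_TTL
    token = _token(session_id, seq, variant, expires)
    url = f"/chunk/{session_id}/{seq}?e={expires}&t={token}"
    return {"url": url, "expires": expires, "token": token}


def resolve(session_id, seq, expires, token, now):
    """Return the variant to stream, or None when the request is refused."""
    config = SESSIONS.get(session_id)
    if config is None or seq not in config or now > expires:
        return None
    expected = _token(session_id, seq, config[seq], expires)
    # Constant-time comparison; the variant name is only ever looked up
    # server-side, never parsed out of the request.
    return config[seq] if hmac.compare_digest(expected, token) else None


if __name__ == "__main__":
    a = issue("sess-A", 0, now=1000)
    b = issue("sess-B", 0, now=1000)
    print(a["url"])
    print(b["url"])  # same underlying variant, unrelated-looking URL
    print(resolve("sess-A", 0, a["expires"], a["token"], now=1100))
    print(resolve("sess-A", 0, b["expires"], b["token"], now=1100))
```

Two sessions that received the same variant get different URLs, so collected URLs cannot be compared to count variants, and a link stops working once its expiry passes.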
RD2: Protection of negative variability
● Exhibit all variants and content at once
● Activate/deactivate variants depending on
some conditions
● How to secure negative variability?
– Improve mechanism used to remove or
activate variants
– Obfuscate pre-defined variants
RD3: Barriers to master configuration space
● A configuration set can also contain trade
secrets
● Crawling the configuration space reveals
these secrets
● A comprehensive visit offers a global view
of the options and their constraints
● Challenge: develop barriers to limit the
exploration of the configuration space
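A sketch of one such barrier, added here as an example and not taken from the slides: a per-client budget that refuses a configuration request when the client is asking too fast or when serving it would reveal more than a set share of all variants. The class name, thresholds and the 3-sequence catalogue are constructed assumptions.

```python
from collections import defaultdict, deque


class ExplorationBarrier:
    """Per-client budget on how much of the configuration space may be seen."""

    def __init__(self, variants_per_seq, max_requests, window_s, max_coverage):
        self.total = sum(variants_per_seq.values())  # size of the variant catalogue
        self.max_requests = max_requests             # requests allowed per window
        self.window_s = window_s                     # sliding window, in seconds
        self.max_coverage = max_coverage             # share of variants one client may see
        self.recent = defaultdict(deque)             # client -> request timestamps
        self.seen = defaultdict(set)                 # client -> {(sequence, variant)}

    def coverage(self, client):
        return len(self.seen[client]) / self.total

    def check(self, client, now, config):
        """config maps sequence index -> variant the server is about to serve.

        Returns "ok", "rate" (too many requests in the window) or
        "coverage" (serving this would exceed the exploration budget).
        """
        q = self.recent[client]
        while q and now - q[0] >= self.window_s:
            q.popleft()                              # drop timestamps outside the window
        if len(q) >= self.max_requests:
            return "rate"
        would_see = self.seen[client] | set(config.items())
        if len(would_see) / self.total > self.max_coverage:
            return "coverage"
        q.append(now)
        self.seen[client] = would_see
        return "ok"


if __name__ == "__main__":
    # Constructed catalogue: 3 sequences with 4 variants each.
    barrier = ExplorationBarrier({0: 4, 1: 4, 2: 4},
                                 max_requests=3, window_s=60, max_coverage=0.6)
    for t, v in enumerate("abc"):
        print(t, barrier.check("client-1", t, {0: v, 1: v, 2: v}))
    print("coverage:", barrier.coverage("client-1"))
```

The client key is whatever identity the service can hold stable (account, session, address); a budget keyed on something a crawler can rotate freely limits little, so the coverage threshold has to be chosen with that in mind.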
Conclusion
● Variability should be protected
● Usual cost/benefit tradeoff
● New research domain: security in SPL
● Cross-fertilize research results in software
product line and security
● Challenge: diversify or vary variability
Questions?
