Sentinel RMS – Virtualization FAQ

The following frequently asked questions about Sentinel RMS and virtualization technology are based on the current behavior of the system.

1. What is the behavior of Sentinel RMS machine locking under virtualization technology?

Virtualization technology is an abstraction layer that decouples the physical hardware from the virtual operating system. Virtualization allows multiple virtual machines, with heterogeneous operating systems, to run in isolation, side by side on the same physical machine. Each virtual machine has its own set of virtual hardware (e.g., RAM, CPU, NIC) on which an operating system and applications are loaded. The operating system sees a consistent, normalized set of hardware regardless of the actual physical hardware components.

Like all applications and processes in a virtual environment, Sentinel RMS behaves as if the virtual environment were a separate and independent physical machine. Sentinel RMS allows machine fingerprinting and will compute a fingerprint for that virtual environment. The following locking criteria are available in the virtual environment:

- Disk ID
- Ethernet MAC address
- IP
- Hostname

CID locking exhibits different behavior on different virtual environments. On Virtual PC, the CID is not detected. VMware can detect only a USB CID, and the USB CID is bound to only one OS (the host or one guest OS) at a time.

2. Can virtualization software, such as VMware and Virtual PC, change the emulated hardware ID to match another virtual environment?

Yes, but most virtualization products treat this as an advanced configuration setting. The easiest way of doing it is to create a virtual machine, install the necessary software on it, and then make copies of that virtual machine. Each running instance of that virtual machine will then have the same emulated hardware IDs. In such a case, licenses locked to that hardware ID can literally be multiplied by the user.
To avoid such abuse, the developer can detect the virtual environment from within the application and take an informed decision.

3. How can the RMS locking codes of one virtual machine be matched with another virtual machine?

The table shows how the various RMS locking criteria behave in the commonly used virtual environments:

Lock code             VMware                                            Virtual PC
Disk ID               Can be replicated in specific cases.              Can be replicated in specific cases.
                      Refer to a) below.                                Refer to a) below.
Ethernet MAC address  Can be replicated for some MAC address range.     Can be replicated for all MAC addresses.
                      Refer to b) below.
IP                    Can be replicated, as the IP can be changed       Can be replicated, as the IP can be changed
                      within the virtual environment.                   within the virtual environment.
Hostname              Can be replicated, as the hostname can be         Can be replicated, as the hostname can be
                      changed within the virtual environment.           changed within the virtual environment.
CID key               USB CID lock cannot be used concurrently, as      CID is not detected.
                      it is bound to one OS at any time.

The lock codes between two separately installed virtual machines can be matched as follows:

a) Disk ID: Up to RMS 8.0, the Disk ID is not the actual Volume Serial Number of the hard disk (physical or virtual) but is calculated, based on a random value, the first time "echoid.exe" or "Wechoid.exe" is run on that machine. Thus, the only way of duplicating the Disk ID is to make copies of the virtual machine after running echoid once on it. In RMS 8.1, the Disk ID depends only on the Volume Serial Number, so the virtual machine can be replicated at any time.

b) Ethernet MAC address:
   VMware: The VMware configuration file (.vmx) can be edited to change the Ethernet MAC address of the virtual machine. VMware can assign any MAC address randomly to a virtual machine; however, manual configuration allows only Ethernet addresses in the following range: 00:50:56:00:00:00 – 00:50:56:3F:FF:FF.
   Virtual PC: The Virtual PC configuration file (.vmc) can be configured to change the Ethernet MAC address of the virtual machine. Virtual PC allows a MAC address in any range.

4. How can the RMS locking codes of one virtual machine be matched with another physical machine?

Lock code             VMware                                            Virtual PC
Disk ID               Not possible*                                     Not possible*
Ethernet MAC address  Can be matched for the address range              Can be matched to any MAC address.
                      00:50:56:00:00:00 – 00:50:56:3F:FF:FF.
IP                    As explained in question 3.                       As explained in question 3.
Hostname              As explained in question 3.                       As explained in question 3.
CID key               CID works with only one machine (virtual or       CID is not available.
                      physical) at a time.

* Refer to the Disk ID information in question 3.

5. How will the CID key work under a virtual environment?

VMware: Only a USB CID key is detected by VMware. The USB CID key (or any other USB device) is detected by the virtual machine only if the virtual machine is in focus; in that case the USB CID key is unavailable to the host physical machine. Thus, whatever the number of virtual OSes running on a host OS, the CID key will be detected by only one machine (virtual or physical) at a time.

Virtual PC: USB is not available in the Virtual PC environment, so the CID key will not work there.

6. What is the threat when virtualization is abused?

Because the physical hardware is decoupled, abstracted and emulated by the virtualization software, any hardware ID can be manipulated and changed to match another virtual environment. This allows an invalid license, resulting from incorrect machine fingerprinting, to work. Mirroring another virtual environment allows a user to "multiply" the license.

NOTE: Typically, a virtual environment will not be able to replicate the hosting environment, as the physical hardware ID will conflict between the emulated and the real physical hardware. However, a virtual machine running on one physical machine may very well replicate another physical machine.

7. What are the recommended locking options under a virtual environment?

CID-locked licenses can thwart license abuse in a virtual environment.
Parallel CID keys will not be detected by any virtual environment. Although the USB CID key is detected by a VMware virtual machine, it remains bound to that virtual machine until it is unplugged. Either way, the licenses cannot be abused by the end user.

NOTE: Other locking methods may also be used, but they can easily be abused, so they should be combined with custom locking; how effective this is depends on how the vendor implements the custom locking method.

8. Are there steps to prevent abuse if the emulated hardware is changed to cheat the system?

Yes. Sentinel RMS allows a custom lock implementation that a vendor can use to detect a virtual environment. By detecting a virtual environment, the vendor can choose whether or not to generate a license for that virtual environment. The vendor should implement a mechanism so that, before licenses are distributed to end users, it knows whether the machine being licensed is a virtual machine. One way to do this is the following:

- Get two locking codes from the end user:
  o Locking code #1: the locking code that the license will use (Ethernet MAC address, Disk ID, IP or Hostname).
  o Locking code #2: another locking code that uses the custom implementation to detect the presence of a virtual environment and return some fixed value, or a random value otherwise. This locking code is not used in the license; it serves as a flag telling the vendor whether or not to issue the license.
- The custom lock implementation can be substituted with the vendor's own virtual environment detection method, passing its value along with the lock code.
- The vendor should decide whether to issue the license based on the above factors.

9. To prevent revenue leakage, can a license with standard PC locking be rendered unusable in a virtual environment?

Yes. The vendor can detect whether the application is running in a virtual environment and stop issuing the license.
Sentinel RMS allows registering a pre-hook event before any license request. The vendor can register a function that denies the license if it detects a virtual environment. Please refer to the customization features in Appendix B of the Sentinel RMS API Reference Guide for details of the VLSeventAddHook API. A variety of ways to detect virtual environments are published on the Internet. Please contact SafeNet to obtain one such sample implementation for a standalone application.
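As an added example, not taken from the FAQ or from the Sentinel RMS product, the vendor-side decision from question 8 combined with the VMware MAC address range from questions 3 and 4, in Python. The fixed flag value VM_FLAG_VALUE, the issue_decision() policy and its allow_virtual switch are assumptions; how the custom lock detects a virtual environment inside the guest is left to the vendor, as in the FAQ.

```python
import re
import secrets

# Range that a VMware guest's MAC address can be set to manually (question 3).
VMWARE_MANUAL_MAC_RANGE = (0x005056000000, 0x0050563FFFFF)

# Assumed fixed value that the custom lock (locking code #2) returns when it
# detects a virtual environment; anything else is treated as its random value.
VM_FLAG_VALUE = "VM-DETECTED"

_MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}([:-])(?:[0-9A-Fa-f]{2}\1){4}[0-9A-Fa-f]{2}$")


def mac_to_int(mac: str) -> int:
    """Parse aa:bb:cc:dd:ee:ff (or aa-bb-cc-dd-ee-ff) into a 48-bit integer."""
    mac = mac.strip()
    if not _MAC_RE.match(mac):
        raise ValueError(f"malformed MAC address: {mac!r}")
    return int(re.sub(r"[:-]", "", mac), 16)


def in_vmware_manual_range(mac: str) -> bool:
    """True if the MAC lies in the range a VMware guest can be configured to."""
    low, high = VMWARE_MANUAL_MAC_RANGE
    return low <= mac_to_int(mac) <= high


def custom_lock_code(vm_detected: bool) -> str:
    """Locking code #2 from question 8: fixed when a VM is detected, random otherwise."""
    return VM_FLAG_VALUE if vm_detected else secrets.token_hex(8)


def issue_decision(mac: str, lock_code2: str, allow_virtual: bool = False):
    """Vendor-side check before issuing a MAC-locked license.

    Returns (issue, reason). The MAC is locking code #1, the value the license
    will be locked to; lock_code2 is the VM flag. A MAC inside the VMware
    manual range is flagged because question 4 shows such a lock code can be
    matched to another machine.
    """
    findings = []
    if lock_code2 == VM_FLAG_VALUE:
        findings.append("custom lock reports a virtual environment")
    if in_vmware_manual_range(mac):
        findings.append("MAC is inside the VMware manually configurable range")
    if findings and not allow_virtual:
        return False, "; ".join(findings)
    if findings:
        return True, "virtual environment allowed by policy: " + "; ".join(findings)
    return True, "no virtualization indicators"
```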