Sentinel RMS – Virtualization FAQ:

The following frequently asked questions about Sentinel RMS and Virtualization
technology are based on the current behavior of the system:
1. What is the behavior of Sentinel RMS machine locking under
Virtualization technology?
Virtualization technology is an abstraction layer that decouples the physical
hardware from the virtual operating system. Virtualization allows multiple virtual
machines, with heterogeneous operating systems to run in isolation, side-by-side
on the same physical machine. Each virtual machine has its own set of virtual
hardware (e.g., RAM, CPU, NIC, etc.) upon which an operating system and
applications are loaded. The operating system sees a consistent, normalized set
of hardware regardless of the actual physical hardware components.
Like all applications and processes in a virtual environment, Sentinel RMS
behaves as if the virtual environment is a separate and independent physical
machine. Sentinel RMS allows machine fingerprinting and will compute a
fingerprint for that virtual environment.
The following locking criteria are available in a virtual environment:
- Disk ID
- Ethernet MAC address
- IP address
- Hostname
CID locking behaves differently depending on the virtual environment:
- On Virtual PC, the CID is not detected.
- VMware detects only a USB CID, and the USB CID is bound to only one OS (the
host or one guest OS) at a time.
2. Can virtualization software – like VMware and Virtual PC – change the
emulated hardware ID to match another virtual environment?
Yes, but most virtualization products treat this as an advanced configuration
setting.
The easiest way to do it, however, is to create a virtual machine, install the
necessary software on it, and then make copies of that virtual machine. Each
running instance of that virtual machine then has the same emulated hardware
IDs.
In that case, licenses locked to such a hardware ID can literally be multiplied
by the user. To avoid such abuse, the developer can detect the virtual
environment from within the application and take an informed decision.
3. How can the RMS locking codes of one virtual machine be matched with
those of another virtual machine?
The table below shows how the various RMS locking criteria behave in the
commonly used virtual environments:
Lock Code: Disk ID
  VMware: Can be replicated in specific cases. Refer to a) below.
  Virtual PC: Can be replicated in specific cases. Refer to a) below.
Lock Code: Ethernet MAC Address
  VMware: Can be replicated for some MAC address range. Refer to b) below.
  Virtual PC: Can be replicated for all MAC addresses.
Lock Code: IP
  VMware and Virtual PC: Can be replicated, as the IP can be changed within
  the virtual environment.
Lock Code: Hostname
  VMware and Virtual PC: Can be replicated, as the hostname can be changed
  within the virtual environment.
Lock Code: CID key
  VMware: USB CID lock cannot be used concurrently, as it is bound to one OS
  at any time.
  Virtual PC: CID is not detected.
The lock codes of two separately installed virtual machines can be matched as
follows:
a) Disk ID:
Up to RMS 8.0, the Disk ID is not the actual Volume Serial Number of the hard
disk (physical or virtual); it is calculated from a random value the first time
“echoid.exe” or “Wechoid.exe” is run on that machine. Thus, the only way to
duplicate the Disk ID is to make copies of the virtual machine after echoid has
been run once on it.
In RMS 8.1, the Disk ID depends only on the Volume Serial Number. Hence, the
virtual machine can be replicated at any time.
b) Ethernet MAC Address:
VMware: The VMware configuration file (.vmx) can be edited to change the
Ethernet MAC address of the virtual machine. VMware can assign any MAC
address randomly to a virtual machine; manual configuration, however, only
allows Ethernet addresses in the following range:
00:50:56:00:00:00 – 00:50:56:3F:FF:FF
Virtual PC: The Virtual PC configuration file (.vmc) can be edited to change
the Ethernet MAC address of the virtual machine. Virtual PC allows a MAC
address in any range.
4. How can the RMS locking codes of one virtual machine be matched with
those of a physical machine?
Lock Code: Disk ID
  VMware: Not possible*
  Virtual PC: Not possible*
Lock Code: Ethernet MAC Address
  VMware: Can be matched for the address range 00:50:56:00:00:00 –
  00:50:56:3F:FF:FF
  Virtual PC: Can be matched to any MAC address
Lock Code: IP
  VMware and Virtual PC: As explained in question 3
Lock Code: Hostname
  VMware and Virtual PC: As explained in question 3
Lock Code: CID key
  VMware: CID works with only one machine (virtual or physical) at a time.
  Virtual PC: CID is not available
* Refer to the Disk ID information in question 3 for details.
5. How does the CID key work in a virtual environment?
VMware: Only the USB CID key is detected by VMware. Moreover, the USB CID key
(like any other USB device) is detected by the virtual machine only while it is
in focus, and during that time the USB CID key is unavailable to the physical
host. Thus, whatever the number of virtual OSs running on a host OS, the CID key
is detected by only one machine (virtual or physical) at a time.
Virtual PC: USB is not available in the Virtual PC environment, so the CID key
does not work there.
6. What is the threat when virtualization is abused?
Because the physical hardware is decoupled, abstracted and emulated by the
virtualization software, any hardware ID can be manipulated and changed to match
another virtual environment. This allows a license that is invalid for the
machine, because of the incorrect machine fingerprint, to work. By mirroring
another virtual environment, a user can “multiply” the license.
NOTE: Typically, a virtual environment will not be able to replicate its hosting
environment, as the emulated hardware ID would conflict with the real physical
hardware ID. However, a virtual machine running on one physical machine may very
well replicate another physical machine.
7. What are the recommended locking options in a virtual environment?
CID-locked licenses can thwart license abuse in a virtual environment. Parallel
CID keys are not detected by any virtual environment. Though the USB CID key is
detected by a VMware virtual machine, it is bound to that virtual machine until
it is unplugged. Either way, the licenses cannot be abused by the end user.
NOTE: Other locking methods may also be used, but they can easily be abused, so
they should be combined with custom locking. How effective that is depends on
how the vendor implements the custom locking method.
8. Are there steps to prevent abuse if emulated hardware IDs are changed to
cheat the system?
Yes. Sentinel RMS allows a custom lock implementation, which a vendor can use to
detect a virtual environment. By detecting a virtual environment, the vendor can
choose whether or not to generate a license for that virtual environment.
Vendors should implement mechanisms so that, before licenses are distributed to
end users, they know whether the machine being licensed is a virtual machine or
not. One way to do this is the following:
- Get two locking codes from the end user:
  o Locking code #1: the locking code that the license will use:
    - Ethernet MAC Address
    - Disk ID
    - IP
    - Hostname
  o Locking code #2: another locking code, produced by the custom
  implementation, that detects the presence of a virtual environment and returns
  some fixed value in that case and a random value otherwise. This locking code
  is not used in the license; it serves as a flag telling the vendor whether to
  issue the license or not.
- The custom lock implementation can be substituted with the vendor's own
virtual environment detection method, whose value is passed along with the lock
code.
The vendor then decides whether to issue the license based on the above factors.
9. To prevent revenue leakage, can a license with standard PC locking be
rendered unusable in a virtual environment?
Yes. The vendor can detect whether the application is running in a virtual
environment and refuse to issue the license.
Sentinel RMS allows registering a pre-hook event before any license request.
The vendor can register a function that denies the license if it detects a
virtual environment.
Please refer to the customization features in Appendix B of the Sentinel RMS API
Reference Guide for details of the VLSeventAddHook API.
The Internet provides a variety of ways to detect virtual environments. Please
contact SafeNet for a sample implementation for a standalone application.
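The detection-and-flag scheme of questions 8 and 9, together with the VMware manual address-range check of question 3(b), as an added example. This is not Safenet/Sentinel code and does not call the RMS custom-lock or VLSeventAddHook APIs; it only shows the decision logic a vendor would plug into them. The hypervisor OUI table and the SMBIOS vendor markers are assumptions chosen for illustration, and the caller is assumed to supply the machine's MAC addresses and system vendor string (the sample inputs at the bottom are constructed, not captured from real machines):

```python
"""Virtual-environment flag for a licensing decision (illustrative, added example).

Not Safenet/Sentinel code: the RMS custom-lock and VLSeventAddHook APIs are
not called here. The functions take the machine's MAC addresses and SMBIOS
system vendor string as plain arguments so the example runs offline.
"""
import re
import secrets

# OUI prefixes (first three bytes) that hypervisors assign to virtual NICs.
# Assumed table for illustration: 00:50:56, 00:0C:29, 00:05:69 (VMware),
# 00:03:FF (Microsoft Virtual PC), 08:00:27 (VirtualBox).
VIRTUAL_OUIS = {"005056", "000C29", "000569", "0003FF", "080027"}

# Manually configurable VMware MAC range quoted in question 3(b).
VMWARE_STATIC_RANGE = (0x005056000000, 0x0050563FFFFF)

# Substrings searched for in the SMBIOS system vendor string (assumed markers;
# on Linux the string can be read from /sys/class/dmi/id/sys_vendor).
VIRTUAL_VENDOR_MARKERS = ("vmware", "virtualbox", "virtual machine", "qemu", "xen")

# The "fixed value" of question 8: a request carrying it comes from a VM.
FIXED_VM_FLAG = "VM-DETECTED"

# Accepts aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff or bare aabbccddeeff.
_MAC_RE = re.compile(r"^" + r"[:-]?".join([r"([0-9A-Fa-f]{2})"] * 6) + r"$")


def mac_to_int(mac: str) -> int:
    """Parse a MAC address string into a 48-bit integer."""
    match = _MAC_RE.match(mac.strip())
    if not match:
        raise ValueError(f"not a MAC address: {mac!r}")
    return int("".join(match.groups()), 16)


def is_virtual_oui(mac: str) -> bool:
    """True if the MAC's OUI belongs to a known hypervisor vendor."""
    oui = f"{mac_to_int(mac) >> 24:06X}"
    return oui in VIRTUAL_OUIS


def in_vmware_static_range(mac: str) -> bool:
    """True if the MAC lies in the range VMware accepts for manual assignment."""
    low, high = VMWARE_STATIC_RANGE
    return low <= mac_to_int(mac) <= high


def detect_virtual(macs, system_vendor: str = "") -> bool:
    """Combine the vendor-string and OUI heuristics into one verdict."""
    vendor = system_vendor.lower()
    if any(marker in vendor for marker in VIRTUAL_VENDOR_MARKERS):
        return True
    return any(is_virtual_oui(mac) for mac in macs)


def custom_lock_value(macs, system_vendor: str = "") -> str:
    """Locking code #2 of question 8: fixed flag on a VM, random value otherwise.

    The random value is 16 hex characters, so it can never collide with the flag.
    """
    if detect_virtual(macs, system_vendor):
        return FIXED_VM_FLAG
    return secrets.token_hex(8)


def license_request_hook(macs, system_vendor: str = "") -> bool:
    """Pre-request decision of question 9: True allows the request, False denies it."""
    return not detect_virtual(macs, system_vendor)


if __name__ == "__main__":
    # Constructed sample inputs, not captured from real machines.
    samples = {
        "physical host": (["3c:97:0e:12:34:56"], "Dell Inc."),
        "VMware guest": (["00:0c:29:aa:bb:cc"], "VMware, Inc."),
        "cloned guest, MAC set by hand": (["00:50:56:3f:00:01"], "VMware, Inc."),
    }
    for label, (macs, vendor) in samples.items():
        print(f"{label}: lock #2={custom_lock_value(macs, vendor)} "
              f"allow={license_request_hook(macs, vendor)} "
              f"vmware-manual-range={in_vmware_static_range(macs[0])}")
```

Both heuristics are evadable by a guest whose MAC and SMBIOS strings have been edited, which is exactly why the FAQ treats locking code #2 as a flag for the vendor's issuing decision rather than as part of the license itself; a vendor would add further checks behind `detect_virtual` without changing the rest of the flow.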