Hi all,

we have an application that is packaged as a Linux VMWare image. Now we have to find a way to protect it against illegal duplication and installation. We have studied several USB dongle-based solutions, but all of them require modifications of the application at the source code level (simple instrumentation is restricted to Windows EXEs). Is there a way to protect a VMWare image from running, and to perform periodic checks?

EDIT: this application is part of a professional solution and not distributed as is. The VMWare packaging is for virtualization purposes, not for distribution. We sell complete solutions for telcos including hardware and support, in the $10k-1M price ranges. However, since the clients have access to the platforms, we have to make sure that they just can't take the images and run them elsewhere or defeat the licensing policy. So the remarks below questioning the need for protection, although perfectly valid in the general case, don't apply there.

+1  A: 

Encrypt the disk partitions of the image using cryptsetup/dm-crypt and then use some machine-specific (real CPU-ID?) element for decryption at boot. But this implies rolling a new image for each customer ... but you could script that.

Although once it is booted, they could rip open the image anyway. Are you not required by GPL to redistribute anyway?

It will be tricky.

Aiden Bell
The part about ripping the image is a good point. However here the image is a self-bootable, closed system, and maintenance is done by the support teams.
fbonnet
The Processor Serial Number in CPU-ID is not always returned. I think it may have been deprecated actually in modern CPUs, for privacy reasons. You could use the MAC address of the NIC; but that could also be changed. I believe WGA and the like use a combination of MAC, HD serial nos and other things to uniquely identify machines.
Colin Pickard
Still, once the image is live and the data is unencrypted... nothing stopping you rsyncing from vm to external source.
Aiden Bell
There's nothing that can't or won't be broken. After CSS, a vast amount of energy was put into AACS - which was broken almost immediately. If AACS couldn't be made to work (and EA can't protect their games) there is no way a small independent developer can hope to make it work.
Colin Pickard
I agree ...
Aiden Bell
+9  A: 

I know this is said every time, but it is worth repeating:

Please just don't. Sell your software at a price point that represents its worth, with a basic key-scheme if you must to keep honest people honest, and leave it at that. The pirates will always steal it, and a hardware dongle will just cause grief for your honest customers.

Besides, any scheme you build in will just be defeated by reverse engineering; if you make it a pain to use your software, you will motivate otherwise honest people to defeat it, or to search the internet for a crack. Simply make the protection less painful than searching for a crack.

Software Monkey, Jan 2009

Colin Pickard
+1, great answer!
Aiden Bell
I like the part about selling your software for what it's worth. Not a lot of companies do that today.
Geo
Good answer in the general case, but not here - see my edits.
fbonnet
A: 

Also, to further expand on what Aiden said: You should take legal advice on whether you can do this without breaching either a) one of several licenses that may be present on the Linux distribution you are using or b) the licenses attached to VMWare usage.

Basically what you are trying to do is called Tivoization, and if any of the packages you are using falls under the GPL v3, you may be breaching it.

Colin Pickard
AFAIK this is not the case. We're not selling the software but the complete solution and related services, and provide complete support.
fbonnet
Whether it is part of a larger product or not, you are distributing the software. The GPL in particular has few restrictions on use, but certain restrictions you must follow if you distribute it.
Colin Pickard
A: 

Given the size of your clients, and the scope of the services you are offering, it doesn't seem to make sense to make them jump through hoops. If they breach their contract, just negotiate it, and if you can't reach a suitable compromise, sue them.

If dongles were a silver bullet, don't you think Microsoft or Oracle would be requiring them?

For a software product with a very few large clients, support and continued development are typically crucial for the clients, and make up the bulk of the value and cost of your solution. Licensing becomes simply a minor addon.

To be honest if your product is so simple that they don't require ongoing development and support, you are unlikely to be able to charge a lot of money for licensing anyway - they'll just find a code monkey to duplicate it and keep the change.

Colin Pickard
3 answers! Going for a record :P
Aiden Bell
lol.
Colin Pickard
A: 

About USB dongle-based solutions: each and every USB dongle that's commercially available has been cracked and there's a work-around for them. Doesn't matter what they tell you, the principle of USB dongles is flawed by design.

To make matters worse, once you've delivered your software product to a customer, it will be hacked if they consider the application valuable enough to take the time to hack it. Doesn't matter how strongly it's protected, if the hacker has access to the binary contents, it will be hacked.

Also, many of your users will be honest people who will get annoyed by all this security stuff. If you choose a solution that's extremely strong, you're actually inviting people not to use your software in its proper, legal ways.

As noted before, be aware that you have to act in conformance with the Linux licenses. Actually, you could be forced to provide the source code for your application as open-source unless you can prove that you've worked according to the license.

However, there is a reasonably easy way to do periodic checks. Use CRON to start a call-home application at least once per day. It would call a web service on your webhost providing additional information about its setup. As a response, your service tells it if it's still legal or not. If it's legal, no problem. If this check failed, just let the application report a message. If the call-home failed five times in a row or the service tells it that it's an illegal version, then it's time to annoy the user. (But without breaking the usability of your application, else users become real unhappy.) Now, the stuff that you want to protect might just continue to run without any changes. Or you alter them to check if the call-home application has tried to make contact already. If the user has disabled this process or tampered with it some other way, you could then block your applications too.

Or, to use the simplest option: create a special administrator account with almost full access rights. Don't let your clients run as Root.

Workshop Alex
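
The call-home policy described in the answer above, written out as a small state machine (an added example, not code from the answer or from any licensing product). The `send` callable stands in for the HTTPS call to the vendor's web service, and the two-day `MAX_SILENCE` threshold and the JSON state file are assumptions made for illustration.

```python
import json, os, tempfile
from dataclasses import dataclass, asdict

MAX_FAILURES = 5         # "five times in a row", from the answer
MAX_SILENCE = 2 * 86400  # assumption: more than 2 days without a run counts as disabled

@dataclass
class State:
    failures: int = 0      # consecutive runs that got no answer from the service
    last_run: float = 0.0  # time of the last attempt, read by the application
    verdict: str = "ok"    # "ok", "warn" (report a message) or "nag"

def load(path):
    try:
        with open(path) as f:
            return State(**json.load(f))
    except (OSError, ValueError, TypeError):
        return State()  # missing or damaged file: last_run=0 then looks stale

def save(path, state):
    # Write to a temp file and rename, so a crash never leaves a half-written state.
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".")
    with os.fdopen(fd, "w") as f:
        json.dump(asdict(state), f)
    os.replace(tmp, path)

def call_home(state, send, setup, now):
    """One cron run. send(setup) returns True (legal) or False (illegal),
    and raises OSError when the service cannot be reached."""
    state.last_run = now
    try:
        legal = send(setup)
    except OSError:
        state.failures += 1
        state.verdict = "nag" if state.failures >= MAX_FAILURES else "warn"
        return state
    state.failures = 0
    state.verdict = "ok" if legal else "nag"
    return state

def app_may_run(state, now):
    """Application-side check: refuse only when the call-home job stopped running."""
    return now - state.last_run <= MAX_SILENCE
```

An unreachable service only ever degrades to a nag, so a customer network outage never stops the product; the application blocks solely when the state file shows the cron job has not run at all.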
A: 

Have you tried VMWare ACE?

http://www.vmware.com/products/ace/features.html

It seems to solve your needs.

BrainSCAN