VMWare image protection

Posted 2024-07-25 19:33:38, 392 characters, 9 views, 0 comments

we have an application that is packaged as a Linux VMWare image. Now we have to find a way to protect it against illegal duplication and installation. We have studied several USB dongle-based solutions, but all of them require modifications of the application at the source code level (simple instrumentation is restricted to Windows EXEs). Is there a way to protect a VMWare image from running, and to perform periodic checks?

EDIT: this application is part of a professional solution and not distributed as is. The VMWare packaging is for virtualization purposes, not for distribution. We sell complete solutions for telcos including hardware and support, in the $10k-1M price ranges. However, since the clients have access to the platforms, we have to make sure that they just can't take the images and run them elsewhere or defeat the licensing policy. So the remarks below questioning the need for protection, although perfectly valid in the general case, don't apply there.

Comments (6)

贪恋 2024-08-01 19:33:38

I know this is said every time, but it is worth repeating:

Please just don't. Sell your software at a price point that represents its worth, with a basic key-scheme if you must to keep honest people honest, and leave it at that. The pirates will always steal it, and a hardware dongle will just cause grief for your honest customers.

Besides, any scheme you build in will just be defeated by reverse engineering; if you make it a pain to use your software, you will motivate otherwise honest people to defeat it, or to search the internet for a crack. Simply make the protection less painful than searching for a crack.

Software Monkey, Jan 2009

万水千山粽是情ミ 2024-08-01 19:33:38

Encrypt the disk partitions of the image using Cryptsetup/dm_crypt and then use some machine-specific (real CPU-ID?) element for decryption at boot. But this implies rolling a new image for each customer ... but you could script that.

Although once it is booted, they could rip open the image anyway. Are you not required by GPL to redistribute anyway?

it will be tricky

[浮城] 2024-08-01 19:33:38

Also, to further expand on what Aiden said: You should take legal advice on whether you can do this without breaching either a) one of several licenses that may be present on the Linux distribution you are using or b) the licenses attached to VMWare usage.

Basically what you are trying to do is called Tivoization, and if any of the packages you are using falls under the GPL v3, you may be breaching it.

半夏半凉 2024-08-01 19:33:38

Given the size of your clients, and the scope of the services you are offering, it doesn't seem to make sense to make them jump through hoops. If they breach their contract, just negotiate it, and if you can't reach a suitable compromise, sue them.

If dongles were a silver bullet, don't you think Microsoft or Oracle would be requiring them?

For a software product with a very few large clients, support and continued development are typically crucial for the clients, and make up the bulk of the value and cost of your solution. Licensing becomes simply a minor addon.

To be honest if your product is so simple that they don't require ongoing development and support, you are unlikely to be able to charge a lot of money for licensing anyway - they'll just find a code monkey to duplicate it and keep the change.

仲春光 2024-08-01 19:33:38

About USB dongle-based solutions: each and every USB dongle that's commercially available has been cracked and there's a work-around for them. Doesn't matter what they tell you, the principle of USB dongles is flawed by design.

To make matters worse, once you've delivered your software product to a customer, it will be hacked if they consider the application valuable enough to take the time to hack it. Doesn't matter how strong it's protected, if the hacker has access to the binary contents, it will be hacked.

Also, many of your users will be honest people who will get annoyed by all this security stuff. If you choose a solution that's extremely strong, you're actually inviting people not to use your software in its proper, legal ways.

As noted before, be aware that you have to act in conformance with the Linux licenses. Actually, you could be forced to provide the source code for your application as open source unless you can prove that you've worked according to the license.

However, there is a reasonably easy way to do periodic checks. Use CRON to start a call-home application at least once per day. It would call a web service on your webhost providing additional information about its setup. As a response, your service tells it if it's still legal or not. If it's legal, no problem. If this check fails, just let the application report a message. If the call-home fails five times in a row or tells it it's an illegal version, then it's time to annoy the user. (But without breaking the usability of your application, else users become really unhappy.)
Now, the stuff that you want to protect might just continue to run without any changes. Or you alter it to check if the call-home application has tried to make contact already. If the user has disabled this process or tampered with it some other way, you could then block your applications too.

Or, to use the simplest option: create a special administrator account with almost full access rights. Don't let your clients run as Root.
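The daily call-home check described in this answer, as an added example that is not part of the original answer: `run_check` is what the cron job runs once a day, counting consecutive failures and only escalating to "annoy" after five in a row or an explicit "illegal" verdict, and `app_mode` is what the protected application consults at start-up to detect that the call-home was disabled or tampered with. The state-file path, the two-day silence threshold and the `query_service` callback are assumptions; the service itself is left to the caller.

```python
import hashlib
import json
import time
from pathlib import Path
from typing import Callable, Optional

MAX_FAILURES = 5                                   # "five times in a row" from the answer
MAX_SILENCE = 2 * 86400                            # assumed: nag if no attempt for 2 days
STATE_FILE = Path("/var/lib/callhome/state.json")  # hypothetical path written by the cron job

def fingerprint(machine_id: str, cpu_model: str, mac: str) -> str:
    """Non-reversible summary of machine-specific values sent to the licence service."""
    return hashlib.sha256(f"{machine_id}|{cpu_model}|{mac}".encode()).hexdigest()

def run_check(state: dict, fp: str, query_service: Callable[[str], str],
              now: Optional[float] = None) -> dict:
    """One cron run. query_service(fp) returns 'legal' or 'illegal', or raises on a
    network failure. Returns the updated state; the caller persists it with save_state."""
    now = time.time() if now is None else now
    state = dict(state, last_attempt=now)
    try:
        verdict = query_service(fp)
    except Exception:                      # service unreachable: count, don't punish yet
        state["failures"] = state.get("failures", 0) + 1
        state["status"] = "annoy" if state["failures"] >= MAX_FAILURES else "warn"
        return state
    state["failures"] = 0                  # any answer resets the consecutive-failure count
    state["status"] = "ok" if verdict == "legal" else "annoy"
    return state

def app_mode(state: dict, now: Optional[float] = None) -> str:
    """What the protected application does at start-up: 'run' normally, 'warn' via a
    log line, or 'nag' the user. It never refuses to run (the answer's usability rule)."""
    now = time.time() if now is None else now
    if not state or now - state.get("last_attempt", 0) > MAX_SILENCE:
        return "nag"                       # call-home never ran, was disabled or removed
    return {"ok": "run", "warn": "warn", "annoy": "nag"}[state["status"]]

def load_state(path: Path = STATE_FILE) -> dict:
    try:
        return json.loads(path.read_text())
    except (OSError, ValueError):          # first run or tampered file: treat as empty
        return {}

def save_state(state: dict, path: Path = STATE_FILE) -> None:
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(json.dumps(state))
```

A cron entry would run `save_state(run_check(load_state(), fingerprint(...), query_service))` once a day, and the application would branch on `app_mode(load_state())`.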

掀纱窥君容 2024-08-01 19:33:38

Have you tried VMWare ACE?

http://www.vmware.com/products/ace/features.html

It seems to solve your needs.
