2

How do software companies ensure that their product or app can only run in a given number of bare-metal or VM instances? I'm curious about the cryptography behind the scenes. What prevents a user from cloning the application indefinitely in a cloud environment?

In a virtualized environment, since the application could move around datacenters (with VM migration), binding the license to attributes like the IP or MAC could invalidate the license, which isn't the right behavior either.

7
  • In person audits. The license agreement allows someone from the developer's company to come in and make sure the license agreement is not being violated. Commented Jul 6, 2016 at 18:39
  • Is this the state of the art? Seems not so scalable..
    – DaTaBomB
    Commented Jul 6, 2016 at 18:41
  • 1
    Sometimes they bind to a combination of factors (i.e. IP + MAC Address or other unique combo). Tenable does this for their Nessus scanners to prevent your exact question.
    – HashHazard
    Commented Jul 6, 2016 at 19:06
  • Thanks for your comment, I have edited the question to be more specific about the problem in virtualized environments.
    – DaTaBomB
    Commented Jul 6, 2016 at 19:19
  • 2
    @DaTaBomB hardware dongles used to be a thing back in the past. Nowadays, for enterprise, audits are more common; for home users there isn't much, because at the end of the day any DRM will get cracked, so the company may end up losing less money due to piracy than spending it on even more complex DRM. Piracy should just be considered as the cost of doing business IMO. Commented Jul 7, 2016 at 13:32

2 Answers

4
+50

One system I've seen is to use dynamic license codes.

Each time the software is run, it connects back to the vendor's server. It submits the current license code, and is issued a new one. The old license code is invalidated. If the VM is cloned, then only one clone will have the new license code.

Drawbacks with this system:

  • Internet access is required to run the software.
  • Legitimate users can lose the license code, for example, if they use System Restore.
  • It is still vulnerable to cracking - someone modifying the application code to tamper with license checks.

In the example I saw, the need for Internet access and vulnerability to cracking were considered acceptable. However, the System Restore issue was not, and led to them stopping using this approach.
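The code rotation described in the answer above, as an added sketch that is not part of the original answer or any vendor's implementation: the server keeps one valid code per license and swaps it on every start, so a clone holding the old code is refused. The names `LicenseServer`, `Instance` and the license ID `LIC-0001` are hypothetical, and the network exchange is reduced to a method call.

```python
import hmac
import secrets


class LicenseServer:
    """Vendor-side state: exactly one valid code per license at any time."""

    def __init__(self):
        self._current = {}   # license_id -> currently valid code
        self.rejected = []   # (license_id, stale code) pairs, for audit/alerting

    def issue(self, license_id):
        """Create (or rotate to) a fresh random code for a license."""
        code = secrets.token_hex(16)
        self._current[license_id] = code
        return code

    def check_in(self, license_id, presented):
        """Exchange the presented code for a fresh one, or return None."""
        expected = self._current.get(license_id)
        if expected is None or not hmac.compare_digest(expected, presented):
            self.rejected.append((license_id, presented))
            return None
        return self.issue(license_id)  # rotating invalidates the old code


class Instance:
    """One installation (VM); its stored code is copied when the VM is cloned."""

    def __init__(self, license_id, code):
        self.license_id, self.code = license_id, code

    def clone(self):
        return Instance(self.license_id, self.code)

    def start(self, server):
        new_code = server.check_in(self.license_id, self.code)
        if new_code is None:
            return False          # refuse to run: code is stale or unknown
        self.code = new_code      # must be persisted before the app proceeds
        return True


def demo():
    server = LicenseServer()
    vm = Instance("LIC-0001", server.issue("LIC-0001"))  # constructed sample ID
    snapshot = vm.clone()          # copy taken before the next start
    results = [vm.start(server), snapshot.start(server), vm.start(server)]
    return results, len(server.rejected)
```

The server cannot tell `snapshot` apart from a legitimate installation rolled back by System Restore: both present a code that has already been rotated, which is the drawback the answer describes.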

3

How do software companies ensure that their product or app can only run in a given number of bare-metal or VM instances?

They don't!

Software companies start with some half-a**ed technologies that are incomplete solutions. These are then watered down so they don't break the user model too badly. In the end, the only thing that software licensing does is discourage honest users from cheating. Simply search for the string cracked <your-favorite-application> and see all of the hits. (Note that cracked software is a notorious source of malware and illegal in most jurisdictions.)

The root of the problem is that the software is run on hardware not controlled by the software vendor. As such, anything can be cracked given enough time. The only solution that works reasonably well is to keep all or part of the application on hardware owned by the software vendor. This is one of the reasons why the cloud is so attractive to software vendors.

5
  • "cracked software is a notorious source of malware" [citation needed] Commented Jul 11, 2016 at 16:13
  • Updated @AlexanderO'Mara Commented Jul 11, 2016 at 16:18
  • Yeah, that's the best I can find too, but it's very anecdotal, kind-of old, and unclear if it really refers to true cracked-software with malware, or straight-up fake downloads. Commented Jul 11, 2016 at 16:21
  • @AlexanderO'Mara - Without disagreeing with your comment, I'm not sure it really affects the answer. The warning about cracked software was just added to stop future readers from blindly infecting themselves. Perhaps you want to ask a new question about real statistics concerning malware and cracked software? That might be interesting... Commented Jul 11, 2016 at 16:27
  • Yep, the answer is otherwise fine and gets and has my vote. I couldn't find a duplicate, so I posted a question on this topic. Commented Jul 11, 2016 at 17:03
