Enforcing Licensing in Virtual Environments
26.02.2021 Rüdiger Kügler
Virtualization is now in widespread use amongst the IT community, and ISVs need to consider the ramifications of virtual machines on software licensing. Simply defined, a virtual machine is hardware simulated on a host computer. This virtual hardware runs a complete (guest or child) operating system, while severely restricting its ability to interact with the real environment around it. All guest systems and the host share the same physical hardware, but the guest systems are not allowed immediate access to it. They see a simulated – virtual – machine, which can be saved and recovered with considerable ease.
Applications of virtualization in enterprise networks in the early 2000s typically involved resource sharing, essentially splitting a single server into separate servers, each one utilizing a fraction of the CPU, storage, and other resources. With the addition of hypervisor control software, modern-day virtualization goes well beyond resource sharing and can involve data, desktops, servers, operating systems, and network functions. Today, several types of virtual environments are in use:
- Virtual Machines on a local computer: This scenario is typically used for QA and testing purposes, as evaluation can be performed on a consistent, well-defined operating system.
- Virtual Machines on a server: This approach is geared towards ensuring high availability, as it is very easy to move an entire environment from one system to another. The environment is independent of the hardware layer, ensuring high availability despite any hardware issues.
- Virtual Machines in the cloud (AWS and Azure): With the growing popularity of Amazon Web Services (AWS) and Microsoft Azure, virtualization in a cloud environment adds even more benefits. Beyond the savings in hardware, operating costs and efficiencies, cloud virtualization is cost effective, as users only pay for what they use, and it is very easy to scale performance and the number of virtual machines on-demand.
- OS-level virtualization: Environments like Docker containers are very popular for simplifying the deployment of applications. A ready-to-use image is deployed, including all dependencies the application needs. Such environments limit access to locally available resources. In contrast to a complete virtual machine, in OS-level virtualization parts of the OS kernel are shared between the host and all containers.
While IT readily leverages the benefits of virtualization, it’s a different story for ISVs as the technology adds another layer of challenges for not only software licensing, but software protection as well. New threats appear and some existing threats are increased. Let’s look at new and increased threats and risks presented in a virtual environment:
- Copying and duplicating a license on another machine: If the licensing relies on hardware properties, which don't change during a copy or clone process, a license could be duplicated multiple times.
- Resetting licenses: If the licensing does not detect a time warp of the virtual machine, licenses can be reset to an earlier state. This is a high risk, especially if time-based or usage-based licenses are used. If re-hosting of licenses is allowed, a reset could also be used to duplicate a license. In this scenario, (1) a license gets activated on a first machine, (2) a snapshot is taken of this first machine, (3) the license gets deactivated, (4) the license gets activated on another machine, and (5) the first machine is reset to the snapshot with the activated license. Now the license is available on both machines.
- Increasing floating network licenses: If the licensing does not distinguish between different virtual machines on the same computer, two instances of a running application could be counted as one, resulting in an illegal over-usage of the licenses.
- Avoiding license locking: A strong feature of copy protection systems is the locking of the license if a crack attempt is detected. As with the threat of resetting licenses, an undetected time warp created by resetting the virtual machine to an earlier snapshot would reduce the security of the license locking mechanism.
Fortunately, there are countermeasures that ISVs can employ to control licensing and protect software in virtual environments just as on conventional hardware. With Wibu-Systems’ CodeMeter protection and licensing platform, ISVs have the tools and methods needed to safeguard IP, no matter which virtual environment configuration is in use. Software-based CmActLicenses use mechanisms that take virtualization into account. Time warps are detected, and licenses are invalidated in this case. Special fingerprinting for Microsoft Azure and AWS allows reliable and secure binding to one instance of a virtual machine. Alternatively, CmCloudContainers can be used to control licenses at the CodeMeter Cloud Server of Wibu-Systems. You can learn more about CodeMeter in Virtual Environments in a white paper, or hear from our experts directly in a prerecorded webinar, Real Licenses in Virtual Environments.
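As an added illustration (not Wibu-Systems code and not a description of how CodeMeter works internally), the sketch below shows one generic way a licensing server can catch the five-step snapshot scenario described above: every activation or deactivation advances a server-side generation counter, so a token restored from an old snapshot is recognizably stale. The class, function, license, and machine names are all hypothetical, and the scheme assumes the client checks in with the server.

```python
import hashlib
import hmac
import secrets


class LicenseServer:
    """Hypothetical activation server (assumption; not CodeMeter's protocol)."""

    def __init__(self):
        self._key = secrets.token_bytes(32)  # signs tokens; never leaves the server
        self._state = {}                     # license id -> (holder, generation)

    def _sign(self, lic, machine, gen):
        msg = f"{lic}|{machine}|{gen}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def check_in(self, token):
        sig = self._sign(token["license"], token["machine"], token["gen"])
        if not hmac.compare_digest(sig, token["sig"]):
            return "forged"
        holder, gen = self._state.get(token["license"], (None, 0))
        if token["gen"] < gen:
            return "rollback"                # client state is older than the server's
        return "valid" if holder == token["machine"] else "inactive"

    def activate(self, lic, machine):
        holder, gen = self._state.get(lic, (None, 0))
        if holder is not None:
            raise PermissionError("license is already active on another machine")
        self._state[lic] = (machine, gen + 1)  # every state change advances the counter
        return {"license": lic, "machine": machine, "gen": gen + 1,
                "sig": self._sign(lic, machine, gen + 1)}

    def deactivate(self, token):
        if self.check_in(token) != "valid":
            raise PermissionError("token is not the current activation")
        self._state[token["license"]] = (None, token["gen"] + 1)


def replay_snapshot_scenario():
    """Walk through steps (1)-(5) with constructed sample identifiers."""
    server = LicenseServer()
    token_a = server.activate("LIC-0001", "vm-a")  # (1) activate on the first machine
    snapshot = dict(token_a)                       # (2) the snapshot captures the token
    server.deactivate(token_a)                     # (3) deactivate
    token_b = server.activate("LIC-0001", "vm-b")  # (4) activate on another machine
    restored = snapshot                            # (5) first machine reset to snapshot
    return server.check_in(restored), server.check_in(token_b)
```

The restored token still carries a valid signature, so signature checking alone would accept it; it is the comparison against the server's current generation that marks it as a rollback while the second machine's activation stays valid.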
Contributor
Ruediger Kuegler
VP Sales | Security Expert
After completing his physics degree course in 1995, he was head of project management for software protection, software distribution, internet banking, and multimedia projects. In 2003, he joined Wibu-Systems and, as part of his role, contributed substantially to the development of Blurry Box technology.