spoofing hostids

For many years, Sun has provided hardware with a unique hostid. I never used a Sun-1, but I wouldn't be surprised if it had a unique hostid. The hostid is traditionally used by software vendors as a unique identifier for software license enforcement. For example, a software license key could be provided to a paying customer which would be a hash which could be compared to the hostid. Thus, the software company could believe that the software was only operational on the host which had the proper hostid.
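A sketch of the kind of hostid-bound license key described above, added here as an illustration and not taken from the original post or from any vendor's product. The keyed hash (HMAC-SHA-256), the key length, the secret, the product name and the hostid values are all assumptions constructed for the example.

```python
import hashlib
import hmac

# Constructed sample values; not taken from any real product or host.
# Assumption: a shipped verifier would have to embed this secret (or verify a
# signature instead); the sketch keeps vendor and customer side in one file.
VENDOR_SECRET = b"constructed-demo-secret"
PRODUCT = "demo-product-1.0"


def normalize_hostid(hostid: str) -> str:
    """Canonicalize a hostid to 8 lowercase hex digits (a 32-bit value)."""
    value = int(hostid, 16)  # accepts "80a1b2c3" and "0x80A1B2C3"
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("hostid must fit in 32 bits")
    return f"{value:08x}"


def issue_license(hostid: str, product: str = PRODUCT) -> str:
    """Vendor side: derive a license key from the hostid the customer reports."""
    msg = f"{product}:{normalize_hostid(hostid)}".encode()
    return hmac.new(VENDOR_SECRET, msg, hashlib.sha256).hexdigest()[:20]


def check_license(key: str, read_hostid, product: str = PRODUCT) -> bool:
    """Customer side: recompute the key from whatever read_hostid() returns.

    read_hostid is a hypothetical callable standing in for the platform's
    hostid query. The check cannot tell where that value really came from,
    which is the trust assumption the whole scheme rests on.
    """
    try:
        expected = issue_license(read_hostid(), product)
    except ValueError:
        return False  # unreadable or malformed hostid: refuse to run
    # Constant-time comparison of the recomputed key and the supplied key.
    return hmac.compare_digest(expected.encode(), key.strip().lower().encode())


if __name__ == "__main__":
    key = issue_license("80a1b2c3")  # constructed hostid of the licensed host
    print(check_license(key, lambda: "0x80A1B2C3"))  # licensed host
    print(check_license(key, lambda: "80a1b2c4"))    # some other host
```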

Back in the days of SunOS 3 and 4, it was common for people to recompile the kernel. It didn't take long before people began compiling their own system calls which returned the hostid. The sources were readily available on the various ftp sites and newsgroups of the time (this was before HTTP was invented). Others found that the Sun workstation hostid was partially read from a nonvolatile memory which could be easily hacked via the firmware interface, and later OpenBoot. But the cleverest implementations were done in the kernel and did things like look at an environment variable for the hostid.

When SunOS 5 (part of Solaris 2) came along, compiling the kernel wasn't required or recommended. This led to a number of new ways to spoof the hostid using dynamically loadable libraries and other techniques.

Now with Solaris 10 we have an awesome tool called DTrace. Amongst the many useful things you can do with DTrace is spoof the hostid. I'll leave the details as an exercise for the truly bored, but suffice to say it takes about 6 lines of D code, more if you want to be more clever. Although the Sun execs have said that Solaris source will be available RSN, you don't need to recompile the kernel to spoof the hostid.

My advice to software vendors has remained unchanged since I started buying software back in the mid 70's: trust your customer. There is no real way to enforce licenses by supposedly unique keys on hardware. Get over it. Laser holes in floppy disks didn't work. Little serial port dongles didn't work. hostids certainly didn't work. Make all of our lives easier, and come up with a good way to win customers with your value and trust them.
