SolidBond Dongle
Overview
The SolidBond dongle is a trusted device that ships a fully featured Plug & Play Launch Control server in a USB form factor.
The main advantage over a self-hosted Solidshield Launch Control server is that SolidBond dongles are self-contained and secured by a chain-of-trust design. This removes the need to manage additional servers and their security, while still allowing redundant setups.
A protected binary is safe against static analysis and, without any specific configuration, will run only if the dongle is plugged into the machine.
SolidBond dongles can serve requests to multiple hosts, acting as a local Launch Control server.
Use cases
Example use cases for the SolidBond dongle:
- Licensing: bind software to the dongle, so it runs only if the dongle is present.
- Licensing for virtual appliances: when delivering your products as a virtual machine image, it is not possible to control how many virtual instances are running. SolidBond is a secured, networked, local licensing server that can limit the number of concurrent virtual instances of your software running on a set of physical hosts, without requiring an Internet connection to a remote server.
- Confidentiality shutdown for emergency situations: useful in scenarios where the physical safety of the location where the software runs can be compromised.
Supported targets
- ELF x86-64
- ELF x86
- PE x86
- PE x86-64
- Java
Technical details
SolidBond dongles appear to the host as a standard TCP/IP server and automatically trigger all the relevant host drivers to enable TCP/IP communication. This allows SolidBond dongles to be reached by multiple computers through simple port forwarding, creating a secured licensing server. With multiple connected dongles (even on different host machines) and the client-side load-balancing SolidBond code integrated in protected binaries, setting up a redundant secured licensing service with no single point of failure is straightforward. See the Custom configuration section for an example.
Custom configuration
SolidBond accepts a JSON configuration file that overrides a few important run-time parameters.
By default, SolidBond uses hardcoded values, then looks for a file named solidbond-config.json in the working directory; this path can be overridden with the BOND_CONFIG environment variable.
An example configuration, which reflects hardcoded default values:
{
"token-servers": ["10.155.155.1:7007"],
"randomize-servers-list": false,
"connection-timeout": 300,
"connection-retries": 10
}
Property | Description |
---|---|
token-servers | An array of |
randomize-servers-list | If set to true, the list of servers will be shuffled, before starting connection attempts. This is very useful to perform client-side load-balancing, having multiple clients randomly addressing any of the available servers. |
connection-timeout | The number of milliseconds to wait before a connection attempt is abandoned as timed out. |
connection-retries | How many times the list of servers will be iterated before exiting, with exit code 127. |
As an example of a redundant configuration, consider two SolidBond dongles installed on two distinct physical machines, identified by IP addresses 192.168.1.17 and 192.168.1.18. If each machine forwards its internal 10.155.155.1:7007 to port 7007 of its own public IP address, a working solidbond-config.json file would look like this:
{
"token-servers": ["192.168.1.17:7007", "192.168.1.18:7007"],
"randomize-servers-list": true,
"connection-timeout": 500,
"connection-retries": 3
}
Run-time parameters
Environment variable | Description |
---|---|
BOND_CONFIG | Path pointing to the SolidBond config JSON file |
Error Exit codes
Exit Code | Description |
---|---|
126 | Error parsing supplied SolidBond config JSON file. |
127 | Cannot connect to any SolidBond server |
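The lookup order, parameters and exit codes documented above can be checked before a protected binary is deployed. The following Python preflight script is an added example, not Solidshield code. It assumes token-servers entries are host:port strings (as in the examples above), treats a BOND_CONFIG path that does not exist as exit code 126, and probes plain TCP reachability only; load_config, preflight and tcp_connect are hypothetical names.

```python
import json, os, random, socket

# Hardcoded defaults as listed in the page's example configuration.
DEFAULTS = {"token-servers": ["10.155.155.1:7007"], "randomize-servers-list": False,
            "connection-timeout": 300, "connection-retries": 10}
TYPES = {"token-servers": list, "randomize-servers-list": bool,
         "connection-timeout": int, "connection-retries": int}

def load_config(environ, cwd="."):
    """Return (config, code); code is 0, or 126 when the JSON file is unusable."""
    override = environ.get("BOND_CONFIG")
    path = override or os.path.join(cwd, "solidbond-config.json")
    if not os.path.isfile(path):
        # Assumption: a missing default file means "use defaults", while a
        # BOND_CONFIG path that does not exist is reported as a config error.
        return (None, 126) if override else (dict(DEFAULTS), 0)
    try:
        with open(path, encoding="utf-8") as fh:
            cfg = {**DEFAULTS, **json.load(fh)}
        for key, typ in TYPES.items():
            if type(cfg[key]) is not typ:
                raise ValueError(f"{key}: expected {typ.__name__}")
        for entry in cfg["token-servers"]:
            host, _sep, port = entry.rpartition(":")  # assumed "host:port" form
            if not host or not 0 < int(port) < 65536:
                raise ValueError(f"bad server entry {entry!r}")
    except (OSError, ValueError, TypeError, AttributeError):
        return None, 126
    return cfg, 0

def tcp_connect(host, port, timeout_s):
    """Default probe: plain TCP reachability only, not the licensing protocol."""
    try:
        socket.create_connection((host, port), timeout=timeout_s).close()
        return True
    except OSError:
        return False

def preflight(cfg, connect=tcp_connect, rng=random):
    """Return 0 if any server is reachable, else 127 once retries are exhausted."""
    servers = list(cfg["token-servers"])
    if cfg["randomize-servers-list"]:
        rng.shuffle(servers)
    for _attempt in range(cfg["connection-retries"]):  # whole-list iterations
        for entry in servers:
            host, _sep, port = entry.rpartition(":")
            if connect(host, int(port), cfg["connection-timeout"] / 1000):  # ms -> s
                return 0
    return 127

if __name__ == "__main__":
    cfg, code = load_config(os.environ)
    raise SystemExit(code or preflight(cfg))
```

Run it from the directory the protected binary will start in; its exit status follows the table above, so 126 points at the config file and 127 at port forwarding or dongle reachability.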
Dongle advanced maintenance
SolidBond dongles expose a minimal web interface that is protected by a credentials prompt. Contact the Solidshield team to obtain the credentials. The interface allows two additional administrative operations:
- changing the network setup of the associated virtual network
- performing firmware upgrades of the dongle
Network setup
Network parameters are configured by pointing the browser to http://10.155.155.1/network.
This page configures the dongle's network settings and the IP address that the DHCP server on the dongle will provide to the PC. Change these settings with care, because wrong values may interfere with the connection to the dongle.
Firmware upgrade
A firmware upgrade is performed by pointing the browser to http://10.155.155.1/firmware.
To perform a firmware upgrade, click the browse button and select the upgrade file received from Tages. The signature of the firmware is verified before the dongle proceeds with decryption, upgrade and reboot.