Mac Advanced Protection Parameters
The table below lists and explains the advanced protection parameters available in Sentinel LDK Envelope. Default values are provided where relevant.
| Parameter Name | Description | Default |
|---|---|---|
| LOCKING_TYPE | Determines the type of Sentinel protection key to which the software can be locked. HL represents hardware keys. SL represents SL-AdminMode keys. | HL or SL-AdminMode |
| BACKGROUND_CHECK_AUTO_RELOGIN | If the Sentinel protection key periodic background check fails to detect a Sentinel protection key, the program attempts to log in to the key a second time before the user is informed that the key is missing. | True |
| MESSAGE_OUTPUT_MODE | Enables you to select how run-time user messages are provided. The following options are available: 1 (windows) displays messages in a message box; 2 (eventlog) includes events related to running the protected program in the Windows Administration Tools Event Viewer utility; 4 (stderr) displays messages to a user running Sentinel LDK Envelope from a command line. | 1 (windows) |
| DYLIB_INIT_HASP_ERROR | Enables you to define the behavior when an error occurs and a dylib plug-in fails to initiate. | Exit process |
| DYLIB_INIT_RETURN_VALUE | Enables you to define the value to be returned when a dylib plug-in initiates. (Only enabled when the value of DYLIB_INIT_HASP_ERROR is set to Return value.) | |
| DUMP_PROTECT_VALUE | When the code size exceeds a certain size, the code is broken down at run-time and decrypted in the specified number of blocks. If 0 is specified, dump protection is disabled. If 1 is specified, all code is decrypted in one block. Higher values provide better protection, but result in a slower decryption process. Values greater than 15 significantly increase the decryption time without improving security. If Envelope determines that you have assigned a value that is greater than appropriate (depending on the size of the code), it will automatically reduce the value as required. | The maximum possible for all architectures inside the universal binary, up to a value of 14. |
| TIGER_COMPATIBILITY | Whether Envelope should remove the 64-bit versions inside the universal binary so that the binary will be compatible with the OS X 10.4.x (“Tiger”) operating system. True: Envelope removes the 64-bit versions inside the universal binary. False: Envelope does not remove the 64-bit versions inside the universal binary. However, a warning is written to the Envelope log that the application is not compatible with the Tiger operating system. | False |
| THREAD_METHOD | In a multi-threaded application, if the Sentinel protection key periodic background check fails to detect a Sentinel protection key, all threads are (by default) suspended. When the key is detected again, the suspended threads are resumed. This parameter specifies which threads are suspended. Possible values are: MACHOLDR_THREAD_ALL: All threads are suspended. MACHOLDR_THREAD_MAIN: Only the main thread is suspended. MACHOLDR_THREAD_NONE: No threads are suspended. Warning: In certain situations, suspending only the main thread can cause damage to data or hardware. For example, when burning DVD media, suspending only the main thread can destroy the media. | MACHOLDR_THREAD_ALL |
| CHECK_KERNEL_DEBUGGER | It is possible to pass startup options to the kernel via NVRAM (non-volatile RAM). These flags can be set with a command-line utility from Terminal (this requires admin privileges). Typically, these flags are intended for developers who work on kernel extensions, to enable some kernel-level debugging features. As a side effect, some protection techniques (like dump protection) can be easily bypassed when some of these kernel debugging features are enabled. CHECK_KERNEL_DEBUGGER examines the currently active kernel flags and compares them with the bit-mask created from the values of the flags that follow this parameter. If a match is found, the process is terminated to ensure that an attacker cannot analyze the protected application. Usually the default settings assigned by Envelope are appropriate. However, in some instances, it might make sense to fine-tune or even disable this check (for example, for developer machines that work on kernel extensions that are part of the vendor software). The descriptions of the kernel flags listed are beyond the scope of this help system. | All kernel flags are set to True except for the following: MACHOLDR_DB_HALT, MACHOLDR_DB_KDP_BPDIS |
| OBJECTIVEC_OBFUSCATION | In some applications, program code may be executed by external calls to Objective-C objects before the entry point has been executed. At that point the code is not yet decrypted, and the program crashes. If OBJECTIVE-C OBFUSCATION is enabled, all information about the Objective-C code implemented in the application is hidden from the operating system. Therefore these external calls do not occur, as the application looks like it was not developed in Objective-C. All the Objective-C related information is registered with the operating system during the Envelope runtime after decryption. If the protected application crashes during startup, try enabling OBJECTIVE-C OBFUSCATION. This option also offers some additional level of obfuscation, as static analysis will not show any Objective-C information. In some instances, this feature is not compatible with the application. Therefore OBJECTIVE-C OBFUSCATION is disabled by default. | False |
| | If selected: Envelope displays a field that you can use to specify XML parameters for a custom login scope. The protected program will only search for a Sentinel protection key according to the custom login scope that you specify. For information on the syntax for login scope parameters, see the topic "Scope Input XML Tags" in Sentinel Licensing API Reference. You can also paste a login scope that was created using Sentinel LDK ToolBox in this field. | |
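
The flag-versus-mask comparison described for CHECK_KERNEL_DEBUGGER can be sketched as follows; this is an added example, not Envelope's code. The `DB_*` bit values are taken from XNU's `osfmk/kern/debug.h`; their correspondence to the `MACHOLDR_DB_*` names, the function names, the mask and the sample boot-args string are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Debug-flag bits from XNU's osfmk/kern/debug.h (subset). */
#define DB_HALT       0x01u
#define DB_NMI        0x04u
#define DB_KDB        0x10u
#define DB_ARP        0x40u
#define DB_KDP_BP_DIS 0x80u
/* Assumed mask: every bit above except DB_HALT and DB_KDP_BP_DIS. */
#define DEFAULT_MASK (DB_NMI | DB_KDB | DB_ARP)

/* Finds the debug= token. Returns 1 and stores its value, 0 if the
 * token is absent, -1 if it is present but not a valid number. */
static int parse_debug_flags(const char *bootargs, uint32_t *flags) {
    const char *p = bootargs;
    *flags = 0;
    while (*p) {
        p += strspn(p, " \t");              /* skip separators */
        size_t len = strcspn(p, " \t");     /* length of this token */
        if (len >= 6 && strncmp(p, "debug=", 6) == 0) {
            char *end;
            if (p[6] < '0' || p[6] > '9') return -1;
            unsigned long v = strtoul(p + 6, &end, 0); /* hex, octal, decimal */
            if (end != p + len || v > 0xFFFFFFFFul) return -1;
            *flags = (uint32_t)v;
            return 1;
        }
        p += len;
    }
    return 0;
}

/* 1 = a masked flag is active (a malformed debug= value also counts:
 * fail closed), 0 = no masked flag is set. */
static int kernel_debug_match(const char *bootargs, uint32_t mask) {
    uint32_t flags;
    int rc = parse_debug_flags(bootargs, &flags);
    return rc < 0 || (rc == 1 && (flags & mask) != 0);
}

int main(void) {
    /* Constructed sample; on macOS the string comes from the kern.bootargs sysctl. */
    printf("match=%d\n", kernel_debug_match("-v keepsyms=1 debug=0x144", DEFAULT_MASK));
    return 0;
}
```

Clearing a bit in the mask is what setting one of the listed flags to False amounts to in this sketch: `debug=0x81` sets only the two excluded bits and does not match.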