WHITEPAPER Virtualization and FLEXnet Publisher for trusted storage and certificate-based licenses


TABLE OF CONTENTS

Introduction
Types of Virtualization Technologies
Virtual Machines
Application Virtualization/Application Isolation
Terminal Services
Remote Control
Summary of Alternatives
Compliance Protection and Virtual Machines
Trusted, Storage-based Licenses
Certificate-based Licenses
Compliance Protection and Application Isolation
Licensed Applications
Limiting Application Instances
Unix Vendor Daemons
Windows Vendor Daemons
Compliance Protection and Terminal Services
Uncounted, Trusted, Storage-based and Certificate-based Licenses on Windows
Uncounted, Trusted, Storage-based and Certificate-based Licenses on Unix
Counted, Trusted, Storage- and Certificate-based Licenses
Anti-piracy Protection
Anti-piracy Protection and Virtual Machines
Trusted, Storage-based Licenses
Certificate-based Licenses
Anti-piracy Protection and Application Isolation
Anti-piracy Protection and Terminal Services
APPENDIX A: How an Application Can Detect if It Is Running on a Virtual Machine
VMware
Virtual PC/Virtual Server
Xen
Solaris 10+ Zones
AIX 5.3+ LPARS
HP-UX 11I+ VPARS
APPENDIX B: How to Access Non-built-in Per-virtual Machine Identifiers
APPENDIX C: Ethernet MAC Addresses Used by Virtual Machines


Introduction

Nearly every software licensing model eventually requires either one license or a pool of licenses to be bound to a particular machine. To what machine identifier should these licenses be bound to ensure that they cannot be used on another machine?

While this question needed to be answered over the years for physical machines, some virtualization technologies are making it harder for software publishers to enforce their license agreements. This document details how Macrovision Global Services or a publisher can resist these vulnerabilities using current Macrovision products.

Types of Virtualization Technologies

The most commonly known virtualization technology is virtual machine technology. However, there are other types. Here is an inventory of those types, the vendors who supply the technology, and a summary of the software licensing issues:

| Virtualization Technology | Vendor(s) | Software Licensing Issue? |
|---|---|---|
| Virtual Machines | x86: MS VirtualPC/Server, VMware, Xen; Sun: Solaris Zones; IBM pSeries: LPARs; HP: VPARs | Affects licensing |
| Application Virtualization / Application Isolation | Windows: MS/Softricity, Citrix, Altiris; UNIX: chroot sandbox | Affects licensing |
| Terminal Services | Windows: MS Remote Desktop, Citrix; UNIX: Tarantella | Affects licensing |
| Remote Control | Windows: GoToMyPC, PC Anywhere, VNC | No effect on licensing |

Virtual Machines

With virtual machine technologies, each operating system instance on a physical machine is made to “believe” it’s the only operating system running on that physical machine. These technologies do this by virtualizing the machine’s hardware components, one virtual machine instance per operating system instance.

Application Virtualization/Application Isolation

With application isolation technologies, each application instance running on an operating system instance is made to “believe” it’s the only application instance running on that operating system instance. These technologies do this by virtualizing the operating system’s file system (and registry on Windows), one virtual file system (and registry) instance per application instance. Some application isolation technologies also isolate the operating system’s global namespace, so objects like semaphores are not shared between application instances. All other operating system services are shared between isolated and non-isolated application instances.

Terminal Services

With terminal services, one terminal server machine supports multiple user sessions. Each user session encapsulates the desktop environment of one remotely logged in user. Each user is made to believe he or she is the only user on that machine.

Remote Control (a.k.a. KVM over IP)

Only one person can control the host computer at any given time. The keyboard and mouse connected to the host computer and to each of the guest computers can be active simultaneously and thus compete to be the source of input. Keystroke and mouse events from these different input sources can be interleaved. Also, the video of each computer displays the same single desktop. Therefore, these solutions are not intended for multiple guest computers to share the resources of the host computer at the same time.

Remote control solutions do not represent a security vulnerability to license management systems. The ability to remotely control a host computer does not enable a dishonest user to run more instances of licensed software than he could already run if he were using the KVM attached to the host computer. Therefore, this document will not further discuss remote control technologies.

For the virtualization technologies that do affect software licensing, the remainder of the document will describe their effects and describe the alternatives available to the publisher.

Summary of Alternatives

This table summarizes the various alternatives available to the publisher. The remainder of the document provides the details for each alternative described in this summary.

Compliance Protection

Some publishers use software license enforcement to ensure that the customer remains in compliance with the terms of the publisher’s license agreement, without audits or other manual techniques.

These publishers generally assume that most of their customers are honest; however, they still need to ensure that virtualization technologies will not accidentally cause their customers to be out of compliance.

Compliance Protection and Virtual Machines

If the publisher already binds each of its licenses to at least one identifier which is unique per virtual machine, then its customers will remain in compliance even if they run the licensed application or license server on multiple virtual machines (on the same physical machine).

Trusted Storage-based Licenses

For trusted storage-based licenses, Macrovision’s FLEXnet® Publisher binds each trusted storage (and thus each license in a trusted storage) to multiple machine identifiers, some of which are per virtual machine. Therefore, customers using trusted storage-based licenses can remain in compliance.

Certificate-based Licenses

For certificate-based licenses, the publisher chooses one identifier per node-locked license or per set of counted licenses (or multiple identifiers in the case of a COMPOSITE hostid). Therefore, the publisher should choose wisely to prevent accidental overuse by its customers.

Table 1 below lists the per-virtual machine built-in hostids for each operating system that can run on a virtual machine.

Summary of Alternatives table, by virtual technology:

Virtual Machines

For Compliance Protection:

• For certificate-based licenses: ensure that the hostid for each node-locked license and each set of counted licenses contains at least one per-virtual machine identifier

For Anti-Piracy Protection:

• For node-locked trusted storage-based licenses: add to an authenticated license field a hostid that accesses a per-virtual machine identifier that cannot be easily duplicated across multiple virtual machines

• For trusted storage-based licenses: (a) refuse to checkout licenses if application detects it is running on a virtual machine, or (b) refuse to checkout or serve licenses if the application or vendor daemon, respectively, detects it is running on a virtual machine

• For certificate-based licenses: (a) bind a node-locked license or a set of counted licenses to a FLEXid 9 USB key, (b) implement a vendor-defined hostid that accesses a per-virtual machine identifier that cannot be easily duplicated across multiple virtual machines, or (c) refuse to checkout or serve licenses if the application or vendor daemon, respectively, detects it is running on a virtual machine, or (d) refuse to generate a license for a range of Ethernet MAC addresses that has been assigned to virtual machines

• For Xen virtual machines: refuse to generate a license for a range of Ethernet MAC addresses that has been assigned to virtual machines

Application Isolation

For Compliance Protection:

• For uncounted licenses, if applicable, work with Application Isolation vendor to enforce one application instance per machine

For Anti-Piracy Protection:

• Same actions as for Compliance Protection

• For uncounted licenses, if applicable, work with Application Isolation vendor to enforce one application instance per machine

Terminal Services

For Compliance Protection:

• For uncounted licenses on UNIX: ensure that only one instance of the licensed application is running at any one time

• For counted licenses: ensure that the DUP_GROUP setting for each license, if any, does not contain DUP_DISPLAY

For Anti-Piracy Protection:

• Same actions as for Compliance Protection

• For uncounted licenses on UNIX: ensure that only one instance of the licensed application is running at any one time

• For counted licenses: ensure that the DUP_GROUP setting for each license, if any, does not contain DUP_DISPLAY

Remote Control

For Compliance Protection:

• No action necessary

For Anti-Piracy Protection:

• No action necessary


A customer using certificate-based licenses where each node-locked license or set of counted licenses is bound to at least one of these built-in hostids will remain in compliance.

| Per-Virtual Machine Built-in Hostid | Platforms |
|---|---|
| HOSTID_ETHER | Windows, Linux, Solaris, Mac OS X |
| HOSTID_DISK_SERIAL_NUM | Windows |
| HOSTID_INTERNET | All |
| HOSTID_HOSTNAME | All |
| HOSTID_FLEXID9 | Windows [1], Linux, Mac OS X [1] |

Table 1: Per Virtual Machine Built-in Hostids

Table 2 is a list of the per-physical machine built-in hostids for each operating system that can run on a virtual machine. This list also includes those built-in hostids which, while not per-physical machine, are not otherwise distinguishable per virtual machine, such as HOSTID_ANY.

A customer using certificate-based licenses where each node-locked license or set of counted licenses is bound to only hostids from Table 2 cannot be guaranteed to remain in compliance. The publisher must choose to bind each node-locked license or set of counted licenses to at least one of the built-in hostids in Table 1 above.

| Per-Physical Machine Built-in Hostid | Platforms |
|---|---|
| HOSTID_LONG | AIX, HP-UX, Solaris |
| HOSTID_FLEXID6, HOSTID_FLEXID7, HOSTID_FLEXID8 | Windows |
| HOSTID_ANY | All |
| HOSTID_DEMO | All |
| HOSTID_ID_STRING | All |
| HOSTID_DISPLAY | All |
| HOSTID_USER | All |

Table 2: Per-Physical Machine Built-in Hostids

Compliance Protection and Application Isolation

Application isolation technologies do not affect the license compliance enforced by either a licensed application or license server for either trusted storage-based or certificate-based licenses.

Licensed Applications

There are no FLEXnet Publisher security vulnerabilities introduced by running licensed applications in an application isolation environment, regardless of whether the licensed application is checking out a trusted storage-based license or a certificate-based license.

[1] As of this writing, applications running in VirtualPC 2004 SP1 cannot access the USB port of the physical machine.

Depending upon how the file system isolation is done, application isolation might make it hard to deploy trusted storage-based and node-locked certificate-based licenses. However, any deployment issues do not compromise the license management enforcement.

Limiting Application Instances

Some publishers, as part of their licensing policy, will issue node-locked licenses for their applications, but never allow more than one instance of each application to run on a single machine. They prevent multiple instances by using either a lock-file or semaphore/mutex. Since all application isolation technologies give each application instance its own file system and some give each application instance its own semaphore namespace, multiple instances of a mutex’d application can be run on the same machine. This is an issue between the application isolation vendor and the publisher whose mutex’d applications will be isolated by the enterprises using these applications.

Unix Vendor Daemons

FLEXnet Publisher prevents multiple instances of UNIX vendor daemons tagged with the same vendor name from running on the same machine at the same time. FLEXnet Publisher implements this mutex using a lock file per vendor name that FLEXnet Publisher ensures is on a real UNIX file system and not a virtual file system. Therefore, there should be no vulnerabilities associated with UNIX vendor daemons and application isolation technologies.

Windows Vendor Daemons

FLEXnet Publisher prevents multiple instances of Windows vendor daemons tagged with the same vendor name from running on the same machine at the same time. FLEXnet Publisher implements this mutex using a Windows semaphore. One of the leading application isolation technologies does not isolate the Windows semaphore namespace so it does not introduce a vulnerability. For two of the leading application isolation technologies that do isolate the Windows semaphore namespace, Macrovision has worked with both companies to ensure that the current versions of their products do not isolate semaphores created by FLEXnet Publisher for this purpose.

Compliance Protection and Terminal Services

The compliance issues for terminal services depend on whether a license is uncounted or counted.

Uncounted, Trusted, Storage-based and Certificate-based Licenses on Windows

By default, a licensed Windows application cannot checkout an uncounted license if the application determines that it is running in a Windows Terminal Services guest session. Terminal services technologies must register their sessions with Windows Terminal Services for them to be supported by FLEXnet Publisher. Remote Desktop, Citrix and Tarantella’s Terminal Services Edition are examples of terminal services technologies that register their sessions with Windows Terminal Services and thus will be detected by FLEXnet Publisher.

This default behavior is because it is assumed that if multiple application instances can be run on the physical machine, they can provide more value to the end user than was intended by the publisher who issued the uncounted license.

However, the publisher may have already taken care of this.

A publisher may allow its application to checkout an uncounted license within a terminal services guest session if (1) it doesn’t care how many instances of its application are run on a physical machine or if (2) it has already ensured that the number of application instances is limited by one of the following:

• The publisher creates its application such that it prevents more than one instance of itself from running on the same computer, or

• The resources (e.g. CPU, RAM, disk) on a single computer, even a terminal server, are insufficient to run more than one instance of the application.

In this case, the publisher would add the TS_OK keyword to the uncounted license. With this keyword set on an uncounted license, the license can be checked out by an application that is running in any Windows Terminal Services host session, guest session, or neither.

If the application is running directly on the host session or on neither a host nor guest session, it can checkout an uncounted license regardless of whether the uncounted license contains the TS_OK keyword.

Uncounted, Trusted, Storage-based and Certificate-based Licenses on Unix

Multiple instances of one uncounted license on UNIX can be checked out by applications running on the host and all guest sessions of a terminal server machine. If the publisher wishes to limit the number of instances of the license that can be checked out on a given physical UNIX machine, it can do the following:

• Before the application checks out its license, inspect a mutex and refuse to run if another instance of the application is holding that same mutex
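One way to implement the mutex check described above, as an added example (not code from the whitepaper or from FLEXnet Publisher): a POSIX advisory lock on a lock file, taken before the license checkout, with a forked child standing in for a second application instance. The lock path and all function names are hypothetical.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical lock path for this example. A real product would choose its
 * own well-known location on a local (non-virtual) file system that other
 * users cannot tamper with. */
#define DEMO_LOCK_PATH "/tmp/example_licensed_app.lock"

/*
 * Try to become the single running instance on this machine.
 * Returns a descriptor that holds the lock (keep it open for the life of
 * the process), -1 if another process already holds the lock, or -2 on any
 * other error.
 */
int acquire_instance_lock(const char *lock_path)
{
    struct flock fl;
    int fd = open(lock_path, O_RDWR | O_CREAT, 0644);
    if (fd < 0)
        return -2;

    memset(&fl, 0, sizeof fl);
    fl.l_type = F_WRLCK;     /* exclusive lock */
    fl.l_whence = SEEK_SET;
    fl.l_start = 0;
    fl.l_len = 0;            /* zero length means the whole file */

    if (fcntl(fd, F_SETLK, &fl) == -1) {   /* F_SETLK never blocks */
        int saved = errno;
        close(fd);
        return (saved == EACCES || saved == EAGAIN) ? -1 : -2;
    }
    return fd;
}

/* Release the lock. The kernel also drops it when the holder exits or
 * crashes, so a stale lock file never blocks the next start. */
void release_instance_lock(int fd)
{
    if (fd >= 0)
        close(fd);
}

/*
 * Simulate a second application instance: fork a child that attempts the
 * same lock. Returns 0 if the child obtained the lock, 1 if it was refused
 * because the lock is held, 2 on error.
 */
int second_instance_result(const char *lock_path)
{
    int status;
    pid_t pid = fork();
    if (pid < 0)
        return 2;
    if (pid == 0) {
        int fd = acquire_instance_lock(lock_path);
        _exit(fd >= 0 ? 0 : (fd == -1 ? 1 : 2));
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return 2;
    return WEXITSTATUS(status);
}

int main(void)
{
    int fd = acquire_instance_lock(DEMO_LOCK_PATH);
    if (fd == -1) {
        fprintf(stderr, "another instance is running; refusing to start\n");
        return 1;
    }
    if (fd < 0) {
        perror("instance lock");
        return 2;
    }
    /* The license checkout would go here, only after the lock is held. */
    printf("second instance while the lock is held: %s\n",
           second_instance_result(DEMO_LOCK_PATH) == 1 ? "refused" : "not refused");
    release_instance_lock(fd);
    return 0;
}
```

As the section on limiting application instances notes, a lock file only limits instances that see the same file system, so this check does not hold under application isolation that gives each instance its own file system.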

Counted, Trusted, Storage- and Certificate-based Licenses

If the publisher does not specify duplicate grouping for a counted license, then checkouts of that license from applications running in a host session, guest session, or neither will each checkout their own instance of the license, which is no different than for applications running on a machine not configured as a terminal server.

If the publisher specifies DUP_HOST without also specifying DUP_DISPLAY as part of the DUP_GROUP setting for a counted license, then checkouts of that counted license from multiple terminal services sessions will all checkout the same instance of the feature. Therefore, a publisher using duplicate grouping should carefully examine the implications of specifying DUP_HOST without also specifying DUP_DISPLAY if its applications can be run in terminal services sessions.

Anti-piracy Protection

Some publishers use software license enforcement to assure only themselves that the customer will remain in compliance with the terms of the publisher’s license agreement without audits or other manual techniques.

These publishers assume that many of their users are dishonest; therefore, they need to ensure that virtualization technologies will not open vulnerabilities that can be exploited by those dishonest users.

Anti-piracy Protection and Virtual Machines

Just as in the section on compliance protection and virtual machines, anti-piracy protection must ensure that each node-locked license and each set of counted licenses is bound to at least one per-virtual machine identifier. Anti-piracy protection adds another requirement: at least one per-virtual machine identifier per node-locked license and each set of counted licenses must be hard for a dishonest user to duplicate across multiple virtual machines on the same physical machine.

Trusted, Storage-based Licenses

For trusted storage-based licenses, all of the per-virtual machine identifiers used to bind trusted storage to its machine can be duplicated by a dishonest user across multiple virtual machines on the same physical machine. Some identifiers require more effort to duplicate than others. To resist duplication of these licenses, the publisher has the following alternatives:

1. For node-locked licenses in trusted storage: If the virtual machine supports a per-virtual machine identifier that is hard to duplicate across multiple virtual machines, and the publisher puts that identifier in an authenticated field in each node-locked license (for example, the SN= field), then the license library refuses to check out such a license if the library detects that it is not running on a virtual machine or if the value in the authenticated field does not match the ID of the virtual machine.

• This comparison can be done by either Macrovision Global Services or the publisher in a LM_A_CHECKOUTFILTER; putting this machine identifier in an authenticated field in each node-locked license must be done by the publisher


2. License library refuses to check out any licenses if the license library detects it is running on a virtual machine

• This can be done either by Macrovision Global Services or the publisher in the licensed application

3. License library refuses to check out licenses for vendor-specified features if the license library detects it is running on a virtual machine that doesn’t adequately support a per-virtual machine identifier

• This can be done either by Macrovision Global Services or the publisher in a LM_A_CHECKOUTFILTER

Alternative (1) requires that there is a way for a C program to determine the per-virtual machine identifier that is hard to duplicate across multiple virtual machines. See below for more details.

Alternatives (2) and (3) require that there is a way for a C program to determine whether or not it is running on a virtual machine. See below for more details.

Certificate-based Licenses

For certificate-based licenses, all of the per-virtual machine built-in hostids can be duplicated across multiple virtual machines by a dishonest user. Some require more effort to duplicate than others. To resist duplication of these licenses, the publisher has the following alternatives:

Alternatives for Node-locked, Certificate-based Licenses

1. Bind node-locked licenses to a FLEXid 9 USB hardware key [2]

2. If the virtual machine supports a per-virtual machine identifier that is hard to duplicate across multiple virtual machines, implement a vendor-defined hostid which accesses this identifier and bind node-locked licenses to it

• This creation of the vendor-defined hostid can be done by either Macrovision Global Services or the publisher; binding licenses to this hostid must be done by the publisher

3. License library refuses to check out any node-locked licenses if the license library detects it is running on a virtual machine that only supports per-virtual machine identifiers that are easy to duplicate across multiple virtual machines

• This can be done either by Macrovision Global Services or the publisher in the licensed application

[2] VMware Workstation 4.5 and Xen 2.0 will allow a USB hardware key on a physical machine to be associated with only one virtual machine at a time. Neither VirtualPC 2004 SP1 nor VirtualServer 2005 R2 supports USB hardware keys.

4. License library refuses to check out node-locked licenses for vendor-specified features if the license library detects it is running on a virtual machine that doesn’t adequately support a per-virtual machine identifier

• This can be done either by Macrovision Global Services or the publisher in a LM_A_CHECKOUTFILTER

5. Vendor binds its node-locked licenses to the Ethernet MAC address and the vendor’s operations server refuses to grant node-locked licenses bound to those Ethernet MAC addresses used by virtual machine technologies

• This can only be done by the publisher in their operations server

Alternative (2) requires that there is a way for a C program to determine the per-virtual machine identifier that is hard to duplicate across multiple virtual machines. See below for more details.

Alternatives (3) and (4) require that there is a way for a C program to determine whether or not it is running on a virtual machine. See below for more details.

Alternative (5) requires that there is a way for an operations server to determine whether or not an Ethernet MAC address is for a virtual machine. See below for more details.

Alternatives for Counted, Certificate-based Licenses

1. Bind counted licenses to a FLEXid 9 USB hardware key [2]

2. If the virtual machine supports a per-virtual machine identifier that is hard to duplicate across multiple virtual machines, implement a vendor-defined hostid which accesses this identifier and bind counted licenses to it

• This creation of the vendor-defined hostid can be done by either Macrovision Global Services or the publisher; binding licenses to this hostid must be done by the publisher

3. Vendor daemon refuses to serve any counted licenses if the vendor daemon detects it is running on a virtual machine that only supports per-virtual machine identifiers that are easy to duplicate across multiple virtual machines

• This can be done either by Macrovision Global Services or the publisher in the ls_userinit1 vendor daemon callback


4. Vendor daemon refuses to serve counted licenses for publisher-specified features if the vendor daemon detects it is running on a virtual machine that only supports per-virtual machine identifiers that are easy to duplicate across multiple virtual machines

• This can be done either by Macrovision Global Services or the publisher in the ls_outfilter vendor daemon callback

5. Vendor binds its counted licenses to the Ethernet MAC address and the vendor’s operations server refuses to grant counted licenses bound to those Ethernet MAC addresses used by virtual machine technologies

• This can only be done by the publisher in its operations server

Alternative (2) requires that there is a way for a C program to access the per-virtual machine identifier that is hard to duplicate across multiple virtual machines. See below for more details.

Alternatives (3) and (4) require that there is a way for a C program to determine whether or not it is running on a virtual machine. See below for more details.

Alternative (5) requires that there is a way for an operations server to determine whether or not an Ethernet MAC address is for a virtual machine. See below for more details.

Anti-piracy Protection and Application Isolation

All the techniques to ensure compliance protection with application isolation will provide anti-piracy protection too. See the methods in the section above.

Anti-piracy Protection and Terminal Services

All the techniques to ensure compliance protection with terminal services will provide anti-piracy protection too. See the methods in the section above.

APPENDIX A: How an Application Can Detect if It Is Running on a Virtual Machine

The following lists how an application can detect whether or not it is running in a virtual machine.

VMware

The best way to detect the presence of VMware is as follows:

At runtime, detect whether a particular machine instruction is valid (indicating a machine instruction added and emulated by VMware) or invalid:

• http://www.codeproject.com/system/VmDetect.asp?df=100&forumid=162437&exp=0&select=1066667

• http://www.trapkit.de/research/vmm/jerry/index.html

• http://www.virtualization.info/2004/03/how-application-can-detect-if-is_17.html

More detailed detection is possible by not only determining the presence of VMware’s backdoor I/O port, but by also determining whether VMware responds with a plausible answer to a virtual machine’s query. See the following list of commands VMware uses to communicate between the virtual machine and the host operating system or hypervisor:

• http://chitchat.at.infoseek.co.jp/vmware/backdoor.html#top

Virtual PC/Virtual Server

There are three ways to detect the presence of Virtual PC or Virtual Server:

1. At runtime, detect whether a particular machine instruction is valid (indicating a machine instruction added and emulated by VirtualPC/VirtualServer) or invalid. VirtualPC/VirtualServer does not document an official way to do this, but several ways are documented on the internet. Beware that some of these methods are suspected to work only on certain versions of VirtualPC/VirtualServer:

• http://www.codeproject.com/system/VmDetect.asp?df=100&forumid=162437&exp=0&select=1066667

2. At runtime, detect whether the motherboard of the machine has a manufacturer’s name (“Microsoft”) that is only used on VirtualPC/VirtualServer:

• http://blogs.msdn.com/virtual_pc_guy/archive/2005/10/27/484479.aspx

This is the official method documented by Microsoft. However, it is not as reliable as the first method because the manufacturer’s name of the motherboard can be easily overwritten.

More detailed detection might be possible with the following list of machine properties:

• http://msdn.microsoft.com/library/default.asp?url=/library/en-us/wmisdk/wmi/win32_motherboarddevice.asp

Xen

Xen virtual machine technology is open source. Therefore, any detection method can be defeated. A hacker can easily modify the source code of Xen to spoof any identification. Therefore, there are no methods available to publish at this time.

Solaris 10+ Zones

If the getzoneid() function returns zero, the application is running in either the only zone or running in the global zone on the physical machine. If the getzoneid() function returns an integer greater than zero, the application is running in a non-global zone.

AIX 5.3+ LPARS

If the lpar_number field of the struct returned by the lpar_get_info(LPAR_INFO_FORMAT1,lpar_info,lpar_info_len) function is -1, the application is running on a physical machine. If the lpar_number field is not -1, the application is running in a LPAR.

HP-UX 11I+ VPARS

If the confstr(_CS_PARTITION_IDENT, buf, len) function returns a string without a “_Vnn” suffix, the application is running on a physical machine. If the confstr(_CS_PARTITION_IDENT, buf, len) returns a string with a “_Vnn” suffix, the application is running in a VPAR.


APPENDIX B: How to Access Non-built-in Per-virtual Machine Identifiers

For those virtual machines which do provide a per-virtual machine identifier that cannot be easily duplicated across multiple virtual machines, Table 3 details how to access those identifiers so that they can be referenced from within a vendor-defined hostid for certificate-based licenses.

| Per-Virtual Machine Identifier (that is not a built-in hostid) | Platforms |
|---|---|
| Zone Name: the string representation of the 32-bit number returned by gethostid() concatenated with the string returned by getzonenamebyid(getzoneid()) | Introduced in Solaris 10 |
| VPAR ID: the string returned by confstr(_CS_PARTITION_IDENT, buf, len) | Introduced in HP-UX 11i |
| LPAR ID: the string representation of the 64-bit longnid field of the structure returned by unamex() | Introduced in AIX 5.3 |

Table 3: Per-Virtual Machine Identifiers that are not built-in hostids


APPENDIX C: Ethernet MAC Addresses Used by Virtual Machines

The Ethernet MAC addresses assigned to virtual machines can be identified by inspecting the address’s first 6 hexadecimal characters (the high-order 24 bits). These first 6 hexadecimal characters are called the Organizationally Unique Identifier (OUI) of the Ethernet MAC address. Here are the relevant OUI assignments at the time of the publication of this document:

• VMware – Ethernet MAC addresses beginning with 00:05:69, 00:0C:29, or 00:50:56

• Microsoft’s VirtualPC/VirtualServer – Ethernet MAC addresses beginning with 00:03:FF, 00:0D:3A, 00:12:5A, 00:15:5D, or 00:50:F2; these are all the OUIs registered to Microsoft, but only 00:03:FF and 00:15:5D have been verified to be used by VirtualPC and/or VirtualServer.

• Xen – Ethernet MAC addresses beginning with 00:16:3E

The up-to-date Organizationally Unique Identifier (OUI) listing is at the following URL: http://standards.ieee.org/regauth/oui/oui.txt
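The OUI check that an operations server would need for alternative (5), as an added example that is not part of the whitepaper or of any Macrovision product: it normalizes a MAC address in the common notations and compares its OUI with the list above. The function and type names are hypothetical, the sample addresses are constructed, and the locally-administered-bit check goes beyond the whitepaper (it relies on the IEEE 802 convention that bit 0x02 of the first octet marks an address that was not assigned from a vendor OUI).

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum mac_verdict {
    MAC_INVALID = -1,             /* not a well-formed 48-bit MAC address     */
    MAC_NO_MATCH = 0,             /* OUI is not on the virtual machine list   */
    MAC_VM_OUI = 1,               /* OUI is listed in Appendix C              */
    MAC_LOCALLY_ADMINISTERED = 2  /* added check, not from the whitepaper     */
};

struct vm_oui {
    uint32_t oui;                 /* high-order 24 bits of the address */
    const char *technology;
};

/* OUIs from Appendix C, as of the whitepaper's publication date. */
static const struct vm_oui VM_OUIS[] = {
    {0x000569, "VMware"},
    {0x000C29, "VMware"},
    {0x005056, "VMware"},
    {0x0003FF, "Microsoft VirtualPC/VirtualServer (verified)"},
    {0x00155D, "Microsoft VirtualPC/VirtualServer (verified)"},
    {0x000D3A, "Microsoft-registered OUI (not verified for VirtualPC/VirtualServer)"},
    {0x00125A, "Microsoft-registered OUI (not verified for VirtualPC/VirtualServer)"},
    {0x0050F2, "Microsoft-registered OUI (not verified for VirtualPC/VirtualServer)"},
    {0x00163E, "Xen"},
};

static int hex_value(int c)
{
    if (c >= '0' && c <= '9')
        return c - '0';
    c = tolower(c);
    return (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}

/* Accepts 000C29ABCDEF, 00:0c:29:ab:cd:ef, 00-0C-29-AB-CD-EF and
 * 000c.29ab.cdef. Returns 0 and fills mac[] on success, -1 otherwise. */
int parse_mac(const char *text, uint8_t mac[6])
{
    int nibbles = 0, prev_sep = 0;
    if (text == NULL)
        return -1;
    memset(mac, 0, 6);
    for (const char *p = text; *p != '\0'; p++) {
        int v = hex_value((unsigned char)*p);
        if (v >= 0) {
            if (nibbles == 12)
                return -1;                       /* too many digits */
            mac[nibbles / 2] = (uint8_t)((mac[nibbles / 2] << 4) | v);
            nibbles++;
            prev_sep = 0;
        } else if ((*p == ':' || *p == '-' || *p == '.') && !prev_sep &&
                   nibbles > 0 && nibbles < 12 && nibbles % 2 == 0) {
            prev_sep = 1;                        /* separator on a byte boundary */
        } else {
            return -1;
        }
    }
    return nibbles == 12 ? 0 : -1;
}

/* Classify the MAC address a customer submitted for license binding.
 * *technology (if non-NULL) names the matching Appendix C entry. */
enum mac_verdict classify_license_mac(const char *text, const char **technology)
{
    uint8_t mac[6];
    uint32_t oui;
    if (technology)
        *technology = NULL;
    if (parse_mac(text, mac) != 0)
        return MAC_INVALID;
    oui = ((uint32_t)mac[0] << 16) | ((uint32_t)mac[1] << 8) | mac[2];
    for (size_t i = 0; i < sizeof VM_OUIS / sizeof VM_OUIS[0]; i++) {
        if (VM_OUIS[i].oui == oui) {
            if (technology)
                *technology = VM_OUIS[i].technology;
            return MAC_VM_OUI;
        }
    }
    return (mac[0] & 0x02) ? MAC_LOCALLY_ADMINISTERED : MAC_NO_MATCH;
}

int main(void)
{
    /* Constructed sample requests, not taken from the whitepaper. */
    const char *samples[] = {"00:0C:29:12:34:56", "00163e0a0b0c",
                             "00-1B-21-AA-BB-CC", "02:00:00:00:00:01",
                             "00:0C:29:12:34"};
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        const char *tech;
        enum mac_verdict v = classify_license_mac(samples[i], &tech);
        printf("%-20s verdict=%d %s\n", samples[i], (int)v, tech ? tech : "");
    }
    return 0;
}
```

A server using this would refuse to generate a license for `MAC_VM_OUI` and `MAC_INVALID`, and the table needs refreshing from the IEEE listing because the assignments above date from the whitepaper.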


Macrovision Corporation
2830 De La Cruz Boulevard
Santa Clara, CA 95050
USA

Santa Clara (Global Headquarters): +1 888-755-0861
Chicago: +1 800-809-5659
New York: +1 800-804-0103

United Kingdom (Europe, Middle East Headquarters)
+44 870-871-1111
+44 870-873-6300

Japan (Asia, Pacific Headquarters)
+81 3-5774-6253

www.macrovision.com

©2007 Macrovision Corporation. All Rights Reserved. Macrovision and FLEXnet Publisher are registered trademarks of Macrovision Corporation. All other names are trademarks, registered trademarks, or service marks of their respective owners. FNP_whitepaper_Virtualization_May2007