DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Response to Amendment / Arguments
Regarding claims rejected under 35 USC 103:
Applicant's arguments have been fully considered but they are not persuasive.
Applicant argues that the Goodridge-Russinovich-Apple combination does not teach the amended claim language of “wherein the particular operation comprises executing the particular file.” Specifically, Applicant argues against the Goodridge reference on page 9; then further argues that “Goodridge is silent as to receiving a call to perform executing the particular file, checking a policy for at least one rule applicable to the file for the at least one customized right, and using a property associated with the particular file to determine whether to authorize executing the application by applying the rule corresponding to the customized right to the property as set forth in claim 1. Instead, Goodridge relates to determining whether to grant access to a resource for an application using rules. Accordingly, Goodridge fails to show or suggest at least the aforementioned portion of amended claim 1. Russinovich and Apple do not appear to show or suggest the above-referenced portions of claim 1, nor has the Office Action alleged Russinovich or Apple as showing or suggesting this portion of claim 1. Accordingly, Russinovich and Apple fail to cure the deficiencies in Goodridge.”
In response, it is first noted that Goodridge does not specify its authorization requests being for a particular operation comprising executing a particular file. However, it is further noted that at least FIG. 1, [0017], [0021], and [0025] of Russinovich concern authorization for requests associated with, e.g., executing a file. For instance, [0017] of Russinovich concerns receiving “a request for an execution role of a process… the process may be selected by an entity other than the user (e.g., the operating system, another process, an executable file, an executable image, an installation file, etc.).” Additionally, [0021] states that “remote agent 210 receives requests from the driver 206 to determine the execution role of an application or process 208 (e.g., with administrator rights or with user rights)” while [0025] states that “upon receipt of a request from the driver 206 for the execution role of a particular application, the remote agent 210 analyzes the configuration data 220… to determine if the particular application should be allowed to execute… The received execution role is applied to the process 208 or application, and the process 208 or application executes (or is denied) accordingly.”
One cannot show nonobviousness by attacking references individually where the rejections are based on combinations of references. See In re Keller, 642 F.2d 413, 208 USPQ 871 (CCPA 1981); In re Merck & Co., 800 F.2d 1091, 231 USPQ 375 (Fed. Cir. 1986). In this case, the combination of Goodridge in view of Russinovich and Apple is considered to teach the amended claim language.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claim(s) 1-3, 7-9, 11-15, and 17-22 is/are rejected under 35 U.S.C. 103 as being unpatentable over Goodridge (US 2016/0342803 A1) in view of Russinovich (US 2007/0199068 A1) and Apple (“Authorization Plug-in Reference”).
Regarding claim 1, Goodridge discloses: A method comprising:
determining, via a privileged daemon (Agent 303—e.g., FIG. 5 of Goodridge; [0045] of Goodridge concerning equivalence between agents and daemons) executed a computing device (computer system 300—e.g., FIG. 5 of Goodridge), at least one right for processing of authorization procedures by an authorization system (security system 103—e.g., FIG. 5 of Goodridge);
Refer to at least [0061] and [0063]-[0064] of Goodridge with respect to the agent 303 intercepting an authorization request associated with a privileged operation.
modifying, via the privileged daemon, the at least one right to generate at least one customized right for processing of the authorization procedures, wherein the at least one customized right is generated by the privileged daemon;
Refer to at least [0059] and [0064] of Goodridge with respect to the agent 303 modifying policy database 105 and inserting redirection rules.
Refer to at least [0046] of Goodridge with respect to the policy database having rules associated with respective rights for privileged operations.
Refer to at least [0051] of Goodridge with respect to the AuthorizationRightSet function for adding or editing rules in the policy database.
receiving, via the authorization system executed by the computing device, a call to perform a particular operation associated with a particular file;
Refer to at least [0064]-[0065] of Goodridge with respect to the agent 303 forwarding the authorization request to the security system 103. The authorization request concerns a resource, which may include installed software, system services, drivers, files and/or settings as in [0043] of Goodridge.
checking, via the privileged daemon, a policy stored separate from the particular file (e.g., 110 and 304/104 in FIG. 5 of Goodridge), wherein the policy comprises at least one rule;
Refer to at least [0062] and [0072] of Goodridge with respect to agent 303 checking agent server 304 concerning stored rules.
determining whether the at least one rule is applicable to the particular file for the at least one customized right;
Refer to at least [0072]-[0074] of Goodridge with respect to determining an action to be taken for the authorization request, as well as returning a rule evaluation.
determining, via the authorization system, a property associated with the particular file;
Refer to at least 111 in FIG. 1, [0013], and [0053] of Goodridge with respect to URIs associated with resources; the URIs are determined and matched to rules.
determining, via the computing device, whether to authorize the call to perform the particular operation by applying the at least one rule corresponding to the at least one customized right to the property; and
Refer to at least [0059] and [0073]-[0074] of Goodridge with respect to authorizing the authorization request and associated privileged operation.
Refer to at least [0013]-[0014], [0053], and [0065] of Goodridge with respect to matching the URIs to rules.
in response to determining to authorize the call to perform the particular operation, authorizing, via the computing device, the call to perform the particular operation associated with the particular file.
Refer to at least [0073]-[0074] of Goodridge with respect to notifying the security system 103. Further refer to at least [0067] and [0056] of Goodridge with respect to returning a result granting/denying access to the resource according to the returned result.
Goodridge does not specify: creating, via the privileged daemon, a copy of the at least one right; wherein the particular operation comprises executing the particular file. Althouugh Goodridge concerns OS X as in [0044], concerns keys associated with rules as in [0046], and concerns AuthorizationRightSet as in [0051], it does not explicitly disclose: modifying the at least one right by modifying a key configuration comprising at least one of: a class key configuration or mechanism key configuration. However, Goodridge in view of Russinovich discloses: creating, via the privileged daemon, a copy of the at least one right;
Refer to at least [0024] and [0034]-[0036] of Russinovich with respect to having a local copy of configuration/privilege data maintained in a memory area.
wherein the particular operation comprises executing the particular file.
Refer to at least FIG. 1, [0017], [0021], and [0025] of Russinovich with respect to a request for an execution role of a process associated with an executable file, and with respect to allowing or denying the associated execution.
The teachings of Russinovich likewise relate to customized policy for authorizing processes, and are considered to be within the same field of endeavor and combinable as such.
Therefore it would have been obvious to one of ordinary skill in the art before the filing date of Applicant's invention to modify the teachings of Goodridge to further store local copies of policy data for at least the purpose of redundancy (e.g., if DB 105 is down) and faster access (i.e., looking up data locally). It further would have been obvious to support requesting authorization for execution because the particular known technique was recognized as part of the ordinary capabilities of one skilled in the art.
Goodridge-Russinovich does not specify: modifying the at least one right by modifying a key configuration comprising at least one of: a class key configuration or mechanism key configuration. However, Goodridge-Russinovich in view of Apple discloses: modifying the at least one right by modifying a key configuration comprising at least one of: a class key configuration or mechanism key configuration.
Refer to “About Authorization Plug-ins” on pages 8-10 of Apple with respect to using the AuthorizationRightSet function to add lines to the authorization policy database, including a class key and mechanism key configuration.
The teachings of Apple likewise concern OS X and a similar authorization framework, and are considered to be within the same field of endeavor and combinable as such.
Therefore it would have been obvious to one of ordinary skill in the art before the filing date of Applicant's invention to modify the teachings of Goodridge-Russinovich to further implement modifying key information as in Apple because the particular known technique was recognized as part of the ordinary capabilities of one skilled in the art.
Regarding claim 2, it is rejected for substantially the same reasons as claim 1 above (i.e., the citations to Goodridge).
Regarding claim 3, Goodridge-Russinovich-Apple discloses: The method of claim 1, the method further comprising: determining that the policy does not specify a rule to apply to authorize the at least one customized right;
Refer to at least [0074] of Goodridge with respect to the situation where there is no match for an agent rule. The default behavior of the security system 103 is then utilized.
retrieving a client user identifier; determining whether the client user identifier corresponds to a root user and the at least one customized right allows root; and
Refer to at least [0048]-[0049] and [0051] with respect to obtaining a password/identifier of, e.g., an administrator.
if the client user identifier corresponds to root user and the at least one customized right allows root, authorizing the at least one customized right.
Refer to at least [0053]-[0056] of Goodridge with respect to a default authorization mechanism including obtaining the password/identifier and authorizing the authorization request.
Regarding claim 7, Goodridge-Russinovich-Apple discloses: The method of claim 1, wherein the call to perform the particular operation is received via a MechanismInvoke callback function.
Refer to at least [0044] and [0048]-[0049] of Goodridge with respect to OS X and associated authorization plugin, where OS X is known to use MechanismInvoke.
Refer to at least the abstract, [0054], [0059], and [0066] of Goodridge with respect to invoking authorization mechanisms.
Regarding claim 8, it is rejected for substantially the same reasons as claim 7 above (i.e., the citations; OS X security system).
Regarding independent claim 9, it is substantially similar to independent claim above, and is therefore likewise rejected.
Regarding claim 11, Goodridge-Russinovich-Apple discloses: The system of claim 9, wherein the particular operation comprises performing a restricted operation to a running application corresponding to the particular file.
Refer to at least [0007] of Goodridge with respect to enforcing access rights for running applications.
Regarding claim 12, it is rejected for substantially the same reasons as claim 9 above (i.e., citations to Goodridge concerning resource URIs).
Regarding claim 13, it is rejected for substantially the same reasons as claim 9 above (i.e., citations to Goodridge concerning agent 303; [0045] of Goodridge).
Regarding claim 14, Goodridge-Russinovich-Apple discloses: The system of claim 9, wherein the privileged daemon is further configured to further comprising at least one second computing device configured to: generate a list of a plurality of rights to be modified comprising the at least one right; and modify each of the plurality of rights in the list to generate a plurality of customized rights for processing of the authorization procedures, the plurality of customized rights comprising the at least one customized right.
Refer to at least [0059] of Goodridge with respect to the agent 303 modifying a set of rules.
Refer to at least FIG. 3A-B, FIG. 4A-B, [0028], and [0046]-[0052] of Russinovich with respect to modifying a plurality of privileges.
Therefore it would have been obvious to one of ordinary skill in the art before the filing date of Applicant's invention to modify the teachings of Goodridge-Russinovich-Apple to further support modifying a plurality of rights for at least the purpose of implementing more complex access rights (e.g., access to a plurality of resources by an application; resources with dependencies).
Regarding independent claim 15, it is substantially similar to elements of independent claim 1 above, and is therefore likewise rejected (i.e., the citations and obviousness rationale).
Regarding claim 17, it is rejected for substantially the same reasons as claim 15 above (i.e., the citations to Russinovich and the obviousness rationale).
Regarding claim 18, Goodridge-Russinovich-Apple discloses: The method of claim 15, further comprising: determining that the at least one rule specifies a requirement of user input; and launching a message module to display a message in order to retrieve the user input required by the at least one rule.
Refer to at least [0047], [0054], [0066], and [0073] of Goodridge with respect to a user credentials dialog presented to a user as part of authorization.
Regarding claim 19, it is rejected for substantially the same reasons as claim 15 above (i.e., returning an authorization result and granting resource access to the application).
Regarding claim 20, Goodridge-Russinovich-Apple discloses: The method of claim 15, further comprising: initializing, via the privileged daemon if the at least one rule is applicable (e.g., [0073] of Goodridge), a launcher module with at least one parameter identifying the particular file; and launching the particular file, by the launcher module, with root-user privilege.
Refer to at least [0083] of Russinovich with respect to a trusted installer for placing executable content on a system.
Regarding claim 21, Goodridge-Russinovich-Apple discloses: The method of claim 1, further comprising: storing, via the authorization system, the at least one customized right as a first rule in the policy; and
Refer to at least [0046], [0051], and [0059] of Goodridge with respect to modifying the policy database 105 that is part of the security system 103.
in response to receiving the call to perform the particular operation associated with the particular file, loading the at least one customized right from the policy.
Refer to at least [0064]-[0066] of Goodridge with respect to the security system 103 obtaining the modified policy responsive to the authorization request.
Regarding claim 22, it is rejected for substantially the same reasons as claim 15 above (i.e., returning an authorization result and granting resource access to the application).
Claim(s) 16 is/are rejected under 35 U.S.C. 103 as being unpatentable over Goodridge-Russinovich-Apple as applied to claims 1-3, 7-9, 11-15, and 17-22 above, and further in view of Bowman (US 2010/0235907 A1).
Regarding claim 16, Goodridge-Russinovich-Apple does not specify: further comprising: storing, in a cache, an authorization result of the determination of whether to authorize the at least one customized right for the request; receiving, via the authorization system, a second request associated with the particular file; determining that the authorization result is stored in the cache; and determining whether to authorize the second request according to the authorization result from the cache. However, it is generally well known in the art to cache authorization decisions for quick retrieval on subsequent same requests. For instance, Goodridge-Russinovich-Apple in view of Bowman discloses: further comprising: storing, in a cache, an authorization result of the determination of whether to authorize the at least one customized right for the request; receiving, via the authorization system, a second request associated with the particular file; determining that the authorization result is stored in the cache; and determining whether to authorize the second request according to the authorization result from the cache.
Refer to at least FIG. 5 and [0041] of Bowman with respect to an authorization decision cache.
The teachings of Goodridge-Russinovich-Apple and Bowman concern authorization decisions, and are considered to be within the same field of endeavor and combinable as such.
Therefore it would have been obvious to one of ordinary skill in the art before the filing date of Applicant’s invention to modify the teachings of Goodridge-Russinovich to further include an authorization decisions cache for at least the purpose of improving efficiency by quickly retrieving known decisions without additional processing.
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to VADIM SAVENKOV whose telephone number is (571)270-5751. The examiner can normally be reached 12PM-8PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffrey L Nickerson can be reached at (469) 295-9235. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/Jeffrey Nickerson/Supervisory Patent Examiner, Art Unit 2432
/V.S/Examiner, Art Unit 2432