Prosecution Insights
Last updated: April 19, 2026
Application No. 17/439,125

FLOW CONTROL INTEGRITY

Final Rejection §103
Filed: Sep 14, 2021
Examiner: FARROW, FELICIA
Art Unit: 2437
Tech Center: 2400 — Computer Networks
Assignee: Mobileye Vision Technologies Ltd.
OA Round: 6 (Final)
Grant Probability: 60% (Moderate)
OA Rounds: 7-8
To Grant: 3y 1m
With Interview: 95%

Examiner Intelligence

Grants 60% of resolved cases
Career Allow Rate: 60% (156 granted / 259 resolved), +2.2% vs TC avg
Interview Lift: +34.8% (Strong +35% interview lift; resolved cases with interview)
Typical timeline: 3y 1m Avg Prosecution; 37 currently pending
Career history: 296 Total Applications across all art units

Statute-Specific Performance

§101: 8.1% (-31.9% vs TC avg)
§103: 58.0% (+18.0% vs TC avg)
§102: 10.1% (-29.9% vs TC avg)
§112: 17.5% (-22.5% vs TC avg)
Based on career data from 259 resolved cases

Office Action

§103
DETAILED ACTION

Notice of Pre-AIA or AIA Status

The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Response to Amendment

The amendment filed 24 November 2025 has been entered. Applicant amended claims 39, 55, and 71. Applicant previously canceled claims 1-38. Accordingly, claims 39-71 remain pending.

Response to Arguments

Applicant’s arguments with respect to claim(s) 39, 55, and 71 and the amended limitations have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument.

Claim Rejections - 35 USC § 103

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:

A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claim(s) 39, 41-46, 48-49, 51-55, 57-62, 64-65, and 67-71 is/are rejected under 35 U.S.C. 103 as being unpatentable over White US 10579457 (hereinafter White) in view of LeMay et al US 20160092673 (hereinafter LeMay), and in further view of Rabet et al US 20180088988 (hereinafter Rabet).

As to claim 39, White teaches a system comprising a processing circuit that is configured to (column 1, lines 8-10 discloses a processor which provides control flow integrity and a method of providing notice of a fault in a control flow): detect that a flow reached a flow change command or is about to reach the flow change command (column 2, lines 14-38 disclose detecting changes in the address of the instructions to be executed), wherein the flow change command belongs to a current software environment identified by a current environment identifier (column 2, lines 29-38 and column 2, lines 58+ disclose data stack stores data relating to instructions (current software environment) executed by the processor. The processor includes a data stack pointer associated with the data stack that identifies the current top of the stack. The return address/current environment identifier that is stored on the data stack. The return address is the address of the instruction to be executed upon return of control to the call site. Therefore, the return address is the current environment identifier that identifies the instructions(current software environment) to be executed. See also column 7, lines 41-57); retrieve a shadow environment identifier that is stored in a top position of a shadow stack above any other software environment identifier (column 2, lines 28-35 disclose return address is stored on the shadow stack. A RET operation is a shadow stack aware operation that pops the shadow stack. Column 8, lines 4-17 disclose write and read operations to and from the CFI shadow stack operate on a LIFO basis. Thus, the last data written to the CFI shadow stack will be first data read from the CFI shadow stack and as instructions are executed which result in data being read from or “popped” off of the CFI shadow stack, the CFI shadow stack pointer is moved up. The position of the data last written to the CFI shadow stack is referred to as the “top” of the CFI shadow stack. 
See also column, 52+), wherein the shadow environment identifier identifies a known software environment with executable instructions (column 2, lines 28-35 disclose return address (address that identifies the known software environment is stored on the shadow stack. The return address is the address of the instruction to be executed upon return of control to the call site. Therefore, the return address is the current environment identifier that identifies the instructions (current software environment) to be executed. Column 2, lines 35-38 reveals the instructions of the return address is executable when there is a match of the address of the shadow stack with the address of the data stack) , the known software environment having an entry region that was most recently accessed by the flow (column 8, lines 1-17 disclose the CFI shadow stack pointer identifies the top of the shadow stack. See column 8, lines 4-17 disclose write and read operations to and from the CFI shadow stack operate on a LIFO basis. Thus, the last data written to the CFI shadow stack will be first data read from the CFI shadow stack and as instructions are executed which result in data being read from or “popped” off of the CFI shadow stack, the CFI shadow stack pointer is moved up. The position of the data last written to the CFI shadow stack is referred to as the “top” of the CFI shadow stack), wherein the entry region comprises a shadow stack update instruction that was executed by the flow (column 2, lines 28-35 disclose return address is stored on the shadow stack. A RET operation is a shadow stack aware operation (shadow stack update instruction) that pops the shadow stack. Column 8, lines 1-17 disclose the CFI shadow stack pointer identifies the top of the shadow stack. See column 8, lines 4-17 disclose write and read operations to and from the CFI shadow stack operate on a LIFO basis. 
Thus, the last data written to the CFI shadow stack will be first data read from the CFI shadow stack and as instructions are executed which result in data being read from or “popped” off of the CFI shadow stack, the CFI shadow stack pointer is moved up. The position of the data last written to the CFI shadow stack is referred to as the “top” of the CFI shadow stack. Column 2, lines 28-35 disclose return address (address that identifies the known software environment is stored on the shadow stack. The return address is the address of the instruction to be executed upon return of control to the call site. Therefore, the return address is the current environment identifier that identifies the instructions (current software environment) to be executed), and wherein the shadow stack update instruction that was executed by the flow used to store the last shadow environment identifier at the top position of the shadow stack when the flow entered the last entry region (column 2, lines 28-35 disclose return address is stored on the shadow stack. A RET operation is a shadow stack aware operation (shadow stack update instruction) that pops the shadow stack. Column 8, lines 1-17 disclose the CFI shadow stack pointer identifies the top of the shadow stack. See column 8, lines 4-17 disclose write and read operations to and from the CFI shadow stack operate on a LIFO basis. Thus, the last data written to the CFI shadow stack will be first data read from the CFI shadow stack and as instructions are executed which result in data being read from or “popped” off of the CFI shadow stack, the CFI shadow stack pointer is moved up. The position of the data last written to the CFI shadow stack is referred to as the “top” of the CFI shadow stack. Column 2, lines 28-35 disclose return address (address that identifies the known software environment is stored on the shadow stack). The return address is the address of the instruction to be executed upon return of control to the call site. 
Therefore, the return address is the current environment identifier that identifies the instructions (current software environment) to be executed); compare the shadow environment identifier to the current environment identifier (column 2, lines 29-35 disclose the top of the data stack and the shadow stack are compared, and the top of the data stack and the shadow stack has the return addresses/identifiers, see also column 10, 57+ and column 11, lines 1-3); and detect [an attack/fault] when the shadow environment identifier differs from the current environment identifier (column 1, lines 14-25; column 2, lines 29-35 disclose the top of the data stack and the shadow stack are compared, and the top of the data stack and the shadow stack has the return addresses/identifiers, see also column 10, 57+ and column 11, lines 1-3. When there is a difference between the top of the data stack and the top of shadow stack, then there is a fault. The fault pertains to an exploit/ROP from an attacker), indicating that the current software environment is attempting to use another entry region that differs from the entry region of the known software environment (column 10, 57+ and column 11, lines 1-3 disclose that the data stack return address instruction is foo ret address which is a different called instruction from the shadow stack return address is “A”). White does not teach wherein the entry region comprises a shadow stack update instruction that was executed by the flow when entering the known software environment and detect a potential attack when the shadow environment identifier differs from the current environment identifier. 
LeMay teaches detect a potential attack when the shadow environment identifier differs from the current environment identifier indicating that the last entry region was for a software environment that differs from the current software environment (paragraph 47 discloses the mismatch handler may determine whether the stack pointers mismatch is likely to be malicious; paragraph 31 discloses the mismatch module may be configured to determine whether the stack mismatch was likely caused by malicious ROP exploit. Paragraph 66 discloses if the stored legacy stack pointer value on the shadow stack does not match the predicted next legacy stack pointer, then malicious software may have performed a ROP exploit. Thus, paragraph 66 disclosure of determining whether the legacy stack pointer value stored (shadow environment identifier) differs from the predicted value of the next legacy stack pointer (current environment identifier) indicating that the last entry region was for a compromised software environment (indicating ROP attack/exploit because the stored return address/legacy stack pointer value points to execution of software (a software environment) using malicious stack instead of legitimate system stack that differs from the current software identifier of the current environment (the legacy stack bounds/ the predicted value of the next legacy stack pointer).

It would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to modify detection of the attack obtained in White’s system and further apply LeMay’s teachings of a likely attack such that if there is a mismatch, perform one or more security operations (paragraph 47 of LeMay).

The combination of White in view of LeMay does not teach wherein the entry region comprises a shadow stack update instruction that was executed by the flow when entering the known software environment.
Rabet teaches wherein the entry region comprises a shadow stack update instruction that was executed by the flow when entering the known software environment (paragraph 13 reveals the shadow stack is also referred to as the control stack. Paragraphs 28- 29 reveal in response to the function being invoked/executed, the processor writes the return address for the function to the data stack. The return address for the function/program is the memory address at which code execution is to resume upon completion of the function. A return flow guard prologue copies the return address for the function to the control/shadow stack. The operating system maintains a data stack pointer that points to a value most recently stored to the data stack and the data stack pointer includes the memory address where the value most recently stored to the data stack is stored. The return flow guard prologue copies the return address for the function that is copied from the data stack (that is to be stored in the control stack). (thus, this return address is an entry memory region that comprises instructions that was executed by the flow when entering/executed/invoked in the known software environment). Paragraph 30 further reveals when the control code executes, the operating system can write additional function return addresses to the data stack and the return flow guard prologue would copy the additional function return address to the control stack). 
It would have been obvious for one having ordinary skill in the art before the effective filing date of the invention to modify the detection of the attack obtained in White’s system in view of LeMay’s teachings of detecting a likely attack with Rabet’s teachings of control/shadow stack instructions that was executed by the flow when entering the known software environment to protect against memory corruption vulnerabilities that may be exploited by malicious users or code to overwrite return addresses located on the data stack and thus redirect control flow (paragraph 43 of Rabet).

As to claim 41, the combination of White in view of LeMay and Rabet teaches wherein the detecting of the potential attack is followed by stopping an execution of the flow (LeMay: paragraph 31 discloses upon determining a mismatch caused by a malicious ROP exploit, a mismatch module terminates the software thread). Motivation similar to the motivation presented in claim 39.

As to claim 42, the combination of White in view of LeMay and Rabet teaches wherein the processing circuit is configured to amend by a compiler, the entry region to include the shadow stack update instruction (White: column 8, lines 11-40 and column 8, lines 30-54 disclose the ISA (an instruction set architecture) of the CFI-enabled processor defines opcodes and operations to be executed by the processor. The ISA instruction includes the instruction and identifies the register for the instructions. When the instruction is assembled and compiled, an opcode is provided that represents both the operation and the operand. Column 2, lines 28-35 disclose return address is stored on the shadow stack. A RET operation is a shadow stack aware operation (shadow stack update instruction) that pops the shadow stack. Column 8, lines 1-17 disclose the CFI shadow stack pointer identifies the top of the shadow stack and column 8, lines 4-17 disclose write and read operations to and from the CFI shadow stack operate on a LIFO basis.
Thus, the last data written to the CFI shadow stack will be first data read from the CFI shadow stack and as instructions are executed which result in data being read from or “popped” off of the CFI shadow stack, the CFI shadow stack pointer is moved up. The position of the data last written to the CFI shadow stack is referred to as the “top” of the CFI shadow stack. Column 2, lines 28-35 disclose return address (address that identifies the known software environment is stored on the shadow stack). The return address is the address of the instruction to be executed upon return of control to the call site. Therefore, the return address is the current environment identifier that identifies the instructions (current software environment) to be executed).

As to claim 43, the combination of White in view of LeMay and Rabet teaches wherein the entry region was amended by a compiler to include the shadow stack update instruction (White: column 8, lines 11-40 and column 8, lines 30-54 disclose the ISA (an instruction set architecture) of the CFI-enabled processor defines opcodes and operations to be executed by the processor. The ISA instruction includes the instruction and identifies the register for the instructions. When the instruction is assembled and compiled, an opcode is provided that represents both the operation and the operand. Column 2, lines 28-35 disclose return address is stored on the shadow stack. A RET operation is a shadow stack aware operation (shadow stack update instruction) that pops the shadow stack. Column 8, lines 1-17 disclose the CFI shadow stack pointer identifies the top of the shadow stack and column 8, lines 4-17 disclose write and read operations to and from the CFI shadow stack operate on a LIFO basis.
Thus, the last data written to the CFI shadow stack will be first data read from the CFI shadow stack and as instructions are executed which result in data being read from or “popped” off of the CFI shadow stack, the CFI shadow stack pointer is moved up. The position of the data last written to the CFI shadow stack is referred to as the “top” of the CFI shadow stack. Column 2, lines 28-35 disclose return address (address that identifies the known software environment is stored on the shadow stack). The return address is the address of the instruction to be executed upon return of control to the call site. Therefore, the return address is the current environment identifier that identifies the instructions (current software environment) to be executed).

As to claim 44, the combination of White in view of LeMay and Rabet teaches wherein the processing circuit is configured to execute the flow change command when the shadow environment identifier equals the current environment identifier (LeMay: paragraphs 46 and 49 disclose the processor determines whether the top legacy stack pointer value of the shadow stack matches the legacy stack pointer. If there is a match, the method branches ahead to step 430 in which the processor pops the legacy stack pointer value from the shadow stack, and in paragraph 51 performs other operations typically performed by a legacy return instructions (flow change instruction)/completing the execution of the return instruction. White: column 2, lines 30-38 and column 8, lines 35-40 disclose if the addresses match (from the shadow stack and the data stack), the control flow integrity is confirmed and the execution of the program continues). Motivation similar to the motivation presented in claim 39.

As to claim 45, the combination of White in view of LeMay and Rabet teaches wherein the flow change command is a return command (White: column 2, lines 28-35 discloses a return address is stored on the shadow stack.
A RET operation is a shadow stack aware operation that pops the shadow stack; LeMay: paragraphs 26 and 91 disclose execution of a return instruction); and wherein the executing of the return command comprises: retrieving, from the shadow stack, a return environment identifier that identifies a return software environment (LeMay: paragraph 38 discloses after pushing the return address onto the legacy stack and shadow stack, the processor may update the shadow stack pointer such as push the legacy stack pointer value onto the shadow stack. Paragraph 42 discloses the top return address of the shadow stack may be stored at the shadow stack pointer. The processor retrieves the shadow stack pointer from the shadow stack to determine whether the top return address of the shadow stack matches the top return address of the legacy stack. Paragraph 46 discloses the legacy stack pointer is retrieved because the processor compares the legacy stack pointer with the top legacy stack pointer value stored on the shadow stack. White: column 2, lines 29-38 and column 2, lines 58+ disclose data stack stores data relating to instructions (current software environment) executed by the processor. The processor includes a data stack pointer associated with the data stack that identifies the current top of the stack. The return address/current environment identifier that is stored on the data stack. The return address is the address of the instruction to be executed upon return of control to the call site. Therefore, the return address is the current environment identifier that identifies the instructions (current software environment) to be executed. See also column 7, lines 41-57); and jumping to the return software environment (LeMay: paragraph 34 discloses after pushing the return address onto the legacy stack, the processor jumps to the target of the call instruction.
Paragraph 40 discloses the return instruction may be any processor instruction that causes a jump of execution to a return address). Motivation similar to the motivation presented in claim 39.

As to claim 46, the combination of White in view of LeMay and Rabet teaches wherein the flow change command is a jump subroutine command for jumping to a subroutine (LeMay: paragraph 32 discloses the call instruction may be embodied as any processor instruction that causes a jump of execution to specified procedure; paragraph 66 discloses setjmp and longjmp functions); and wherein the executing of the jump subroutine command comprises: jumping to the subroutine and executing a shadow stack update included in the entry region of the subroutine (LeMay: paragraph 34 discloses after pushing the return address onto the legacy stack, the processor jumps to the target of the call instruction. Paragraph 40 discloses the return instruction may be any processor instruction that causes a jump of execution to a return address; paragraph 38 discloses after pushing the return address onto the legacy stack and shadow stack, the processor may update the shadow stack pointer such as push the legacy stack pointer value onto the shadow stack. Paragraph 42 discloses the top return address of the shadow stack may be stored at the shadow stack pointer); wherein the executing of the shadow stack update comprises storing in the shadow stack an update to the shadow environment identifier that identifies the subroutine (LeMay: paragraph 38 discloses after pushing the return address onto the legacy stack and shadow stack, the processor may update the shadow stack pointer such as push the legacy stack pointer value onto the shadow stack. Paragraph 42 discloses the top return address of the shadow stack may be stored at the shadow stack pointer). Motivation similar to the motivation presented in claim 39.

As to claim 48, the combination of White in view of LeMay and Rabet teaches wherein the flow change command is a jump subroutine command (LeMay: paragraph 32 discloses the call instruction may be embodied as any processor instruction that causes a jump of execution to specified procedure; paragraph 66 discloses setjmp and longjmp functions). Motivation similar to the motivation presented in claim 39.

As to claim 49, the combination of White in view of LeMay and Rabet teaches wherein the flow change command is a return command (White: column 2, lines 28-35 discloses a return address is stored on the shadow stack. A RET operation is a shadow stack aware operation that pops the shadow stack).

As to claim 51, the combination of White in view of LeMay and Rabet teaches wherein the current software environment comprises a current software environment entry region (White: column 2, lines 29-38 and column 2, lines 58+ disclose data stack stores data relating to instructions (current software environment) executed by the processor. The processor includes a data stack pointer associated with the data stack that identifies the current top of the stack (entry region). The return address/current environment identifier that is stored on the data stack. The return address is the address of the instruction to be executed upon return of control to the call site. Therefore, the return address is the current environment identifier that identifies the instructions (current software environment) to be executed. See also column 7, lines 41-57) that comprises a shadow stack update instruction for updating the shadow stack with the current environment identifier (White: column 2, lines 28-35 disclose return address is stored on the shadow stack. A RET operation is a shadow stack aware operation (update instruction) that pops the shadow stack. Column 8, lines 4-17 disclose write and read operations to and from the CFI shadow stack operate on a LIFO basis.
Thus, the last data written to the CFI shadow stack will be first data read from the CFI shadow stack and as instructions are executed which result in data being read from or “popped” off of the CFI shadow stack, the CFI shadow stack pointer is moved up. The position of the data last written to the CFI shadow stack is referred to as the “top” of the CFI shadow stack. See also column, 52+), wherein the entry region comprises a shadow stack update instruction that was executed by the flow (White: column 2, lines 29-38 and column 2, lines 58+ disclose the processor includes a data stack pointer associated with the data stack that identifies the current top of the stack (entry region). Column 2, lines 28-35 disclose return address is stored on the shadow stack. A RET operation is a shadow stack aware operation (update instruction) that pops the shadow stack. Column 8, lines 4-17 disclose write and read operations to and from the CFI shadow stack operate on a LIFO basis. Thus, the last data written to the CFI shadow stack will be first data read from the CFI shadow stack and as instructions are executed which result in data being read from or “popped” off of the CFI shadow stack, the CFI shadow stack pointer is moved up. The position of the data last written to the CFI shadow stack is referred to as the “top” of the CFI shadow stack. See also column, 52+).

As to claim 52, the combination of White in view of LeMay and Rabet teaches wherein the processing circuit is configured to detect the potential attack before executing the flow change command (LeMay: paragraph 47 discloses the mismatch handler may determine whether the stack pointers mismatch is likely to be malicious; paragraph 31 discloses the mismatch module may be configured to determine whether the stack mismatch was likely caused by malicious ROP exploit.
Paragraph 66 discloses if the stored legacy stack pointer value on the shadow stack does not match the predicted next legacy stack pointer, then malicious software may have performed a ROP exploit. Thus, paragraph 66 disclosure of determining whether the legacy stack pointer value stored (shadow environment identifier) differs from the predicted value of the next legacy stack pointer (current environment identifier) indicating that the last entry region was for a compromised software environment (indicating ROP attack/exploit because the stored return address/legacy stack pointer value points to execution of software (a software environment) using malicious stack instead of legitimate system stack that differs from the current software identifier of the current environment (the legacy stack bounds/ the predicted value of the next legacy stack pointer). Motivation similar to the motivation presented in claim 39.

As to claim 53, the combination of White in view of LeMay and Rabet teaches wherein the processing circuit is configured to respond to a detection of the potential attack before executing the flow change command (LeMay: paragraph 47 discloses the mismatch handler may determine whether the stack pointers mismatch is likely to be malicious; paragraph 31 discloses the mismatch module may be configured to determine whether the stack mismatch was likely caused by malicious ROP exploit. Paragraph 66 discloses if the stored legacy stack pointer value on the shadow stack does not match the predicted next legacy stack pointer, then malicious software may have performed a ROP exploit.
Thus, paragraph 66 disclosure of determining whether the legacy stack pointer value stored (shadow environment identifier) differs from the predicted value of the next legacy stack pointer (current environment identifier) indicating that the last entry region was for a compromised software environment (indicating ROP attack/exploit because the stored return address/legacy stack pointer value points to execution of software (a software environment) using malicious stack instead of legitimate system stack that differs from the current software identifier of the current environment (the legacy stack bounds/ the predicted value of the next legacy stack pointer). Motivation similar to the motivation presented in claim 39.

As to claim 54, the combination of White in view of LeMay and Rabet teaches wherein the processing circuit is configured to respond by performing at least one of: generating an alert, stopping the execution of the flow, or rebooting a processor (LeMay: paragraph 31 discloses upon determining a mismatch caused by a malicious ROP exploit, a mismatch module terminates the software thread). Motivation similar to the motivation presented in claim 39.

As to claim 55, White teaches a method for evaluating flow control integrity, comprising: detecting that a flow reached a flow change command or is about to reach the flow change command (column 2, lines 14-38 disclose detecting changes in the address of the instructions to be executed), wherein the flow change command belongs to a current software environment identified by a current environment identifier (column 2, lines 29-38 and column 2, lines 58+ disclose data stack stores data relating to instructions (current software environment) executed by the processor. The processor includes a data stack pointer associated with the data stack that identifies the current top of the stack. The return address/current environment identifier that is stored on the data stack.
The return address is the address of the instruction to be executed upon return of control to the call site. Therefore, the return address is the current environment identifier that identifies the instructions(current software environment) to be executed. See also column 7, lines 41-57); retrieving a shadow environment identifier that is stored in a top position of a shadow stack above any other software environment identifier (column 2, lines 28-35 disclose return address is stored on the shadow stack. A RET operation is a shadow stack aware operation that pops the shadow stack. Column 8, lines 4-17 disclose write and read operations to and from the CFI shadow stack operate on a LIFO basis. Thus, the last data written to the CFI shadow stack will be first data read from the CFI shadow stack and as instructions are executed which result in data being read from or “popped” off of the CFI shadow stack, the CFI shadow stack pointer is moved up. The position of the data last written to the CFI shadow stack is referred to as the “top” of the CFI shadow stack. See also column, 52+), wherein the shadow environment identifier identifies a known software environment with executable instructions (column 2, lines 28-35 disclose return address (address that identifies the known software environment is stored on the shadow stack. The return address is the address of the instruction to be executed upon return of control to the call site. Therefore, the return address is the current environment identifier that identifies the instructions (current software environment) to be executed. Column 2, lines 35-38 reveals the instructions of the return address is executable when there is a match of the address of the shadow stack with the address of the data stack), the known software environment having an entry region that was most recently accessed by the flow (column 8, lines 1-17 disclose the CFI shadow stack pointer identifies the top of the shadow stack. 
See column 8, lines 4-17 disclose write and read operations to and from the CFI shadow stack operate on a LIFO basis. Thus, the last data written to the CFI shadow stack will be first data read from the CFI shadow stack and as instructions are executed which result in data being read from or “popped” off of the CFI shadow stack, the CFI shadow stack pointer is moved up. The position of the data last written to the CFI shadow stack is referred to as the “top” of the CFI shadow stack. Column 2, lines 28-35 disclose return address (address that identifies the known software environment is stored on the shadow stack. The return address is the address of the instruction to be executed upon return of control to the call site. Therefore, the return address is the current environment identifier that identifies the instructions (current software environment) to be executed), wherein the entry region comprises a shadow stack update instruction that was executed by the flow (column 2, lines 28-35 disclose return address is stored on the shadow stack. A RET operation is a shadow stack aware operation (shadow stack update instruction) that pops the shadow stack. Column 8, lines 1-17 disclose the CFI shadow stack pointer identifies the top of the shadow stack. See column 8, lines 4-17 disclose write and read operations to and from the CFI shadow stack operate on a LIFO basis. Thus, the last data written to the CFI shadow stack will be first data read from the CFI shadow stack and as instructions are executed which result in data being read from or “popped” off of the CFI shadow stack, the CFI shadow stack pointer is moved up. The position of the data last written to the CFI shadow stack is referred to as the “top” of the CFI shadow stack. Column 2, lines 28-35 disclose return address (address that identifies the known software environment is stored on the shadow stack. The return address is the address of the instruction to be executed upon return of control to the call site. 
Therefore, the return address is the current environment identifier that identifies the instructions (current software environment) to be executed), and wherein the shadow stack update instruction that was executed by the flow used to store the last shadow environment identifier at the top position of the shadow stack when the flow entered the last entry region (column 2, lines 28-35 disclose return address is stored on the shadow stack. A RET operation is a shadow stack aware operation (shadow stack update instruction) that pops the shadow stack. Column 8, lines 1-17 disclose the CFI shadow stack pointer identifies the top of the shadow stack. See column 8, lines 4-17 disclose write and read operations to and from the CFI shadow stack operate on a LIFO basis. Thus, the last data written to the CFI shadow stack will be first data read from the CFI shadow stack and as instructions are executed which result in data being read from or “popped” off of the CFI shadow stack, the CFI shadow stack pointer is moved up. The position of the data last written to the CFI shadow stack is referred to as the “top” of the CFI shadow stack. Column 2, lines 28-35 disclose return address (address that identifies the known software environment is stored on the shadow stack). The return address is the address of the instruction to be executed upon return of control to the call site. 
Therefore, the return address is the current environment identifier that identifies the instructions (current software environment) to be executed); comparing the shadow environment identifier to the current environment identifier (column 2, lines 29-35 disclose the top of the data stack and the shadow stack are compared, and the top of the data stack and the shadow stack has the return addresses/identifiers, see also column 10, 57+ and column 11, lines 1-3); and detecting [an attack/fault] when the shadow environment identifier differs from the current environment identifier (column 1, lines 14-25; column 2, lines 29-35 disclose the top of the data stack and the shadow stack are compared, and the top of the data stack and the shadow stack has the return addresses/identifiers, see also column 10, 57+ and column 11, lines 1-3. When there is a difference between the top of the data stack and the top of shadow stack, then there is a fault. The fault pertains to an exploit/ROP from an attacker), indicating that the current software environment is attempting to use another entry region that differs from the entry region of the known software environment (column 10, 57+ and column 11, lines 1-3 disclose that the data stack return address instruction is foo ret address which is a different called instruction from the shadow stack return address is “A”). White does not teach wherein the entry region comprises a shadow stack update instruction that was executed by the flow when entering the known software environment and detecting a potential attack when the shadow environment identifier differs from the current environment identifier. 
LeMay teaches detecting a potential attack when the shadow environment identifier differs from the current environment identifier indicating that the last entry region was for a software environment that differs from the current software environment (paragraph 47 discloses the mismatch handler may determine whether the stack pointers mismatch is likely to be malicious; paragraph 31 discloses the mismatch module may be configured to determine whether the stack mismatch was likely caused by malicious ROP exploit. Paragraph 66 discloses if the stored legacy stack pointer value on the shadow stack does not match the predicted next legacy stack pointer, then malicious software may have performed a ROP exploit. Thus, paragraph 66 disclosure of determining whether the legacy stack pointer value stored (shadow environment identifier) differs from the predicted value of the next legacy stack pointer (current environment identifier) indicating that the last entry region was for a compromised software environment (indicating ROP attack/exploit because the stored return address/legacy stack pointer value points to execution of software (a software environment) using malicious stack instead of legitimate system stack that differs from the current software identifier of the current environment (the legacy stack bounds/ the predicted value of the next legacy stack pointer).

It would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to modify detection of the attack obtained in White’s system and further apply LeMay’s teachings of a likely attack such that if there is a mismatch, perform one or more security operations (paragraph 47 of LeMay).

The combination of White in view of LeMay does not teach wherein the entry region comprises a shadow stack update instruction that was executed by the flow when entering the known software environment.
Rabet teaches wherein the entry region comprises a shadow stack update instruction that was executed by the flow when entering the known software environment (paragraph 13 reveals the shadow stack is also referred to as the control stack. Paragraphs 28- 29 reveal in response to the function being invoked/executed, the processor writes the return address for the function to the data stack. The return address for the function/program is the memory address at which code execution is to resume upon completion of the function. A return flow guard prologue copies the return address for the function to the control/shadow stack. The operating system maintains a data stack pointer that points to a value most recently stored to the data stack and the data stack pointer includes the memory address where the value most recently stored to the data stack is stored. The return flow guard prologue copies the return address for the function that is copied from the data stack (that is to be stored in the control stack). (thus, this return address is an entry memory region that comprises instructions that was executed by the flow when entering/executed/invoked in the known software environment). Paragraph 30 further reveals when the control code executes, the operating system can write additional function return addresses to the data stack and the return flow guard prologue would copy the additional function return address to the control stack). 
It would have been obvious for one having ordinary skill in the art before the effective filing date of the invention to modify the detection of the attack obtained in White’s system in view of LeMay’s teachings of detecting a likely attack with Rabet’s teachings of control/shadow stack instructions that was executed by the flow when entering the known software environment to protect against memory corruption vulnerabilities that may be exploited by malicious users or code to overwrite return addresses located on the data stack and thus redirect control flow (paragraph 43 of Rabet).

As to claim 57, the combination of White in view of LeMay and Rabet teaches wherein the detecting of the potential attack is followed by stopping an execution of the flow (LeMay: paragraph 31 discloses upon determining a mismatch caused by a malicious ROP exploit, a mismatch module terminates the software thread). Motivation similar to the motivation presented in claim 55.

As to claim 58, the combination of White in view of LeMay and Rabet teaches wherein the entry region was amended by a compiler to include the shadow stack update instruction (White: column 8, lines 11-40 and column 8, lines 30-54 disclose the ISA (an instruction set architecture) of the CFI-enabled processor defines opcodes and operations to be executed by the processor. The ISA instruction includes the instruction and identifies the register for the instructions. When the instruction is assembled and compiled, an opcode is provided that represents both the operation and the operand. Column 2, lines 28-35 disclose return address is stored on the shadow stack. A RET operation is a shadow stack aware operation (shadow stack update instruction) that pops the shadow stack. Column 8, lines 1-17 disclose the CFI shadow stack pointer identifies the top of the shadow stack and column 8, lines 4-17 disclose write and read operations to and from the CFI shadow stack operate on a LIFO basis.
Thus, the last data written to the CFI shadow stack will be first data read from the CFI shadow stack and as instructions are executed which result in data being read from or “popped” off of the CFI shadow stack, the CFI shadow stack pointer is moved up. The position of the data last written to the CFI shadow stack is referred to as the “top” of the CFI shadow stack. Column 2, lines 28-35 disclose return address (address that identifies the known software environment is stored on the shadow stack). The return address is the address of the instruction to be executed upon return of control to the call site. Therefore, the return address is the current environment identifier that identifies the instructions (current software environment) to be executed).

As to claim 59, the combination of White in view of LeMay and Rabet teaches comprising amending, by a compiler, the entry region to include the shadow stack update instruction (White: column 8, lines 11-40 and column 8, lines 30-54 disclose the ISA (an instruction set architecture) of the CFI-enabled processor defines opcodes and operations to be executed by the processor. The ISA instruction includes the instruction and identifies the register for the instructions. When the instruction is assembled and compiled, an opcode is provided that represents both the operation and the operand. Column 2, lines 28-35 disclose return address is stored on the shadow stack. A RET operation is a shadow stack aware operation (shadow stack update instruction) that pops the shadow stack. Column 8, lines 1-17 disclose the CFI shadow stack pointer identifies the top of the shadow stack and column 8, lines 4-17 disclose write and read operations to and from the CFI shadow stack operate on a LIFO basis.
Thus, the last data written to the CFI shadow stack will be first data read from the CFI shadow stack and as instructions are executed which result in data being read from or “popped” off of the CFI shadow stack, the CFI shadow stack pointer is moved up. The position of the data last written to the CFI shadow stack is referred to as the “top” of the CFI shadow stack. Column 2, lines 28-35 disclose return address (address that identifies the known software environment is stored on the shadow stack). The return address is the address of the instruction to be executed upon return of control to the call site. Therefore, the return address is the current environment identifier that identifies the instructions (current software environment) to be executed).

As to claim 60, the combination of White in view of LeMay and Rabet teaches comprising executing the flow change command when the shadow environment identifier equals the current environment identifier (LeMay: paragraphs 46 and 49 disclose the processor determines whether the top legacy stack pointer value of the shadow stack matches the legacy stack pointer. If there is match, the method branches ahead to step 430 in which the processor pops the legacy stack pointer value from the shadow stack, and in paragraph 51 performs other operations typically performed by a legacy return instruction (flow change instruction)/completing the execution of the return instruction. White: column 2, lines 30-38 and column 8, lines 35-40 disclose if the addresses match (from the shadow stack and the data stack), the control flow integrity is confirmed and the execution of the program continues). Motivation similar to the motivation presented in claim 55.

As to claim 61, the combination of White in view of LeMay and Rabet teaches wherein the flow change command is a return command (White: column 2, lines 28-35 discloses a return address is stored on the shadow stack.
A RET operation is a shadow stack aware operation that pops the shadow stack. LeMay: paragraphs 26 and 91 disclose execution of a return instruction); and wherein the executing of the return command comprises: retrieving, from the shadow stack, a return environment identifier that identifies a return software environment (LeMay: paragraph 38 discloses after pushing the return address onto the legacy stack and shadow stack, the processor may update the shadow stack pointer such as push the legacy stack pointer value onto the shadow stack. Paragraph 42 discloses the top return address of the shadow stack may be stored at the shadow stack pointer. The processor retrieve the shadow stack pointer from the shadow stack to determine whether the top return address of the shadow stack matches the top return address of the legacy stack. Paragraph 46 discloses the legacy stack pointer is retrieve because the processor compares the legacy stack pointer with the top legacy stack pointer value stored on the shadow stack. White: column 2, lines 29-38 and column 2, lines 58+ disclose data stack stores data relating to instructions (current software environment) executed by the processor. The processor includes a data stack pointer associated with the data stack that identifies the current top of the stack. The return address/current environment identifier that is stored on the data stack. The return address is the address of the instruction to be executed upon return of control to the call site. Therefore, the return address is the current environment identifier that identifies the instructions(current software environment) to be executed. See also column 7, lines 41-57); and jumping to the return software environment (LeMay: paragraph 34 discloses after pushing the return address onto the legacy stack, the processor jumps to the target of the call instruction. 
Paragraph 40 discloses the return instruction may be any processor instruction that causes a jump of execution to a return address). Motivation similar to the motivation presented in claim 55.

As to claim 62, the combination of White in view of LeMay and Rabet teaches wherein the flow change command is a jump subroutine command for jumping to a subroutine (LeMay: paragraph 32 discloses the call instruction may be embodied as any processor instruction that causes a jump of execution to specified procedure; paragraph 66 discloses setjmp and longjmp functions); and wherein the executing of the jump subroutine command comprises: jumping to the subroutine and executing a shadow stack update included in the entry region of the subroutine (LeMay: paragraph 34 discloses after pushing the return address onto the legacy stack, the processor jumps to the target of the call instruction. Paragraph 40 discloses the return instruction may be any processor instruction that causes a jump of execution to a return address; paragraph 38 discloses after pushing the return address onto the legacy stack and shadow stack, the processor may update the shadow stack pointer such as push the legacy stack pointer value onto the shadow stack. Paragraph 42 discloses the top return address of the shadow stack may be stored at the shadow stack pointer); wherein the executing of the shadow stack update comprises storing in the shadow stack an update to the shadow environment identifier that identifies the subroutine (LeMay: paragraph 38 discloses after pushing the return address onto the legacy stack and shadow stack, the processor may update the shadow stack pointer such as push the legacy stack pointer value onto the shadow stack. Paragraph 42 discloses the top return address of the shadow stack may be stored at the shadow stack pointer). Motivation similar to the motivation presented in claim 55.
As to claim 64, the combination of White in view of LeMay and Rabet teaches wherein the flow change command is a jump subroutine command (LeMay: paragraph 32 discloses the call instruction may be embodied as any processor instruction that causes a jump of execution to specified procedure; paragraph 66 discloses setjmp and longjmp functions). Motivation similar to the motivation presented in claim 55.

As to claim 65, the combination of White in view of LeMay and Rabet teaches wherein the flow change command is a return command (White: column 2, lines 28-35 discloses a return address is stored on the shadow stack. A RET operation is a shadow stack aware operation that pops the shadow stack).

As to claim 67, the combination of White in view of LeMay and Rabet teaches wherein the current software environment comprises a current software environment entry region (White: column 2, lines 29-38 and column 2, lines 58+ disclose data stack stores data relating to instructions (current software environment) executed by the processor. The processor includes a data stack pointer associated with the data stack that identifies the current top of the stack (entry region). The return address/current environment identifier that is stored on the data stack. The return address is the address of the instruction to be executed upon return of control to the call site. Therefore, the return address is the current environment identifier that identifies the instructions (current software environment) to be executed. See also column 7, lines 41-57) that comprises a shadow stack update instruction for updating the shadow stack with the current environment identifier (White: column 2, lines 28-35 disclose return address is stored on the shadow stack. A RET operation is a shadow stack aware operation (update instruction) that pops the shadow stack. Column 8, lines 4-17 disclose write and read operations to and from the CFI shadow stack operate on a LIFO basis.
Thus, the last data written to the CFI shadow stack will be first data read from the CFI shadow stack and as instructions are executed which result in data being read from or “popped” off of the CFI shadow stack, the CFI shadow stack pointer is moved up. The position of the data last written to the CFI shadow stack is referred to as the “top” of the CFI shadow stack. See also column, 52+), wherein the entry region comprises a shadow stack update instruction that was executed by the flow (White: column 2, lines 29-38 and column 2, lines 58+ disclose the processor includes a data stack pointer associated with the data stack that identifies the current top of the stack (entry region). Column 2, lines 28-35 disclose return address is stored on the shadow stack. A RET operation is a shadow stack aware operation (update instruction) that pops the shadow stack. Column 8, lines 4-17 disclose write and read operations to and from the CFI shadow stack operate on a LIFO basis. Thus, the last data written to the CFI shadow stack will be first data read from the CFI shadow stack and as instructions are executed which result in data being read from or “popped” off of the CFI shadow stack, the CFI shadow stack pointer is moved up. The position of the data last written to the CFI shadow stack is referred to as the “top” of the CFI shadow stack. See also column, 52+).

As to claim 68, the combination of White in view of LeMay and Rabet teaches wherein the detecting the potential attack before executing the flow change command (LeMay: paragraph 47 discloses the mismatch handler may determine whether the stack pointers mismatch is likely to be malicious; paragraph 31 discloses the mismatch module may be configured to determine whether the stack mismatch was likely caused by malicious ROP exploit.
Paragraph 66 discloses if the stored legacy stack pointer value on the shadow stack does not match the predicted next legacy stack pointer, then malicious software may have performed a ROP exploit. Thus, paragraph 66 disclosure of determining whether the legacy stack pointer value stored (shadow environment identifier) differs from the predicted value of the next legacy stack pointer (current environment identifier) indicating that the last entry region was for a compromised software environment (indicating ROP attack/exploit because the stored return address/legacy stack pointer value points to execution of software (a software environment) using malicious stack instead of legitimate system stack that differs from the current software identifier of the current environment (the legacy stack bounds/ the predicted value of the next legacy stack pointer). Motivation similar to the motivation presented in claim 55.

As to claim 69, the combination of White in view of LeMay and Rabet teaches comprising responding to the detecting of the potential attack before executing the flow change command (LeMay: paragraph 47 discloses the mismatch handler may determine whether the stack pointers mismatch is likely to be malicious; paragraph 31 discloses the mismatch module may be configured to determine whether the stack mismatch was likely caused by malicious ROP exploit. Paragraph 66 discloses if the stored legacy stack pointer value on the shadow stack does not match the predicted next legacy stack pointer, then malicious software may have performed a ROP exploit.
Thus, paragraph 66 disclosure of determining whether the legacy stack pointer value stored (shadow environment identifier) differs from the predicted value of the next legacy stack pointer (current environment identifier) indicating that the last entry region was for a compromised software environment (indicating ROP attack/exploit because the stored return address/legacy stack pointer value points to execution of software (a software environment) using malicious stack instead of legitimate system stack that differs from the current software identifier of the current environment (the legacy stack bounds/ the predicted value of the next legacy stack pointer). Motivation similar to the motivation presented in claim 55.

As to claim 70, the combination of White in view of LeMay and Rabet teaches wherein the responding comprising at least one of: generating an alert, stopping the execution of the flow, or rebooting a processor (LeMay: paragraph 31 discloses upon determining a mismatch caused by a malicious ROP exploit, a mismatch module terminates the software thread). Motivation similar to the motivation presented in claim 55.
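
The mechanism the cited passages describe for claims 55-70 (return address copied to the shadow stack on entry, tops of the two stacks compared on return, flow stopped on mismatch) can be modelled in C as follows. This is an added illustration, not code from the application or from White, LeMay or Rabet; the names cfi_machine, cfi_call and cfi_ret, the stack depth and the sample addresses are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define STACK_DEPTH 16 /* assumed depth for this model */

typedef enum {
    CFI_OK = 0,
    CFI_MISMATCH,  /* tops differ: potential attack, flow is stopped */
    CFI_UNDERFLOW, /* return with nothing to return to */
    CFI_OVERFLOW,  /* call depth exceeds the model's stacks */
    CFI_HALTED     /* flow was already stopped by an earlier mismatch */
} cfi_status;

typedef struct {
    uintptr_t data[STACK_DEPTH];   /* data (legacy) stack: program-writable */
    uintptr_t shadow[STACK_DEPTH]; /* shadow (control) stack: call/ret only */
    size_t data_top;               /* number of entries on the data stack */
    size_t shadow_top;             /* number of entries on the shadow stack */
    int halted;                    /* set once a mismatch has been detected */
} cfi_machine;

void cfi_init(cfi_machine *m)
{
    m->data_top = 0;
    m->shadow_top = 0;
    m->halted = 0;
}

/* Entry into a callee: the return address goes onto the data stack, then the
 * entry-region update copies it from there to the top of the shadow stack. */
cfi_status cfi_call(cfi_machine *m, uintptr_t ret_addr)
{
    if (m->halted)
        return CFI_HALTED;
    if (m->data_top == STACK_DEPTH || m->shadow_top == STACK_DEPTH)
        return CFI_OVERFLOW;
    m->data[m->data_top++] = ret_addr;
    m->shadow[m->shadow_top++] = m->data[m->data_top - 1];
    return CFI_OK;
}

/* Return: compare the two tops before transferring control. On a match both
 * entries are popped (LIFO) and *target receives the address. On a mismatch
 * nothing is popped, *target is left untouched and the flow is halted. */
cfi_status cfi_ret(cfi_machine *m, uintptr_t *target)
{
    if (m->halted)
        return CFI_HALTED;
    if (m->data_top == 0 || m->shadow_top == 0)
        return CFI_UNDERFLOW;
    uintptr_t from_data = m->data[m->data_top - 1];
    uintptr_t from_shadow = m->shadow[m->shadow_top - 1];
    if (from_data != from_shadow) {
        m->halted = 1;
        return CFI_MISMATCH;
    }
    m->data_top--;
    m->shadow_top--;
    *target = from_shadow;
    return CFI_OK;
}

/* Constructed scenario: two nested calls, then the data-stack copy of the
 * innermost return address is overwritten (stand-in for memory corruption). */
cfi_status demo_overwritten_return(void)
{
    cfi_machine m;
    uintptr_t target = 0;
    cfi_init(&m);
    cfi_call(&m, (uintptr_t)0x401000u); /* constructed sample address */
    cfi_call(&m, (uintptr_t)0x402000u); /* constructed sample address */
    m.data[m.data_top - 1] = (uintptr_t)0x41414141u; /* constructed value */
    return cfi_ret(&m, &target);
}

int main(void)
{
    cfi_status s = demo_overwritten_return();
    printf("return after overwrite: %s\n",
           s == CFI_MISMATCH ? "mismatch, flow stopped" : "not detected");
    return s == CFI_MISMATCH ? 0 : 1;
}
```

The shadow array stands in for memory that ordinary stores cannot reach; in this model that separation is only a convention of the code, whereas the references rely on the processor or operating system to enforce it.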
As to claim 71, White teaches a non-transitory computer readable medium that stores instructions, wherein when executed on a processing circuit, causes the processing circuit to perform operations comprising: (column 1, lines 8-10 discloses a processor (processors include memory) which provides control flow integrity and a method of providing notice of a fault in a control flow): detecting that a flow reached a flow change command or is about to reach the flow change command (column 2, lines 14-38 disclose detecting changes in the address of the instructions to be executed), wherein the flow change command belongs to a current software environment identified by a current environment identifier (column 2, lines 29-38 and column 2, lines 58+ disclose data stack stores data relating to instructions (current software environment) executed by the processor. The processor includes a data stack pointer associated with the data stack that identifies the current top of the stack. The return address/current environment identifier that is stored on the data stack. The return address is the address of the instruction to be executed upon return of control to the call site. Therefore, the return address is the current environment identifier that identifies the instructions(current software environment) to be executed. See also column 7, lines 41-57); retrieving a shadow environment identifier that is stored in a top position of a shadow stack above any other software environment identifier (column 2, lines 28-35 disclose return address is stored on the shadow stack. A RET operation is a shadow stack aware operation that pops the shadow stack. Column 8, lines 4-17 disclose write and read operations to and from the CFI shadow stack operate on a LIFO basis. 
Thus, the last data written to the CFI shadow stack will be first data read from the CFI shadow stack and as instructions are executed which result in data being read from or “popped” off of the CFI shadow stack, the CFI shadow stack pointer is moved up. The position of the data last written to the CFI shadow stack is referred to as the “top” of the CFI shadow stack. See also column, 52+), wherein the shadow environment identifier identifies a known software environment with executable instructions (column 2, lines 28-35 disclose return address (address that identifies the known software environment is stored on the shadow stack. The return address is the address of the instruction to be executed upon return of control to the call site. Therefore, the return address is the current environment identifier that identifies the instructions (current software environment) to be executed. Column 2, lines 35-38 reveals the instructions of the return address is executable when there is a match of the address of the shadow stack with the address of the data stack), the known software environment having an entry region that was most recently accessed by the flow (column 8, lines 1-17 disclose the CFI shadow stack pointer identifies the top of the shadow stack. See column 8, lines 4-17 disclose write and read operations to and from the CFI shadow stack operate on a LIFO basis. Thus, the last data written to the CFI shadow stack will be first data read from the CFI shadow stack and as instructions are executed which result in data being read from or “popped” off of the CFI shadow stack, the CFI shadow stack pointer is moved up. The position of the data last written to the CFI shadow stack is referred to as the “top” of the CFI shadow stack. Column 2, lines 28-35 disclose return address (address that identifies the known software environment is stored on the shadow stack. The return address is the address of the instruction to be executed upon return of control to the call site. 
Therefore, the return address is the current environment identifier that identifies the instructions (current software environment) to be executed), wherein the entry region comprises a shadow stack update instruction that was executed by the flow (column 2, lines 28-35 disclose return address is stored on the shadow stack. A RET operation is a shadow stack aware operation (shadow stack update instruction) that pops the shadow stack. Column 8, lines 1-17 disclose the CFI shadow stack pointer identifies the top of the shadow stack. See column 8, lines 4-17 disclose write and read operations to and from the CFI shadow stack operate on a LIFO basis. Thus, the last data written to the CFI shadow stack will be first data read from the CFI shadow stack and as instructions are executed which result in data being read from or “popped” off of the CFI shadow stack, the CFI shadow stack pointer is moved up. The position of the data last written to the CFI shadow stack is referred to as the “top” of the CFI shadow stack. Column 2, lines 28-35 disclose return address (address that identifies the known software environment is stored on the shadow stack. The return address is the address of the instruction to be executed upon return of control to the call site. Therefore, the return address is the current environment identifier that identifies the instructions (current software environment) to be executed), and wherein the shadow stack update instruction that was executed by the flow used to store the last shadow environment identifier at the top position of the shadow stack when the flow entered the last entry region (column 2, lines 28-35 disclose return address is stored on the shadow stack. A RET operation is a shadow stack aware operation (shadow stack update instruction) that pops the shadow stack. Column 8, lines 1-17 disclose the CFI shadow stack pointer identifies the top of the shadow stack. 
See column 8, lines 4-17 disclose write and read operations to and from the CFI shadow stack operate on a LIFO basis. Thus, the last data written to the CFI shadow stack will be first data read from the CFI shadow stack and as instructions are executed which result in data being read from or “popped” off of the CFI shadow stack, the CFI shadow stack pointer is moved up. The position of the data last written to the CFI shadow stack is referred to as the “top” of the CFI shadow stack. Column 2, lines 28-35 disclose return address (address that identifies the known software environment is stored on the shadow stack). The return address is the address of the instruction to be executed upon return of control to the call site. Therefore, the return address is the current environment identifier that identifies the instructions (current software environment) to be executed); comparing the shadow environment identifier to the current environment identifier (column 2, lines 29-35 disclose the top of the data stack and the shadow stack are compared, and the top of the data stack and the shadow stack has the return addresses/identifiers, see also column 10, 57+ and column 11, lines 1-3); and detecting [an attack/fault] when the shadow environment identifier differs from the current environment identifier (column 1, lines 14-25; column 2, lines 29-35 disclose the top of the data stack and the shadow stack are compared, and the top of the data stack and the shadow stack has the return addresses/identifiers, see also column 10, 57+ and column 11, lines 1-3. When there is a difference between the top of the data stack and the top of shadow stack, then there is a fault. 
The fault pertains to an exploit/ROP from an attacker), indicating that the current software environment is attempting to use another entry region that differs from the entry region of the known software environment (column 10, 57+ and column 11, lines 1-3 disclose that the data stack return address instruction is foo ret address which is a different called instruction from the shadow stack return address is “A”). White does not teach wherein the entry region comprises a shadow stack update instruction that was executed by the flow when entering the known software environment and detecting a potential attack when the shadow environment identifier differs from the current environment identifier. LeMay teaches detecting a potential attack when the shadow environment identifier differs from the current environment identifier indicating that the last entry region was for a software environment that differs from the current software environment (paragraph 47 discloses the mismatch handler may determine whether the stack pointers mismatch is likely to be malicious; paragraph 31 discloses the mismatch module may be configured to determine whether the stack mismatch was likely caused by malicious ROP exploit. Paragraph 66 discloses if the stored legacy stack pointer value on the shadow stack does not match the predicted next legacy stack pointer, then malicious software may have performed a ROP exploit. 
Thus, paragraph 66 disclosure of determining whether the legacy stack pointer value stored (shadow environment identifier) differs from the predicted value of the next legacy stack pointer (current environment identifier) indicating that the last entry region was for a compromised software environment (indicating ROP attack/exploit because the stored return address/legacy stack pointer value points to execution of software(a software environment) using malicious stack instead of legitimate system stack that differs from the current software identifier of the current environment (the legacy stack bounds/ the predicted value of the next legacy stack pointer). It would have been obvious to one having ordinary skill in the art before the effective filing date of the claim invention to modify detection of the attack obtained in White’s system and further apply LeMay’s teachings of a likely attack such that if there is a mismatch, perform one or more security operations (paragraph 47 of LeMay). The combination of White in view of LeMay does not teach wherein the entry region comprises a shadow stack update instruction that was executed by the flow when entering the known software environment. Rabet teaches wherein the entry region comprises a shadow stack update instruction that was executed by the flow when entering the known software environment (paragraph 13 reveals the shadow stack is also referred to as the control stack. Paragraphs 28- 29 reveal in response to the function being invoked/executed, the processor writes the return address for the function to the data stack. The return address for the function/program is the memory address at which code execution is to resume upon completion of the function. A return flow guard prologue copies the return address for the function to the control/shadow stack. 
The operating system maintains a data stack pointer that points to a value most recently stored to the data stack and the data stack pointer includes the memory address where the value most recently stored to the data stack is stored. The return flow guard prologue copies the return address for the function that is copied from the data stack (that is to be stored in the control stack). (thus, this return address is an entry memory region that comprises instructions that was executed by the flow when entering/executed/invoked in the known software environment). Paragraph 30 further reveals when the control code executes, the operating system can write additional function return addresses to the data stack and the return flow guard prologue would copy the additional function return address to the control stack).

It would have been obvious for one having ordinary skill in the art before the effective filing date of the invention to modify the detection of the attack obtained in White’s system in view of LeMay’s teachings of detecting a likely attack with Rabet’s teachings of control/shadow stack instructions that was executed by the flow when entering the known software environment to protect against memory corruption vulnerabilities that may be exploited by malicious users or code to overwrite return addresses located on the data stack and thus redirect control flow (paragraph 43 of Rabet).

Claim(s) 40 and 56 is/are rejected under 35 U.S.C. 103 as being unpatentable over White US 10579457 (hereinafter White), in view of LeMay et al US 20160092673 (hereinafter LeMay), in further view of Rabet et al US 20180088988 (hereinafter Rabet), in further view of Pan et al US 20090320129 (hereinafter Pan), and in further view of LeMay et al US 20190050566 (hereinafter LeMay’566).

As to claim 40, the combination of White in view of LeMay and Rabet teaches all the limitations recited in claim 39 above and further teaches wherein to detect that the flow is about to reach the flow change command (White: column 2, lines 14-38 disclose detecting changes in the address of the instructions to be executed). The combination of White in view of LeMay and Rabet does not teach the processing circuit is configured to search the flow change command in proximity to an entry by a program counter. Pan teaches the processing circuit (paragraphs 27 and 35 disclose the cross-module detection system is implemented on a computing device, the computing device may include a processor) is configured to search the flow change command in proximity to an entry by a program counter (paragraphs 10 and 35 disclose the system first extract a set of possible destination addresses of an inter-module transfer from binaries (Paragraph 11 disclose the detection system directly scan a binary file or the references to the code areas of the module being examined and the incorrect references are eliminated. Each of the remaining references is checked with general compilation knowledge to decide whether it is a legitimate entrance from outside of the module so that the resulting reference set contains only the function starting addresses which can be called by other modules). Paragraph 36 discloses the destination address is expected to be the beginning/entry of a function in the target module when the stack grows and a control flow enters a module. Thus, by scanning the binary file or the references of the code areas of the module; a scan is performed of the flow command in possible vicinity to an entry of the inter-module transfer/flow change command. Paragraph 38 discloses an entry to a module is said to be original by a control flow if the control flow is newly entering the module. 
The checking module is used to determine whether the entry point of the control flow is legitimate). It would have been obvious to one having ordinary skill in the art before the effective filing date of the claim invention to modify detection of the attack obtained in White’s system and further apply LeMay’s teachings of a likely attack and Rabet’s teachings of control/shadow stack instructions that was executed by the flow when entering the known software environment with Pan’s cross-module detection system that searches for flow changes commands to quickly detect and monitor control flows transfers between software modules in a computer system either statically or dynamically without employing disassembly techniques to extract the control flow information because even the most advanced disassembly techniques cannot guarantee the accuracy of disassembly results (paragraph 11 of Pan). The combination of White in view of LeMay, Rabet, and Pan does not teach an entry pointed by a program counter. LeMay’566 teaches an entry pointed by a program counter (Paragraph 72 discloses the first target instruction pointer is associated with a destination address. Paragraph 37 discloses the system inspect the destination of target instruction pointer (TIP) packets stored in the trace data. The computing device may compare the target address of each TIP packet to a database of allowable branch destinations. Each allowable branch destination may correspond, for example, to the beginning/entry of a function. Paragraph 46 recites target instruction pointer of the return instruction is the entry point. (A program counter is commonly called instruction pointer)). 
It would have been obvious to one having ordinary skill in the art before the effective filing date of the claim invention to modify detection of the attack obtained in White’s system and further apply LeMay’s teachings of a likely attack, Rabet’s teachings of control/shadow stack instructions that was executed by the flow when entering the known software environment, and Pan’s cross-module detection system that searches for flow changes commands with LeMay’566 teachings of utilizing an instruction pointer to detect indirect branches to disallowed branch targets (paragraph 37 of LeMay’566) and further provide debugging-oriented RTIT and control flow exploit detection (paragraph 55 of LeMay’566).

As to claim 56, the combination of White in view of LeMay and Rabet teaches all the limitations recited in claim 55 above and further teaches wherein to detect that the flow is about to reach the flow change command (White: column 2, lines 14-38 disclose detecting changes in the address of the instructions to be executed). The combination of White in view of LeMay and Rabet does not teach the processing circuit is configured to search the flow change command in proximity to an entry by a program counter. Pan teaches the processing circuit (paragraphs 27 and 35 disclose the cross-module detection system is implemented on a computing device, the computing device may include a processor) is configured to search the flow change command in proximity to an entry by a program counter (paragraphs 10 and 35 disclose the system first extract a set of possible destination addresses of an inter-module transfer from binaries (Paragraph 11 disclose the detection system directly scan a binary file or the references to the code areas of the module being examined and the incorrect references are eliminated.
Each of the remaining references is checked with general compilation knowledge to decide whether it is a legitimate entrance from outside of the module so that the resulting reference set contains only the function starting addresses which can be called by other modules). Paragraph 36 discloses the destination address is expected to be the beginning/entry of a function in the target module when the stack grows and a control flow enters a module. Thus, by scanning the binary file or the references of the code areas of the module; a scan is performed of the flow command in possible vicinity to an entry of the inter-module transfer/flow change command. Paragraph 38 discloses an entry to a module is said to be original by a control flow if the control flow is newly entering the module. The checking module is used to determine whether the entry point of the control flow is legitimate). It would have been obvious to one having ordinary skill in the art before the effective filing date of the claim invention to modify detection of the attack obtained in White’s system and further apply LeMay’s teachings of a likely attack and Rabet’s teachings of control/shadow stack instructions that was executed by the flow when entering the known software environment with Pan’s cross-module detection system that searches for flow changes commands to quickly detect and monitor control flows transfers between software modules in a computer system either statically or dynamically without employing disassembly techniques to extract the control flow information because even the most advanced disassembly techniques cannot guarantee the accuracy of disassembly results (paragraph 11 of Pan). The combination of White in view of LeMay, Rabet, and Pan does not teach an entry pointed by a program counter. LeMay’566 teaches an entry pointed by a program counter (Paragraph 72 discloses the first target instruction pointer is associated with a destination address. 
Paragraph 37 discloses the system inspect the destination of target instruction pointer (TIP) packets stored in the trace data. The computing device may compare the target address of each TIP packet to a database of allowable branch destinations. Each allowable branch destination may correspond, for example, to the beginning/entry of a function. Paragraph 46 recites target instruction pointer of the return instruction is the entry point. (A program counter is commonly called instruction pointer)).

It would have been obvious to one having ordinary skill in the art before the effective filing date of the claim invention to modify detection of the attack obtained in White’s system and further apply LeMay’s teachings of a likely attack, Rabet’s teachings of control/shadow stack instructions that was executed by the flow when entering the known software environment, and Pan’s cross-module detection system that searches for flow changes commands with LeMay’566 teachings of utilizing an instruction pointer to detect indirect branches to disallowed branch targets (paragraph 37 of LeMay’566) and further provide debugging-oriented RTIT and control flow exploit detection (paragraph 55 of LeMay’566).

Claim(s) 47, 50, 63, and 66 is/are rejected under 35 U.S.C. 103 as being unpatentable over White US 10579457 (hereinafter White), in view of LeMay et al US 20160092673 (hereinafter LeMay), in further view of Rabet et al US 20180088988 (hereinafter Rabet), and in further view of LeMay et al US 20190050566 (hereinafter LeMay’566).

As to claim 47, the combination of White and LeMay and Rabet teaches all the limitations recited in claim 44 above and teaches wherein the address belongs to the current software environment (White: column 2, lines 29-38 and column 2, lines 58+ disclose data stack stores data relating to instructions (current software environment) executed by the processor.
The processor includes a data stack pointer associated with the data stack that identifies the current top of the stack. The return address/current environment identifier that is stored on the data stack. The return address is the address of the instruction to be executed upon return of control to the call site. Therefore, the return address is the current environment identifier that identifies the instructions(current software environment) to be executed. See also column 7, lines 41-57). The combination of White in view of LeMay and Rabet does not teach wherein the flow change command is a jump indirect command for jumping to an address that is stored in a memory element. LeMay’566 teaches wherein the flow change command is a jump indirect command for jumping to an address that is stored in a memory element (paragraph 22 discloses target addresses of indirect branch instructions are logged. Paragraph 54 discloses the computing device may monitor indirect jump instructions. Figure 8 and paragraph 67 that Figure 8 reveal 4096 byte of the memory that has been set to executable only. The memory includes several instruction bundles, each instruction bundle includes instruction to select an indirect branch target/address. Each instruction bundle further includes instructions to jump to the instruction bundle corresponding to that indirect branch target/address. Each instruction bundle occupies 8 bytes of memory. During execution, the RTIT support outputs a TIP packet that identifies the instruction bundle that is the target of each indirect jump). 
It would have been obvious to one having ordinary skill in the art before the effective filing date of the claim invention to modify detection of the attack obtained in White’s system in view of LeMay’s teachings of a likely attack and Rabet’s teachings of control/shadow stack instructions that was executed by the flow when entering the known software environment and further apply LeMay’566 teachings of jump indirect instructions to disallowed branch targets (paragraph 37 of LeMay’566) and further provide debugging-oriented RTIT and control flow exploit detection (paragraph 55 of LeMay’566).

As to claim 50, the combination of White in view of LeMay and Rabet teaches all the limitations recited in claim 39. The combination of White in view of LeMay and Rabet does not teach wherein the flow change command is a jump indirect command. LeMay’566 teaches wherein the flow change command is jump indirect command (paragraph 22 discloses target addresses of indirect branch instructions are logged. Paragraph 54 discloses the computing device may monitor indirect jump instructions).

It would have been obvious to one having ordinary skill in the art before the effective filing date of the claim invention to modify detection of the attack obtained in White’s system in view of LeMay’s teachings of a likely attack and Rabet’s teachings of control/shadow stack instructions that was executed by the flow when entering the known software environment and further apply LeMay’566 teachings of jump indirect instructions to disallowed branch targets (paragraph 37 of LeMay’566) and further provide debugging-oriented RTIT and control flow exploit detection (paragraph 55 of LeMay’566).

As to claim 63, the combination of White in view of LeMay and Rabet teaches all the limitations recited in claim 60 above and teaches wherein the address belongs to the current software environment (White: column 2, lines 29-38 and column 2, lines 58+ disclose data stack stores data relating to instructions (current software environment) executed by the processor. The processor includes a data stack pointer associated with the data stack that identifies the current top of the stack. The return address/current environment identifier that is stored on the data stack. The return address is the address of the instruction to be executed upon return of control to the call site. Therefore, the return address is the current environment identifier that identifies the instructions(current software environment) to be executed. See also column 7, lines 41-57). The combination of White in view of LeMay and Rabet does not teach wherein the flow change command is a jump indirect command for jumping to an address that is stored in a memory element. LeMay’566 teaches wherein the flow change command is a jump indirect command for jumping to an address that is stored in a memory element (paragraph 22 discloses target addresses of indirect branch instructions are logged. Paragraph 54 discloses the computing device may monitor indirect jump instructions. Figure 8 and paragraph 67 that Figure 8 reveal 4096 byte of the memory that has been set to executable only. The memory includes several instruction bundles, each instruction bundle includes instruction to select an indirect branch target/address. Each instruction bundle further includes instructions to jump to the instruction bundle corresponding to that indirect branch target/address. Each instruction bundle occupies 8 bytes of memory. During execution, the RTIT support outputs a TIP packet that identifies the instruction bundle that is the target of each indirect jump). 
It would have been obvious to one having ordinary skill in the art before the effective filing date of the claim invention to modify Pan’s cross-module detection system in view of LeMay’s teachings of comparing the pointer of the shadow stack with the pointer of the current environment and Rabet’s teachings of control/shadow stack instructions that was executed by the flow when entering the known software environment and further apply LeMay’566 teachings of jump indirect instructions to disallowed branch targets (paragraph 37 of LeMay’566) and further provide debugging-oriented RTIT and control flow exploit detection (paragraph 55 of LeMay’566).

As to claim 66, the combination of White in view of LeMay and Rabet teaches all the limitations recited in claim 55. The combination of White in view of LeMay and Rabet does not teach wherein the flow change command is jump indirect command. LeMay’566 teaches wherein the flow change command is jump indirect command (paragraph 22 discloses target addresses of indirect branch instructions are logged. Paragraph 54 discloses the computing device may monitor indirect jump instructions).

It would have been obvious to one having ordinary skill in the art before the effective filing date of the claim invention to modify Pan’s cross-module detection system in view of LeMay’s teachings of comparing the pointer of the shadow stack with the pointer of the current environment and Rabet’s teachings of control/shadow stack instructions that was executed by the flow when entering the known software environment and further apply LeMay’566 teachings of jump indirect instructions to disallowed branch targets (paragraph 37 of LeMay’566) and further provide debugging-oriented RTIT and control flow exploit detection (paragraph 55 of LeMay’566).

Conclusion

Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a).
Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).

A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to FELICIA FARROW whose telephone number is (571)272-1856. The examiner can normally be reached M - F 7:30am-4:00pm (EST). Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.

If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Alexander Lagor can be reached at (571)270-5143. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.

Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/F.F/Examiner, Art Unit 2437
/ALI S ABYANEH/Primary Examiner, Art Unit 2437
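
The call/return check that the cited references describe (return address copied to the shadow stack on function entry, tops of both stacks compared on return in LIFO order, any difference treated as a fault) can be modeled in a few lines of C. This is an added example, not code from the application or from White, LeMay or Rabet; the type and function names, the fixed depth and the addresses are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define DEPTH 16 /* assumed fixed depth for this model */

typedef enum { CFI_OK, CFI_MISMATCH, CFI_UNDERFLOW, CFI_OVERFLOW } cfi_status;

/* Only the return-address slots of each stack are modeled. */
typedef struct {
    uintptr_t data[DEPTH];   /* ordinary data stack, writable by the program */
    uintptr_t shadow[DEPTH]; /* shadow (control) stack */
    size_t data_top;         /* number of entries on the data stack */
    size_t shadow_top;       /* number of entries on the shadow stack */
} cfi_model;

void cfi_init(cfi_model *m) { m->data_top = 0; m->shadow_top = 0; }

/* Function entry: the call writes the return address to the data stack,
 * then the prologue copies that same value to the shadow stack. */
cfi_status cfi_call(cfi_model *m, uintptr_t ret_addr) {
    if (m->data_top == DEPTH || m->shadow_top == DEPTH)
        return CFI_OVERFLOW;
    m->data[m->data_top++] = ret_addr;
    m->shadow[m->shadow_top++] = m->data[m->data_top - 1];
    return CFI_OK;
}

/* Function return: compare the tops of both stacks before transferring
 * control. On a mismatch nothing is popped, so a handler can inspect both
 * values, and *target stays 0 (no control transfer). */
cfi_status cfi_return(cfi_model *m, uintptr_t *target) {
    *target = 0;
    if (m->data_top == 0 || m->shadow_top == 0)
        return CFI_UNDERFLOW;
    if (m->data[m->data_top - 1] != m->shadow[m->shadow_top - 1])
        return CFI_MISMATCH;
    *target = m->data[--m->data_top];
    --m->shadow_top;
    return CFI_OK;
}

/* Constructed scenario: two nested calls return in LIFO order. */
cfi_status demo_clean_returns(void) {
    cfi_model m;
    uintptr_t t = 0;
    cfi_init(&m);
    cfi_call(&m, 0x401000u); /* constructed return addresses */
    cfi_call(&m, 0x401234u);
    if (cfi_return(&m, &t) != CFI_OK || t != 0x401234u) return CFI_MISMATCH;
    if (cfi_return(&m, &t) != CFI_OK || t != 0x401000u) return CFI_MISMATCH;
    return CFI_OK;
}

/* Constructed scenario: the top data-stack slot is overwritten between the
 * call and the return, standing in for a memory-corruption bug. */
cfi_status demo_corrupted_return(void) {
    cfi_model m;
    uintptr_t t = 0;
    cfi_init(&m);
    cfi_call(&m, 0x401000u);
    cfi_call(&m, 0x401234u);
    m.data[m.data_top - 1] = 0x41414141u; /* constructed corrupted value */
    return cfi_return(&m, &t);
}

int main(void) {
    printf("clean returns:    %s\n",
           demo_clean_returns() == CFI_OK ? "ok" : "fault");
    printf("corrupted return: %s\n",
           demo_corrupted_return() == CFI_MISMATCH ? "fault detected" : "missed");
    return 0;
}
```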

Prosecution Timeline

Sep 14, 2021: Application Filed
Oct 12, 2023: Non-Final Rejection — §103
Feb 20, 2024: Response Filed
Mar 29, 2024: Final Rejection — §103
Jul 03, 2024: Request for Continued Examination
Jul 10, 2024: Response after Non-Final Action
Sep 09, 2024: Non-Final Rejection — §103
Dec 19, 2024: Response Filed
Jan 27, 2025: Final Rejection — §103
Jul 23, 2025: Request for Continued Examination
Jul 29, 2025: Response after Non-Final Action
Aug 19, 2025: Non-Final Rejection — §103
Nov 05, 2025: Interview Requested
Nov 14, 2025: Applicant Interview (Telephonic)
Nov 14, 2025: Examiner Interview Summary
Nov 24, 2025: Response Filed
Jan 26, 2026: Final Rejection — §103 (current)

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12598186
INTELLIGENT RESOURCE ALLOCATION BASED ON SECURITY PROFILE OF EDGE DEVICE NETWORK
2y 5m to grant Granted Apr 07, 2026
Patent 12579299
USING VENDOR-INDEPENDENT PROTOCOLS TO PERFORM IDENTITY AND ACCESS MANAGEMENT FOR ELECTRONIC MEDICAL RECORD INSTANCES
2y 5m to grant Granted Mar 17, 2026
Patent 12572694
DATA PROCESSING METHOD AND APPARATUS, ELECTRONIC DEVICE, AND STORAGE MEDIUM
2y 5m to grant Granted Mar 10, 2026
Patent 12561421
DIAGNOSE INSTRUCTION TO EXECUTE VERIFICATION CERTIFICATE RELATED FUNCTIONS
2y 5m to grant Granted Feb 24, 2026
Patent 12549630
System And Method for Managing Data Stored in A Remote Computing Environment
2y 5m to grant Granted Feb 10, 2026
Study what changed to get past this examiner. Based on 5 most recent grants.


Prosecution Projections

Expected OA Rounds: 7-8
Grant Probability: 60%
With Interview (+34.8%): 95%
Median Time to Grant: 3y 1m
PTA Risk: High
Based on 259 resolved cases by this examiner. Grant probability derived from career allow rate.
