EXECUTION OF CONTAINER IMAGES IN A TRUSTED EXECUTION ENVIRONMENT

§101 §102 §103

DETAILED ACTION This action is in response to application 18/139078, filed on 4/25/2023. Claims 1-18 are pending. The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . Claim Rejections - 35 USC § 101 35 U.S.C. 101 reads as follows: Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title. Claims 1-8 are rejected under 35 U.S.C. 101 because the claimed invention is directed to non-statutory subject matter. The claims do not fall within at least one of the four categories of patent eligible subject matter because the claimed “computer-readable medium” is defined in the specification (at paras. 82-83) as including “any tangible medium that is capable of storing, encoding or carrying instructions for execution by a machine and that cause the machine to perform any one or more of the methodologies of the present disclosure or that is capable of storing, encoding or carrying data.” This definition is sufficiently broad to include non-statutory “transitory” media, e.g., carrier waves. To overcome this rejection, Applicant is encouraged to amend claim 1 to recite “A non-transitory computer-readable medium” or similar. Claim Rejections - 35 USC § 102 In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA ) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status. The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action: A person shall be entitled to a patent unless – (a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention. Claims 1-6, 8-10, 12-16, and 18 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Arnautov et al., “SCONE: Secure Linux Containers with Intel SGX,” hereinafter “Arnautov.” Regarding claim 1, Arnautov anticipates “A computer-readable medium including instructions that, when executed on a processor, cause the processor to perform operations including: retrieving an application image; (see, e.g., Arnautov, pg. 696; “Images are created in a trusted environment (see Figure 7).”) generating a bundle for the application image by mounting an overlay onto the application image, the overlay including library functionality for operating in a trusted execution environment (TEE); (see, e.g., Arnautov, pg. 696; “To create a secure container image, the image creator first builds a SCONE executable of the application. They statically compile the application with its library dependencies and the SCONE library.”; “Next, the image creator uses the SCONE client to create the metadata necessary to protect the file system. The client encrypts specified files and creates a file system (FS) protection file, which contains the message authentication codes (MACs) for file chunks and the keys used for encryption. The FS protection file itself is encrypted and added to the image.”) and providing the bundle for execution in the TEE.” (see, e.g., Arnautov, pg. 696; “After that, the secure image is published using standard Docker mechanisms. SCONE does not need to trust the Docker registry, because the security-relevant parts are protected by the FS protection file.”). Regarding claim 2, Arnautov anticipates “The computer-readable medium of claim 1, wherein the operations include determining whether to execute the bundle within a confidential container or a non-confidential container based on configuration settings corresponding to the application image.” (see, e.g., Arnautov, pg. 696; “If the image creator wants to support the composition of a secure Docker image [42], they only sign the FS protection file with their public key, but do not encrypt it. In this way, only its integrity is ensured, permitting additional customization. The confidentiality of the files is assured only after finishing the customization process.”) Regarding claim 3, Arnautov anticipates “The computer-readable medium of claim 1, wherein the operations include providing runtime environment-agnostic images to a container registry.” (see, e.g., Arnautov, pg. 696; “We chose to integrate SCONE with Docker because it is the most popular and widely used container platform.” “With SCONE, a secure container consists of a single Linux process that is protected by an enclave, but otherwise it is indistinguishable from a regular Docker container, e.g., relying on the shared host OS kernel for the execution of system calls.”). Regarding claim 4, Arnautov anticipates “The computer-readable medium of claim 1, wherein generating the bundle includes performing image service operations.” (see, e.g., Arnautov, pg. 696; fig. 7; “push image” “pull image”). Regarding claim 5, Arnautov anticipates “The computer-readable medium of claim 4, wherein the image service operations include at least one of an image pulling operation, a decryption operation, an unpacking operation, and a bundling operation.” (see, e.g., Arnautov, pg. 696; fig. 7; “pull image”). Regarding claim 6, Arnautov anticipates “The computer-readable medium of claim 1, wherein the operations further include parsing an application configuration and generating artifacts specific to a program execution environment operating in the TEE.” (see, e.g., Arnautov, pg. 696; “the image creator uses the SCONE client to create the metadata necessary to protect the file system.”). Regarding claim 8, Arnautov anticipates “The computer-readable medium of claim 1, wherein the application image is in an open container initiative (OCI) format.” (see, e.g., Arnautov, pg. 696; “A future version of SCONE may use the open container platform [28]”). Regarding claims 9, 12-15, and 18, the instant claims are equivalents of claims 1-3 and 5-6, differing only by statutory class. Accordingly, the rejection of claim 1 applies, mutatis mutandis, to claims 9 and 15; the rejection of claim 2 applies, mutatis mutandis, to claim 18; the rejection of claim 3 applies, mutatis mutandis, to claim 12; the rejection of claim 5 applies, mutatis mutandis, to claim 13; and the rejection of claim 6 applies, mutatis mutandis, to claim 14. Regarding claim 10, Arnautov anticipates “The method of claim 9, wherein the TEE comprises a process-based TEE and wherein the TEE is launched outside of a virtual machine (VM) environment.” (see, e.g., Arnautov, pg. 690; “When executing secure containers, SCONE requires only an SGX-capable Intel CPU, an SGX kernel driver and an optional kernel module for asynchronous system call support.”; “Containers use OS-level virtualization [35] and have become increasingly popular for packaging, deploying and managing services such as key/value stores [46, 23] and web servers [47, 25]. Unlike VMs, they do not require hypervisors or a dedicated OS kernel.”). Regarding claim 16, Arnautov anticipates “The computing node of claim 15, wherein the TEE comprises a process-based TEE and wherein the TEE is launched outside of a virtual machine (VM) environment.” (see, e.g., Arnautov, pg. 690; “When executing secure containers, SCONE requires only an SGX-capable Intel CPU, an SGX kernel driver and an optional kernel module for asynchronous system call support.”; “Containers use OS-level virtualization [35] and have become increasingly popular for packaging, deploying and managing services such as key/value stores [46, 23] and web servers [47, 25]. Unlike VMs, they do not require hypervisors or a dedicated OS kernel.”). Claim Rejections - 35 USC § 103 In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA ) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status. The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action: A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made. The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows: 1. Determining the scope and contents of the prior art. 2. Ascertaining the differences between the prior art and the claims at issue. 3. Resolving the level of ordinary skill in the pertinent art. 4. Considering objective evidence present in the application indicating obviousness or nonobviousness. Claims 7, 11, and 17 are rejected under 35 U.S.C. 103 as being unpatentable over Arnautov and USPGPUB 2015/0089502, hereinafter “Horovitz.” Regarding claim 7, Arnautov discloses “The computer-readable medium of claim 1,” but does not appear to disclose the further limitation “wherein the operations are executed inside a virtual machine (VM) environment.” However, Horovitz discloses (at para. 12) “a software-based method to secure the execution of a virtual machine, leveraging processor features that offer strong hardware guarantees regarding memory integrity and confidentiality” which “allows applications within a VM to utilize the same processor features to create protected regions isolated from the guest OS; providing such a capability preserves the isolation of secure applications from all privileged software, consistent with the original motivation for Intel SGX.” Horovitz further discloses (at para. 25) a method wherein an emulator “may emulate the execution of Intel SGX instructions that create or manipulate guest enclaves within the VM.” Horovitz and Arnautov are directed toward secure/trusted computing and therefore are analogous art. On or before the effective filing date of the instant application, one of ordinary skill in the art would have deemed it obvious to try to combine the VM SGX of Horovitz with the SCONE of Arnautov, thereby obtaining the invention of the instant claim. A clear and predictable benefit of so combining would have appeared as the ability to run secure containers within a VM, which “allows applications within a VM to utilize the same processor features to create protected regions isolated from the guest OS; providing such a capability preserves the isolation of secure applications from all privileged software, consistent with the original motivation for Intel SGX.” (Horovitz, para. 12). Accordingly, the instant claim is unpatentable over the combination of Horovitz and Arnautov. Regarding claim 7, Arnautov discloses “The method of claim 9, wherein the TEE comprises a process-based TEE” (see, e.g., Arnautov, pg. 690; “When executing secure containers, SCONE requires only an SGX-capable Intel CPU, an SGX kernel driver and an optional kernel module for asynchronous system call support.”) but does not appear to disclose the further limitation “and wherein the TEE is launched inside of a virtual machine (VM) environment.” However, Horovitz discloses (at para. 12) “a software-based method to secure the execution of a virtual machine, leveraging processor features that offer strong hardware guarantees regarding memory integrity and confidentiality” which “allows applications within a VM to utilize the same processor features to create protected regions isolated from the guest OS; providing such a capability preserves the isolation of secure applications from all privileged software, consistent with the original motivation for Intel SGX.” Horovitz further discloses (at para. 25) a method wherein an emulator “may emulate the execution of Intel SGX instructions that create or manipulate guest enclaves within the VM.” Horovitz and Arnautov are directed toward secure/trusted computing and therefore are analogous art. On or before the effective filing date of the instant application, one of ordinary skill in the art would have deemed it obvious to try to combine the VM SGX of Horovitz with the SCONE of Arnautov, thereby obtaining the invention of the instant claim. A clear and predictable benefit of so combining would have appeared as the ability to run secure containers within a VM, which “allows applications within a VM to utilize the same processor features to create protected regions isolated from the guest OS; providing such a capability preserves the isolation of secure applications from all privileged software, consistent with the original motivation for Intel SGX.” (Horovitz, para. 12). Accordingly, the instant claim is unpatentable over the combination of Horovitz and Arnautov. Regarding claim 17, Arnautov discloses “The method of claim 15, wherein the TEE comprises a process-based TEE” (see, e.g., Arnautov, pg. 690; “When executing secure containers, SCONE requires only an SGX-capable Intel CPU, an SGX kernel driver and an optional kernel module for asynchronous system call support.”) but does not appear to disclose the further limitation “and wherein the TEE is launched inside of a virtual machine (VM) environment.” However, Horovitz discloses (at para. 12) “a software-based method to secure the execution of a virtual machine, leveraging processor features that offer strong hardware guarantees regarding memory integrity and confidentiality” which “allows applications within a VM to utilize the same processor features to create protected regions isolated from the guest OS; providing such a capability preserves the isolation of secure applications from all privileged software, consistent with the original motivation for Intel SGX.” Horovitz further discloses (at para. 25) a method wherein an emulator “may emulate the execution of Intel SGX instructions that create or manipulate guest enclaves within the VM.” Horovitz and Arnautov are directed toward secure/trusted computing and therefore are analogous art. On or before the effective filing date of the instant application, one of ordinary skill in the art would have deemed it obvious to try to combine the VM SGX of Horovitz with the SCONE of Arnautov, thereby obtaining the invention of the instant claim. A clear and predictable benefit of so combining would have appeared as the ability to run secure containers within a VM, which “allows applications within a VM to utilize the same processor features to create protected regions isolated from the guest OS; providing such a capability preserves the isolation of secure applications from all privileged software, consistent with the original motivation for Intel SGX.” (Horovitz, para. 12). Accordingly, the instant claim is unpatentable over the combination of Horovitz and Arnautov. Conclusion Any inquiry concerning this communication or earlier communications from the examiner should be directed to RYAN D. COYER whose telephone number is (571) 270-5306 and whose fax number is (571) 270-6306. The examiner normally can be reached via phone on Monday-Friday 12pm-10pm Eastern Time. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Wei Mui, can be reached on 571-272-3708. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. /Ryan D. Coyer/Primary Examiner, Art Unit 2191