Prosecution Insights
Last updated: May 29, 2026
Application No. 18/310,366

METHOD, DEVICE, AND ELECTRONIC APPARATUS FOR SECURELY PASSING DATA

Non-Final OA: §102, §103
Filed: May 01, 2023
Priority: Sep 20, 2022 — CN 202211141834.5
Examiner: ARYAL, AAYUSH
Art Unit: 2435
Tech Center: 2400 — Computer Networks
Assignee: Samsung Electronics Co., Ltd.
OA Round: 3 (Non-Final)
Grant Probability: 86% (Favorable)
OA Rounds: 3-4
Est. Remaining: 0m
With Interview: 94%

Examiner Intelligence

Grants 86% — above average
Career Allowance Rate: 86% (92 granted / 107 resolved; +28.0% vs TC avg)
Interview Lift: +8.4% (moderate +8% lift; resolved cases with interview)
Avg Prosecution: 2y 5m (typical timeline; 10 currently pending)
Total Applications: 117 (career history, across all art units)

Statute-Specific Performance

§101: 1.8% (-38.2% vs TC avg)
§103: 83.6% (+43.6% vs TC avg)
§102: 6.4% (-33.6% vs TC avg)
§112: 1.2% (-38.8% vs TC avg)
Based on career data from 107 resolved cases

Office Action

§102 §103
Notice of Pre-AIA or AIA Status

The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Applicant(s) Response to Office Action

The response on 03/20/2026 has been entered and made of record. Claims 1-2, 6-7 and 11 have been amended. No new claims have been added or removed.

Response to Arguments

Currently Claims 1-20 are pending in this application. Applicant’s arguments filed on 03/20/2026 have been fully considered but are not persuasive.

Applicant on Page 8 states: Bulck does not disclose or suggest such functionality performed by an operating system. Instead, Bulck describes enclave shielding runtimes and developer-generated bridge code (e.g., edger8r) that copy input buffers into enclave memory and allow application code to operate on the copied buffer. Bulck therefore merely describes copying data into enclave memory and executing application code on that buffer; it does not disclose an operating system updating an address contained in a call parameter to redirect an application's access from shared memory to a shadow buffer as now required by amended Claim 11.

Regarding the argument stated above, the Examiner would like to state the following. Bulck in Page 1748, Figure 3 discloses that data is cloned and the developer code operates on the secure copy before a copy is shared back to the shared memory if needed. Therefore, the argument is not persuasive.

Applicant on Page 9 argues: Bulck describes enclave shielding runtimes and developer-generated bridge code that copy buffers into enclave memory and allow application code to operate on the copied buffer. Bulck therefore does not disclose or suggest a secure operating system updating an address contained in a call parameter prior to executing the trusted application. Leslie-Hurd likewise fails to remedy this deficiency.
Leslie-Hurd is relied upon only for teaching allocation by a secure OS and does not disclose or suggest modifying a call parameter to redirect application memory access. Consequently, even if Bulck were combined with Leslie-Hurd, the combination would still fail to teach or suggest the amended limitations of independent Claims 1 and 6.

Regarding the argument stated above, the Examiner would like to once again state the following. The Examiner relies on Leslie-Hurd only for the limitation “allocating, by a secure operating system (OS)”. The Examiner does not rely on Leslie-Hurd to teach the additional functionality alleged by the Applicant. Furthermore, Bulck in Page 1748, Figure 3 discloses that data is cloned and the developer code operates on the secure copy before a copy is shared back to the shared memory if needed. Therefore, the argument is not persuasive.

Claim Rejections - 35 USC § 102

The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:

A person shall be entitled to a patent unless – (a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

Claim(s) 11-17 and 20 are rejected under 35 U.S.C. 102(a)(2) as being anticipated by Jo Van Bulck “A Tale of Two Worlds: Assessing the Vulnerability of Enclave Shielding Runtimes” herein after ‘Bulck’.

Regarding Claim 11, Bulck discloses an electronic apparatus, comprises:

a memory storing a first operating system (OS); and a processor configured to execute the first OS, (Page 1743, Figure 1 Examiner Note (E.N.) An OS along with the necessary hardware (i.e. processor) is disclosed.)
wherein the first OS is configured to receive a type from a second OS indicating whether to operate in a shadow buffer mode, (Page 1748 Section 5.1 Validating pointer arguments, Intel SGX-SDK Paragraph [0002] E.N. All input buffer pointers are validated to fall completely outside the enclave before being copied from the untrusted shared memory to a sufficiently-sized shadow buffer allocated on the enclave heap.)

wherein the first OS is configured to copy data stored in a shared memory by a first application and shared between the first application and a second application to a shadow buffer, (Page 1748, Figure 3)

update an address of the data in the shared memory carried in a call parameter to an address of the copied data in the shadow buffer, (Page 1748, Figure 3 E.N. Data is cloned and the developer code operates on the secure copy before a copy is shared back to the shared memory if needed.)

change an address used by the second application and referencing the data in the shared memory to reference the copied data in the shadow buffer, when the type indicates to operate in the shadow buffer mode. (Page 1748 Section 5.1 Validating pointer arguments, Intel SGX-SDK Paragraph [0002] E.N. The edger8r bridge transfers control to the code written by the application developer, which can now safely operate on the cloned buffer in the enclave memory. A symmetrical path is followed when returning or performing ocalls to the untrusted code outside the enclave)

Regarding Claim 12, Bulck discloses the electronic apparatus of Claim 11. Bulck further discloses wherein the first OS is a secure OS and the second OS is rich OS. (Page 1741 Section 1 Introduction, Paragraph [0001] E.N. Interaction between the untrusted host OS (rich OS) and the secure enclave (sending or receiving data to or from the enclave). Secure Enclaves are capable of running secure OS within the environment)

Regarding Claim 13, Bulck discloses the electronic apparatus of Claim 11.
Bulck further discloses wherein the first application is a client application (CA) and the second application is a trusted application (TA). (Page 1743, Figure 1 E.N. App (client application) and TRTS (trusted application) is disclosed).

Regarding Claim 14, Bulck discloses the electronic apparatus of Claim 11. Bulck further discloses wherein the second application reads the data from the shadow buffer when the type indicates to operate in the shadow buffer mode using the changed address, in response to receiving a call from the first application to pass the data to the second application. (Page 1748, Figure 3 and Section 5.1 Validating pointer arguments, Intel SGX-SDK Paragraph [0002] E.N. The edger8r bridge transfers control to the code written by the application developer, which can now safely operate on the cloned buffer in the enclave memory. A symmetrical path is followed when returning or performing ocalls to the untrusted code outside the enclave)

Regarding Claim 15, Bulck discloses the electronic apparatus of Claim 14. Bulck further discloses wherein the second application reads the data from the shared memory when the type does not indicate to operate in the shadow buffer mode, in response to receiving a call from the first application to pass the data to the second application. (Page 1748, Figure 3 and Section 5.1 Validating pointer arguments, Intel SGX-SDK Paragraph [0002] E.N. The edger8r bridge transfers control to the code written by the application developer, which can now safely operate on the cloned buffer in the enclave memory. A symmetrical path is followed when returning or performing ocalls to the untrusted code outside the enclave)

Regarding Claim 16, Bulck discloses the electronic apparatus of Claim 15. Bulck further discloses wherein the call includes an address of the data in the shared memory and a size of the data. (Page 1743, Figure 1 and Page 1742 Section Our Contribution, Paragraph [0003] E.N.
Particular attention is paid to pointers and size arguments due to many TEE designs, at least part of the enclave’s address space is shared with untrusted adversary-controlled code.)

Regarding Claim 17, Bulck discloses the electronic apparatus of Claim 11. Bulck further discloses wherein the first OS performs a logical AND operation on the type to determine whether to operate in the shadow buffer mode. (Page 1748, Figure 3 and Section 5.1 Validating pointer arguments, Intel SGX-SDK, Paragraph [0002] E.N. The edger8r bridge transfers control to the code written by the app developer to the safety of the cloned buffer (shadow buffer) in the enclave memory.)

Regarding Claim 20, Bulck discloses the electronic apparatus of Claim 11. Bulck further discloses wherein the shadow buffer is located inside the first OS and the shared memory is located outside the first OS. (Page 1748, Figure 3)

Claim Rejections - 35 USC § 103

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:

A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claim(s) 1-10 are rejected under 35 U.S.C. 103 as being unpatentable over Jo Van Bulck “A Tale of Two Worlds: Assessing the Vulnerability of Enclave Shielding Runtimes” herein after ‘Bulck’ in view of Leslie-Hurd (US20160188906).

Regarding Claim 1 and 6, Bulck discloses:

a cache area in a trusted execution environment (TEE) to data in response to a client application (CA) calling a trusted application (TA) entry to pass the data; (Figure 3 and Page 1748 Section [Intel SGX-SDK] E.N. From untrusted shared memory to a sufficiently-sized shadow buffer allocated on the enclave heap.)

copying, by the secure OS, the data from a pre-allocated shared memory to the cache area; (Figure 3 (Element 2) and Page 1748 Section [SGX-SDK] E.N. Before being copied from untrusted shared memory to a sufficiently-sized shadow buffer allocated on the enclave heap)

and running, by the secure OS, the TA entry so that the TA obtains the data from the cache area, (Figure 3 (Element 4) and Page 1748 Section [Intel SGX-SDK] E.N. The edger8r bridge transfers control to the code written by the app developer which can now safely operate on the cloned buffer in enclave memory.)

wherein the secure OS updates an address of the shared memory carried in a call parameter to an address of the cache area before running the TA entry. (Page 1748, Figure 3 E.N. Data is cloned and the developer code operates on the secure copy before a copy is shared back to the shared memory if needed.)

Bulck does not, but in related art, Leslie-Hurd discloses A method for passing data, comprises: allocating, by a secure operating system (OS), (Paragraph [0028] E.N. A suitable embodiment of the secure enclave page storage as used in SGX implementation is an Enclave Page Cache (EPC). The secure enclave page represents an area of physical memory and the pages are loaded into the enclave page storage by the privileged-level storage (secure OS)).

Therefore, it would be obvious to one of ordinary skill in the art prior to the effective filing date of the claimed invention to have modified Bulck to incorporate the teachings of Leslie-Hurd because Bulck does not explicitly disclose allocating by the secure OS which is taught by Leslie-Hurd.
Incorporating the teachings of Leslie-Hurd to Bulck allows for the use of allocation in a secure OS for better security.

Regarding Claim 2 and 7, Bulck in view of Leslie-Hurd discloses the method for passing data according to claim 1 and the device for passing data according to claim 6. Bulck further discloses:

wherein, a call parameter for the CA calling the TA entry includes an address of the data in the shared memory and a size of the data, and (Page 1743, Figure 1 and Page 1742 Section 1 Introduction, Our Contribution, Paragraph [0003] E.N. Particular attention is paid to pointers and size arguments due to many TEE designs, at least part of the enclave’s address space is shared with untrusted adversary-controlled code.)

running the TA entry using a call parameter in which the address of the data corresponds to the address of the cache area, (Page 1748 Figure 3: Automatically generated edger8r bridge code handles shielding of application input and output buffers.)

wherein the call parameter for the TA entry includes the address of the data in the cache area and the size of the data, to enable the TA to obtain the data from the cache area. (Page 1748, Figure 3 E.N. Data is cloned and the developer code operates on the secure copy before a copy is shared back to the shared memory if needed.)

Bulck does not, but in related art, Leslie-Hurd discloses the secure OS running the TA entry comprises: Leslie-Hurd (Paragraph [0028] E.N. A suitable embodiment of the secure enclave page storage as used in SGX implementation is an Enclave Page Cache (EPC). The secure enclave page represents an area of physical memory and the pages are loaded into the enclave page storage by the privileged-level storage (secure OS)).

Therefore, it would be obvious to one of ordinary skill in the art prior to the effective filing date of the claimed invention to have modified Bulck to incorporate the teachings of Leslie-Hurd because Bulck does not explicitly disclose allocating by the secure OS which is taught by Leslie-Hurd. Incorporating the teachings of Leslie-Hurd to Bulck allows for the use of allocation in a secure OS for better security.

Regarding Claim 3 and 8, Bulck in view of Leslie-Hurd discloses the method for passing data according to claim 2 and the device for passing data according to claim 7. Bulck further discloses:

wherein, determining, by the secure operating system, whether the size of the data exceeds a preset value; if the size of the data exceeds the preset value, the secure OS returning an error to the CA; and (Page 1744 Section 2.3 Related work, Paragraph [0002] and Page 1757 Listing 7, E.N. Attacks are closely related to a small subset of the vulnerabilities described in this work, specially attack vector 9 which exploits that pointer or buffer sizes returned by untrusted ocalls are not properly sanitized. In order to prevent TOCTOU issues, steps disclosed in Listing 7 is taken.)

if the size of the data does not exceed the preset value, the secure OS allocating the cache area. (Page 1748, Figure 3)

Bulck does not, but in related art, Leslie-Hurd discloses wherein, the secure OS allocating the cache area in the trusted execution environment (TEE) to the data further comprises: (Paragraph [0028] E.N. A suitable embodiment of the secure enclave page storage as used in SGX implementation is an Enclave Page Cache (EPC). The secure enclave page represents an area of physical memory and the pages are loaded into the enclave page storage by the privileged-level storage (secure OS)).

Therefore, it would be obvious to one of ordinary skill in the art prior to the effective filing date of the claimed invention to have modified Bulck to incorporate the teachings of Leslie-Hurd because Bulck does not explicitly disclose allocating by the secure OS a cache area which is taught by Leslie-Hurd. Incorporating the teachings of Leslie-Hurd to Bulck allows for the use of allocation in a secure OS for better security.

Regarding Claim 4 and 9, Bulck in view of Leslie-Hurd discloses the method for passing data according to claim 2 and the device for passing data according to claim 7. Bulck further discloses:

determining whether the call parameter for the CA calling the TA entry includes indication information, (Page 1748, Figure 3 E.N. Data is cloned and the developer code operates on the secure copy before a copy is shared back to the shared memory if needed.)

where the indication information is used to indicate that the TA obtains the data from the shared memory; (Page 1748, Figure 3 (Element 4) and Section 5.1 Validating Pointer Argument, Intel SGX-SDK, Paragraph [0002] E.N. The edger8r bridge transfers control to the code written by the app developer which can now safely operate on the cloned buffer in enclave memory.)

the secure operating system running the TA entry so that the TA obtains the data from the shared memory if the call parameter for the CA calling the TA entry includes the indication information; and (Page 1748, Figure 3)

to the data if the call parameter for the CA calling the TA entry does not carry the indication information. (Page 1748, Figure 3 and Section 5.1 Validating Pointer Argument, Intel SGX-SDK Paragraph [0002] E.N. From untrusted shared memory to a sufficiently-sized shadow buffer allocated on the enclave heap.)

Bulck does not, but in related art, Leslie-Hurd discloses the secure operating system allocating the cache area (Paragraph [0028] E.N.
A suitable embodiment of the secure enclave page storage as used in SGX implementation is an Enclave Page Cache (EPC). The secure enclave page represents an area of physical memory and the pages are loaded into the enclave page storage by the privileged-level storage (secure OS)).

Therefore, it would be obvious to one of ordinary skill in the art prior to the effective filing date of the claimed invention to have modified Bulck to incorporate the teachings of Leslie-Hurd because Bulck does not explicitly disclose allocating by the secure OS a cache area which is taught by Leslie-Hurd. Incorporating the teachings of Leslie-Hurd to Bulck allows for the use of allocation in a secure OS for better security.

Regarding Claim 5 and 10, Bulck in view of Leslie-Hurd discloses the method for passing data according to claim 4 and the device for passing data according to claim 7. Bulck further discloses:

wherein, the indication information is included in a parameter type of the call parameter, and the indication information is further used by the TA to perform an obfuscation attack check. (Page 1744 Section 2.3 Related Work, Memory corruption attacks on ARM TrustZone, Paragraph [0001] E.N. If an adversary passes a pointer into trusted memory where a pointer to shared memory is expected, memory corruption or disclosure may occur when the pointer is not properly validated by the trusted runtime. It is obvious in order to prevent this type of obfuscation attack, the pointer must be properly validated by the trusted runtime.)

Claim(s) 18 and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Jo Van Bulck “A Tale of Two Worlds: Assessing the Vulnerability of Enclave Shielding Runtimes” herein after ‘Bulck’ in view of Badal-Badalian (US20210312440).

Regarding Claim 18, Bulck discloses the electronic apparatus of Claim 17. Bulck further discloses when a result of the logical AND operation determines to operate in the shadow buffer mode.
(Page 1748, Figure 3)

Bulck does not, but in related art, Badal-Badalian discloses wherein the type includes a first parameter not supported by a global platform (GP) specification (Paragraph [0052] E.N. Application wholly or partially stored on a device to provide security in binding the application to the specific device using hardware, firmware, or software feature, using for example Global Platform (GP) standards.)

Therefore, it would be obvious to one of ordinary skill in the art, prior to the effective filing date of the claimed invention to have modified Bulck to incorporate the teachings of Badal-Badalian because Bulck does not explicitly disclose global platform which is taught by Badal-Badalian. Incorporating the teachings of Badal-Badalian to Bulck allows for the incorporation of the global platform for an industry standard practice.

Regarding Claim 19, Bulck discloses the apparatus of claim 18. Bulck does not, but in related art, Badal-Badalian discloses wherein the type further includes a second parameter supported by the GP. (Paragraph [0052] E.N. Application wholly or partially stored on a device to provide security in binding the application to the specific device using hardware, firmware, or software feature, using for example Global Platform (GP) standards.)

Therefore, it would be obvious to one of ordinary skill in the art, prior to the effective filing date of the claimed invention to have modified Bulck to incorporate the teachings of Badal-Badalian because Bulck does not explicitly disclose global platform which is taught by Badal-Badalian. Incorporating the teachings of Badal-Badalian to Bulck allows for the incorporation of the global platform for an industry standard practice.

Conclusion

Any inquiry concerning this communication or earlier communications from the examiner should be directed to AAYUSH ARYAL whose telephone number is (571)272-2838. The examiner can normally be reached 8:00 a.m. - 5:30 p.m.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.

If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Amir Mehrmanesh can be reached at (571) 270-3351. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.

Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/AAYUSH ARYAL/
Examiner, Art Unit 2435

/AMIR MEHRMANESH/
Supervisory Patent Examiner, Art Unit 2435

Prosecution Timeline

Jul 17, 2025: Applicant Interview (Telephonic)
Jul 21, 2025: Examiner Interview Summary
Sep 18, 2025: Response Filed
Jan 20, 2026: Final Rejection mailed — §102, §103
Mar 20, 2026: Response after Non-Final Action
Apr 20, 2026: Request for Continued Examination
Apr 29, 2026: Response after Non-Final Action
May 07, 2026: Non-Final Rejection mailed — §102, §103 (current)

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12608497
CENTRAL DATA PROTECTION AND PRIVACY FRAMEWORK
2y 4m to grant Granted Apr 21, 2026
Patent 12596785
System and method for password expiration management
2y 2m to grant Granted Apr 07, 2026
Patent 12591690
SYSTEM AND METHOD FOR TESTING NETWORK AND SECURITY DEVICES TO DETECT AND MITIGATE VULNERABILTIES
1y 11m to grant Granted Mar 31, 2026
Patent 12585817
DATA LIFECYCLE DISCOVERY AND MANAGEMENT
2y 6m to grant Granted Mar 24, 2026
Patent 12579258
ADVANCED PERSISTENT THREAT DETECTION
3y 1m to grant Granted Mar 17, 2026
Study what changed to get past this examiner. Based on 5 most recent grants.


Prosecution Projections

Expected OA Rounds: 3-4
Grant Probability: 86%
With Interview: 94% (+8.4%)
Median Time to Grant: 2y 5m (~0m remaining)
PTA Risk: High
Based on 107 resolved cases by this examiner. Grant probability derived from career allowance rate.
