Prosecution Insights
Last updated: April 19, 2026
Application No. 18/430,273

System and Method for Secure Virtual Machine Configuration

Non-Final OA §103
Filed: Feb 01, 2024
Examiner: JEUDY, JOSNEL
Art Unit: 2438
Tech Center: 2400 — Computer Networks
Assignee: Microsoft Technology Licensing, LLC
OA Round: 3 (Non-Final)
Grant Probability: 84% (Favorable)
OA Rounds: 3-4
To Grant: 2y 11m
With Interview: 67%

Examiner Intelligence

Grants 84% — above average
Career Allow Rate: 84% (659 granted / 788 resolved; +25.6% vs TC avg)
Interview Lift: -16.9% (minimal -17% lift; resolved cases with interview)
Typical timeline
Avg Prosecution: 2y 11m (21 currently pending)
Career history
Total Applications: 809 (across all art units)

Statute-Specific Performance

§101: 19.1% (-20.9% vs TC avg)
§103: 49.0% (+9.0% vs TC avg)
§102: 6.8% (-33.2% vs TC avg)
§112: 8.9% (-31.1% vs TC avg)
Based on career data from 788 resolved cases

Office Action

§103
DETAILED ACTION

Notice of Pre-AIA or AIA Status

The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Continued Examination Under 37 CFR 1.114

A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection. Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114. Applicant's submission filed on February 03, 2026 has been entered.

Response to arguments

Claims 1, 5, 8 and 13-15 have been amended. No claim has been added or cancelled. Therefore, claims 1-20 are pending. Claims 1-20 are rejected under over BARAK, US Pat.No US 20160299778 in view of Wysopal, US 8613080 B2 in further view of Ivanov, US pat. No 20180157592 in further view of Antony, US pat. No US 20170353433 in further view of Wesley, US pat. No 20140304326 in further view of Ivanov, US pat. No 20180157592.

Claim Rejections - 35 USC § 103

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:

A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1, 2, 5-6, 8-10, 11, 13, 14-15, 16-17 and 19-20 are rejected under 35 U.S.C 103 as being unpatentable over BARAK, US pat. No US 20160299778 A1 in view of Wysopal, US 8613080 B2.

1. BARAK discloses a secure virtual machine configuration (See BARAK, abstract; Systems and methods associated with virtual machine security are described herein. One example method includes instantiating a guest virtual machine in a virtual computing environment.) system comprising:

a host device implemented in a cloud service provider environment; (See BARAK, [0003]; a life cycle manager component in a cloud environment in concert with local life cycle agents on virtual machines in the cloud environment may enable security controls throughout numerous virtual machine life cycle states)

a virtual machine implemented on the host device; (See BARAK, [0031-0032]; a user may interact with guest virtual machine 107 via one or more of user devices 103. For example, a user device 103 may connect to cloud environment 101 via network 105 and therefore be provided with access to guest virtual machine 107 that provides one or more services 111. In some implementations, user devices 103 may be or include one or more servers, desktop computers, laptop computers, tablet computers, hand-held computers, smart phones, cellular phones, personal digital assistants (PDAs), and/or other computing devices.)

and a guest agent deployed within the virtual machine, (See BARAK, [0047]; In some implementations a life cycle agent 321 may be installed on all guest virtual machines a cloud environment 101. Life cycle agents 321 installed on such guest virtual machines may be managed and/or may interact with a life cycle manager 301 to provide comprehensive life cycle management of the guest virtual machines in the cloud environment 101.)

the guest agent configured to: receive, over a secure communication channel between a tenant device and the guest agent, one or more policies indicating software components allowed to be executed by the virtual machine; (See BARAK, [0088-0090]; In an embodiment, there is provided a system, comprising: a policy data store to store policies associated with a guest virtual machine operating in a virtual computing environment; an agent deployment module to deploy a life cycle agent to a guest virtual machine; a policy deployment module to transmit a set of the policies to the life cycle agent; and a life cycle engine module to monitor state changes associated with the guest virtual machine based on the policies, and to take remedial action upon detecting an unauthorized state change. [0090] In an embodiment, there is provided a system, comprising: a policy data store to store policies associated with a guest virtual machine operating in a virtual computing environment; an agent deployment module to deploy a life cycle agent to a guest virtual machine; a policy deployment module to transmit a set of the policies to the life cycle agent; and a virtual machine integrity module to detect integrity of the guest virtual machine based on the policies, and to take remedial action upon detecting that integrity of the guest virtual machine has been compromised.)

BARAK does not appear to explicitly disclose and monitor the virtual machine to allow or prevent execution of software components received by the virtual machine from a source external to the virtual machine based on the one or more policies, wherein the guest agent is configured to prevent execution by the virtual machine of software components not specified as allowable within the one or more policies.

However, Wysopal discloses and monitor the virtual machine to allow or prevent execution of software components received by the virtual machine from a source external to the virtual machine based on the one or more policies, wherein the guest agent is configured to prevent execution by the virtual machine of software components not specified as allowable within the one or more policies. (See Wysopal, col 23, lines 1-60; a whitelisting agent operating as software. The software agent may execute on a server or client, including hand-held devices, smart phones, PDAs, and the like. Procedurally, the agent computes the hash value for the executable for which it is attempting to validate and sends the hash to its whitelist database. If the hash is in the whitelist, the executable is permitted to execute (or be installed, copied, transferred or otherwise used). the whitelist agent described herein takes advantage the software security report to make a more informed decision based on numerous data points. an organization may have a policy stating that a web application on the external network cannot have any cross-site scripting (XSS) vulnerabilities yet software running on the internal network may allow XSS vulnerabilities. The policies used by the whitelisting agents running externally can refer to the software security report for a count of XSS defects, and if the count is non-zero, restrict the execution of the software. (85) In another example in which software is distributed through a central repository (e.g., SourceForge, iTunes App Store, BlackBerry AppWorld, Android Marketplace, etc.) bound security reports offer a higher assurance level to the consumer because the application has been rated for security and not tampered with prior to downloading.)

BARAK and Wysopal are analogous art because they are from the same field of endeavor which is Virtual Machine.

It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of BARAK with the teaching of Wysopal to include the security report because it would have allowed for analyzing computer code, and more particularly to determine whether the computer code representing a virtual machine contains security flaws or is vulnerable to known security threats. (See Wysopal, col 1)

2. The combination of BARAK and Wysopal discloses the secure virtual machine configuration system of claim 1 wherein the tenant device is configured to transmit policies to the guest agent indicating a desired state of the guest agent. (See BARAK [0088] In an embodiment, there is provided a system, comprising: a policy data store to store policies associated with a guest virtual machine operating in a virtual computing environment; an agent deployment module to deploy a life cycle agent to a guest virtual machine; a policy deployment module to transmit a set of the policies to the life cycle agent; and a life cycle engine module to monitor state changes associated with the guest virtual machine based on the policies, and to take remedial action upon detecting an unauthorized state change.)

5. The combination of BARAK and Wysopal discloses the secure virtual machine configuration system of claim 1 wherein the software components comprise virtual machine software extensions. (See Wysopal, col 8, lines 45-55; for web-based applications, a dynamic web scan may be used to "crawl" through the application by manually navigating the web site to be tested. In this manner, a person or automated "bot" interacts with all (or some selected subset) of the user interface elements and enters valid data. In some cases, pre-defined invalid data (either in format or substance) may be included to test the application's response. In some cases, an automated testing process such as a regression test harness may also be used. During the crawl, a browser plug-in or a proxy running on the client records all web requests to and responses from the web application.)

BARAK and Wysopal are analogous art because they are from the same field of endeavor which is Virtual Machine. It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of BARAK with the teaching of Wysopal to include the security report because it would have allowed for analyzing computer code, and more particularly to determine whether the computer code representing a virtual machine contains security flaws or is vulnerable to known security threats. (See Wysopal, col 1)

6. The combination of BARAK and Wysopal discloses the secure virtual machine configuration system of claim 1 wherein the guest agent is configured as a trusted agent. (See BARAK, [0078])

8. As to claim 8, the claim is rejected under the same rationale as claim 1. See the rejection of claim 1 above.

9. As to claim 9, the claim is rejected under the same rationale as claim 2. See the rejection of claim 2 above.

10. The combination of BARAK and Wysopal discloses the method of claim 9 wherein the guest agent is configured as a trusted agent of the virtual machine. (See BARAK, [0047]; An integrity flaw may include, for example, a file that should not exist on the disk, an unauthorized program running on guest virtual machine 107, a sensitive file having an altered signature, and so forth. Life cycle agent 321 may also download encryption policies from life cycle manager 301 (e.g., from policy deployment module 303c). Furthermore, life cycle agent 321, using an encryption policy, may encrypt local data marked as sensitive by life cycle manager 301 (e.g., according to a security policy 309c). In some implementations, encryption and decryption may be performed at run-time, meaning that when sensitive data is read from the disk of guest virtual machine 107, life cycle agent 321 may decrypt the data, and that when sensitive data is written to the disk of guest virtual machine 107, the data may be encrypted by life cycle agent 321. See also [0050])

11. As to claim 11, the claim is rejected under the same rationale as claim 3. See the rejection of claim 3 above.

13. As to claim 13, the claim is rejected under the same rationale as claim 5. See the rejection of claim 5 above.

14. As to claim 14, the claim is rejected under the same rationale as claim 1. See the rejection of claim 1 above.

15. The combination of BARAK and Wysopal discloses the non-transitory computer readable medium of claim 14 wherein the software components comprise virtual software extensions. (See Wysopal, col 8, lines 45-55; for web-based applications, a dynamic web scan may be used to "crawl" through the application by manually navigating the web site to be tested. In this manner, a person or automated "bot" interacts with all (or some selected subset) of the user interface elements and enters valid data. In some cases, pre-defined invalid data (either in format or substance) may be included to test the application's response. In some cases, an automated testing process such as a regression test harness may also be used. During the crawl, a browser plug-in or a proxy running on the client records all web requests to and responses from the web application.)

BARAK and Wysopal are analogous art because they are from the same field of endeavor which is Virtual Machine.

It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of BARAK with the teaching of Wysopal to include the security report because it would have allowed for analyzing computer code, and more particularly to determine whether the computer code representing a virtual machine contains security flaws or is vulnerable to known security threats. (See Wysopal, col 1)

16. As to claim 16, the claim is rejected under the same rationale as claim 2. See the rejection of claim 2 above.

17. As to claim 17, the claim is rejected under the same rationale as claim 3. See the rejection of claim 3 above.

19. As to claim 19, the claim is rejected under the same rationale as claim 5. See the rejection of claim 5 above.

20. As to claim 20, the claim is rejected under the same rationale as claim 6. See the rejection of claim 6 above.

Claim 3 is rejected under 35 U.S.C 103 as being unpatentable over BARAK, US pat. No US 20160299778 A1 in view of Wysopal, US 8613080 B2 in further view of Antony, US pat. No US 20170353433.

3. The combination of BARAK and Wysopal does not appear to explicitly disclose the secure virtual machine configuration system of claim 2 wherein the virtual machine comprises a confidential virtual machine (CVM).

However, Antony discloses wherein the virtual machine comprises a confidential virtual machine (CVM). (See Antony, [0118] According to an encryption policy configured for “C1,” hypervisor 111 may encrypt a traffic flow of packets originating from “C1” using an encryption key associated with “C1.” Alternatively, according to a decryption policy configured for “C1,” hypervisor 111 may decrypt a traffic flow of packets originating from “C1” using an decryption key associated with “C1.” Any encryption or decryption technique may be used, such as digital signatures, Rivest Shamir Adleman (RSA) algorithm, etc. A traffic flow with encrypted or decrypted packets may also be referred to as a “modified” traffic flow.)

BARAK, Wysopal and Antony are analogous art because they are from the same field of endeavor which is Virtual Machine. It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of BARAK and Wysopal with the teaching of Antony to include the guest agent because it would have provided additional functionality such as performance and security.

Claims 4, 12 and 18 are rejected under 35 U.S.C 103 as being unpatentable over BARAK, US Pat.No US 20160299778 A1 in view of Wysopal, US 8613080 B2 in further view of Wesley, US pat. No 20140304326.

4. The combination of BARAK and Wysopal does not appear to explicitly disclose the secure virtual machine configuration system of claim 2 wherein the secure communication channel includes a public key infrastructure (PKI) framework.

However, Wesley discloses wherein the secure communication channel includes a public key infrastructure (PKI) framework. (See Wesley, [0103] The client agent 604 and the application management framework 614 may be enhanced to support obtaining and using client certificates for authentication to internal PKI protected network resources.)

BARAK, Wysopal and Wesley are analogous art because they are from the same field of endeavor which is Virtual Machine. It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of BARAK and Wysopal with the teaching of Wesley to include the PKI authentication because it would have allowed to prevent unauthorized communication over the channel.

12. As to claim 12, the claim is rejected under the same rationale as claim 4. See the rejection of claim 4 above.

18. As to claim 18, the claim is rejected under the same rationale as claim 4. See the rejection of claim 4 above.

Claims 7 are rejected under 35 U.S.C 103 as being unpatentable over BARAK, US Pat.No US 20160299778 in view of Wysopal, US 8613080 B2 in further view of Ivanov, US pat. No 20180157592.

7. The combination of BARAK and Wysopal does not appear to explicitly disclose the secure virtual machine configuration system of claim 3 further including an extensions policy repository in the CVM for storing extension policies for access by the guest agent.

However, Ivanov discloses including an extensions policy repository in the CVM for storing extension policies for access by the guest agent. (See Ivanov, [0090])

BARAK, Wysopal and Ivanov are analogous art because they are from the same field of endeavor which is Virtual Machine. It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of BARAK and Wysopal with the teaching of Ivanov to include the extension because it would have allowed to deploy specific policies based on needs of the communication channel.

Conclusion

The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. Hadar; Ethan, US 20110072486 A1, title “System, Method, And Software For Enforcing Access Control Policy Rules On Utility Computing Virtualization In Cloud Computing Systems”.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to JOSNEL JEUDY whose telephone number is (571)270-7476. The examiner can normally be reached M-F 10:00-8:00.

Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.

If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Arani T Taghi can be reached at (571)272-3787. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.

Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

Date: 3/5/2026
/JOSNEL JEUDY/
Primary Examiner, Art Unit 2438

Prosecution Timeline

Feb 01, 2024: Application Filed
Jun 26, 2025: Non-Final Rejection — §103
Aug 21, 2025: Applicant Interview (Telephonic)
Aug 21, 2025: Examiner Interview Summary
Sep 17, 2025: Response Filed
Dec 05, 2025: Final Rejection — §103
Feb 03, 2026: Request for Continued Examination
Feb 15, 2026: Response after Non-Final Action
Mar 05, 2026: Non-Final Rejection — §103 (current)

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12602352
UNIVERSAL DATA SCAFFOLD BASED DATA MANAGEMENT PLATFORM
2y 5m to grant Granted Apr 14, 2026
Patent 12591709
SYSTEMS AND METHODS FOR FUNCTIONALLY SEPARATING GEOSPATIAL INFORMATION FOR LAWFUL AND TRUSTWORTHY ANALYTICS, ARTIFICIAL INTELLIGENCE AND MACHINE LEARNING
2y 5m to grant Granted Mar 31, 2026
Patent 12585744
Method for Performing Biometric Feature Authentication When Multiple Application Interfaces are Simultaneously Displayed
2y 5m to grant Granted Mar 24, 2026
Patent 12579264
CYBER THREAT INFORMATION PROCESSING APPARATUS, CYBER THREAT INFORMATION PROCESSING METHOD, AND STORAGE MEDIUM STORING CYBER THREAT INFORMATION PROCESSING PROGRAM
2y 5m to grant Granted Mar 17, 2026
Patent 12566727
UNIVERSAL DATA SCAFFOLD BASED DATA MANAGEMENT PLATFORM
2y 5m to grant Granted Mar 03, 2026
Study what changed to get past this examiner. Based on 5 most recent grants.

Prosecution Projections

Expected OA Rounds: 3-4
Grant Probability: 84%
With Interview: 67% (-16.9%)
Median Time to Grant: 2y 11m
PTA Risk: High
Based on 788 resolved cases by this examiner. Grant probability derived from career allow rate.
