Securing Paged Memory with Tags

DETAILED ACTION Applicant's response with amendments filed on 09/03/2025 has been received and entered. Applicant has amended claims 1, 2, 3, 9, and 20. Claims 1-20 have been examined on the merits. Response to Amendment/Arguments Rejection under 35 USC § 112(b) for claim 3 has been withdrawn. Applicant's arguments filed on 09/03/2025 have been fully considered but they are not persuasive. Regarding claim 2, as amended, Applicant argues that: “Bramley fails to teach a tag store in a secure RAM that is separate from system DRAM. […] Bramley […] does not disclose a tag store at all. […] The cited paragraphs [¶ 0042-43, cited in the Office Action] disclose only that a guard tag “can be stored at any other memory location within the memory system” [and] as the Office Action correctly notes, does not disclose even a secure RAM, let alone a “tag store within a secure [RAM]”, as claim 2 recites.” Examiner agrees, as previously noted in the prior Office Action, that Bramley stores guard tags in any given memory location (i.e., tag storage locations 34; see FIG. 2, [0080]) within the memory system and that Bramley does not clarify if the memory system is of any specific type (e.g., RAM, SRAM, DRAM, etc.). As correctly noted by the applicant, Goss is cited to remedy this deficiency of Bramley. Regarding claim 2, as amended, Applicant argues that: “Goss also fails to teach a tag store in a secure RAM that is separate from system DRAM. Nor does Goss teach anything approaching a tag store. The Office Action cites Goss as teaching “a secure RAM and a DRAM.” Office Action at 7 (citing Goss, Fig. 4, 14] 0083, 0156, 0195). The cited portions of Goss do disclose a secure RAM, but Goss does not disclose tags at all, let alone a tag store. […] Indeed, the entire disclosure of Goss is directed to a “secure demand paging system.” Goss, ¶ 0012 (accord id., ¶ 0195). […] Goss is unconcerned with the use of tags, let alone tags that provide access control to memory pages stored in system DRAM. Essentially, Goss provides a completely different architecture, in which actual memory pages are stored in the secure RAM to control access to those pages. In contrast, claim 2 recites a device in which the memory pages are stored in system DRAM, while only tags need be stored in the secure RAM to provide access control to the pages stored in the system memory. Accordingly, Goss does not remedy Bramley’s failure to teach a tag store, let alone a tag store within a secure RAM. For at least this reason, the combination of Bramley and Goss cannot establish that claim 2 is prima facie unpatentable under § 103. Because the Office Action does not allege that Durham discloses either a tag store or a secure RAM, the Office Action does not establish that claim 2 is prima facie unpatentable under § 103.” Goss is cited to show a secure RAM separate from the system DRAM (as shown in FIG. 4: secure RAM 1034 and DRAM 1024). In Goss, page table entries (PTEs) identifying pages are maintained secure on-chip (i.e., in the secure RAM space). PTEs identify pages stored in the secure RAM and the pages in the DRAM are mapped to pages in the secure RAM. In this case both the secure RAM and the DRAM are storing pages. The PTEs are in PA2VA 2120 which is provided in secure RAM space (see [0155-0156], [0160], [0167], [0195]). Thus, for this claim as amended, it is reasonable to equate tags to PTEs, as they both serve as page identifiers; and, there is an association (e.g., mapping) between the pages in RAM and the pages in DRAM. It is important to note that Bramley is cited as disclosing the tags being stored in memory, but since Bramley is not specific about the type of memory system involved (that is, the memory system includes a main memory and a plurality of data cache (see [0079]), which in a typical scenario would be implemented as RAM and SRAM, but these specifics are not disclosed), Goss is then cited to remedy this deficiency and show that tags (e.g., PTEs) associated with pages in DRAM may be stored in a secure RAM. The language of the claim does not preclude the pages being stored in the secure RAM as well as in the DRAM, and does not require “only tags” being stored in the secure RAM. Regarding claim 1 (or 2), as amended, Applicant argues that: “Bramley and Goss cannot be combined to teach the features of claim 1. The Office Action alleges, [Motivation to combine, claim 2 rejection, Office Action, page 8]. Notwithstanding the collective failure of Bramley and Goss to disclose each feature of claim 2, those references cannot be combined as contemplated by the Office Action in any event. For example, the Office Action claims that incorporating the secure RAM of Goss would somehow “provide security with much greater extensibility.” The only relevant disclosure of Goss is the storing of pages of a protected application in a secure memory. Bramley, on the other hand, proposes the use of tags to address “memory related errors” arising from “[t]he enduring prevalence of use of memory-unsafe languages.” Bramley, 4] 0002. Nothing in either disclosure provides any hint that Goss’ “secure demand paging system” might possibly have any utility in the system of Bramley. At best, combining Goss with Bramley might provide a system in which Bramley’s tags (which are not stored in a secure RAM) might secure access to pages of memory in Goss’s secure RAM. This combination is problematic for multiple reasons. First, it most assuredly would not improve the performance of Bramley, because it would require swapping pages from system DRAM to Goss’s secure RAM merely to provide security that likely is redundant of the security already provided by Bramley’s tagging system. Second, and more importantly, the combination of those two references would result in a system that operates directly contrary to the device recited by claim 2. Claim 2 requires the tags to be stored in the secure RAM and the pages to be stored in the system DRAM, while the combined Bramley/Goss system would require pages to be stored in secure RAM while the tags are stored in the system DRAM. Thus, any attempt to combine Bramley and Goss to operate as recited by claim 2 would require modification of Goss to store pages in system DRAM rather than secure RAM. This would change Goss’ principle of operation (and indeed render Goss unsuitable for its intended purpose). As noted above, the entire point of Goss’ system is to store pages in secure RAM, not system DRAM, to ensure the security of protected applications. Thus, if anything, Goss teaches away from any combination that would require storage of pages in the system DRAM. While there may be superficial appeal to the Office Action’s argument that the concept of “a secure RAM and a DRAM” can be imported wholesale from Goss into Bramley, that argument (1) ignores the actual teachings of the entirety of the Goss reference and (2) still fails to account for the fact that neither reference teaches a tag store, let alone a tag store within a secure RAM. For at least these additional reasons, no combination that includes Goss can establish that claim 2 is prima facie unpatentable under § 103. Bramley discloses, inter alia: "[T]here may be a large number of memory related errors which may be vulnerable to exploitation by an attacker or other malicious party. Such errors may include: Bounds violations […] use-after-free errors […] use-after-return […] use-out-of-scope errors; and use-before-initialisation errors […]" (Bramley, [0002-0008]) "Denying access to the requested memory location if the tag check files may improve memory security. However, the tag check takes some time to perform, due to needing to fetch the guard tag from memory, and delaying the actual memory access until the tag check has passed may incur an unacceptable performance cost for some implementations. As the tag check may sometimes be used to identify memory errors in code which may not be a significant security problem in themselves, but may provide a risk that attackers may exploit in future, it may be enough simply to provide an indication of the mismatch while still allowing the access to proceed. This can improve performance. The error response action may therefore involve placing an indication that the tag check detected a mismatch in a status register, recording an entry in an error report, or otherwise signalling a fault. The error response action may indicate that a mismatch was detected as well as an address of a location at which the instruction that led to the mismatch is stored and/or the location for which access was sought." (Bramley, [0078]) The tags in Bramley are indeed related to memory errors, but these errors present a vulnerability to malicious exploitations; thus, these errors are effectively a security issue. Bramley states that denying access to memory locations based on checking a tag improves security and admits that this check may lead to poorer performance (see [0078]). Goss discloses a secure demand paging (SDP) system between internal, on-chip Secure RAM and external, off-chip DRAM and endowed with secure cryptography extensions added to swap operations for purposes of insuring that data which is swapped out to SDRAM will remain secure and be integrity-checked for unauthorized modification, therefore, providing security with much greater extensibility and flexibility that increases performance and security using a limited resource (Goss, [0194-0195]), which is what Bramley lacks. As explained above regarding argument (b), Goss discloses page table entries (PTEs) stored in a table in the secure RAM (e.g., tag store) that identify pages stored in the secure RAM that are mapped to the pages in the DRAM (see [0155-0156], [0160], [0167], [0195]). Please note that encrypted/ authenticated pages are stored in the DRAM and greatly increase the effective size of on-chip secure RAM (see [0150] and [0160]). Therefore, Goss shows that PTEs (e.g., tags) associated with pages in DRAM may be stored in a secure RAM space (see [0167]). Accordingly, the combination of Bramley and Goss takes into consideration the deficiencies of Bramley and the improvements Goss provides to cure these deficiencies in order to provide greater security, extensibility and flexibility. Claim Rejections - 35 USC § 103 The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action: A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made. Claims 1-12, 15-18 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Bramley et al. (US20230236925A1), hereinafter Bramley, in view of Goss et al. (US20210240637A1), hereinafter Goss. Regarding claim 1, Bramley discloses a [[data processing apparatus 2]], comprising: one or more processors, the one or more processors comprising a secure processor (processing circuitry 4 – see [0079], Fig. 1); a set of instructions encoded on a non-transitory computer readable medium and executable by the secure processor, the set of instructions comprising (instructions decoded by an instruction decoder 6 – see [0079], Fig. 1): instructions to store, with a secure client, a plurality of tags in tag store (tag storage locations (34), see FIG. 2, [0080]) [[memory]] in a secure environment of the [[data processing apparatus 2]] (the guard tag which is associated with a given block of memory locations can be stored at any other memory location within the memory system - see [0042]; the guard tags may be relatively small, for example, 4 or 8 bits, and so multiple guard tags each associated with a different block of memory locations may fit within the same memory location – see [0043]), each one of the plurality of tags being assigned to a different one of a plurality of memory pages in a [[memory of the data processing apparatus 2]], the plurality of tags comprising a first tag assigned to a first memory page, and the (the apparatus may provide permissions information at a level of granularity of the blocks of memory locations for which separate guard tags are defined; may allow more fine-grained permissions to be implemented by setting different guard tag values for different addresses in the same page and associating different permissions with those guard tag values, or by specifying different guard-tag/address-tag mappings for accesses of different types – see [0059]; each page table entry may provide an address translation mapping for a corresponding page of addresses and may also specify access control parameters (e.g., access permissions specifying access types and privilege levels) – see [0079]); and the memory manager (MMU 20 and related circuitry – see Fig. 1), comprising: circuitry to store the plurality of tags in the [[memory]] (the guard tag which is associated with a given block of memory locations can be stored at any other memory location within the memory system - see [0042]; the guard tags may be relatively small, for example, 4 or 8 bits, and so multiple guard tags each associated with a different block of memory locations may fit within the same memory location – see [0043]; see also Fig. 1); circuitry to receive an access request, from an untrusted client, for access to the first memory page (memory access circuitry 15 receives a read access request as illustrated by access type 44 - see [0093], Figs. 2 and 9); circuitry to identify the first tag assigned to the first memory page (read access request 44 specifies a memory location comprised by a block of memory locations 30 associated with guard tag 32 [0093]; Figs. 2 and 9; see also Fig. 1); circuitry to determine whether the untrusted client is authorized to access the first memory page, based at least in part on the first tag (guard tag 32 is remapped to produce a remapped tag 52 using the mapping information stored by the tag mapping storage circuitry 64 in order to match the associated guard tag value with permissions information (e.g., read, write, execute) – see [0093], Fig. 9; see also Fig. 1); and circuitry to provide the untrusted client with access to the first memory page based at least in part on a determination that the untrusted client is authorized to access the first memory page (the allowed types of access to blocks of memory locations associated with that guard tag 52 are read and write; remapped tag 52 and the address tag 40 are then compared in the tag check and allowed access types indicated by the permission information 54 and the requested access type 44 are compared in a permissions check; the address tag 40 and the remapped tag 52 match and the requested access type 44 is an allowed access type and so no error response action is performed; an error response action is carried out if tags do not match – see [0094], Fig. 9; see also Fig. 1). Bramley does not explicitly disclose the data processing apparatus being a set-up box or what type of memory is being used; that is, Bramley discloses a tag store within the memory, but not a tag store within a secure RAM. The disclosure refers to it as “memory system” [0042], but it is not specific about it being a secure RAM and/or a DRAM. However, in the same field of endeavor, Goss discloses a system and method for secure demand paging and paging operations wherein the memory includes a set-top box, a tag store within a secure RAM, and a separate DRAM (FIG. 1 illustrates an improved communications system 1000 with system blocks suitably implemented in fixed, portable, mobile, automotive, seaborne, and airborne, communications, control, set top box, and other apparatus – see [0059-0061]; security logic 1038 makes secure ROM space inaccessible, makes secure RAM and register space inaccessible and establishes any other appropriate protections to additionally foster security – see [0083]; as illustrated in Fig. 4, secure RAM 1034 is associated with secure swapper 2160, which is coupled to a non-secure DRAM holding encrypted/authenticated pages; PA2VA 2120 (which is provided in secure RAM space) containing page table entries (PTEs) identifying pages is maintained secure on-chip (i.e., in the secure RAM, see [0195]); PTEs identify which pages are stored in the secure RAM and the pages in the DRAM are mapped to pages in the secure RAM; that is, both the secure RAM and the DRAM are storing pages - see [0155-0156], [0160], [0167], [0195] and Fig. 4; see also “Response to Amendment/Arguments” section above). Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the device in Bramley to include a set-top box, a tag store within a secure RAM, and a separate DRAM, as taught by Goss. One would have been motivated to make such a combination to provide advanced networking capability for services, software, content, and other services to accommodate and provide security for secure utilization and entertainment appropriate to these and other applications, and to provide security with much greater extensibility and flexibility that increases performance and security using a limited resource, as recognized by Goss ([0060] and [0194]). Regarding claim 2, Bramley discloses a device, comprising: logic to store, in a tag store (tag storage locations (34), see FIG. 2, [0080]) , a plurality of tags (the guard tag which is associated with a given block of memory locations can be stored at any other memory location within the memory system - see [0042]; the guard tags may be relatively small, for example, 4 or 8 bits, and so multiple guard tags each associated with a different block of memory locations may fit within the same memory location – see [0043]), each one of the plurality of tags being assigned to a different one of a plurality of memory pages in a [[memory]] the plurality of tags comprising a first tag assigned to a first memory page (the apparatus may provide permissions information at a level of granularity of the blocks of memory locations for which separate guard tags are defined; may allow more fine-grained permissions to be implemented by setting different guard tag values for different addresses in the same page and associating different permissions with those guard tag values, or by specifying different guard-tag/address-tag mappings for accesses of different types – see [0059]; each page table entry may provide an address translation mapping for a corresponding page of addresses and may also specify access control parameters (e.g., access permissions specifying access types and privilege levels) – see [0079]); logic to receive an access request from a client for access to the first memory page (memory access circuitry 15 receives a read access request as illustrated by access type 44 - see [0093], Figs. 2 and 9); logic to identify the first tag assigned to the first memory page (read access request 44 specifies a memory location comprised by a block of memory locations 30 associated with guard tag 32 [0093]; Figs. 2 and 9); logic to determine whether the client is authorized to access the first memory page (guard tag 32 is remapped to produce a remapped tag 52 using the mapping information stored by the tag mapping storage circuitry 64 in order to match the associated guard tag value with permissions information (e.g., read, write, execute) – see [0093], Fig. 9); and logic to provide the client with access to the memory page based at least in part on a determination that the client is authorized to access the memory page (the allowed types of access to blocks of memory locations associated with that guard tag 52 are read and write; remapped tag 52 and the address tag 40 are then compared in the tag check and allowed access types indicated by the permission information 54 and the requested access type 44 are compared in a permissions check; the address tag 40 and the remapped tag 52 match and the requested access type 44 is an allowed access type and so no error response action is performed; an error response action is carried out if tags do not match – see [0094], Fig. 9). Bramley does not explicitly disclose what type of memory is being used; that is, Bramley discloses a tag store within the memory, but not a tag store within a secure RAM. The disclosure refers to it as “memory system” [0042], but it is not specific about it being a secure RAM and/or a DRAM. However, in the same field of endeavor, Goss discloses a system and method for secure demand paging and paging operations wherein the memory includes a tag store within a secure RAM, and a separate DRAM (security logic 1038 makes secure ROM space inaccessible, makes secure RAM and register space inaccessible and establishes any other appropriate protections to additionally foster security – see [0083]; as illustrated in Fig. 4, secure RAM 1034 is associated with secure swapper 2160, which is coupled to a non-secure DRAM holding encrypted/authenticated pages; PA2VA 2120 (which is provided in secure RAM space) containing page table entries (PTEs) identifying pages is maintained secure on-chip (i.e., in the secure RAM, see [0195]); PTEs identify which pages are stored in the secure RAM and the pages in the DRAM are mapped to pages in the secure RAM; that is, both the secure RAM and the DRAM are storing pages - see [0155-0156], [0160], [0167], [0195] and Fig. 4; see also “Response to Amendment/Arguments” section above). Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the device in Bramley to include a tag store within a secure RAM, and a separate DRAM, as taught by Goss. One would have been motivated to make such a combination to provide security with much greater extensibility and flexibility that increases performance and security using a limited resource, as recognized by Goss ([0194]). Regarding claim 3, Bramley and Goss disclose all the claimed subject matter of claim 2 above. Furthermore, Bramley discloses the device wherein the client is an untrusted processor executing an operating system or application of the device (software to be executed by a data processing apparatus may typically be written in a high-level programing language and then compiled into code according to the instruction set architecture supported by the apparatus on which the software is to be executed; the enduring prevalence of use of memory-unsafe languages means that in compiled code according to a given instruction set architecture, there may be a large number of memory related errors which may be vulnerable to exploitation by an attacker or other malicious party – see [0002]; apparatus 2 may be configured to support both approaches with software able to indicate a selected approach by setting configuration information in a control register to set the length of the remapped address tags to use; updates to any control information used to control how tag mapping is performed may be restricted to software at a certain privilege level or higher (e.g. restricted to operating system or hypervisor software, so that application-level code is not allowed to set the control information) – see [0101]; see also [0003-0008]; note that requests may originate from different threads of processes – see [0046]). Regarding claim 4, Bramley and Goss disclose all the claimed subject matter of claim 2 above. Bramley does not disclose the device wherein the client is an audio or video decoder. However, Goss discloses the device wherein the client is an audio or video decoder (Audio/voice block 1170 supports audio and voice functions and interfacing; speech/voice codec(s) are suitably provided in memory space in audio/voice block 1170 for processing by processor(s) 1110 – see [0073]; audio block 1220 has an analog-to-digital converter (ADC) coupled to the voice codec and a stereo DAC (digital to analog converter) for a signal path to the baseband block 1210 including audio/voice block 1170 – see [0075]; note that FIG. 2 illustrates inventive integrated circuit chips including chips 1100, 1200, 1300, 1400, 1500 for use in the blocks of the communications system 1000 of FIG. 1 – see [0068] – and FIG. 1 illustrates an improved communications system 1000 with system blocks suitably implemented in fixed, portable, mobile, automotive, seaborne, and airborne, communications, control, set top box, and other apparatus – see [0059-0061] ) . Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the device in Bramley to include the device wherein the client is an audio or video decoder, as taught by Goss. One would have been motivated to make such a combination in order to provide advanced networking capability for services, software, content, and other services to accommodate and provide security for secure utilization and entertainment appropriate to these and other applications, as recognized by Goss ([0060]). Regarding claim 5, Bramley and Goss disclose all the claimed subject matter of claim 2 above. Furthermore, Bramley discloses the device wherein the client is a firmware or hardware client (requests may originate from different threads of processes – see [0046]; a simultaneous-multi-threaded (SMT) processor may store mapping information for each thread alongside architectural state stored for the threads; the SMT may also provide mapping registers for the different threads supported in hardware. The tag check may then be performed based on the mapping information stored in a register selected using the thread ID of the instructing triggering the tag check – see [0071], [0072]). Regarding claim 6, Bramley and Goss disclose all the claimed subject matter of claim 2 above. Furthermore, Bramley discloses the device wherein the client is an untrusted client (software to be executed by a data processing apparatus may typically be written in a high-level programing language and then compiled into code according to the instruction set architecture supported by the apparatus on which the software is to be executed; the enduring prevalence of use of memory-unsafe languages means that in compiled code according to a given instruction set architecture, there may be a large number of memory related errors which may be vulnerable to exploitation by an attacker or other malicious party; errors may include bounds violations, use-after-free errors, use-after-return, use-out-of-scope errors, use-before-initialisation errors, and other memory-related errors which can result in unpredictable behaviour and potentially provide avenues for attackers to exploit – see [0002-0008]; note that requests may originate from different threads of processes – see [0046]). Regarding claim 7, Bramley and Goss disclose all the claimed subject matter of claim 2 above. Furthermore, Bramley discloses the device further comprising logic to assign the first tag to the first memory page (the tag mapping information specifies a plurality of remapped tag value fields made up of an address tag value that will match the associated guard tag value and permissions information; the address tag value and permissions information may be easily associated with the appropriate guard tag value and this information easily updated or altered for individual items of mapping information - see [0093], Fig. 9). Regarding claim 8, Bramley and Goss disclose all the claimed subject matter of claim 2 above. Furthermore, Bramley discloses the device wherein the logic to determine whether the client is authorized to access the first memory page comprises: logic to determine whether the client is authorized to access the first memory page based at least in part on the first tag (guard tag 32 is remapped to produce a remapped tag 52 using the mapping information stored by the tag mapping storage circuitry 64 – see [0093]; to generate the remapped tag 52, guard tag value, 0b0100, is looked up in the mapping information and it can be identified that the corresponding address tag value is 0b10101001 and the allowed types of access to blocks of memory locations associated with that guard tag 52 are read and write; the remapped tag 52 and the address tag 40 are then compared in the tag check and allowed access types indicated by the permission information 54 and the requested access type 44 are compared in a permissions check; if they match, no error response action is performed and if they don’t, an error response action could be carried out – see [0094]). Regarding claim 9, Bramley and Goss disclose all the claimed subject matter of claim 8 above. Furthermore, Bramley discloses the device further comprising: logic to store, in a permission store, a plurality of permission vectors, the permission store comprising a plurality of rows, each of the plurality of rows corresponding to one of the plurality of tags, the plurality of rows comprising a first row corresponding to the first tag, the first row comprising a plurality of fields storing one or more permission vectors for each of a plurality of clients, the plurality of fields comprising a first field storing a first permission vector for the client (guard tag 32 is remapped to produce a remapped tag 52 using the mapping information stored by the tag mapping storage circuitry 64; tag mapping information specifies a plurality of remapped tag value fields made up of an address tag value that will match the associated guard tag value and permissions information - see [0093]; to generate the remapped tag 52, guard tag value, 0b0100, is looked up in the mapping information and it can be identified that the corresponding address tag value is 0b10101001 and the allowed types of access to blocks of memory locations associated with that guard tag 52 are read and write – see [0094]; FIGS. 8 and 9 show examples in which a field is used to store the permissions information for each item of mapping information – see [0095]; see “tag mapping storage 64”, in Fig. 9, wherein each row corresponds to a guard tag, and each row includes a field storing permissions (e.g., read, write, execute) for each guard tag). Regarding claim 10, Bramley and Goss disclose all the claimed subject matter of claim 9 above. Furthermore, Bramley discloses the device further comprising: logic to receive a client identifier of the client; wherein the logic to determine whether the client is authorized to access the first memory page further comprises: logic to identify the first row corresponding to the first tag; logic to identify the first field storing the first permission vector for the client; and logic to determine whether the client is authorized to access the first memory page, based at least in part on the first permission vector (guard tag 32 is remapped to produce a remapped tag 52 using the mapping information stored by the tag mapping storage circuitry 64; tag mapping information specifies a plurality of remapped tag value fields made up of an address tag value that will match the associated guard tag value and permissions information - see [0093]; to generate the remapped tag 52, guard tag value, 0b0100, is looked up in the mapping information and it can be identified that the corresponding address tag value is 0b10101001 and the allowed types of access to blocks of memory locations associated with that guard tag 52 are read and write; the remapped tag 52 and the address tag 40 are then compared in the tag check and allowed access types indicated by the permission information 54 and the requested access type 44 are compared in a permissions check; if they match, no error response action is performed and if they don’t, an error response action could be carried out – see [0094]; FIGS. 8 and 9 show examples in which a field is used to store the permissions information for each item of mapping information – see [0095]; see “tag mapping storage 64”, in Fig. 9, wherein each row corresponds to a guard tag, and each row includes a field storing permissions (e.g., read, write, execute) for each guard tag). Regarding claim 11, Bramley and Goss disclose all the claimed subject matter of claim 10 above. Furthermore, Bramley discloses the device wherein: the plurality of fields comprises a second field storing a second permission vector for the client; the first permission vector corresponds to a first transaction type; the second permission vector corresponds to a second transaction type; and the logic to determine whether the client is authorized to access the first memory page further comprises: logic to determine that a requested transaction related to the access request is of the first transaction type (guard tag 32 is remapped to produce a remapped tag 52 using the mapping information stored by the tag mapping storage circuitry 64; tag mapping information specifies a plurality of remapped tag value fields made up of an address tag value that will match the associated guard tag value and permissions information - see [0093]; to generate the remapped tag 52, guard tag value, 0b0100, is looked up in the mapping information and it can be identified that the corresponding address tag value is 0b10101001 and the allowed types of access to blocks of memory locations associated with that guard tag 52 are read and write; the remapped tag 52 and the address tag 40 are then compared in the tag check and allowed access types indicated by the permission information 54 and the requested access type 44 are compared in a permissions check; if they match, no error response action is performed and if they don’t, an error response action could be carried out – see [0094]; FIGS. 8 and 9 show examples in which a field is used to store the permissions information for each item of mapping information – see [0095]; see “tag mapping storage 64”, in Fig. 9, wherein each row corresponds to a guard tag, and each row includes a field storing permissions (e.g., read, write, execute) for each guard tag; as illustrated in Fig. 9, permissions [i.e., permission vectors] may be for one or a combination of transaction types - that is – read, read and execute, read and write, etc. for a particular guard tag). Regarding claim 12, Bramley and Goss disclose all the claimed subject matter of claim 2 above. Furthermore, Bramley discloses the device further comprising: logic to receive a requested tag from the client, the requested tag corresponding to the access request; and logic to determine whether the requested tag matches the first tag; wherein the logic to determine whether the client is authorized to access the first memory page comprises logic to determine whether the client is authorized to access the first memory page based on whether the requested tag matches the first tag (it is possible to create more complicated relations between guard tag values and their corresponding address tag values, e.g., varying the mapping based on the thread from which the request originated – see [0046; guard tag 32 is remapped to produce a remapped tag 52 using the mapping information stored by the tag mapping storage circuitry 64; tag mapping information specifies a plurality of remapped tag value fields made up of an address tag value that will match the associated guard tag value and permissions information - see [0093]; to generate the remapped tag 52, guard tag value, 0b0100, is looked up in the mapping information and it can be identified that the corresponding address tag value is 0b10101001 and the allowed types of access to blocks of memory locations associated with that guard tag 52 are read and write; the remapped tag 52 and the address tag 40 are then compared in the tag check and allowed access types indicated by the permission information 54 and the requested access type 44 are compared in a permissions check; if they match, no error response action is performed and if they don’t, an error response action could be carried out – see [0094]; see also [0097], Fig. 11). Regarding claim 15, Bramley and Goss disclose all the claimed subject matter of claim 2 above. Furthermore, Bramley discloses the device, wherein the device is a memory manager (FIG. 1 schematically illustrates an example of a data processing apparatus 2; a memory management unit (MMU) 20 is provided for providing address translation functionality to support memory accesses triggered by the load/store unit 15 – see [0079], Fig. 1) Regarding claim 16, Bramley and Goss disclose all the claimed subject matter of claim 2 above. Bramley does not disclose the device, wherein the device is a system on a chip (SoC). However, Goss discloses the device, wherein the device is a system on a chip (SoC) (SoC (System on a Chip) Secure static RAM – see [0128]). Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the device in Bramley to include the device, wherein the device is a system on a chip (SoC), as taught by Goss. One would have been motivated to make such a combination because use of independent on-chip hardware advantageously isolates operations from software-based attacks, as recognized by Goss ([0092]). Regarding claim 17, Bramley and Goss disclose all the claimed subject matter of claim 15 above. Bramley does not disclose the device, wherein the SoC comprises the secure RAM. However, Goss discloses the device, wherein the SoC comprises the secure RAM (SoC (System on a Chip) Secure static RAM – see [0128]; see also [0091-0093]). Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the device in Bramley to include the device, wherein the SoC comprises the secure RAM, as taught by Goss. One would have been motivated to make such a combination because use of independent on-chip hardware advantageously isolates operations from software-based attacks, as recognized by Goss ([0092-93]). Regarding claim 18, Bramley and Goss disclose all the claimed subject matter of claim 2 above. Bramley does not disclose the device, wherein the device is a set-top box. However, Goss discloses the device, wherein the device is a set-top box (FIG. 1 illustrates an improved communications system 1000 with system blocks suitably implemented in fixed, portable, mobile, automotive, seaborne, and airborne, communications, control, set top box, and other apparatus – see [0059-0061]). Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the device in Bramley to include the device, wherein the device is a set-top box, as taught by Goss. One would have been motivated to make such a combination in order to provide advanced networking capability for services, software, content, and other services to accommodate and provide security for secure utilization and entertainment appropriate to these and other applications, as recognized by Goss ([0060]). Regarding claim 20, all limitations correspond to the method performed by the device of claim 2 above. Therefore, claim 20 is being rejected on the same basis as claim 2. Claims 13, 14 and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Bramley and Goss as applied to claim 2 above, and further in view of Durham et al. (US20200125502A1), hereinafter Durham. Regarding claim 13, Bramley and Goss disclose all the claimed subject matter of claim 2 above. Furthermore, Bramley discloses use-after-free errors, in which an access to a memory location is made after that memory location has already been deallocated or freed in [0004]; and, use-after-return, in which a memory access to an address associated with a variable used within a function (such as a value on a stack) is made after already returning from the function in [0005]. Goss discloses “page wiping” which includes various alternatives to overwrite, erase, or simply change the state of a page-bit that tags or earmarks a page, and other methods to free or make available a page space or slot for a new page. Bramley and Goss do not explicitly disclose the device further comprising: logic to determine that the client has stopped using the first page; logic to mark the first page with a second tag; and logic to return the first page to a system memory heap. However, in the same field of endeavor, Durham discloses a device and method for low memory overhead heap management for memory tagging (see abstract), wherein the device further compris[es]: logic to determine that the client has stopped using the first page; logic to mark the first page with a second tag; and logic to return the first page to a system memory heap (the heap manager may generate a tag for a data block during memory allocation and change the tag to a different value when the memory is released or reallocated; the heap manager may prevent tag reuse, e.g., assignment of the same tag to a particular data block across subsequent allocations of that data block – see [0017]; a heap manager may maintain a history of previous tags as part of the heap management metadata and take the history into account during a memory heap operation (e.g., memory allocation and/or release operation); this allows reuse of a data block immediately after it is released provided that it is possible to assign a tag value that differs from the previous tag values as indicated by the tag history – see [0019], see also [0018]). Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the device in Bramley and Goss to include the device further comprising: logic to determine that the client has stopped using the first page; logic to mark the first page with a second tag; and logic to return the first page to a system memory heap, as taught by Durham. One would have been motivated to make such a combination to significantly reduce the need for quarantining heap blocks and thus reduce the memory overhead of heap management for memory tagging solutions, as recognized by Durham ([0017-0019]). Regarding claim 14, Bramley, Goss and Durham disclose all the claimed subject matter of claim 13 above. Furthermore, Bramley discloses the device wherein the second tag is a shared tag applied to a plurality of (it can be more efficient to associate each guard tag with a block of multiple memory locations, that is, several adjacent memory locations may share the same guard tag, which can be enough for detecting common forms of memory-related error – see [0041]). Bramley and Goss do not explicitly disclose the shared tag being applied specifically to unused memory pages. However, Durham discloses a shared tag applied to unused memory pages (tags may then simply be used to prevent use-after-free attacks; if the tag values stored in memory are also encrypted as the data as shown herein, the memory tags themselves become dependent on the object's size and location in memory, allowing the heap manager 104 to freely assign the same tag values for different object sizes, over time (multiple allocations and frees), occupying the same locations in memory – emphasis added, see [0067]). Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the device in Bramley and Goss to include a shared tag applied to unused memory pages, as taught by Durham. One would have been motivated to make such a combination to prevent use-after-free attacks, as recognized by Durham ([0067]). Regarding claim 19, Bramley and Goss disclose all the claimed subject matter of claim 2 above. Bramley and Goss do not explicitly disclose the device wherein the first memory page is fragmented. However, Durham discloses a device and method for low memory overhead heap management for memory tagging (see abstract), wherein the first memory page is fragmented (the block that is identified or generated to fulfill the request may be assigned a tag that is not a part of the tag history of the block; the tag may be assigned in response to the memory allocation request (e.g., when a new block is created due to fragmentation or defragmentation, when a block is allocated for the first time, or when a block is reallocated) – see [0040-0041]; see also [0050], Fig. 4). Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the device in Bramley and Goss to include the device, wherein the first memory page is fragmented, as taught by Durham. One would have been motivated to make such a combination to provide flexible data allocation if an incoming memory request may request a large data block when only small data blocks are available, as recognized by Durham ([0045]). Conclusion The prior art made of record and not relied upon is considered pertinent to applicant's disclosure: Park et al. (US 20220398349 A1) - SYSTEM ON CHIP INCLUDING SECURE PROCESSOR AND SEMICONDUCTOR SYSTEM INCLUDING THE SAME - Includes a secure processor with a RAM in a secure environment, and a tag table on external volatile memory. Hendrickson et al. (US 20230289453 A1) - FAIRLY UTILIZING MULTIPLE CONTEXTS SHARING CRYPTOGRAPHIC HARDWARE – Includes secure SRAM and tags/identifiers store in SRAM. Del Giudice et al. (US 20220343034 A1) - SYSTEM ON A CHIP AND METHOD GUARANTEEING THE FRESHNESS OF THE DATA STORED IN AN EXTERNAL MEMORY – Includes secure volatile memory (e.g., RAM) and RAM in system-on-chip. Cong et al. (US 20190196977 A1) - TECHNOLOGY FOR MANAGING MEMORY TAGS – Includes tag maps in RAM. Kerchaw et al. (US 20080046762 A1) - PROTECTING SYSTEM CONTROL REGISTERS IN A DATA PROCESSING APPARATUS – Includes page table entries in secure RAM. Freeman et al. (US 20070283115 A1) - MEMORY PROTECTION IN A COMPUTER SYSTEM EMPLOYING MEMORY VIRTUALIZATION – Includes assigning a unique identifier to an application, process, or thread when memory is allocated; the identifier may represent a page or segment number of the allocation memory block, or an identifier of a memory unit or subsystem. Carter et al. (US 5845331 A) - MEMORY SYSTEM INCLUDING GUARDED POINTERS – Includes guarded pointers address memory locations to which access is restricted; each guarded pointer identifies a protected segment in memory and an address within the protected segment. Chen et al. (US 20060265733 A1) - METHOD AND APPARATUS FOR SECURITY POLICY AND ENFORCING MECHANISM FOR A SET-TOP BOX SECURITY PROCESSOR – Includes set-top box secure RAM. Deming et al. (US 9569348 B1) - METHOD FOR AUTOMATIC PAGE TABLE COMPRESSION – Includes page table entries (PTEs); PTEs PTE may also include fields that define the attributes of the particular virtual memory page, e.g., read-only, privileged, and data format. Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a). A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. Any inquiry concerning this communication or earlier communications from the examiner should be directed to DORIANNE ALVARADO DAVID whose telephone number is (571)272-4228. The examiner can normally be reached 9:00am-5:00pm ET. Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Philip Chea can be reached at (571) 272-3951. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. /DORIANNE ALVARADO DAVID/Examiner, Art Unit 2499