DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Response to Arguments
Applicant’s arguments with respect to the claim(s) rejected under 103 have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument.
Applicant argued in the remark that detecting and locking a securable asset of the PLD in response to an asset tamper attempt, but also resuming the operational state of the PLD based on an updated asset tamper attempt status. That is, the operational state of the PLD at the time of the detection is resumed after the asset tamper attempt has passed.
Examiner respectfully disagrees. Lewis discloses (cols 3-4, lines 57-67 and lines 1-10 respectively, FIGS. 1, 2, 3 and 4 the present FPGA system 100 is shown in various configurations. The various configurations are substantially identical with the exception of the utilization of the dormant data 230, configuration data 210 and/or null data 220 within the configuration memory device 102. In general, the FPGA system 100 includes an FPGA 101, and a configuration memory device 102 coupled to the FPGA 101 for providing the FPGA 101 with configuration information, wherein the configuration memory device 102 is programmed with configuration data 210, dormant data 230 and/or null data 220. The FPGA system also includes a configuration assist circuit 106 coupled to the FPGA 101 and the configuration memory device 102 for controlling loading of configuration information from the configuration memory device 102 to the FPGA 101. A tamper detection system 310 is further provided. The tamper detection system 310 provides a tamper indication signal 300 to the FPGA 101, wherein when a tamper indication signal is received by the FPGA 101 the configuration data 210 is replaced with the dormant data 230).
Jacobson discloses col 8, lines 22-29 The status result is checked at step 416. For successful programming of the PLD in the programming hardware, the process 400 proceeds to step 418 and the host disables, i.e. lock, update mode causing the programming hardware to resume normal operating mode. For unsuccessful programming of the PLD in the programming hardware, the process 400 proceeds to step 420 with user notification of the unsuccessful programming and col 8, lines 22-31 The status result is checked at step 416. For successful programming of the PLD in the programming hardware, the process 400 proceeds to step 418 and the host disables update mode causing the programming hardware to resume normal operating mode. For unsuccessful programming of the PLD in the programming hardware, the process 400 proceeds to step 420 with user notification of the unsuccessful programming and col 9, lines 10-15 At step 518, the host computer and possibly the interpreter may check the programming status result. For successful programming, process 500 proceeds to step 520 and the host computer disables update mode, causing the programming hardware to resume normal operating mode.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claim(s) 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over Jacobson et al US 7,302,562 in view of Lewis et al US 8,159,259.
As per claim 1. Jacobson et al US 7,302,562 discloses a secure programmable logic device (PLD) asset detection management system, comprising:
a secure PLD (col 3, lines 8-9 a programmable logic device (PLD) has a hardware component) comprising: a non-volatile memory (NVM), a configuration input/output (I/O), a communication bus, a plurality of programmable logic blocks (PLBs) arranged in a PLD fabric of the secure PLD (fig. 2, col 4, lines 59-61 a block diagram of example programmer hardware 202 including an interpreter 204 for configuring the programmer hardware), and
a configuration engine configured to program the PLD fabric according to a configuration image stored in the NVM and/or coupled through the configuration I/O to the configuration engine (col 2, lines 5-10 determining availability of updated configuration data for a hardware component by a software component; means for enabling an update mode of the hardware component in response to availability of the updated configuration data and col 6, lines 32-43 FIG. 3 is a flow diagram of a process 300 for configuring programmer hardware, in accordance with one or more embodiments of the invention. The programmer hardware includes one or more PLDs that are programmed during configuration of programmer hardware. The programmer hardware may be configured with updated configuration data, for example, to fix discovered defects in the programmer hardware, to allow programming of a new generation of target PLD not supported by the existing programmer hardware configuration, or to add new features to the programmer hardware.), and
wherein the PLBs and/or the configuration engine are:
lock, in response to the asset tamper attempt, a securable asset associated with the detected asset attempt, wherein the securable asset comprises the targeted asset, the configuration I/O, and/or the communication bus (col 2, lines 10-20 means for disabling, i.e. lock, the hardware component from programming the target programmable device in response to the update mode being enabled; means for programming at least one programmable device internal to the hardware component with the updated configuration data while the hardware component is in the update mode; means for disabling the update mode of the hardware component in response to completion of programming of the at least one programmable device; and means for programming the target programmable device including configuration data, wherein the target PLD is external to the hardware component.),
unlock the securable asset monitor the secure PLD for an updated asset attempt status, (col 2, lines 32-45 The target interface is further adapted to enable, i.e. unlock, passing of configuration data to the target programmable device in response to the hardware component operating in normal mode and disable passing of configuration data in response to the hardware component operating in update mode. A path selector is coupled to the software component, the programmable device in the hardware component, and the target interface. The path selector is adapted to provide configuration data to the target interface via the at least one programmable device in response to the hardware component operating in normal mode and provide configuration data to the at least one programmable device in response to the hardware component operating in update mode. And col 4, lines 16-32 The update for programmer 110 may contain both replacement software for programmer software 106 and replacement configuration data for PLD 112. The update mode of the programmer hardware 102 may be used to update the configuration of PLD 112 with the replacement configuration data using the replacement software for programmer software 106 followed by replacing programmer software 106 with the replacement software. It will be appreciated that either the replacement software or the replaced software for programmer software 106 may be used to program the PLD 112 with the replacement configuration data, depending on the particular updated features. Also, the update for the programmer 110 may contain certain components of the programmer software 106 and/or certain portions of the configuration data for PLD 112.)
resume the operational state of the secure PLD based on the updated asset attempt status (col 8, lines 22-29 The status result is checked at step 416. For successful programming of the PLD in the programming hardware, the process 400 proceeds to step 418 and the host disables, i.e. lock, update mode causing the programming hardware to resume normal operating mode. For unsuccessful programming of the PLD in the programming hardware, the process 400 proceeds to step 420 with user notification of the unsuccessful programming and col 8, lines 22-31 The status result is checked at step 416. For successful programming of the PLD in the programming hardware, the process 400 proceeds to step 418 and the host disables update mode causing the programming hardware to resume normal operating mode. For unsuccessful programming of the PLD in the programming hardware, the process 400 proceeds to step 420 with user notification of the unsuccessful programming and col 9, lines 10-15 At step 518, the host computer and possibly the interpreter may check the programming status result. For successful programming, process 500 proceeds to step 520 and the host computer disables update mode, causing the programming hardware to resume normal operating mode.).
Jacobson does not disclose detect an asset tamper attempt on a target asset of the secure PLD during the operational state of the PLD.
However, Lewis discloses an asset tamper attempt on a target asset of the secure PLD during the operational state of the PLD (cols 3-4, lines 57-67 and lines 1-10 respectively, FIGS. 1, 2, 3 and 4 the present FPGA system 100 is shown in various configurations. The various configurations are substantially identical with the exception of the utilization of the dormant data 230, configuration data 210 and/or null data 220 within the configuration memory device 102. In general, the FPGA system 100 includes an FPGA 101, and a configuration memory device 102 coupled to the FPGA 101 for providing the FPGA 101 with configuration information, wherein the configuration memory device 102 is programmed with configuration data 210, dormant data 230 and/or null data 220. The FPGA system also includes a configuration assist circuit 106 coupled to the FPGA 101 and the configuration memory device 102 for controlling loading of configuration information from the configuration memory device 102 to the FPGA 101. A tamper detection system 310 is further provided. The tamper detection system 310 provides a tamper indication signal 300 to the FPGA 101, wherein when a tamper indication signal is received by the FPGA 101 the configuration data 210 is replaced with the dormant data 230).
Jacobson and Lewis are both considered to be analogous to the claimed invention because they are in the same field of PLD. Therefore, it would have been obvious to someone of ordinary skill in the art before the effective filing date of the claimed invention to have modified Jacobson to incorporate the teachings of Lewis and provide determining the tamper in the PLD. Doing so would improve the data protection in the FPGA.
As per claim 2. Jacobson and Lewis disclose the secure PLD asset tamper detection management system of claim 1, Lewis discloses wherein the secure PLD is configured to detect the asset tamper attempt by: detecting, by the configuration engine, an improper command provided to the configuration engine via the configuration I/O and/or other buses of the secure PLD, wherein the improper command comprises an illegal or reserved configuration command (cols 3-4, lines 57-67 and lines 1-10 respectively, FIGS. 1, 2, 3 and 4 the present FPGA system 100 is shown in various configurations. The various configurations are substantially identical with the exception of the utilization of the dormant data 230, configuration data 210 and/or null data 220 within the configuration memory device 102. In general, the FPGA system 100 includes an FPGA 101, and a configuration memory device 102 coupled to the FPGA 101 for providing the FPGA 101 with configuration information, wherein the configuration memory device 102 is programmed with configuration data 210, dormant data 230 and/or null data 220. The FPGA system also includes a configuration assist circuit 106 coupled to the FPGA 101 and the configuration memory device 102 for controlling loading of configuration information from the configuration memory device 102 to the FPGA 101. A tamper detection system 310 is further provided. The tamper detection system 310 provides a tamper indication signal 300 to the FPGA 101, wherein when a tamper indication signal is received by the FPGA 101 the configuration data 210 is replaced with the dormant data 230).
As per claim 3. Jacobson and Lewis disclose the secure PLD asset tamper detection management system of claim 1, Lewis discloses wherein the illegal or reserved configuration command comprises: an unauthenticated command attempting to access a locked asset without authentication, attempting to enter a manufacturer mode or load a configuration for the secure PLD, attempting to assert one or more manufacturer commands, or attempting to access an illegal memory address, or any undefined command (col 7, lines 35-56 the tamper detection system 310 is a sensor that identifies (1) a change in radiation (indicates the system is being x-rayed); (2) a change in pressure or gaseous content (indicates that an atmospheric seal has been broken); (3) change in a simple switch condition (indicates that an operator has pressed the panic button or that a tamper switch has been triggered). Mercury switches can be used to indicate that a system is being tampered with. More elaborate systems include continuity loops to indicate that a system is still properly assembled or time-based access to indicate that it is the proper time for the device to be used (like the clock control on a bank vault that prohibits the vault being opened before 8:00 AM or after 5:00 PM). In military aircraft, the tamper (or self-destruct) signal is activated when the pilot ejects. In secure computing equipment, the self-destruct is triggered by repeatedly entering an incorrect (invalid) password/user combination. (31) The tamper detection system 310 provides a tamper indication signal 300 to the FPGA 101 to indicate that a tamper event has occurred or is occurring. This input may be implemented in a number of ways and may indicate numerous types of events. The tamper detection system 310 may even be internal to the FPGA 101. In accordance with a preferred embodiment, most of the tamper detection system 310 is implemented in the FPGA 101).
As per claim 4. Jacobson and Lewis disclose the secure PLD asset tamper detection management system of claim 1, Jacobson discloses wherein the secure PLD is configured to detect the asset tamper attempt by: detecting, by the PLD fabric, an improper command provided to a programmable I/O of the secure PLD that is coupled to the PLD fabric and/or relayed via the configuration engine and/or other buses of the secure PLD (col 4, lines 16-32 The update for programmer 110 may contain both replacement software for programmer software 106 and replacement configuration data for PLD 112. The update mode of the programmer hardware 102 may be used to update the configuration of PLD 112 with the replacement configuration data using the replacement software for programmer software 106 followed by replacing programmer software 106 with the replacement software. It will be appreciated that either the replacement software or the replaced software for programmer software 106 may be used to program the PLD 112 with the replacement configuration data, depending on the particular updated features. Also, the update for the programmer 110 may contain certain components of the programmer software 106 and/or certain portions of the configuration data for PLD 112).
As per claim 5. Jacobson and Lewis disclose the secure PLD asset tamper detection management system of claim 1, Jacobson discloses wherein the asset tamper attempt comprises a physical anomaly comprising an anomalous voltage bias, fluctuation, or fluctuation pattern detected on one or more communication buses during operation of the secure PLD and/or a temperature excursion, fluctuation, or fluctuation pattern detected within the secure PLD during operation of the secure PLD (col 8, lines 22-29 The status result is checked at step 416. For successful programming of the PLD in the programming hardware, the process 400 proceeds to step 418 and the host disables, i.e. lock, update mode causing the programming hardware to resume normal operating mode. For unsuccessful programming of the PLD in the programming hardware, the process 400 proceeds to step 420 with user notification of the unsuccessful programming and col 8, lines 22-31 The status result is checked at step 416. For successful programming of the PLD in the programming hardware, the process 400 proceeds to step 418 and the host disables update mode causing the programming hardware to resume normal operating mode. For unsuccessful programming of the PLD in the programming hardware, the process 400 proceeds to step 420 with user notification of the unsuccessful programming and col 9, lines 10-15 At step 518, the host computer and possibly the interpreter may check the programming status result.).
As per claim 6. Jacobson and Lewis disclose the secure PLD asset tamper detection management system of claim 1, Lewis discloses wherein: the tamper detection interrupt assertion comprises an improper configuration command assertion and/or a configuration port lock assertion; and wherein the secure PLD is configured to detect the asset tamper attempt by: generating a tamper detection interrupt assertion associated with the detected asset tamper attempt, setting a tamper detection status register of the configuration engine to indicate the targeted asset and an asset tamper attempt type corresponding to the detected asset tamper attempt, wherein the asset tamper attempt type comprises an attempted read, write, and/or erase access of the targeted asset, and providing: by the configuration engine, the tamper detection interrupt assertion to the PLD fabric, and/or by the PLD fabric, the tamper detection interrupt assertion to the configuration engine, wherein the locking the securable asset comprises locking the configurable I/O, a programmable I/O, and/or other buses of the secure PLD (col 7, lines 35-60 the tamper detection system 310 is a sensor that identifies (1) a change in radiation (indicates the system is being x-rayed); (2) a change in pressure or gaseous content (indicates that an atmospheric seal has been broken); (3) change in a simple switch condition (indicates that an operator has pressed the panic button or that a tamper switch has been triggered). Mercury switches can be used to indicate that a system is being tampered with. More elaborate systems include continuity loops to indicate that a system is still properly assembled or time-based access to indicate that it is the proper time for the device to be used (like the clock control on a bank vault that prohibits the vault being opened before 8:00 AM or after 5:00 PM). In military aircraft, the tamper (or self-destruct) signal is activated when the pilot ejects. In secure computing equipment, the self-destruct is triggered by repeatedly entering an incorrect (invalid) password/user combination. (31) The tamper detection system 310 provides a tamper indication signal 300 to the FPGA 101 to indicate that a tamper event has occurred or is occurring. This input may be implemented in a number of ways and may indicate numerous types of events. The tamper detection system 310 may even be internal to the FPGA 101. In accordance with a preferred embodiment, most of the tamper detection system 310 is implemented in the FPGA 101).
As per claim 7. Jacobson and Lewis disclose the secure PLD asset tamper detection management system of claim 1, Jacobson discloses wherein the secure PLD is configured to provide an asset tamper attempt report of the detected asset tamper report to one or more of a secure PLD customer, a secure PLD manufacturer, a secure PLD programmer, a user device assembler, and/or a downstream customer via a communications network coupled to the secure PLD via the configuration I/O or a programmable I/O of the secure PLD, wherein the asset tamper attempt report comprises a copy of a tamper detection status register of the configuration engine, a time associated with the detected asset tamper attempt, a device key associated with the secure PLD, and/or a trace ID associated with the secure PLD (col 8, lines 22-29 The status result is checked at step 416. For successful programming of the PLD in the programming hardware, the process 400 proceeds to step 418 and the host disables, i.e. lock, update mode causing the programming hardware to resume normal operating mode. For unsuccessful programming of the PLD in the programming hardware, the process 400 proceeds to step 420 with user notification of the unsuccessful programming and col 8, lines 22-31 The status result is checked at step 416. For successful programming of the PLD in the programming hardware, the process 400 proceeds to step 418 and the host disables update mode causing the programming hardware to resume normal operating mode. For unsuccessful programming of the PLD in the programming hardware, the process 400 proceeds to step 420 with user notification of the unsuccessful programming and col 9, lines 10-15 At step 518, the host computer and possibly the interpreter may check the programming status result).
As per claim 8. Jacobson and Lewis disclose the secure PLD asset tamper detection management system of claim 1, Jacobson discloses wherein the secure PLD is configured to unlock the securable asset associated with the detected asset tamper attempt by: waiting a preselected tamper delay time period after the locking the securable asset; updating a lock status associated with the securable asset to unlock the securable asset (col 8, lines 22-29 The status result is checked at step 416. For successful programming of the PLD in the programming hardware, the process 400 proceeds to step 418 and the host disables, i.e. lock, update mode causing the programming hardware to resume normal operating mode. For unsuccessful programming of the PLD in the programming hardware, the process 400 proceeds to step 420 with user notification of the unsuccessful programming and col 8, lines 22-31 The status result is checked at step 416. For successful programming of the PLD in the programming hardware, the process 400 proceeds to step 418 and the host disables update mode causing the programming hardware to resume normal operating mode. For unsuccessful programming of the PLD in the programming hardware, the process 400 proceeds to step 420 with user notification of the unsuccessful programming and col 9, lines 10-15 At step 518, the host computer and possibly the interpreter may check the programming status result).
As per claim 9. Jacobson and Lewis disclose the secure PLD asset tamper detection management system of claim 1, Jacobson discloses wherein the secure PLD is configured to unlock the securable asset associated with the detected asset tamper attempt by: detecting an authenticated access to any asset of the secure PLD, wherein the authenticated access comprises an asset tamper recovery command provided to the configuration engine via the configuration I/O and/or other buses of the secure PLD (col 2, lines 32-45 The target interface is further adapted to enable, i.e. unlock, passing of configuration data to the target programmable device in response to the hardware component operating in normal mode and disable passing of configuration data in response to the hardware component operating in update mode. A path selector is coupled to the software component, the programmable device in the hardware component, and the target interface. The path selector is adapted to provide configuration data to the target interface via the at least one programmable device in response to the hardware component operating in normal mode and provide configuration data to the at least one programmable device in response to the hardware component operating in update mode.); and updating a lock status associated with the securable asset to unlock the securable asset (col 4, lines 16-32 The update for programmer 110 may contain both replacement software for programmer software 106 and replacement configuration data for PLD 112. The update mode of the programmer hardware 102 may be used to update the configuration of PLD 112 with the replacement configuration data using the replacement software for programmer software 106 followed by replacing programmer software 106 with the replacement software. It will be appreciated that either the replacement software or the replaced software for programmer software 106 may be used to program the PLD 112 with the replacement configuration data, depending on the particular updated features. Also, the update for the programmer 110 may contain certain components of the programmer software 106 and/or certain portions of the configuration data for PLD 112).
As per claims 11-19, claims are rejected based on the same rationale set forth in claims 1-9, respectively.
Allowable Subject Matter
Claims 10 and 20 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims into all the dependent claims respectively.
Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to ABU S SHOLEMAN whose telephone number is (571)270-7314. The examiner can normally be reached EST: 9am-5pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, JORGE ORTIZ CRIADO can be reached at 571-272-7624. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/ABU S SHOLEMAN/ Primary Examiner, Art Unit 2496