Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Claims 1-20 are presented for examination.
Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.
Claims 1-20 are rejected under 35 U.S.C. 101 because the claimed invention is directed to a judicial exception (i.e., a law of nature, a natural phenomenon, or an abstract idea) without significantly more.
Claim 1, 8 and 15 as drafted, recite a process that, under its broadest reasonable interpretation, covers steps that could reasonably be performed in the mind, including with the aid of pen and paper, but for the recitation of generic computer components. That is, the limitations “determining whether the current state of the operating system matches a verified state of the operating system based on the first metadata and based on second metadata indicative of the verified state” and “verifying compliance of the operating system with the functional safety standard” as drafted, is a process that, under its broadest reasonable interpretation, recite the abstract idea of mental processes. These limitations encompass a human mind carrying out these functions through observation, evaluation, judgment and /or opinion, or even with the aid of pen and paper. Thus, these limitations recite and fall within the “Mental Processes” grouping of abstract ideas.
This judicial exception is not integrated into a practical application. The claims recites the following additional elements “a processing device” and “a memory device including instructions that are executable by the processing device for causing the processing device to perform operations comprising” and “receiving first metadata indicative of a current state of an operating system”, “the operating system being usable to execute one or more software services”, “the operating system being associated with a functional safety standard”, “the second metadata being stored in an operating system software bill of material (SBOM)”, and “executing, via the operating system, the one or more software services”. The additional elements “a processing device” and “a memory device including instructions that are executable by the processing device for causing the processing device to perform operations comprising” are merely instructions to implement an abstract idea on a computer, or merely using a generic computer or computer components as a tool to perform the abstract idea. See MPEP 2106.05(f). The additional elements “receiving first metadata indicative of a current state of an operating system”, “the operating system being usable to execute one or more software services”, “the operating system being associated with a functional safety standard”, “the second metadata being stored in an operating system software bill of material (SBOM)”, and “executing, via the operating system, the one or more software services” do nothing more than add insignificant extra solution activity to the judicial exception, such as data gathering and outputting the results of the abstract idea, to perform a task. See MPEP 2106.05(g). Accordingly, the additional elements recited in the claims do not integrate the abstract idea into a practical application because it does not impose any meaningful limits on practicing the abstract idea, thus fail to integrate the abstract idea into a practical application.
The claims do not include additional elements that are sufficient to amount to significantly more than the judicial exception. As discussed above with respect to integration of the abstract idea into a practical application, the additional elements “a processing device” and “a memory device including instructions that are executable by the processing device for causing the processing device to perform operations comprising” are generic computer components and instructions used as the tools to perform the abstract idea. See MPEP 2106.05(f). As to the additional elements “receiving first metadata indicative of a current state of an operating system”, “the operating system being usable to execute one or more software services”, “the operating system being associated with a functional safety standard”, “the second metadata being stored in an operating system software bill of material (SBOM)”, and “executing, via the operating system, the one or more software services”, the courts have identified gathering data and displaying the output of the abstract idea is well-understood, routine, conventional activity. See MPEP 2106.05(d). Accordingly, the additional elements recited in the claims cannot provide an inventive concept. Thus, the claims are not patent eligible.
Claim 2, 9 and 16 as drafted, recite a process that, under its broadest reasonable interpretation, covers steps that could reasonably be performed in the mind, including with the aid of pen and paper, but for the recitation of generic computer components. That is, the limitation “generating a plurality of software component SBOMs, wherein each software component SBOM of the plurality of software component SBOMs comprises additional metadata associated with each software component of a plurality of software components, wherein the operating system comprises the plurality of software components” as drafted, is a process that, under its broadest reasonable interpretation, recite the abstract idea of mental processes. These limitations encompass a human mind carrying out these functions through observation, evaluation, judgment and /or opinion, or even with the aid of pen and paper. Thus, these limitations recite and fall within the “Mental Processes” grouping of abstract ideas.
Claim 3, 10 and 17 as drafted, recite a process that, under its broadest reasonable interpretation, covers steps that could reasonably be performed in the mind, including with the aid of pen and paper, but for the recitation of generic computer components. That is, the limitation “generating the operating system SBOM using the plurality of software component SBOMs, wherein the second metadata in the operating system SBOM comprises the additional metadata associated with each software component of the of the plurality of software components” as drafted, is a process that, under its broadest reasonable interpretation, recite the abstract idea of mental processes. These limitations encompass a human mind carrying out these functions through observation, evaluation, judgment and /or opinion, or even with the aid of pen and paper. Thus, these limitations recite and fall within the “Mental Processes” grouping of abstract ideas.
Claim 4, 11 and 18 recites the additional element “based on determining that the current state of the operating system does not match the verified state, updating at least one software component of the operating system” which does nothing more than add insignificant extra solution activity to the judicial exception, such as data gathering and outputting the results of the abstract idea, to perform a task. See MPEP 2106.05(g). Accordingly, the additional elements recited in the claims do not integrate the abstract idea into a practical application because it does not impose any meaningful limits on practicing the abstract idea, thus fail to integrate the abstract idea into a practical application.
The claims do not include additional elements that are sufficient to amount to significantly more than the judicial exception. The courts have identified gathering data and displaying the output of the abstract idea is well-understood, routine, conventional activity. See MPEP 2106.05(d). Accordingly, the additional elements recited in the claims cannot provide an inventive concept. Thus, the claims are not patent eligible.
Claim 5, 12 and 19 recites the additional element “based on determining that the current state of the operating system does not match the verified state, generating an alert and transmitting the alert to a user device associated with the operating system” which does nothing more than add insignificant extra solution activity to the judicial exception, such as data gathering and outputting the results of the abstract idea, to perform a task. See MPEP 2106.05(g). Accordingly, the additional elements recited in the claims do not integrate the abstract idea into a practical application because it does not impose any meaningful limits on practicing the abstract idea, thus fail to integrate the abstract idea into a practical application.
The claims do not include additional elements that are sufficient to amount to significantly more than the judicial exception. The courts have identified gathering data and displaying the output of the abstract idea is well-understood, routine, conventional activity. See MPEP 2106.05(d). Accordingly, the additional elements recited in the claims cannot provide an inventive concept. Thus, the claims are not patent eligible.
Claim 6, 13 and 20 recites the additional element “providing access for the one or more software services associated with the operating system to one or more SBOM application programming interfaces” which does nothing more than add insignificant extra solution activity to the judicial exception, such as data gathering and outputting the results of the abstract idea, to perform a task. See MPEP 2106.05(g). Accordingly, the additional elements recited in the claims do not integrate the abstract idea into a practical application because it does not impose any meaningful limits on practicing the abstract idea, thus fail to integrate the abstract idea into a practical application.
The claims do not include additional elements that are sufficient to amount to significantly more than the judicial exception. The courts have identified gathering data and displaying the output of the abstract idea is well-understood, routine, conventional activity. See MPEP 2106.05(d). Accordingly, the additional elements recited in the claims cannot provide an inventive concept. Thus, the claims are not patent eligible.
Claim 7 and 14 further defines “the second metadata” as part of the “receiving” function set forth in the claims from which they depend, thus, are also considered to do nothing more than add insignificant extra solution activity to the judicial exception, such as data gathering and outputting the results of the abstract idea, to perform a task, which do not integrate the abstract idea into a practical application because it does not impose any meaningful limits on practicing the abstract idea, thus fail to integrate the abstract idea into a practical application. See MPEP 2106.05(g). Further, the courts have identified gathering data and displaying the output of the abstract idea is well-understood, routine, conventional activity. See MPEP 2106.05(d). Accordingly, the additional elements recited in the claims cannot provide an inventive concept. Thus, the claims are not patent eligible.
Claims 1-7 are rejected under 35 U.S.C. 101 because the claimed invention is directed to non-statutory subject matter.
Claim 1 is rejected under 35 USC 101. The claimed invention is directed to non-statutory subject matter. Claim 1 recites “processing device and memory device” under BRI can include transitory type of medium in view of spec paragraph 31-33 which provides “non-limiting examples” which is open ended. Therefore, the system claim is non- statutory.
Claims 2-7 are also rejected under 35 USC 101 for failing to cure the deficiency from their respective parent claim by dependency.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
Claim(s) 1-3, 5-10, 12-17, 19 and 20 is/are rejected under 35 U.S.C. 103 as being unpatentable over Duggan (US 2023/0359744 A1) in view of Pearson (US 11,436,317 B2).
Regarding Claim 1, Duggan (US 2023/0359744 A1) teaches
A system comprising: a processing device; and a memory device including instructions that are executable by the processing device for causing the processing device to perform operations comprising:
receiving first metadata indicative of a current state of an operating system, (Para [0020], “The method 200 starts at step 202 with obtaining software code and a SBOM corresponding to the software code… the server can obtain the SBOM from at least one of a software developer device… or a software provider”) Examiner Comments: Duggan’s obtained software code and accompanying SBOM data reflect the current composition (i.e., current state) of the underlying software/operating system in use, which reads on receiving the claimed first metadata.
the operating system being usable to execute one or more software services, and (Para [0011], “The software code can also be executed on the software service platform 106 to provide software service to the client device 108. Examples of the software services can include software as a service (SaaS) applications such as SALESFORCE, OFFICE 365, or other software application services”) Examiner Comments: Duggan expressly teaches that the underlying platform (including its operating system) executes software code to provide one or more software services, which directly reads on the claimed limitation.
the operating system being associated with a functional safety standard; (Para [0032], “if a particular functionality complies with IEC 16508, which is an international functional safety standard that provides a framework for safety lifecycle activities, the particular functionality can be determined as less likely to be vulnerable”) Examiner Comments: Duggan expressly contemplates association of the software/system with a functional safety standard (IEC 61508 is referenced), which directly maps to the claimed functional safety standard association.
determining whether the current state of the operating system matches a verified state of the operating system based on the first metadata and based on second metadata indicative of the verified state, the second metadata being stored in an operating system software bill of material (SBOM); and (Para [0025]-[0026], “A SBOM is a nested inventory of its corresponding software code… the SBOM can include one or more of library information, document creation information, package information, file information, snippet information, licensing information, relationship information, and annotations. The library information can include a list of open software libraries and/or closed software libraries used by the software code. For each library, the library information can also include a corresponding vulnerability level indicating whether the library is vulnerable”) Examiner Comments: Duggan teaches storing component-level metadata (versions, hashes, license/security information) in an SBOM that includes a corresponding vulnerability level for each library, which corresponds to second metadata indicative of a verified state stored in the SBOM that is used to determine whether the current state matches the verified state.
based on determining that the current state of the operating system matches the verified state, verifying compliance of the operating system with the functional safety standard and executing, via the operating system, the one or one software services. (Para [0057], “the risk assessment can be compared to rules defined in a security policy to prevent the execution of the software on some client devices”) Examiner Comments: Duggan teaches that when the SBOM-derived risk assessment is consistent with the security/safety policy, execution of the software is permitted, which corresponds to verifying compliance with the functional safety standard and executing the software service via the operating system.
Duggan did not specifically teach
determining whether the current state of the operating system matches a verified state of the operating system based on the first metadata and based on second metadata indicative of the verified state.
However, Pearson (US 11,436,317 B2) teaches
determining whether the current state of the operating system matches a verified state of the operating system based on the first metadata and based on second metadata indicative of the verified state, (Claim 1, “a host computing processing system configured to load the system data within system RAM, the system data being associated with an operating system of the host computing processing system; an external hardware module being configured to monitor the system data before the system data is loaded into the host computing device, and the external hardware module is configured to automatically store validity data in persistent memory of the external hardware module before the system data is loaded into the host computing device responsive to the monitoring of the system data without being remotely modified by the host, wherein the validity data is associated with the system data, and the external hardware module being configured to determine at runtime when there is a security violation based on mutations to the system data by comparing the validity data stored on the external hardware module with the loaded system data on the host computing processing system, wherein the external hardware module is located remotely from the host computing processing system”) Examiner Comments: Pearson expressly teaches comparing currently-loaded operating-system data (current state) against previously-stored validity data (verified state) of the kernel/operating system, which reads on the claimed determination of whether the current state matches the verified state based on first and second metadata.
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Duggan’s SBOM-based component analysis with Pearson’s runtime integrity verification in order to extend Duggan’s SBOM-driven compliance/risk evaluation from a build-time analysis into an ongoing, runtime trust mechanism by which the actually-loaded operating-system data is continuously matched against pre-stored validity data, thereby detecting unauthorized mutations to safety-critical operating-system components and ensuring that only an operating system whose runtime state matches its verified state is permitted to execute safety-relevant software services (Pearson [Summary]; Duggan para [0031], [0040]).
Regarding Claim 2, Duggan and Pearson teach
The system of Claim 1.
wherein the operations further comprise generating a plurality of software component SBOMs, wherein each software component SBOM of the plurality of software component SBOMs comprises additional metadata associated with each software component of a plurality of software components, wherein the operating system comprises the plurality of software components. (Duggan, Para [0026], “the SBOM can include one or more of library information, document creation information, package information, file information, snippet information, licensing information, relationship information, and annotations. The library information can include a list of open software libraries and/or closed software libraries used by the software code. For each library, the library information can also include a corresponding vulnerability level”) Examiner Comments: Duggan teaches generating SBOM-encoded library/component information that captures per-component (i.e., per-software-component-SBOM) metadata, which reads on the claimed plurality of software component SBOMs containing additional metadata for each software component.
Regarding Claim 3, Duggan and Pearson teach
The system of Claim 2.
wherein the operations further comprise generating the operating system SBOM using the plurality of software component SBOMs, wherein the second metadata in the operating system SBOM comprises the additional metadata associated with each software component of the of the plurality of software components. (Duggan, Para [0025]-[0026], “A SBOM is a nested inventory of its corresponding software code. The SBOM can include a list of the open source and/or closed source components present in the software code… The library information can include a list of open software libraries and/or closed software libraries used by the software code”) Examiner Comments: Duggan teaches a nested SBOM containing aggregated component metadata derived from individual software components, which reads on the claimed operating system SBOM that incorporates the additional metadata of each software component SBOM.
Regarding Claim 5, Duggan and Pearson teach
The system of Claim 1.
Duggan did not specifically teach
based on determining that the current state of the operating system does not match the verified state, generating an alert and transmitting the alert to a user device associated with the operating system.
However, Pearson (US 11,436,317 B2) teaches
based on determining that the current state of the operating system does not match the verified state, generating an alert and transmitting the alert to a user device associated with the operating system. (Col. 3: ln. 5-30, “Upon detecting the security violation, a reset line of the host may be immediately asserted, followed by a host power down, and the presence of the security violation can be made known to the system operator by common technical means. For example, the security violation may be known via an error light, SNMP message, IPMI alert, or any other means of communicating an error message”) Examiner Comments: Pearson teaches generating a notification (security violation signal) to an operator console/user device when a discrepancy is detected between current and verified state, which reads on the claimed alert generation and transmission.
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Duggan with Pearson in order to notify the operator/user device when an integrity violation between current and verified operating-system state is detected, thereby providing operators visibility into the safety-compliance posture of the deployed operating system (Pearson [Summary]).
Regarding Claim 6, Duggan and Pearson teach
The system of Claim 1.
wherein the operations further comprise providing access for the one or more software services associated with the operating system to one or more SBOM application programming interfaces. (Duggan, Para [0064], “any and/or all the components of the computer 300, both hardware and/or software, may interface with each other and/or the interface 302 over the system bus 312 using an API 308 and/or a service layer 310… The service layer 310 provides software services to the computer 300. The functionality of the computer 300 may be accessible for all service consumers using this service layer”) Examiner Comments: Duggan teaches that software services on the platform access SBOM-related functionality via an API/service layer, which reads on the claimed providing access for software services to one or more SBOM APIs.
Regarding Claim 7, Duggan and Pearson teach
The system of Claim 1.
wherein the second metadata comprises a digital signature or a checksum. (Duggan, Para [0026], “The file information can include a file’s important metadata, including its name, checksum licenses, copyright, etc.”) Examiner Comments: Duggan expressly teaches storing checksum metadata in the SBOM file information, which reads on the claimed second metadata comprising a checksum (or digital signature).
Regarding Claims 8-10 and 12-14, these claims recite a method comprising substantially the same limitations as those of the corresponding system Claims 1-3 and 5-7, respectively, and are rejected under the same combination of Duggan in view of Pearson for the same reasons as set forth above with respect to Claims 1-3 and 5-7.
Regarding Claims 15-17, 19 and 20, these claims recite a non-transitory computer-readable medium comprising program code that performs operations substantially the same as those of the corresponding system Claims 1-3, 5 and 6, respectively, and are rejected under the same combination of Duggan in view of Pearson for the same reasons as set forth above.
Claim(s) 4, 11 and 18 is/are rejected under 35 U.S.C. 103 as being unpatentable over Duggan (US 2023/0359744 A1) in view of Pearson (US 11,436,317 B2) and further in view of Kushwaha (US 2020/0218531 A1).
Regarding Claim 4, Duggan and Pearson teach
The system of Claim 1.
Duggan and Pearson did not specifically teach
based on determining that the current state of the operating system does not match the verified state, updating at least one software component of the operating system.
However, Kushwaha (US 2020/0218531 A1) teaches
based on determining that the current state of the operating system does not match the verified state, updating at least one software component of the operating system. (Para [0042]-[0043], “update engine 406 identifies the software state of the ECUs 210 in the vehicle 120 (step 510). The software state indicates the software components presently installed on a vehicle 120… For the OTA update, update engine 406 selects a set (i.e., a grouping of two or more) of updated software components 410-415 for installation in the vehicle 120 (step 512), and generates an update plan for installing the set of updated software components 410-415 in the vehicle 120 (step 514) based on the software state of the vehicle 120 and the authorized software configuration 422 for the vehicle 120”) Examiner Comments: Kushwaha teaches that, based on a comparison between the currently installed software state and the manufacturer-verified authorized software configuration, the system selects and installs updated software components, which directly reads on updating at least one software component of the operating system when the current state does not match the verified state.
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Duggan and Pearson’s SBOM-based state-verification with Kushwaha’s software component update mechanism in order to automatically remediate detected divergence between the current software state and the manufacturer-verified authorized configuration by selecting and installing updated software components on the operating system, thereby restoring the operating system to its verified, safety-compliant baseline without requiring manual intervention and ensuring continuing compliance with functional safety requirements (Kushwaha [Summary], paras [0042]-[0043]).
Regarding Claim 11, this claim recites the method counterpart of Claim 4 and is rejected under the same combination of Duggan in view of Pearson and further in view of Kushwaha for the same reasons as set forth above with respect to Claim 4.
Regarding Claim 18, this claim recites the non-transitory computer-readable medium counterpart of Claim 4 and is rejected under the same combination of Duggan in view of Pearson and further in view of Kushwaha for the same reasons as set forth above with respect to Claim 4.
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to AMIR SOLTANZADEH whose telephone number is (571)272-3451. The examiner can normally be reached M-F, 9am - 5pm ET.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Wei Mui can be reached at (571) 272-3708. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/AMIR SOLTANZADEH/Examiner, Art Unit 2191 /WEI Y MUI/Supervisory Patent Examiner, Art Unit 2191