DETAILED ACTION
This communication is responsive to Application No. 18/779,134 filed on 07/22/2024. Claims 1-22 are pending and are directed towards DETECTION OF MALICIOUS CODE BY FORCING EXECUTION VIOLATION.
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Response to Arguments
Claim Rejections - 35 U.S.C §103
Applicant’s arguments regarding the rejection of claims 1-22 under 35 U.S.C. § 103 have been fully considered but are not persuasive. Applicant argues that Pavlyushchik discloses a “memory allocation request” and not “a call to an OS function... requesting an execution privilege for a memory region”. Examiner disagrees.
Pavlyushchik discloses a thread requesting that the OS allocate a memory page, that each page may have R/W/X attributes, and that for exploit use the allocated page must have both W and X attributes. Further, Pavlyushchik discloses that an interceptor module tracks such memory requests by intercepting the request to allocate the page. The intercepted call is not merely a generic allocation request; it is a request for a memory page having executable permissions. This sufficiently teaches “a call to an OS function… requesting an execution privilege for a memory region”. Additionally, Pavlyushchik in claim 6 states that the recording is performed only in response to a request for allocation of the first portion of memory having both write privileges and execution privileges. These passages directly undermine applicant’s interpretation of separating allocation from requesting an execution privilege, because Pavlyushchik’s relevant allocation request is the one that includes execution privilege. Applicant’s claim 1 does not require a separate OS API whose sole purpose is to add execute permission after allocation; a request for memory with X permission is still a call requesting execution privilege for that region.
Applicant also argues that Pavlyushchik does not disclose “in response to intercepting the call, removing the execution privilege requested by the call”. Examiner disagrees.
Pavlyushchik explicitly discloses this. Pavlyushchik states that when the interceptor sees a requested page with W and X attributes, it saves the page information and then, at stage 308, removes the X attribute so that the code in that page cannot be executed. Claim 7 states that the system initially enables write while disabling execute, which is analogous to removing the requested execution privilege in response to the intercepted request. Additionally, applicant emphasizes Pavlyushchik’s alternating W/X regime. Pavlyushchik’s alternation of permissions after exception handling also discloses that, upon interception of the request for W+X memory, the interceptor initially removes X. The alternating regime is an additional operational detail following the initial interception and privilege removal and hence is not inconsistent with the claimed sequence.
Applicant also states that Pavlyushchik’s trigger is only a generic allocation event, but Pavlyushchik places the interceptor in the OS path. It discloses that the interceptor may be implemented as an OS driver, as a modification of the memory dispatcher of the operating system or as part of a hypervisor. This is sufficient to support examiner’s reading that the intercepted event is an OS memory-management function call.
Additionally, applicant argues that Tosa does not cure the deficiencies of Pavlyushchik. Tosa teaches exception-driven analysis and it also reinforces the logic of removing execution permission so an attempted execution faults and can be analyzed. Tosa states that a hypervisor configures memory access permission so that an attempt to execute a target function violates the permission, and that the resulting exception causes a switch to a computer security program configured to determine whether the violation is indicative of a computer security threat. Hence, Tosa discloses detecting an exception caused by code starting to run without execution privilege and then checking whether the code is malicious or benign. Tosa teaches marking the memory page containing part of a target function as non-executable or non-readable. When a process issues a call to the target function, the call results in an attempt to execute code from that page, the processor determines that the attempt violates the page’s access permissions and generates a virtualization exception, which is then delivered to a handler. Further, a callback can notify the security application every time an attempt is made to execute the target function, and that the security application can determine whether the attempt is indicative of a security threat. This is the sort of exception-triggered benign/malicious evaluation the examiner relied on.
Pavlyushchik and Tosa address the same anti-malware problem using access-permission manipulation and exception-driven inspection. Pavlyushchik intercepts OS memory-allocation requests for W+X pages and initially disables X so execution cannot proceed unchecked. Tosa teaches configuring memory permissions so execution attempts fault and are handed to a security component that evaluates whether the event indicates a threat. Hence, it is valid to combine these teachings to ensure that requested executable memory is first stripped of execute permission and then analyzed if execution is attempted.
To better map the limitations of claim 1: intercepting a call to an operating-system (OS) function, the call requesting an execution privilege for a memory region (Pavlyushchik discloses a thread requesting that the OS allocate a memory page. The page may have R/W/X attributes, exploit-relevant pages must have both W and X, and the interceptor intercepts the requests to allocate the page. The relevant request is one for allocation of memory having both write and execution privileges).
In response to intercepting the call, removing the execution privilege requested by the call (Pavlyushchik discloses that if the page has W and X attributes, the interceptor removes the X attribute at stage 308, and the initial state is W enabled and X disabled).
Upon detecting an exception that occurs due to an executable code in the memory region starting to run without the execution privilege, checking whether the executable code in the memory region is malicious or benign (Tosa discloses marking the relevant page non-executable so that a call to the target function attempts to execute code from a page lacking execute permission, causing a virtualization exception, after which the security component determines whether the violation is indicative of a computer security threat).
In conclusion, Pavlyushchik is not limited to a generic allocation request separated from execute permissions; the intercepted request is for memory having execution privilege, and the interceptor initially removes that execute privilege. Tosa then adds the exception-triggered threat analysis, and in any event reinforces the same technical approach of forcing an execution fault by withholding execute permission and using that fault to trigger analysis. Hence, the rejection is valid and is maintained.
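As an added illustration (not code from the application, Pavlyushchik, Tosa or Zhou), the following Python model simulates the pipeline the examiner describes: a W+X allocation request is intercepted and installed with X removed, a later execution attempt from that region faults, and the fault handler classifies the region before either re-enabling X or blocking it, with the W/X alternation applied afterwards. The protection bits, region layout, the file-backing heuristic and the NOP-sled signature are constructed assumptions standing in for the "code checking rules" of the claims.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Page protection bits for the simulated OS (constructed, not a real ABI).
PROT_READ, PROT_WRITE, PROT_EXEC = 1, 2, 4


@dataclass
class Region:
    base: int
    size: int
    requested: int               # protection the caller asked for
    effective: int               # protection actually installed by the interceptor
    backing_file: Optional[str]  # None models an anonymous, memory-only mapping
    content: bytes


# Hypothetical detection rules: a constructed 8-byte NOP-sled signature, plus a
# Zhou-style heuristic that code with no file backing and no module header is
# treated as shellcode. Real rule sets are far richer; this is a stand-in.
KNOWN_BAD_SIGNATURES = (b"\x90" * 8,)


def classify(region: Region) -> str:
    """Return 'malicious' or 'benign' for code that just tried to run without X."""
    if any(sig in region.content for sig in KNOWN_BAD_SIGNATURES):
        return "malicious"
    if region.backing_file is None and not region.content.startswith(b"MZ"):
        return "malicious"
    return "benign"


@dataclass
class Monitor:
    regions: Dict[int, Region] = field(default_factory=dict)
    events: List[Tuple] = field(default_factory=list)

    def intercept_alloc(self, base: int, size: int, prot: int,
                        content: bytes = b"", backing_file: Optional[str] = None) -> int:
        """Interceptor on the OS allocation path.

        A request for a page with both W and X is recorded and installed with X
        removed; any other request passes through unchanged. Returns the
        protection actually installed.
        """
        effective = prot
        if prot & PROT_WRITE and prot & PROT_EXEC:
            effective = prot & ~PROT_EXEC
            self.events.append(("strip_x", base))
        padded = content.ljust(size, b"\x00")[:size]
        self.regions[base] = Region(base, size, prot, effective, backing_file, padded)
        return effective

    def find(self, addr: int) -> Optional[Region]:
        for r in self.regions.values():
            if r.base <= addr < r.base + r.size:
                return r
        return None

    def execute(self, addr: int) -> str:
        """Simulated instruction fetch: a page without X raises a fault routed to the handler."""
        r = self.find(addr)
        if r is None:
            raise ValueError(f"unmapped address {addr:#x}")
        if r.effective & PROT_EXEC:
            return "executed"
        return self._on_exec_fault(r)

    def _on_exec_fault(self, r: Region) -> str:
        """Exception handler: inspect the region, then either re-enable X or block."""
        verdict = classify(r)
        self.events.append(("exec_fault", r.base, verdict))
        if verdict == "benign":
            # Alternating regime: enable X but disable W, so a later write faults
            # and the page is re-inspected before it can run again.
            r.effective = (r.effective | PROT_EXEC) & ~PROT_WRITE
            return "executed"
        return "blocked"

    def write(self, addr: int, data: bytes) -> None:
        """Simulated store: a write to a W-disabled page flips it back to W enabled, X disabled."""
        r = self.find(addr)
        if r is None:
            raise ValueError(f"unmapped address {addr:#x}")
        if not r.effective & PROT_WRITE:
            r.effective = (r.effective | PROT_WRITE) & ~PROT_EXEC
            self.events.append(("write_fault", r.base))
        off = addr - r.base
        r.content = (r.content[:off] + data + r.content[off + len(data):])[:r.size]


if __name__ == "__main__":
    m = Monitor()
    # Constructed scenario: an anonymous RWX request whose content is a NOP sled.
    m.intercept_alloc(0x1000, 0x1000, PROT_READ | PROT_WRITE | PROT_EXEC, content=b"\x90" * 16)
    print(m.execute(0x1000))  # the fetch faults, the region is classified, and execution is blocked
    for e in m.events:
        print(e)
```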
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claims 1-4, 6, 7, 11-15, 17, 18 and 22 are rejected under 35 U.S.C. 103 as being unpatentable over Pavlyushchik et al. (US 20130227680 A1), hereinafter referred to as Pavlyushchik, in view of Tosa et al. (US 20150199514 A1), hereinafter referred to as Tosa.
As per claim 1, Pavlyushchik discloses a method for detecting malicious code, comprising:
in a computer, intercepting a call to an operating-system (OS) function, the call requesting an execution privilege for a memory region; (A request by a process thread running in the computer system for allocation of a first portion of memory, and then adjusting the memory access control so that either write or execute privilege is disabled, Pavlyushchik, para [0009])
in response to intercepting the call, removing the execution privilege requested by the call; and (The memory access control arrangement is adjusted to establish a limited access regime in which one of the write and execute privileges is disabled, Pavlyushchik, para [0009]).
However, Pavlyushchik does not explicitly disclose the limitation:
upon detecting an exception that occurs due to an executable code in the memory region starting to run without the execution privilege, checking whether the executable code in the memory region is malicious or benign
Tosa discloses:
upon detecting an exception that occurs due to an executable code in the memory region starting to run without the execution privilege, checking whether the executable code in the memory region is malicious or benign (The security application may thus detect an attempt by a software entity to perform a certain action, such as writing to a disk file, or accessing a memory space used by another entity. The security application may then analyze the attempt to determine, for instance, if it is indicative of a security threat, Tosa, para [0005]).
A person of ordinary skill in the art before the effective filing date of the claimed invention would have combined Pavlyushchik and Tosa by protecting a computer system against exploits (Pavlyushchik) and enabling a host system to efficiently perform computer security activities when operating in a hardware virtualization configuration (Tosa). It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to combine Pavlyushchik and Tosa in order to effectively detect malicious code (See Tosa, para [0005]).
As per claim 2, Pavlyushchik and Tosa disclose the method according to claim 1, wherein
Furthermore, Tosa discloses:
the OS function comprises a memory allocation function that allocates the memory region, or a memory access control function that controls access privileges of the memory region (Target functions may include, among others, functions of guest OS 34 performing operations such as memory allocation, Tosa, para [0036]).
A person of ordinary skill in the art before the effective filing date of the claimed invention would have combined Pavlyushchik and Tosa by protecting a computer system against exploits (Pavlyushchik) and enabling a host system to efficiently perform computer security activities when operating in a hardware virtualization configuration (Tosa). It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to combine Pavlyushchik and Tosa in order to effectively detect malicious code (See Tosa, para [0005]).
As per claim 3, Pavlyushchik and Tosa disclose the method according to claim 1, wherein
Furthermore, Tosa discloses:
the OS function comprises an application programming interface (API) memory management function that calls a corresponding OS memory management function (An application or a code module (e.g., DLL) containing the function targeted for hooking is loaded into memory and prepared for execution, Tosa, para [0037]).
A person of ordinary skill in the art before the effective filing date of the claimed invention would have combined Pavlyushchik and Tosa by protecting a computer system against exploits (Pavlyushchik) and enabling a host system to efficiently perform computer security activities when operating in a hardware virtualization configuration (Tosa). It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to combine Pavlyushchik and Tosa in order to effectively detect malicious code (See Tosa, para [0005]).
As per claim 4, Pavlyushchik and Tosa disclose the method according to claim 1, wherein
Furthermore, Tosa discloses:
intercepting the call comprises calling a callback handler that depending on a source of the call handles (i) removal of the execution privilege and (Handler 42 identifies the target function which triggered the exception according to details of the exception, and launches an appropriate callback routine 50, Tosa, para [0052])
(ii) checking of the executable code in the memory region (At step 326, it is determined whether the respective exception is triggered by an actual attempt to execute the target function and, in step 328, handler 42 may identify the target function and redirect execution to the appropriate callback (step 330), Tosa, para [0053]).
A person of ordinary skill in the art before the effective filing date of the claimed invention would have combined Pavlyushchik and Tosa by protecting a computer system against exploits (Pavlyushchik) and enabling a host system to efficiently perform computer security activities when operating in a hardware virtualization configuration (Tosa). It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to combine Pavlyushchik and Tosa in order to effectively detect malicious code (See Tosa, para [0005]).
As per claim 6, Pavlyushchik and Tosa disclose the method according to claim 4, wherein
Furthermore, Tosa discloses:
calling the callback handler comprises hooking the OS function to the callback handler, and passing control to the callback handler upon intercepting the call (Some security solutions protect a host system by intercepting a call to a specific function, using any of a multitude of techniques known as hooking. Security application 40 associates a callback routine to each target function; the callback routine will be executed instead of (or before) executing its respective target function, Tosa, para [0051]).
A person of ordinary skill in the art before the effective filing date of the claimed invention would have combined Pavlyushchik and Tosa by protecting a computer system against exploits (Pavlyushchik) and enabling a host system to efficiently perform computer security activities when operating in a hardware virtualization configuration (Tosa). It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to combine Pavlyushchik and Tosa in order to effectively detect malicious code (See Tosa, para [0005]).
As per claim 7, Pavlyushchik and Tosa disclose the method according to claim 4, wherein
Furthermore, Tosa discloses:
calling the callback handler comprises hooking to the callback handler an exception handler that is called when the exception occurs, and passing control to the callback handler via the exception handler upon detecting the exception (Handler 42 identifies the target function which triggered the exception according to details of the exception, and launches an appropriate callback routine 50, Tosa, para [0052]; at step 328, handler 42 may identify the target function, and redirect execution to the appropriate callback (step 330), Tosa, para [0053]).
A person of ordinary skill in the art before the effective filing date of the claimed invention would have combined Pavlyushchik and Tosa by protecting a computer system against exploits (Pavlyushchik) and enabling a host system to efficiently perform computer security activities when operating in a hardware virtualization configuration (Tosa). It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to combine Pavlyushchik and Tosa in order to effectively detect malicious code (See Tosa, para [0005]).
As per claim 11, Pavlyushchik and Tosa disclose the method according to claim 1, wherein
Furthermore, Pavlyushchik discloses:
checking whether the executable code in the memory region is malicious or benign comprises checking one or more portions of the executable code using one or both of (i) code checking rules, and (ii) behavioral threat protection (BTP) rules (The risk assessment can be performed by checking the memory page for the presence of known exploit signatures. The risk assessment can be done using heuristic analysis or emulation methods, Pavlyushchik, para [0032]).
As per claim 12, Pavlyushchik discloses a computer, comprising:
a memory comprising a memory region; and (Memory access control, Pavlyushchik, para [0009])
a processor, configured to: (Module can be executed on the processor(s), Pavlyushchik, para [0026])
intercept a call to an operating-system (OS) function, the call requesting an execution privilege for a memory region; (A request by a process thread running in the computer system for allocation of a first portion of memory, and then adjusting the memory access control so that either write or execute privilege is disabled, Pavlyushchik, para [0009])
in response to intercepting the call, remove the execution privilege requested by the call; and (The memory access control arrangement is adjusted to establish a limited access regime in which one of the write and execute privileges is disabled, Pavlyushchik, para [0009]).
However, Pavlyushchik does not explicitly disclose the limitation:
upon detecting an exception that occurs due to an executable code in the memory region starting to run without the execution privilege, check whether the executable code in the memory region is malicious or benign
Tosa discloses:
upon detecting an exception that occurs due to an executable code in the memory region starting to run without the execution privilege, check whether the executable code in the memory region is malicious or benign (The security application may thus detect an attempt by a software entity to perform a certain action, such as writing to a disk file, or accessing a memory space used by another entity. The security application may then analyze the attempt to determine, for instance, if it is indicative of a security threat, Tosa, para [0005]).
A person of ordinary skill in the art before the effective filing date of the claimed invention would have combined Pavlyushchik and Tosa by protecting a computer system against exploits (Pavlyushchik) and enabling a host system to efficiently perform computer security activities when operating in a hardware virtualization configuration (Tosa). It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to combine Pavlyushchik and Tosa in order to effectively detect malicious code (See Tosa, para [0005]).
As per claim 13, Pavlyushchik and Tosa disclose the computer according to claim 12, wherein
Furthermore, Tosa discloses:
the OS function comprises a memory allocation function that allocates the memory region, or a memory access control function that controls access privileges of the memory region (Target functions may include, among others, functions of guest OS 34 performing operations such as memory allocation, Tosa, para [0036]).
A person of ordinary skill in the art before the effective filing date of the claimed invention would have combined Pavlyushchik and Tosa by protecting a computer system against exploits (Pavlyushchik) and enabling a host system to efficiently perform computer security activities when operating in a hardware virtualization configuration (Tosa). It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to combine Pavlyushchik and Tosa in order to effectively detect malicious code (See Tosa, para [0005]).
As per claim 14, Pavlyushchik and Tosa disclose the computer according to claim 12, wherein
Furthermore, Tosa discloses:
the OS function comprises an application programming interface (API) memory management function that calls a corresponding OS memory management function (An application or a code module (e.g., DLL) containing the function targeted for hooking is loaded into memory and prepared for execution, Tosa, para [0037]).
A person of ordinary skill in the art before the effective filing date of the claimed invention would have combined Pavlyushchik and Tosa by protecting a computer system against exploits (Pavlyushchik) and enabling a host system to efficiently perform computer security activities when operating in a hardware virtualization configuration (Tosa). It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to combine Pavlyushchik and Tosa in order to effectively detect malicious code (See Tosa, para [0005]).
As per claim 15, Pavlyushchik and Tosa disclose the computer according to claim 12, the processor is configured to
Furthermore, Tosa discloses:
intercept the call by calling a callback handler that depending on a source of the call handles (i) removal of the execution privilege and (ii) checking of the executable code in the memory region (At step 326, it is determined whether the respective exception is triggered by an actual attempt to execute the target function and, in step 328, handler 42 may identify the target function and redirect execution to the appropriate callback (step 330), Tosa, para [0053]).
A person of ordinary skill in the art before the effective filing date of the claimed invention would have combined Pavlyushchik and Tosa by protecting a computer system against exploits (Pavlyushchik) and enabling a host system to efficiently perform computer security activities when operating in a hardware virtualization configuration (Tosa). It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to combine Pavlyushchik and Tosa in order to effectively detect malicious code (See Tosa, para [0005]).
As per claim 17, Pavlyushchik and Tosa disclose the computer according to claim 15, wherein the processor is configured to
Furthermore, Tosa discloses:
call the callback handler by hooking the OS function to the callback handler, and passing control to the callback handler upon intercepting the call (Some security solutions protect a host system by intercepting a call to a specific function, using any of a multitude of techniques known as hooking. Security application 40 associates a callback routine to each target function; the callback routine will be executed instead of (or before) executing its respective target function, Tosa, para [0051]).
A person of ordinary skill in the art before the effective filing date of the claimed invention would have combined Pavlyushchik and Tosa by protecting a computer system against exploits (Pavlyushchik) and enabling a host system to efficiently perform computer security activities when operating in a hardware virtualization configuration (Tosa). It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to combine Pavlyushchik and Tosa in order to effectively detect malicious code (See Tosa, para [0005]).
As per claim 18, Pavlyushchik and Tosa disclose the computer according to claim 15, wherein the processor is configured
Furthermore, Tosa discloses:
to call the callback handler by hooking to the callback handler an exception handler that is called when the exception occurs, and passing control to the callback handler via the exception handler upon detecting the exception (Handler 42 identifies the target function which triggered the exception according to details of the exception, and launches an appropriate callback routine 50, Tosa, para [0052]; at step 328, handler 42 may identify the target function, and redirect execution to the appropriate callback (step 330), Tosa, para [0053]).
A person of ordinary skill in the art before the effective filing date of the claimed invention would have combined Pavlyushchik and Tosa by protecting a computer system against exploits (Pavlyushchik) and enabling a host system to efficiently perform computer security activities when operating in a hardware virtualization configuration (Tosa). It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to combine Pavlyushchik and Tosa in order to effectively detect malicious code (See Tosa, para [0005]).
As per claim 22, Pavlyushchik and Tosa disclose the computer according to claim 12, wherein
Furthermore, Pavlyushchik discloses:
the processor is configured to check whether the executable code in the memory region is malicious or benign by checking one or more portions of the executable code using one or both of (i) code checking rules, and (ii) behavioral threat protection (BTP) rules (The risk assessment can be performed by checking the memory page for the presence of known exploit signatures. The risk assessment can be done using heuristic analysis or emulation methods, Pavlyushchik, para [0032]).
Claims 5, 9, 16 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Pavlyushchik et al. (US 20130227680 A1), hereinafter referred to as Pavlyushchik, in view of Tosa et al. (US 20150199514 A1), hereinafter referred to as Tosa, in further view of Zhou et al. (US 8539578 B1), hereinafter referred to as Zhou.
As per claim 5, Pavlyushchik and Tosa disclose the method according to claim 4, wherein
However, Pavlyushchik in view of Tosa does not explicitly disclose:
calling the callback handler comprises registering the callback handler to an instrumentation callback feature of the OS that passes control to the callback handler upon intercepting the call and upon detecting the exception
Zhou discloses:
calling the callback handler comprises registering the callback handler to an instrumentation callback feature of the OS that passes control to the callback handler upon intercepting the call and upon detecting the exception (An exception handler may be established 906. The handler may be designed to flag (or catch) an exception that is raised due to a page protection attribute. For example, an AddVectorExceptionHandler API may be called to establish a Vectored Exception Handler (VEH), Zhou, col 8, lines 1-5. The VEH is registered via an API to intercept exceptions caused by guard-page violations. That corresponds to registering a callback (the VEH) with the OS mechanism for exceptions, similar to the instrumentation callback feature).
A person of ordinary skill in the art before the effective filing date of the claimed invention would have combined Pavlyushchik and Tosa with Zhou by protecting a computer system against exploits (Pavlyushchik) and enabling a host system to efficiently perform computer security activities when operating in a hardware virtualization configuration (Tosa) with defending against an attack from the execution of shellcode (Zhou). It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to combine Pavlyushchik and Tosa with Zhou in order to improve the security of computing devices (See Zhou, col 8, lines 1-5).
As per claim 9, Pavlyushchik and Tosa disclose the method according to claim 1, wherein
However, Pavlyushchik in view of Tosa does not explicitly disclose:
the executable code in the memory region comprises a shellcode that is not mapped to any file in a disk of the computer
Zhou discloses:
the executable code in the memory region comprises a shellcode that is not mapped to any file in a disk of the computer (If, however, it is determined 912 that the execution code is not located in a code section (e.g., the content of the base address pointed to by the EIP does not begin with `MZ`), the execution code may be assumed to be shellcode and may be blocked or prevented 916 from executing, Zhou, col 8, lines 57-63. Zhou checks whether the execution code is in a standard code section (by checking for the MZ header) and, if not, treats it as shellcode and blocks it. This implies detecting code in memory-only regions and is analogous to checking that the code is not located in a code section).
A person of ordinary skill in the art before the effective filing date of the claimed invention would have combined Pavlyushchik and Tosa with Zhou by protecting a computer system against exploits (Pavlyushchik) and enabling a host system to efficiently perform computer security activities when operating in a hardware virtualization configuration (Tosa) with defending against an attack from the execution of shellcode (Zhou). It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to combine Pavlyushchik and Tosa with Zhou in order to improve the security of computing devices (See Zhou, col 8, lines 1-5).
As per claim 16, Pavlyushchik and Tosa disclose the computer according to claim 15, wherein
However, Pavlyushchik in view of Tosa does not explicitly disclose:
the processor is configured to call the callback handler by registering the callback handler to an instrumentation callback feature of the OS that passes control to the callback handler upon intercepting the call and upon detecting the exception
Zhou discloses:
the processor is configured to call the callback handler by registering the callback handler to an instrumentation callback feature of the OS that passes control to the callback handler upon intercepting the call and upon detecting the exception (An exception handler may be established 906. The handler may be designed to flag (or catch) an exception that is raised due to a page protection attribute. For example, an AddVectorExceptionHandler API may be called to establish a Vectored Exception Handler (VEH), Zhou, col 8, lines 1-5. The VEH is registered via an API to intercept exceptions caused by guard-page violations. That corresponds to registering a callback (the VEH) with the OS mechanism for exceptions, similar to the instrumentation callback feature).
A person of ordinary skill in the art before the effective filing date of the claimed invention would have combined Pavlyushchik and Tosa with Zhou by protecting a computer system against exploits (Pavlyushchik) and enabling a host system to efficiently perform computer security activities when operating in a hardware virtualization configuration (Tosa) with defending against an attack from the execution of shellcode (Zhou). It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to combine Pavlyushchik and Tosa with Zhou in order to improve the security of computing devices (See Zhou, col 8, lines 1-5).
As per claim 20, Pavlyushchik and Tosa disclose the computer according to claim 12, wherein
However, Pavlyushchik in view of Tosa does not explicitly disclose:
the executable code in the memory region comprises a shellcode that is not mapped to any file in a disk of the computer
Zhou discloses:
the executable code in the memory region comprises a shellcode that is not mapped to any file in a disk of the computer (If, however, it is determined 912 that the execution code is not located in a code section (e.g., the content of the base address pointed to by the EIP does not begin with `MZ`), the execution code may be assumed to be shellcode and may be blocked or prevented 916 from executing, Zhou, col 8, lines 57-63. Zhou checks whether the execution code is in a standard code section (by checking for the MZ header) and, if not, treats it as shellcode and blocks it. This implies detecting code in memory-only regions and is analogous to checking that the code is not located in a code section).
A person of ordinary skill in the art before the effective filing date of the claimed invention would have combined Pavlyushchik and Tosa with Zhou by protecting a computer system against exploits (Pavlyushchik) and enabling a host system to efficiently perform computer security activities when operating in a hardware virtualization configuration (Tosa) with defending against an attack from the execution of shellcode (Zhou). It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to combine Pavlyushchik and Tosa with Zhou in order to improve the security of computing devices (See Zhou, col 8, lines 1-5).
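The exception-callback registration discussed for claim 15 and the MZ-header check cited from Zhou for claim 20 describe one detection flow: strip the requested execute privilege, let the first execution fault, and have the handler decide whether the faulting code belongs to a file-backed image or is memory-only shellcode. The Python model below is an added example, not code from the office action or from any cited patent; its region layout, permission strings and classification labels are constructed for illustration.

```python
# Added example (constructed; not code from the office action or any cited patent).
# Simulates the flow discussed above: strip the requested X at allocation, fault on
# first execution, and let a VEH-style callback classify the faulting region.
from dataclasses import dataclass

@dataclass
class Region:
    base: int
    size: int
    perms: set              # subset of {"r", "w", "x"} currently in effect
    content: bytes          # constructed bytes; the first bytes model the header
    file_backed: bool       # True if the region is mapped from a file on disk
    x_requested: bool = False

    def contains(self, addr):
        return self.base <= addr < self.base + self.size

class ExecMonitor:
    def __init__(self):
        self.regions = []

    def allocate(self, base, size, perms, content, file_backed=False):
        """Interceptor for the allocation/protection call: remove X if it was asked for."""
        perms = set(perms)
        region = Region(base, size, perms - {"x"}, content, file_backed, "x" in perms)
        self.regions.append(region)
        return region

    def execute(self, ip):
        """Model the CPU fetching at ip; a missing X bit raises a fault to the handler."""
        region = next((r for r in self.regions if r.contains(ip)), None)
        if region is None:
            return "fault:unmapped"
        if "x" in region.perms:
            return "executed"
        return self.exception_handler(ip, region)

    def exception_handler(self, ip, region):
        """VEH-style callback: restore X only for a file-backed image with an MZ header."""
        if not region.x_requested:
            return "blocked:never-executable"
        if region.file_backed and region.content[:2] == b"MZ":
            region.perms.add("x")      # legitimate image: restore X and resume
            return "allowed:image"
        return "blocked:shellcode"
```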
Claims 8, 19 are rejected under 35 U.S.C. 103 as being unpatentable over Pavlyushchik et al. (US 20130227680 A1), hereinafter referred to as Pavlyushchik, in view of Tosa et al. (US 20150199514 A1), hereinafter referred to as Tosa, in further view of Vega et al. (US 20060005200 A1), hereinafter referred to as Vega.
As per claim 8, Pavlyushchik and Tosa disclose the method according to claim 1, wherein
However, Pavlyushchik in view of Tosa does not explicitly disclose:
the OS function comprises an intermediate OS function in an intermediate processing layer that mediates between 32-bit processing and 64-bit processing
Vega discloses:
the OS function comprises an intermediate OS function in an intermediate processing layer that mediates between 32-bit processing and 64-bit processing (Virtualized computing systems and methods for transitioning in real time between LONG SUPER-MODE and LEGACY SUPER-MODE in the x86-64 architecture, placing the transition code for performing the processor mode context switch on this page, jumping to this page, disabling the memory management unit (MMU) of the x86-64 computer hardware, modifying the mode control register to set either the LONG SUPER-MODE bit or the LEGACY SUPER-MODE bit, loading a new page table, and reactivating the MMU of the x86-64 computer hardware, Vega, Abstract. This describes a transition mechanism that mediates between execution modes (32-bit and 64-bit) at the hardware/MMU level).
A person of ordinary skill in the art before the effective filing date of the claimed invention would have combined Pavlyushchik and Tosa with Vega by protecting a computer system against exploits (Pavlyushchik) and enabling a host system to efficiently perform computer security activities when operating in a hardware virtualization configuration (Tosa) with transitioning in real time between LONG SUPER-MODE and LEGACY SUPER-MODE of virtualized computing systems (Vega). It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to combine Pavlyushchik and Tosa with Vega in order to effectively switch back and forth between LONG SUPER-MODE and LEGACY SUPER-MODE in the x86-64 architecture (See Vega, Abstract).
As per claim 19, Pavlyushchik and Tosa disclose the computer according to claim 12, wherein
However, Pavlyushchik in view of Tosa does not explicitly disclose:
the OS function comprises an intermediate OS function in an intermediate processing layer that mediates between 32-bit processing and 64-bit processing
Vega discloses:
the OS function comprises an intermediate OS function in an intermediate processing layer that mediates between 32-bit processing and 64-bit processing (Virtualized computing systems and methods for transitioning in real time between LONG SUPER-MODE and LEGACY SUPER-MODE in the x86-64 architecture, placing the transition code for performing the processor mode context switch on this page, jumping to this page, disabling the memory management unit (MMU) of the x86-64 computer hardware, modifying the mode control register to set either the LONG SUPER-MODE bit or the LEGACY SUPER-MODE bit, loading a new page table, and reactivating the MMU of the x86-64 computer hardware, Vega, Abstract. This describes a transition mechanism that mediates between execution modes (32-bit and 64-bit) at the hardware/MMU level).
A person of ordinary skill in the art before the effective filing date of the claimed invention would have combined Pavlyushchik and Tosa with Vega by protecting a computer system against exploits (Pavlyushchik) and enabling a host system to efficiently perform computer security activities when operating in a hardware virtualization configuration (Tosa) with transitioning in real time between LONG SUPER-MODE and LEGACY SUPER-MODE of virtualized computing systems (Vega). It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to combine Pavlyushchik and Tosa with Vega in order to effectively switch back and forth between LONG SUPER-MODE and LEGACY SUPER-MODE in the x86-64 architecture (See Vega, Abstract).
Claims 10, 21 are rejected under 35 U.S.C. 103 as being unpatentable over Pavlyushchik et al. (US 20130227680 A1), hereinafter referred to as Pavlyushchik, in view of Tosa et al. (US 20150199514 A1), hereinafter referred to as Tosa, in further view of Epstein et al. (US 9256552 B2), hereinafter referred to as Epstein.
As per claim 10, Pavlyushchik and Tosa disclose the method according to claim 1, wherein
However, Pavlyushchik in view of Tosa does not explicitly disclose:
the executable code in the memory region comprises code that was loaded to the memory region from a disk of the computer
Epstein discloses:
the executable code in the memory region comprises code that was loaded to the memory region from a disk of the computer (Intercepting an OPEN system call, intercepting the READ or MMAP system call, modifying the READ or MMAP system call to comprise a memory allocation call, populating the allocated memory with the contents, Epstein, col 24, lines 27-34. This indicates that executable pages that would normally be mapped from disk (via MMAP or READ) are instead intercepted and allocated/populated manually in memory. It indicates code or data being loaded into memory from a disk file, mediated by interception).
A person of ordinary skill in the art before the effective filing date of the claimed invention would have combined Pavlyushchik and Tosa with Epstein by protecting a computer system against exploits (Pavlyushchik) and enabling a host system to efficiently perform computer security activities when operating in a hardware virtualization configuration (Tosa) with establishing different memory access permissions (Epstein). It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to combine Pavlyushchik and Tosa with Epstein in order to effectively improve the resistance of virtualized computer programs against various kinds of unauthorized use or attacks (See Epstein, col 24, lines 27-34).
As per claim 21, Pavlyushchik and Tosa disclose the computer according to claim 12, wherein
However, Pavlyushchik in view of Tosa does not explicitly disclose:
the executable code in the memory region comprises code that was loaded to the memory region from a disk of the computer
Epstein discloses:
the executable code in the memory region comprises code that was loaded to the memory region from a disk of the computer (Intercepting an OPEN system call, intercepting the READ or MMAP system call, modifying the READ or MMAP system call to comprise a memory allocation call, populating the allocated memory with the contents, Epstein, col 24, lines 27-34. This indicates that executable pages that would normally be mapped from disk (via MMAP or READ) are instead intercepted and allocated/populated manually in memory. It indicates code or data being loaded into memory from a disk file, mediated by interception).
A person of ordinary skill in the art before the effective filing date of the claimed invention would have combined Pavlyushchik and Tosa with Epstein by protecting a computer system against exploits (Pavlyushchik) and enabling a host system to efficiently perform computer security activities when operating in a hardware virtualization configuration (Tosa) with establishing different memory access permissions (Epstein). It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to combine Pavlyushchik and Tosa with Epstein in order to effectively improve the resistance of virtualized computer programs against various kinds of unauthorized use or attacks (See Epstein, col 24, lines 27-34).
Conclusion
THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to RAGHAVENDER CHOLLETI whose telephone number is (703) 756-1065. The examiner can normally be reached M-F 9am-5pm ET.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, RUPAL DHARIA can be reached on (571) 272-3880. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
Respectfully submitted,
/RAGHAVENDER NMN CHOLLETI/Examiner, Art Unit 2492
/RUPAL DHARIA/Supervisory Patent Examiner, Art Unit 2492