DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
This office action is in response to preliminary amendment filed on 10/28/2024.
Applicant amended claims 10, 26-29, and 33 in the preliminary amendment. Claims 12-25, 30-32 are cancelled.
Claims 1-11, 26-29 and 33 are present for examination.
Information Disclosure Statement
It is hereby acknowledged that the following papers have been received and placed of record in the file:
Information Disclosure Statement(s) as received on 10/28/2024 is/are considered by the Examiner.
Claim Objections
Claim 28 is objected to because of the following informalities:
Claim 28 uses acronyms without stating what the acronyms stand for or represent. For example, claim 28 recites “FPGAs” in line 2. It should read “field-programmable gate arrays (FPGAs)”. This needs to be done for each first occurrence of an acronym in the Claims.
Appropriate correction is required.
Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b) CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.
The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.
Claims 3-11 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention.
Regarding claim 3, claim limitation recites “C0,j, …, CM-1,j” in line 3, which renders the claim vague and indefinite. Please define “C0,j, …, CM-1,j”.
Claim 4 recites the limitation "the hardware circuitry" in line 2. There is insufficient antecedent basis for this limitation in the claim.
Regarding claim 4, claim limitation recites “<C0,j, …, CM-1,j>” in line 3, which renders the claim vague and indefinite. Please define “<C0,j, …, CM-1,j>”.
Claim 6 recites the limitation "the hardware circuitry" in line 2. There is insufficient antecedent basis for this limitation in the claim.
Claim 9 recites the limitation "the binary representation(s)" in line 3. There is insufficient antecedent basis for this limitation in the claim.
Claim 9 recites the limitation "the binary representation Ai" in line 9. There is insufficient antecedent basis for this limitation in the claim.
Regarding claim 10, claim limitation recites “Ai’ to Ci’” in line 6, which renders the claim vague and indefinite. Please define “Ai’ to Ci’”.
Regarding claim 11, claim limitation recites “C’i’” in line 3, which renders the claim vague and indefinite. Please define
All dependent claims are rejected as having the same deficiencies as the claims they depend from.
Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –
(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.
Claim(s) 1-11, 26-29, and 33 is/are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Sutherland (WO 2020/150351 A1).
Regarding claim 1, Sutherland discloses
A method implemented by tag processing hardware (tag processing hardware 140, page 5), the method comprising acts of:
receiving information relating to one or more instructions executed by a host system (page 5, lines 3-10: tag processing hardware 140 may be provided to ensure that instructions being executed by the host processor 110 comply with one or more policies; the tag processing hardware 140 may include any suitable circuit component or combination of circuit components);
using the information relating to the one or more instructions to construct an input pattern (page 19, lines 4-7: the tag processing hardware 140 may construct an input metadata pattern; & page 53, lines 3-5: processing the metadata input based on the one or more classification bits comprises: using the metadata input to construct an input for looking up a rule cache storing one or more allowed metadata input patterns);
processing, in hardware, the input pattern to obtain at least one indicator (page 21, lines 4-7: the tag register corresponding to the address register R0 stores a binary representation of the metadata label RED, augmented with a comparison bit that is set to 1; this is shown in FIG. 4 as <<RED>>*1, and may indicate that a comparison (e.g., equality checking) is to be performed on the metadata symbol RED);
determining whether the at least one indicator matches at least one parameter, wherein the at least one parameter is selected based on one or more policies being enforced by the tag processing hardware (page 19, lines 10-14: the metadata label RED is associated with the address register R0, but the metadata label GREEN is associated with the application memory address 0x1234; because of this mismatch, the tag processing hardware may indicate to the host processor that the store instruction violates the access control policy and therefore should not be allowed; & page 21, line 34 – page 22, line 4: the hardware accelerator 500 may compare selected portions of the metadata inputs (e.g., <<RED>> and <<GREEN>>) to determine if there is a match, and may provide a comparison output accordingly; if at least one of the comparison bits is not set to 1, then the hardware accelerator 500 may forward the metadata inputs (or selected portions thereof, e.g., <<RED>> and <<GREEN>>, without comparison bits) to the rule cache 144 for further processing); and
in response to determining that the at least one indicator does not match the at least one parameter, sending a signal to the host system to indicate a violation of the one or more policies (page 19, lines 10-14: the metadata label RED is associated with the address register R0, but the metadata label GREEN is associated with the application memory address 0x1234; because of this mismatch, the tag processing hardware may indicate to the host processor that the store instruction violates the access control policy and therefore should not be allowed).
Regarding claim 2, Sutherland discloses the method as described in claim 1. Sutherland further discloses
the input pattern comprises M input slots, where M>=1 (page 21, lines 4-7: the tag register corresponding to the address register R0 stores a binary representation of the metadata label RED, augmented with a comparison bit that is set to 1; this is shown in FIG. 4 as <<RED>>*1, and may indicate that a comparison (e.g., equality checking) is to be performed on the metadata symbol RED; & page 53, lines 3-5: processing the metadata input based on the one or more classification bits comprises: using the metadata input to construct an input for looking up a rule cache storing one or more allowed metadata input patterns);
for each i = 0, …, M-1:
the i-th input slot comprises a binary representation Ci of a metadata label Li (page 21, lines 4-7: the tag register corresponding to the address register R0 stores a binary representation of the metadata label RED, augmented with a comparison bit that is set to 1; this is shown in FIG. 4 as <<RED>>*1, and may indicate that a comparison (e.g., equality checking) is to be performed on the metadata symbol RED); and
the binary representation Ci comprises a bit string of length N, where N >= 1 (page 21, lines 4-7: the tag register corresponding to the address register R0 stores a binary representation of the metadata label RED, augmented with a comparison bit that is set to 1; this is shown in FIG. 4 as <<RED>>*1, and may indicate that a comparison (e.g., equality checking) is to be performed on the metadata symbol RED).
Regarding claim 3, Sutherland discloses the method as described in claim 2. Sutherland further discloses
the at least one indicator comprises an indicator computed based at least in part on C0,j, …, CM-1,j for some j = 0, …, N-1 (page 19, lines 10-14: the metadata label RED is associated with the address register R0, but the metadata label GREEN is associated with the application memory address 0x1234; because of this mismatch, the tag processing hardware may indicate to the host processor that the store instruction violates the access control policy and therefore should not be allowed; & page 21, lines 4-7: the tag register corresponding to the address register R0 stores a binary representation of the metadata label RED, augmented with a comparison bit that is set to 1; this is shown in FIG. 4 as <<RED>>*1, and may indicate that a comparison (e.g., equality checking) is to be performed on the metadata symbol RED).
Regarding claim 4, Sutherland discloses the method as described in claim 3. Sutherland further discloses
the hardware circuitry is configured to multiply a V×M matrix H with a result of transposing <C0,j, …, CM-1,j>, where V >= 1 (page 34, line 30 – page 35, line 22: by contrast, with M separate rules each involving just one variable, M × N rule cache entries may be sufficient; the inventors have recognized and appreciated that, where M is constant (e.g., two variables, one for access control and the other for information flow), M × N grows more slowly than N^M as N (the number of distinct color values) grows).
Regarding claim 5, Sutherland discloses the method as described in claim 4. Sutherland further discloses
the matrix H is selected based on the one or more policies being enforced by the tag processing hardware (page 34, line 30 – page 35, line 22: by contrast, with M separate rules each involving just one variable, M × N rule cache entries may be sufficient; the inventors have recognized and appreciated that, where M is constant (e.g., two variables, one for access control and the other for information flow), M × N grows more slowly than N^M as N (the number of distinct color values) grows; for instance, a composite rule cache entry may be constructed as a matrix of M rows, where each row corresponds to a respective policy rule and stores a constituent rule cache entry for that policy rule).
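As an added illustration of the mechanism the rejection of claims 1-5 cites (not code from Sutherland or from the applicant): a software model in which each input slot carries an N-bit label representation plus a comparison bit, the indicator is the product of a policy-selected V×M matrix H with the transposed column <C0,j, …, CM-1,j>, a mismatch against the policy's expected parameter signals a violation, and inputs with a cleared comparison bit are forwarded to the rule cache instead. The label encodings, the choice of GF(2) arithmetic for the multiplication, the equality-policy matrix H = [[1, 1]], and checking every bit position j rather than a single j are all assumptions for the example.

```python
from dataclasses import dataclass
from typing import List

# Constructed label encodings: N = 4 bits per label (an assumption for this example).
N = 4
LABELS = {"RED": 0b0001, "GREEN": 0b0010, "BLUE": 0b0100}


@dataclass(frozen=True)
class Slot:
    """One input slot: the binary representation C_i of a metadata label L_i,
    plus the comparison bit shown as <<RED>>*1 in the cited FIG. 4."""
    label: str
    compare: bool

    @property
    def c(self) -> int:
        return LABELS[self.label]


def column(pattern: List[Slot], j: int) -> List[int]:
    """<C_{0,j}, ..., C_{M-1,j}>: bit j of every one of the M slots (claims 3-4)."""
    return [(s.c >> j) & 1 for s in pattern]


def indicator(pattern: List[Slot], h: List[List[int]], j: int) -> List[int]:
    """Multiply the V x M matrix H by the transposed column vector.
    GF(2) arithmetic is an assumption; the claim only says 'multiply'."""
    col = column(pattern, j)
    return [sum(a * b for a, b in zip(row, col)) % 2 for row in h]


# Policy parameter (claim 5): for an equality access-control policy over two
# slots, H = [[1, 1]] is a one-row XOR, and the expected indicator is zero.
ACCESS_CONTROL_H = [[1, 1]]
ACCESS_CONTROL_EXPECTED = [0]


def tag_check(pattern: List[Slot],
              h: List[List[int]] = ACCESS_CONTROL_H,
              expected: List[int] = ACCESS_CONTROL_EXPECTED) -> str:
    """Model of the cited flow: comparison bits gate whether the accelerator
    compares at all; a mismatch signals a violation to the host; otherwise the
    inputs are forwarded to the rule cache for further processing."""
    if not all(s.compare for s in pattern):
        return "rule-cache"          # forward inputs to rule cache 144
    for j in range(N):               # generalises claim 3's single j to all j
        if indicator(pattern, h, j) != expected:
            return "violation"       # signal host: instruction violates policy
    return "allowed"


if __name__ == "__main__":
    r0 = Slot("RED", True)           # tag on address register R0 (constructed)
    mem = Slot("GREEN", True)        # tag on application memory address 0x1234
    print(tag_check([r0, mem]))      # violation: RED vs GREEN mismatch
```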
Regarding claim 6, Sutherland discloses the method as described in claim 1. Sutherland further discloses
processing, via the hardware circuitry, the input pattern to obtain an output pattern (page 15, lines 29-32: rule cache 144 in the example of FIG. 1 may map input tags to output tags; & page 53, lines 10-13: using the metadata input to construct an input for looking up a rule cache storing one or more entries that map metadata input patterns to metadata output patterns).
Regarding claim 7, Sutherland discloses the method as described in claim 6. Sutherland further discloses
the input pattern comprises M input slots, where M>=1 (page 21, lines 4-7: the tag register corresponding to the address register R0 stores a binary representation of the metadata label RED, augmented with a comparison bit that is set to 1; this is shown in FIG. 4 as <<RED>>*1, and may indicate that a comparison (e.g., equality checking) is to be performed on the metadata symbol RED; & page 53, lines 3-5: processing the metadata input based on the one or more classification bits comprises: using the metadata input to construct an input for looking up a rule cache storing one or more allowed metadata input patterns);
for each i = 0, …, M-1:
the i-th input slot comprises a binary representation Ci of a metadata label Li (page 21, lines 4-7: the tag register corresponding to the address register R0 stores a binary representation of the metadata label RED, augmented with a comparison bit that is set to 1; this is shown in FIG. 4 as <<RED>>*1, and may indicate that a comparison (e.g., equality checking) is to be performed on the metadata symbol RED); and
the binary representation Ci comprises a bit string of length N, where N>= 1 (page 21, lines 4-7: the tag register corresponding to the address register R0 stores a binary representation of the metadata label RED, augmented with a comparison bit that is set to 1; this is shown in FIG. 4 as <<RED>>*1, and may indicate that a comparison (e.g., equality checking) is to be performed on the metadata symbol RED); and
the output pattern comprises K output slots, where K >= 1 (page 15, lines 29-32: map input tags to output tags, and, in some embodiments, the input tags may be metadata memory addresses where binary representations of metadata are stored, as opposed to the binary representations themselves);
for each k = 0, …, K-1:
the k-th output slot comprises a binary representation Ok of a metadata label Uk (page 15, lines 29-32: map input tags to output tags, and, in some embodiments, the input tags may be metadata memory addresses where binary representations of metadata are stored, as opposed to the binary representations themselves; & page 21, lines 4-7: the tag register corresponding to the address register R0 stores a binary representation of the metadata label RED, augmented with a comparison bit that is set to 1; this is shown in FIG. 4 as <<RED>>*1, and may indicate that a comparison (e.g., equality checking) is to be performed on the metadata symbol RED); and
the binary representation Ok comprises a bit string of length N’, where N’>= 1 (page 15, lines 29-32: map input tags to output tags, and, in some embodiments, the input tags may be metadata memory addresses where binary representations of metadata are stored, as opposed to the binary representations themselves; & page 21, lines 4-7: the tag register corresponding to the address register R0 stores a binary representation of the metadata label RED, augmented with a comparison bit that is set to 1; this is shown in FIG. 4 as <<RED>>*1, and may indicate that a comparison (e.g., equality checking) is to be performed on the metadata symbol RED).
Regarding claim 8, Sutherland discloses the method as described in claim 7. Sutherland further discloses
N’ is different from N (page 15, lines 29-32: map input tags to output tags, and, in some embodiments, the input tags may be metadata memory addresses where binary representations of metadata are stored, as opposed to the binary representations themselves; & page 21, lines 4-7: the tag register corresponding to the address register R0 stores a binary representation of the metadata label RED, augmented with a comparison bit that is set to 1; this is shown in FIG. 4 as <<RED>>*1, and may indicate that a comparison (e.g., equality checking) is to be performed on the metadata symbol RED).
Regarding claim 9, Sutherland discloses the method as described in claim 7. Sutherland further discloses
the hardware circuitry comprises an output function block configured to process the binary representation(s) C0, …, CM-1 to obtain the binary representation(s) O0, …, OK-1 (page 38, lines 3-34: a tag map table may be configured to allow multiple fetches of metadata on a single input application memory address; the fetched metadata may then be used to perform multiple lookups in a rule cache; the tag map table entry 1000A stores, in an “Offset” field, a first offset value to be added to an input address in an application memory to obtain a first address in a metadata memory);
the hardware circuitry further comprises a conversion block configured to process binary representation(s) A0, …, AM-1 to obtain the binary representation(s) C0, …, CM-1 (page 38, lines 3-34: a tag map table may be configured to allow multiple fetches of metadata on a single input application memory address; the fetched metadata may then be used to perform multiple lookups in a rule cache; the tag map table entry 1000A stores, in an “Offset” field, a first offset value to be added to an input address in an application memory to obtain a first address in a metadata memory); and
for each i = 0, …, M-1:
the binary representation Ai comprises a bit string of length N’ (page 38, lines 3-34: a tag map table may be configured to allow multiple fetches of metadata on a single input application memory address; the fetched metadata may then be used to perform multiple lookups in a rule cache; the tag map table entry 1000A stores, in an “Offset” field, a first offset value to be added to an input address in an application memory to obtain a first address in a metadata memory).
Regarding claim 10, Sutherland discloses the method as described in claim 9. Sutherland further discloses
the conversion block comprises a first conversion table and a second conversion table different from the first conversion table (page 38, lines 3-34: a tag map table may be configured to allow multiple fetches of metadata on a single input application memory address; the fetched metadata may then be used to perform multiple lookups in a rule cache; the tag map table entry 1000A stores, in an “Offset” field, a first offset value to be added to an input address in an application memory to obtain a first address in a metadata memory);
the first conversion table is configured to map Ai to Ci for some i = 0, …, M-1 (page 38, lines 3-34: a tag map table may be configured to allow multiple fetches of metadata on a single input application memory address; the fetched metadata may then be used to perform multiple lookups in a rule cache; the tag map table entry 1000A stores, in an “Offset” field, a first offset value to be added to an input address in an application memory to obtain a first address in a metadata memory); and
the second conversion table is configured to map Ai’ to Ci’ for some i’ = 0, …, M-1 that is different from i (page 38, lines 3-34: a tag map table may be configured to allow multiple fetches of metadata on a single input application memory address; the fetched metadata may then be used to perform multiple lookups in a rule cache; the tag map table entry 1000A stores, in an “Offset” field, a first offset value to be added to an input address in an application memory to obtain a first address in a metadata memory).
Regarding claim 11, Sutherland discloses the method as described in claim 10. Sutherland further discloses
the conversion block further comprises a third conversion table (page 38, lines 3-34: a tag map table may be configured to allow multiple fetches of metadata on a single input application memory address; the fetched metadata may then be used to perform multiple lookups in a rule cache; the tag map table entry 1000A stores, in an “Offset” field, a first offset value to be added to an input address in an application memory to obtain a first address in a metadata memory); and
the third conversion table is configured to map C’i to Ai for each i = 0, …, M-1 (page 38, lines 3-34: a tag map table may be configured to allow multiple fetches of metadata on a single input application memory address; the fetched metadata may then be used to perform multiple lookups in a rule cache; the tag map table entry 1000A stores, in an “Offset” field, a first offset value to be added to an input address in an application memory to obtain a first address in a metadata memory).
Regarding claims 26 and 33, the limitations of claims 26 and 33 are rejected in the analysis of claim 1 above and these claims are rejected on that basis.
Regarding claim 27, Sutherland discloses the system as described in claim 26. Sutherland further discloses
the processing hardware comprises one or more processors programmed by executable instructions (page 2, lines 20-23: a system is provided, comprising circuitry and/or one or more processors programmed by executable instructions).
Regarding claim 28, Sutherland discloses the system as described in claim 26. Sutherland further discloses
the processing hardware comprises one or more FPGAs programmed by bitstreams (page 8, lines 24-26: the policy processor 150 may include configurable processing unit, such as a microprocessor, a field-programmable gate array (FPGA), and/or any other suitable circuitry).
Regarding claim 29, Sutherland discloses the system as described in claim 26. Sutherland further discloses
the processing hardware comprises one or more logic circuits fabricated into semiconductors (page 58, lines 10-16: circuit configurations in Field Programmable Gate Arrays or other semiconductor devices).
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
DeHon et al. (US 2020/0089500 A1). Perform metadata tag compression in security policy enforcement system; send a set of data elements along with an index element that identifies one or more metadata tags, and send one or more of the metadata tags identified by the index element.
Kennedy (US 2011/0209196 A1). A policy tag is used for policy enforcement; a policy measure is used to address an actual or potential policy or rule violation.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to KAYLEE J HUANG whose telephone number is (571)272-0080. The examiner can normally be reached Monday-Friday 9AM-5PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Joon H Hwang can be reached at 571-272-4036. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
Kaylee Huang
01/10/2026
/KAYLEE J HUANG/Primary Examiner, Art Unit 2447