Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
This is the initial office action that has been issued in response to patent application, 19/037,403, filed on 01/27/2025. Claims 1-20 are currently pending and have been considered below. Claims 1 and 11 are independent claims.
Priority
This application is a CON of PCT/US2023/071030, filed 07/26/2023
PCT/US2023/071030 has PRO 63/369,555, filed 07/27/2022.
Drawings
The drawings file on 01/27/2025 are accepted by the examiner.
Information Disclosure Statement
Information Disclosure Statement
The information disclosure statements (IDS’s) submitted on 06/04/2025 is in compliance with provisions of 37 CFR 1.97. Accordingly, the information disclosure statement is being considered by the examiner.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claims 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over Gschwind(US Publication No. 2022/0222338 A1) in view of Gupta(US Publication No. 20180314504 A1)
Regarding Claim 1:
Gschwind discloses:
A system for enforcing policy without collateral damage using an agent sandbox, the system comprising or more computer processors;(Gschwind, [0038], FIG. 1 illustrates an embodiment of a computer system (100) for local and global entry points for a target function. Computer system (100) comprises a processor (102) in communication with a main memory (104) across a bus (122).)
one or more non-transitory computer readable storage media(Gschwind, [0086], the computer program product may include a computer readable storage medium (or media) having computer readable program instructions );
and program instructions stored on the one or more non-transitory computer readable storage media for execution by at least one of the one or more computer processors,(Gschwind, [0082], program modules (1420), may be stored in memory (1406), [0086], The computer program product may include a computer readable storage medium (or media) having computer readable program instructions, [0038], Computer system (100) comprises a processor (102) in communication with a main memory (104) across a bus (122)., b. The primary thread of the new process is created in a suspended state, )
load on the child agent process a shared library using code inherited from a statically linked address space of the parent agent process(Gschwind, [0004], building shared libraries, [0034], A dynamic shared objected (DSO) is an object file that is intended to be used simultaneously (or shared by), [0006], A static linker combines one or more separately compiled object files derived from distinct source files into a single module, [0035], Callers of that routine may use the local entry point if caller and callee reside in the same DSO and share the same TOC pointer value, [0036], The programming code that loads the symbol address will include relocations referring to the symbol, and the relocations will be resolved by the static linker and/or dynamic loader.);
Gschwind does not discloses:
the program instructions including instructions to: fork execution from a parent agent process into a child agent process
interpose each standard C library (libc) wrapper function on the child agent process on a corresponding libc call
and for each libc call: parse a message on the parent agent process to determine if the libc call with one or more exact arguments is allowed by policy
responsive to determining that the libc call with the one or more exact arguments is allowed by policy, proceed with the execution
and responsive to determining that the libc call with the one or more exact arguments is not allowed by policy, terminate the child agent process
Gupta discloses:
the program instructions including instructions: fork execution from a parent agent process into a child agent process;(Gupta, [201-203], The malware first creates a new process to host the malicious code in suspended mode. a. This is done by calling CreateProcess and setting the Process Creation Flag to CREATE_SUSPENDED
receive on the child agent process a target-specific object code of a capability from the parent agent process);
interpose each standard C library (libc) wrapper function on the child agent process on a corresponding libc call(Gupta, [0009], (i) create wrapper functions around respective system function definitions for the events; (ii) redirect a user system table to the created wrapper functions, (ii)redirect a user system table to the created wrapper functions;(iii)extract arguments from respective system function definitions within the created wrapper functions;(iv) call system functions referenced by the respective system function definitions);
and for each libc call: parse a message on the parent agent process to determine if the libc call with one or more exact arguments is allowed by policy(Gupta, [0009], call system functions referenced by the respective system function definitions; [0010], the RMP kernel driver component is configured to communicate parameters to the RMP user endpoint agent for analysis. [0009], (iii) extract arguments from respective system function definitions within the created wrapper functions, (v) analyze the extracted arguments upon execution of the called system functions, [0010], the parameters include at least one of… and arguments and return values for the system functions referenced by the respective system function definitions encompassed by the created wrapper functions.);
responsive to determining that the libc call with the one or more exact arguments is allowed by policy, proceed with the execution(Gupta, [0009], (iii) extract arguments from respective system function definitions within the created wrapper functions; (iv) call system functions referenced by the respective system function definitions; and (v) analyze the extracted arguments upon execution of the called system);
and responsive to determining that the libc call with the one or more exact arguments is not allowed by policy, terminate the child agent process(Gupta, [0009], (v) analyze the extracted arguments upon execution of the called system functions for an indication of a memory permissions change request, [0010], the parameters include at least one of: a timestamp… arguments and return values for the system functions referenced by the respective system function definitions encompassed by the created wrapper functions. [0006], (iii) terminating a process upon which the code injection attack is hosted, [0005], …implementing a protection action…).
Before the effective filing date of the claimed invention, it would have been obvious to one with ordinary skill in the art to modify Gschwind’s Compiling optimized entry points for local use only function pointers by enhancing Gschwind’s systems for dynamic loader relocation and executable reference management to ensure controlled child-process execution, monitored libc/system-call execution, redirected execution flow, and runtime protection enforcement as taught by Gupta in order to enhance runtime monitoring and protection of dynamically linked shared-library execution.
The motivation is to ensure dynamically linked libc/system-call execution is monitored, redirected, and terminated when prohibited execution behavior is detected.
Regarding Claim 2:
The system of claim 1, Gschwind in view of Gupta disclose wherein the parent agent process opens a set of one or more pipes to serve as a messaging conduit between the parent agent process and the child agent process(Gupta, [0010], the RMP kernel driver component is configured to communicate parameters to the RMP user endpoint agent for analysis. the parameters include at least one of: a timestamp, an operating system name and version, a process identifier, a thread identifier, a memory page identifier, a system call number, a system call name or property, and arguments and return value…[0201], The malware first creates a new process to host the malicious code in suspended mode.).
Before the effective filing date of the claimed invention, it would have been obvious to one with ordinary skill in the art to modify Gschwind’s Compiling optimized entry points for local use only function pointers by enhancing Gschwind’s systems for communication between dynamically linked execution components to ensure monitored communication of intercepted system-call information between a parent execution component and a child execution component as taught by Gupta in order to enhance runtime analysis and policy enforcement during dynamically linked shared-library execution.
The motivation is to ensure intercepted libc/system-call information and associated arguments are communicated for runtime monitoring and protection analysis before execution proceeds.
Regarding Claim 3:
The system of claim 2, Gschwind in view of Gupta disclose wherein fork execution from the parent agent process into the child agent process further comprises one or more of the following program instructions, stored on the one or more non-transitory computer readable storage media, to: close all file-handles on the child agent process except those implementing a conduit to the parent agent process(Gupta, [0201], The malware first creates a new process to host the malicious code in suspended mode, [0203], The primary thread of the new process is created in a suspended state, [0010], the RMP kernel driver component is configured to communicate parameters to the RMP user endpoint agent for analysis. [0006], (ii) dropping a handle associated with a thread upon which the code injection attack is hosted, ).
Before the effective filing date of the claimed invention, it would have been obvious to one with ordinary skill in the art to modify Gschwind’s Compiling optimized entry points for local use only function pointers by enhancing Gschwind’s systems for dynamically linked execution management to ensure selective handle management and maintained communication between monitored execution components during child-process execution as taught by Gupta in order to enhance controlled runtime communication and restricted execution-resource access during dynamically linked shared-library execution.
The motivation is to ensure only authorized communication resources remain available during monitored child-process execution while reducing unauthorized execution-resource access.
Regarding Claim 4:
The system of claim 3, Gschwind in view of Gupta disclose wherein fork execution from the parent agent process into the child agent process further comprises one or more of the following program instructions, stored on the one or more non-transitory computer readable storage media, to: block execution on the child agent process until the message from the parent agent process is received(Gupta,[0201], The malware first creates a new process to host the malicious code in suspended mode. [0203], The primary thread of the new process is created in a suspended state, and does not run until the ResumeThread function is called. [0010], the RMP kernel driver component is configured to communicate parameters to the RMP user endpoint agent for analysis.).
Before the effective filing date of the claimed invention, it would have been obvious to one with ordinary skill in the art to modify Gschwind’s Compiling optimized entry points for local use only function pointers by enhancing Gschwind’s systems for dynamically linked execution management to ensure selective handle management and maintained communication between monitored execution components during child-process execution as taught by Gupta in order to enhance controlled runtime communication and restricted execution-resource access during dynamically linked shared-library execution.
The motivation is to ensure only authorized communication resources remain available during monitored child-process execution while reducing unauthorized execution-resource access.
Regarding Claim 5:
The system of claim 2, Gschwind in view of Gupta disclose wherein load on the child agent process the shared library using code inherited from the statically linked address space of the parent agent process further comprises one or more of the following program instructions, stored on the one or more non- transitory computer readable storage media, to: load the shared library on the child agent process using a behavior to that mimics a system loader, wherein the child agent process uses the code inherited from the statically linked address space of the parent agent process(Gschwind, [0034], A dynamic shared objected (DSO) is an object file, [0036], relocations referring to the symbol, and the relocations will be resolved by the static linker and/or dynamic loader. [0006], A static linker combines one or more separately compiled object files… [0035], Callers of that routine may use the local entry point if caller and callee reside in the same DSO and share the same TOC pointer value.);
and perform one or more appropriate fixups on the shared library(Gshwind, [0036], the relocations will be resolved by the static linker and/or dynamic loader. [0005], a global offset table (GOT), [0007], a procedure linkage table (PLT), [0036], An indirect function call takes place)
set one or more permissions bits on one or more pages of memory obtained from an operating system (OS) kernel(Gupta, [0005], a memory permissions change request, [0010], the RMP kernel driver component…a memory page identifier, [0012], memory allocation or deallocation requests, memory write requests…);
Before the effective filing date of the claimed invention, it would have been obvious to one with ordinary skill in the art to modify Gschwind’s Compiling optimized entry points for local use only function pointers by enhancing Gschwind’s systems for dynamic loader relocation and shared-library execution to ensure memory permissions associated with dynamically loaded executable pages are monitored and modified through kernel-level memory-permissions management as taught by Gupta in order to enhance runtime protection and controlled execution of dynamically linked executable code.
The motivation is to ensure executable memory pages associated with dynamically linked shared libraries are protected from unauthorized execution and memory-modification behavior.
Regarding Claim 6:
The system of claim 5, Gschwind in view of Gupta disclose wherein the one or more appropriate fixups are applied to a global offset table and a procedure linkage table to ensure that each global symbol and each global executable reference a first address of the global symbol already found in the statically linked address space of the parent agent process(Gschwind, [0005], a global offset table (GOT), [0007], a procedure linkage table (PLT), [0036], the relocations will be resolved by the static linker and/or dynamic loader.).
Regarding Claim 7:
The system of claim 6, Gschwind in view of Gupta disclose write a second address of a wrapper function that matches a function signature of the libc call exactly, (Gschwind, [0036], the function pointer variable, relocations referring to the symbol, and the relocations will be resolved by the static linker and/or dynamic loader.)
wherein the appropriate fixups for a libc call that invokes a system call further comprises one or more of the following program instructions, stored on the one or more non-transitory computer readable storage media(Gupta, [0009], (i) create wrapper functions around respective system function definitions for the events; [0010], a system call number, a system call name or property. [0016], The computer program product comprises one or more non-transitory computer-readable storage devices and program instructions stored on at least one of the one or more storage devices.),
wherein a specific wrapper function exists for each libc call that calls one or more system calls(Gupta, [0009], (i) create wrapper functions around respective system function definitions for the events; (ii) redirect a user system table to the created wrapper functions).
Before the effective filing date of the claimed invention, it would have been obvious to one with ordinary skill in the art to modify Gschwind’s Compiling optimized entry points for local use only function pointers by enhancing Gschwind’s systems for relocation resolution and executable reference management to ensure redirected executable references resolve to wrapper-function addresses corresponding to specific system calls as taught by Gupta, including creating wrapper functions around respective system function definitions and redirecting system-function execution to the created wrapper functions, in order to enhance monitored libc/system-call interception and runtime protection during dynamically linked shared-library execution.
The motivation is to ensure each libc/system call is redirected to a corresponding wrapper function for monitored execution and runtime policy enforcement.
Regarding Claim 8:
The system of claim 7, Gschwind in view of Gupta disclose wherein parse the message on the parent agent process to determine if the libc call with the one or more exact arguments is allowed by the policy comprises one or more of the following program instructions, stored on the one or more non- transitory computer readable storage media, send the message from the child agent process to the parent agent process using any pipe of the set of the one or more pipes, wherein the message indicates an exact libc call along with the exact arguments the capability intends to execute(Gupta, [0010], the RMP kernel driver component is configured to communicate parameters to the RMP user endpoint agent for analysis… a system call number, a system call name or property, [0009], (iii) extract arguments from respective system function definitions within the created wrapper functions… (v) analyze the extracted arguments upon execution of the called system functions. [0010], communicate parameters to the RMP);
and parse the message on the parent agent process to determine if the libc call with the one or more exact arguments is allowed by policy(Gupta, [0010], the RMP kernel driver component is configured to communicate parameters to the RMP user endpoint agent for analysis. a system call number, a system call name or property, [0009], (iii) extract arguments from respective system function definitions within the created wrapper functions).
Before the effective filing date of the claimed invention, it would have been obvious to one with ordinary skill in the art to modify Gschwind’s Compiling optimized entry points for local use only function pointers by enhancing Gschwind’s systems for dynamically linked executable reference management to ensure communication of intercepted libc/system-call information and associated arguments between monitored execution components for runtime analysis and policy determination as taught by Gupta, including communicating parameters associated with system calls, arguments, and return values to an endpoint agent for analysis, in order to enhance runtime monitoring and protection during dynamically linked shared-library execution.
The motivation is to ensure exact libc/system-call information and associated arguments are communicated and analyzed before execution proceeds to enforce runtime protection policies.
Regarding Claim 9:
The system of claim 1, Gschwind in view of Gupta disclose wherein fork execution from the parent agent process into the child agent process further comprises one or more of the following program instructions, stored on the one or more non-transitory computer readable storage media, duplicate an entire address space of the parent agent process into the child agent process(Gupta, [0207, the loader performs VirtualAllocEx to allocate new memory for the malware, and uses WriteProcessMemory to write each of the malware's sections to the target process memory space. [0204], unmapping the memory of the target process. [0208], SetThreadContext to reorient the entry point to a new code section that it has written);
and vector execution on the child agent process to a proper instruction just after the fork execution(Gupta, [0208], the malware calls SetThreadContext to reorient the entry point to a new code section that it has written. [0209], the malware resumes the suspended thread by calling ResumeThread to take the process out of suspended state. [0201],The malware first creates a new process to host the malicious code in suspended mode ).
Before the effective filing date of the claimed invention, it would have been obvious to one with ordinary skill in the art to modify Gschwind’s Compiling optimized entry points for local use only function pointers by enhancing Gschwind’s systems for dynamically linked shared-library execution and executable reference management to ensure executable memory sections and execution context information are copied into a created secondary execution process as taught by Gupta, including allocating memory within a target process and writing executable sections into the target process memory space, in order to enhance controlled execution of dynamically linked executable code within a monitored child execution environment.
The motivation is to ensure dynamically linked executable code and associated execution context are available within a monitored secondary execution process for controlled runtime execution and protection enforcement.
Regarding Claim 10:
The system of claim 1, Gschwind in view of Gupta disclose wherein responsive to determining that the libc call with the one or more exact arguments is not allowed by policy, terminate the child agent process further comprises one or more of the following program instructions, stored on the one or more non- transitory computer readable storage media, to: a planner of termination of the execution of the child agent process to de-emphasize execution of a requested libc call with one or more given arguments from occurring in future plans(Gupta, [0007], store, in a database, system status indicators related to the received representations… historical information related to protection actions. [0009], (v) analyze the extracted arguments upon execution of the called system functions for an indication of a memory permissions change request, [0010], the parameters include at least one of: a timestamp… arguments and return values for the system functions referenced by the respective system function definitions encompassed by the created wrapper functions. [0006], (iii) terminating a process upon which the code injection attack is hosted, [0014], implement a security event management strategy by logging kernel events including protection actions launched. [0005], declare a code injection attack…implementing a protection action…).
Before the effective filing date of the claimed invention, it would have been obvious to one with ordinary skill in the art to modify Gschwind’s Compiling optimized entry points for local use only function pointers by enhancing Gschwind’s systems for dynamically linked executable reference management to ensure prohibited libc/system-call execution behavior and associated protection actions are logged and utilized during subsequent runtime execution-management operations as taught by Gupta, including storing historical protection-action information and implementing security event management strategies, in order to enhance future runtime protection and execution-control decisions during dynamically linked shared-library execution.
The motivation is to ensure previously prohibited libc/system-call behavior influences future runtime execution-management and protection decisions.
Regarding Claim 11:
Gschwind discloses:
A computer-implemented method for enforcing policy without collateral damage using an agent sandbox, the computer-implemented method comprising, forking, by one or more computer processors,(Gschwind, [0082], program modules (1420), may be stored in memory (1406), [0086], The computer program product may include a computer readable storage medium (or media) having computer readable program instructions, [0038], Computer system (100) comprises a processor (102) in communication with a main memory (104) across a bus (122)., b. The primary thread of the new process is created in a suspended state, ) ,
receiving, by the one or more computer processors, on the child agent process a target- specific object code of a capability from the parent agent process(Gschwind, [0004], building shared libraries, [0034], A dynamic shared objected (DSO) is an object file that is intended to be used simultaneously (or shared by), [0006], A static linker combines one or more separately compiled object files derived from distinct source files into a single module, [0035], Callers of that routine may use the local entry point if caller and callee reside in the same DSO and share the same TOC pointer value, [0036], The programming code that loads the symbol address will include relocations referring to the symbol, and the relocations will be resolved by the static linker and/or dynamic loader.);
loading, by the one or more computer processors, on the child agent process a shared library using code inherited from a statically linked address space of the parent agent process(Gschwind, [0004], building shared libraries, [0034], A dynamic shared objected (DSO) is an object file that is intended to be used simultaneously (or shared by), [0006], A static linker combines one or more separately compiled object files derived from distinct source files into a single module, [0035], Callers of that routine may use the local entry point if caller and callee reside in the same DSO and share the same TOC pointer value, [0036], The programming code that loads the symbol address will include relocations referring to the symbol, and the relocations will be resolved by the static linker and/or dynamic loader.);
Gschwind does not disclose:
execution from a parent agent process into a child agent process
interposing by the one or more computer processors, each standard C library (libc) wrapper function on the child agent process on a corresponding libc cal:
and for each libc call: parsing, by the one or more computer processors, a message on the parent agent process to determine if the libc call with one or more exact arguments is allowed by policy
responsive to determining that the libc call with the one or more exact arguments is allowed by policy, proceeding, by the one or more computer processors, with the execution
and responsive to determining that the libc call with the one or more exact arguments is not allowed by policy, terminating, by the one or more computer processors, the child agent process
Gupta discloses:
execution from a parent agent process into a child agent process(Gupta, [201-203], The malware first creates a new process to host the malicious code in suspended mode. a. This is done by calling CreateProcess and setting the Process Creation Flag to CREATE_SUSPENDED
receive on the child agent process a target-specific object code of a capability from the parent agent process);
interposing by the one or more computer processors, each standard C library (libc) wrapper function on the child agent process on a corresponding libc call(Gupta, [0009], (i) create wrapper functions around respective system function definitions for the events; (ii) redirect a user system table to the created wrapper functions, (ii)redirect a user system table to the created wrapper functions;(iii)extract arguments from respective system function definitions within the created wrapper functions;(iv) call system functions referenced by the respective system function definitions);
and for each libc call: parsing, by the one or more computer processors, a message on the parent agent process to determine if the libc call with one or more exact arguments is allowed by policy(Gupta, [0009], call system functions referenced by the respective system function definitions; [0010], the RMP kernel driver component is configured to communicate parameters to the RMP user endpoint agent for analysis. [0009], (iii) extract arguments from respective system function definitions within the created wrapper functions, (v) analyze the extracted arguments upon execution of the called system functions, [0010], the parameters include at least one of… and arguments and return values for the system functions referenced by the respective system function definitions encompassed by the created wrapper functions.);
responsive to determining that the libc call with the one or more exact arguments is allowed by policy, proceeding, by the one or more computer processors, with the execution(Gupta, [0009], (iii) extract arguments from respective system function definitions within the created wrapper functions; (iv) call system functions referenced by the respective system function definitions; and (v) analyze the extracted arguments upon execution of the called system);
and responsive to determining that the libc call with the one or more exact arguments is not allowed by policy, terminating, by the one or more computer processors, the child agent process(Gupta, [0009], (v) analyze the extracted arguments upon execution of the called system functions for an indication of a memory permissions change request, [0010], the parameters include at least one of: a timestamp… arguments and return values for the system functions referenced by the respective system function definitions encompassed by the created wrapper functions. [0006], (iii) terminating a process upon which the code injection attack is hosted, [0005], …implementing a protection action…).
Before the effective filing date of the claimed invention, it would have been obvious to one with ordinary skill in the art to modify Gschwind’s Compiling optimized entry points for local use only function pointers by enhancing Gschwind’s systems for dynamic loader relocation and executable reference management to ensure controlled child-process execution, monitored libc/system-call execution, redirected execution flow, and runtime protection enforcement as taught by Gupta in order to enhance runtime monitoring and protection of dynamically linked shared-library execution.
The motivation is to ensure dynamically linked libc/system-call execution is monitored, redirected, and terminated when prohibited execution behavior is detected.
Regarding Claim 12:
The computer-implemented method of claim 11, Gschwind in view of Gupta disclose wherein the parent agent process opens a set of one or more pipes to serve as a messaging conduit between the parent agent process and the child agent process(Gupta, [0010], the RMP kernel driver component is configured to communicate parameters to the RMP user endpoint agent for analysis. the parameters include at least one of: a timestamp, an operating system name and version, a process identifier, a thread identifier, a memory page identifier, a system call number, a system call name or property, and arguments and return value…[0201], The malware first creates a new process to host the malicious code in suspended mode.).
Before the effective filing date of the claimed invention, it would have been obvious to one with ordinary skill in the art to modify Gschwind’s Compiling optimized entry points for local use only function pointers by enhancing Gschwind’s systems for communication between dynamically linked execution components to ensure monitored communication of intercepted system-call information between a parent execution component and a child execution component as taught by Gupta in order to enhance runtime analysis and policy enforcement during dynamically linked shared-library execution.
The motivation is to ensure intercepted libc/system-call information and associated arguments are communicated for runtime monitoring and protection analysis before execution proceeds.
Regarding Claim 13:
The computer-implemented method of claim 12, Gschwind in view of Gupta disclose wherein forking execution from the parent agent process into the child agent process further comprises, by the one or more computer processors, all file-handles on the child agent process except those implementing a conduit to the parent agent process(Gupta, [0201], The malware first creates a new process to host the malicious code in suspended mode, [0203], The primary thread of the new process is created in a suspended state, [0010], the RMP kernel driver component is configured to communicate parameters to the RMP user endpoint agent for analysis. [0006], (ii) dropping a handle associated with a thread upon which the code injection attack is hosted, ).
Before the effective filing date of the claimed invention, it would have been obvious to one with ordinary skill in the art to modify Gschwind’s Compiling optimized entry points for local use only function pointers by enhancing Gschwind’s systems for dynamically linked execution management to ensure selective handle management and maintained communication between monitored execution components during child-process execution as taught by Gupta in order to enhance controlled runtime communication and restricted execution-resource access during dynamically linked shared-library execution.
The motivation is to ensure only authorized communication resources remain available during monitored child-process execution while reducing unauthorized execution-resource access.
Regarding Claim 14:
The computer-implemented method of claim 11, Gschwind in view of Gupta disclose wherein forking execution from the parent agent process into the child agent process further comprises: blocking, by the one or more computer processors, execution on the child agent process until the message from the parent agent process is received(Gupta,[0201], The malware first creates a new process to host the malicious code in suspended mode. [0203], The primary thread of the new process is created in a suspended state, and does not run until the ResumeThread function is called. [0010], the RMP kernel driver component is configured to communicate parameters to the RMP user endpoint agent for analysis.).
Before the effective filing date of the claimed invention, it would have been obvious to one with ordinary skill in the art to modify Gschwind’s Compiling optimized entry points for local use only function pointers by enhancing Gschwind’s systems for dynamically linked execution management to ensure selective handle management and maintained communication between monitored execution components during child-process execution as taught by Gupta in order to enhance controlled runtime communication and restricted execution-resource access during dynamically linked shared-library execution.
The motivation is to ensure only authorized communication resources remain available during monitored child-process execution while reducing unauthorized execution-resource access.
Regarding Claim 15:
The computer-implemented method of claim 12, Gschwind in view of Gupta disclose wherein loading on the child agent process the shared library using code inherited from the statically linked address space of the parent agent process further: loadin, by the one or more computer processors, the shared library on the child agent process using a behavior to that mimics a system loader, wherein the child agent process uses the code inherited from the statically linked address space of the parent agent process(Gschwind, [0034], A dynamic shared objected (DSO) is an object file, [0036], relocations referring to the symbol, and the relocations will be resolved by the static linker and/or dynamic loader. [0006], A static linker combines one or more separately compiled object files… [0035], Callers of that routine may use the local entry point if caller and callee reside in the same DSO and share the same TOC pointer value.);
setting, by the one or more computer processors, one or more permissions bits on one or more pages of memory obtained from an operating system (OS) kernel(Gupta, [0005], a memory permissions change request, [0010], the RMP kernel driver component…a memory page identifier, [0012], memory allocation or deallocation requests, memory write requests…); ;
and performing, by the one or more computer processors, one or more appropriate fixups on the shared library(Gshwind, [0036], the relocations will be resolved by the static linker and/or dynamic loader. [0005], a global offset table (GOT), [0007], a procedure linkage table (PLT), [0036], An indirect function call takes place).
Before the effective filing date of the claimed invention, it would have been obvious to one with ordinary skill in the art to modify Gschwind’s Compiling optimized entry points for local use only function pointers by enhancing Gschwind’s systems for dynamic loader relocation and shared-library execution to ensure memory permissions associated with dynamically loaded executable pages are monitored and modified through kernel-level memory-permissions management as taught by Gupta in order to enhance runtime protection and controlled execution of dynamically linked executable code.
The motivation is to ensure executable memory pages associated with dynamically linked shared libraries are protected from unauthorized execution and memory-modification behavior.
Regarding Claim 16:
The computer-implemented method of claim 15, Gschwind in view of Gupta disclose wherein the one or more appropriate fixups are applied to a global offset table and a procedure linkage table to ensure that each global symbol and each global executable reference a first address of the global symbol already found in the statically linked address space of the parent agent process(Gschwind, [0005], a global offset table (GOT), [0007], a procedure linkage table (PLT), [0036], the relocations will be resolved by the static linker and/or dynamic loader.).
Regarding Claim 17:
The computer-implemented method of claim 15, Gschwind in view of Gupta disclose wherein the appropriate fixups for a libc call that invokes a system call further comprises: writing, by the one or more computer processors(Gupta, [0009], (i) create wrapper functions around respective system function definitions for the events; [0010], a system call number, a system call name or property. [0016], The computer program product comprises one or more non-transitory computer-readable storage devices and program instructions stored on at least one of the one or more storage devices.),
a second address of a wrapper function that matches a function signature of the libc call exactly(Gschwind, [0036], the function pointer variable, relocations referring to the symbol, and the relocations will be resolved by the static linker and/or dynamic loader.),
wherein a specific wrapper function exists for each libc call that calls one or more system calls(Gupta, [0009], (i) create wrapper functions around respective system function definitions for the events; (ii) redirect a user system table to the created wrapper functions).
Before the effective filing date of the claimed invention, it would have been obvious to one with ordinary skill in the art to modify Gschwind’s Compiling optimized entry points for local use only function pointers by enhancing Gschwind’s systems for relocation resolution and executable reference management to ensure redirected executable references resolve to wrapper-function addresses corresponding to specific system calls as taught by Gupta, including creating wrapper functions around respective system function definitions and redirecting system-function execution to the created wrapper functions, in order to enhance monitored libc/system-call interception and runtime protection during dynamically linked shared-library execution.
The motivation is to ensure each libc/system call is redirected to a corresponding wrapper function for monitored execution and runtime policy enforcement
Regarding Claim 18:
The computer-implemented method of claim 17, Gschwind in view of Gupta disclose wherein parsing the message on the parent agent process to determine if the libc call with the one or more exact arguments is allowed by policy comprises: sending, by the one or more computer processors, the message from the child agent process to the parent agent process using any pipe of the set of the one or more pipes, wherein the message indicates an exact libc call along with the exact arguments the capability intends to execute(Gupta, [0010], the RMP kernel driver component is configured to communicate parameters to the RMP user endpoint agent for analysis… a system call number, a system call name or property, [0009], (iii) extract arguments from respective system function definitions within the created wrapper functions… (v) analyze the extracted arguments upon execution of the called system functions. [0010], communicate parameters to the RMP);
and parsing, by the one or more computer processors, the message on the parent agent process to determine if the libc call with the one or more exact arguments is allowed by policy(Gupta, [0010], the RMP kernel driver component is configured to communicate parameters to the RMP user endpoint agent for analysis. a system call number, a system call name or property, [0009], (iii) extract arguments from respective system function definitions within the created wrapper functions).
Before the effective filing date of the claimed invention, it would have been obvious to one with ordinary skill in the art to modify Gschwind’s Compiling optimized entry points for local use only function pointers by enhancing Gschwind’s systems for dynamically linked executable reference management to ensure communication of intercepted libc/system-call information and associated arguments between monitored execution components for runtime analysis and policy determination as taught by Gupta, including communicating parameters associated with system calls, arguments, and return values to an endpoint agent for analysis, in order to enhance runtime monitoring and protection during dynamically linked shared-library execution.
The motivation is to ensure exact libc/system-call information and associated arguments are communicated and analyzed before execution proceeds to enforce runtime protection policies.
Regarding Claim 19:
The computer-implemented method of claim 11, Gschwind in view of Gupta disclose wherein forking execution from the parent agent process into the child agent process further comprises:duplicating by the one or more computer processors, an entire address space of the parent agent process into the child agent process(Gupta, [0207, the loader performs VirtualAllocEx to allocate new memory for the malware, and uses WriteProcessMemory to write each of the malware's sections to the target process memory space. [0204], unmapping the memory of the target process. [0208], SetThreadContext to reorient the entry point to a new code section that it has written);
and vectoring, by the one or more computer processors, execution on the child agent process to a proper instruction just after the fork execution(Gupta, [0208], the malware calls SetThreadContext to reorient the entry point to a new code section that it has written. [0209], the malware resumes the suspended thread by calling ResumeThread to take the process out of suspended state. [0201],The malware first creates a new process to host the malicious code in suspended mode ).
Before the effective filing date of the claimed invention, it would have been obvious to one with ordinary skill in the art to modify Gschwind’s Compiling optimized entry points for local use only function pointers by enhancing Gschwind’s systems for dynamically linked shared-library execution and executable reference management to ensure executable memory sections and execution context information are copied into a created secondary execution process as taught by Gupta, including allocating memory within a target process and writing executable sections into the target process memory space, in order to enhance controlled execution of dynamically linked executable code within a monitored child execution environment.
The motivation is to ensure dynamically linked executable code and associated execution context are available within a monitored secondary execution process for controlled runtime execution and protection enforcement.
Regarding Claim 20:
The computer-implemented method of claim 11, Gschwind in view of Gupta disclose wherein responsive to determining that the libc call with the one or more exact arguments is not allowed by policy, terminating the child agent process further comprises: notifying by the one or more computer processors, a planner of termination of the execution of the child agent process to de-emphasize execution of a requested libc call with one or more given arguments from occurring in future plans(Gupta, [0007], store, in a database, system status indicators related to the received representations… historical information related to protection actions. [0009], (v) analyze the extracted arguments upon execution of the called system functions for an indication of a memory permissions change request, [0010], the parameters include at least one of: a timestamp… arguments and return values for the system functions referenced by the respective system function definitions encompassed by the created wrapper functions. [0006], (iii) terminating a process upon which the code injection attack is hosted, [0014], implement a security event management strategy by logging kernel events including protection actions launched. [0005], declare a code injection attack…implementing a protection action…).
Before the effective filing date of the claimed invention, it would have been obvious to one with ordinary skill in the art to modify Gschwind’s Compiling optimized entry points for local use only function pointers by enhancing Gschwind’s systems for dynamically linked executable reference management to ensure prohibited libc/system-call execution behavior and associated protection actions are logged and utilized during subsequent runtime execution-management operations as taught by Gupta, including storing historical protection-action information and implementing security event management strategies, in order to enhance future runtime protection and execution-control decisions during dynamically linked shared-library execution.
The motivation is to ensure previously prohibited libc/system-call behavior influences future runtime execution-management and protection decisions
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MAYASA SHAAWAT whose telephone number is (571)272-3939. The examiner can normally be reached on M-F, 8 AM TO 5 PM.
If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, JEFFREY PWU can be reached on (571)272-6789. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/MAYASA SHAAWAT/
Examiner, Art Unit 2433
/JEFFREY C PWU/Supervisory Patent Examiner, Art Unit 2433