DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Response to Amendment
This is in response to the amendments filed on 10/29/2020. Claims 1-6, 9-11, and 13 have been amended. Claims 16-19 are added. Claims 1-19 are currently pending and have been considered below.

Response to Arguments
Applicant’s arguments, see pages 6-8, filed 10/29/2020, with respect to the rejections of claims 1-4 and 6-14 under 35 U.S.C. 102(a)(1)&(a)(2) have been considered but are not persuasive. Thus, the rejections are sustained.

On pages 6-7 of the Remarks, Applicant asserts that the Office Action is in one instance relying on the "execution unit" to teach the claimed "predetermined unit," and in the next instance relying on "relocation metadata" to teach the claimed "predetermined unit. This appears to be impermissible piecemeal examination. The predetermined unit cannot both be the relocation metadata and the execution unit. The Examiner respectfully disagrees.
In this regard, Panchenko describes, as cited in the Non-final action issued 07/30/2020, that 
In block 202 of process 200, computer 160A receives relocation metadata 150 comprising, for each of a plurality of execution units within executable file 140, a mapping from executable file 140 to an address space range (see para. [0063]).  

execution units teaches predetermined units; and receiving relocation metadata teaches identifying predetermined units since the metadata and the units are mapped each other. (See page 3, emphasis added)) In other words, the Examiner noted that receiving relocation metadata teaches identifying predetermined units, but does not stated that relocation metadata teaches predetermined units. 
As disclosed in Panchenko and cited above, the relocation metadata 150 comprises a mapping from executable file 140 to an address space range, for each of a plurality of execution units within executable file 140. Thus, “computer 160A receives relocation metadata 150” means “computer 160A receives information (i.e., mapping) for each of a plurality of execution units within executable file 140, and further, which means “computer 160A comes to know information (i.e., mapping) for each of a plurality of execution units within executable file 140.” Meanwhile, the claim does not specifically define the term “identifying.” Thus, under the broadest reasonable interpretation, the term “identifying” can be interpreted as “knowing”, or equivalent meaning. As such, “receiving [relocation metadata]” teaches “identifying [predetermined units]”. 

On page 7 of the Remarks, Applicant asserts that no part of the rejection explains how either the relocation metadata and/or the execution unit are predetermined, as claimed. However, Applicant’s arguments are moot here since the term “predetermined units” has been removed from the amended claim. 

On page 7 of the Remarks, Applicant asserts that the Panchenko reference does not teach aspects related to assigning locations for sub-images. The office action at pages 3-4 appear to correlate "generating augmented relocation metadata" with assigning locations for the units. Previously, the office action said that the "predetermined units" were "execution units" (see page 3), but this language corresponds with metadata, not the described execution unit. The Examiner respectfully disagrees.
In this regard, Panchenko describes, as cited in the Non-final action issued 07/30/2020, that 
BTRS application 164 augments relocation metadata 150 with data from the randomized order provided by randomization function 165, generating augmented relocation metadata 180. Augmented relocation metadata 180 is then used to translate executable file 140 into randomized executable file 170. … In some embodiments, the randomization may be applied while the executable file 140 is being loaded into memory… (see para. [0048], emphasis added).  

Panchenko further describes that 
In block 204 of process 200, for at least one of execution units 142A-142C, BTRS application 164 modifies the corresponding mapping of binary atoms 152A-152C to replace the instructions within the address space range with a relocated copy of the instructions at a randomly located address space range. Thus, block 204 applies randomization function 165 to randomize the mapping of at least one of the binary atoms 152A-152C. Relocation metadata 150 is updated accordingly and written as augmented relocation metadata 180 (see para. [0074], emphasis added)

As stated above, the relocation metadata 150 comprises a mapping from executable file 140 to an address space range, for each of a plurality of execution units within executable file 140, and the augmented relocation metadata 180 is an updated one of relocation metadata 150. Thus, the augmented relocation metadata 180 comprises a randomly located address space range relocated for at least one of execution units, from which "generating augmented relocation metadata" means relocating the address space range for at least one of execution units. Here, the term “relocating” corresponds to “assigning.” Furthermore, FIG. 1C of Panchenko discloses relocated addresses for execution units 142. As such, "generating augmented relocation metadata" of Panchenko teaches “assigning locations for the units (sub-images).” 

On page 7 of the Remarks, Applicant asserts that applying a randomization while loading a file into memory does not presume that the locations were not designated prior to the load time, and nothing in the Panchenko reference teaches that the locations were not designated prior to the load time. The Examiner respectfully disagrees.
As stated above, the relocation metadata 150 is updated to the augmented relocation metadata 180 by replacing address space ranges. For example, as illustrated in FIG. 1C, virtual addresses 0x00010000 to 0x00010FFF of the execution unit 142A (i.e., binary atom 152A points to 142A) is relocated into virtual addresses 0x12011000 to 0x12011FFF of the execution unit 172A (i.e., binary atom 182A points to 172A). Here, the relocated virtual addresses 0x12011000 to 0x12011FFF of the execution unit 172A (i.e., binary atom 182A points to 172A) is different from virtual addresses 0x00010000 to 0x00010FFF of the execution unit 142A (i.e., binary atom 152A points to 142A). That is, the relocated address of each execution unit is different from the location used before (i.e., locations non-designated before). Moreover, since randomization is applied while the executable file 140 is being loaded into memory, it is inherent that randomly assigned addresses are different from locations used before loading, that is, randomly assigned addresses are locations being non-designated prior to the load time. 
In view of the above and as will be discussed below, the Examiner asserts that Panchenko fully teach and suggest at least each of the limitations recited in claims 1, 6 and 9, and thus the rejection is maintained.

Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:


(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale or otherwise available to the public before the effective filing date of the claimed invention.

(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.


Claims 1, 3-4, 6-13 and 16-19 are rejected under 35 U.S.C. 102(a)(1)&(a)(2) as being anticipated by Panchenko et al. (US 2015/0047049 A1; hereinafter, “Panchenko”).

Regarding claim 1:
Panchenko teaches:
A method comprising:
providing anti-propagation protection for a machine executable module to be executed on a computer (para. [0024]: method for providing a binary translation and randomization system for application security is presented. … which comprises, for each of a plurality of execution units in an executable file; para. [0026]: embodiments provide a computer apparatus … to carry out the foregoing methods), comprising, at a load time associated with the module (para. [0048]: … the randomization may be applied while the executable file 140 is being loaded into memory. --- It is noted that while the executable file 140 is being loaded teaches at a load time with the module):
parsing the executable module into a plurality of sub-images of the module (para. [0073]: control flow analyzer 166 may analyze each of execution units 142A-142C in executable file 140 to identify the atom relocations for each corresponding binary atom 152A-152C, which may be provided from binary analysis or from relocation metadata that is already present in executable file 140; para. [0063]: In block 202 of process 200, computer 160A receives relocation metadata 150 comprising, for each of a plurality of execution units within executable file 140, a mapping from executable file 140 to an address space range; see also FIG. 1A and 1C. --- It is noted that executable file 140 teaches the executable module; execution units 142 teaches a plurality of sub-images; analyze each of execution units 142A-142C in executable file 140 teaches parsing the executable module into a plurality of sub-images; also executable file 140 in FIG. 1C shows parsed structure of the executable file and units), wherein the executable module includes data that represents entry and exit points for each sub-image (para. [0065]: Turning specifically to relocation metadata 150, header 151 may provide all the information to successfully parse relocation metadata 150, including … a number of binary atoms, atom relocations, and file relocations, a virtual address offset, file offset …; para. [0068]: … As shown in FIG. 1C, binary atom 152A points to execution unit 142A, which is mapped into virtual address range 0x00010000 to 0x00010FFF and corresponds to the main( ) function. Binary atom 152B points to execution unit 142B, which is mapped into virtual address range 0x00011000 to 0x00011FFF and corresponds to the foo( ) function. Binary atom 152C points to execution unit 142C, which is mapped into virtual address range 0x00012000 to 0x00012FFF and corresponds to the bar( ) function. --- It is noted that FIC. 1C discloses executable file 140, and execution units 142A-C (corresponding binary atom 152A-C), and the execution units 142 are included in the executable file 140; also each unit (e.g., execution unit 142A) is mapped into virtual address range 0x00010000 to 0x00010FFF; here, virtual address 0x00010000 which is the beginning address pointed by binary atom 152A teaches entry point and virtual address 0x00010FFF which is the ending address pointed by binary atom 152A teaches exit point; further noted that the claim does not specifically define what the entry and exit points are, in this regard, the specification describes (see para. [0011]) “entry and exit points (addresses point to by pointers…)” so, in light of the specification, the beginning address (0x00010000) teaches entry point, and the ending address (0x00010FFF) teaches exit point; thus, (the parsed) executable file 140 includes data representing entry and exit points for each execution unit, which teaches the executable module includes data that represents entry and exit points for each sub-image); and
assigning locations for the sub-images relative to each other in a memory of the computer, the locations being non-designated prior to the load time (FIG. 1C & para. [0048]: BTRS application 164 augments relocation metadata 150 with data from the randomized order provided by randomization function 165, generating augmented relocation metadata 180. Augmented relocation metadata 180 is then used to translate executable file 140 into randomized executable file 170. … In some embodiments, the randomization may be applied while the executable file 140 is being loaded into memory…; para. [0074]: In block 204 of process 200, for at least one of execution units 142A-142C, BTRS application 164 modifies the corresponding mapping of binary atoms 152A-152C to replace the instructions within the address space range with a relocated copy of the instructions at a randomly located address space range … Relocation metadata 150 is updated accordingly and written as augmented relocation metadata 180.; para. [0075]: In the example shown in FIG. 1C, the mapping of all three binary atoms 152A-152C is randomized. The mapping of execution unit 142A or main( ) into virtual addresses 0x00010000 to 0x00010FFF by binary atom 152A is randomized into the new mapping of binary atom 182A, which maps a relocated execution unit 172A into virtual addresses 0x12011000 to 0x12011FFF. The mapping of execution unit 142B or foo( ) into virtual addresses 0x00011000 to 0x00011FFF by binary atom 152B is randomized into the new mapping of binary atom 182B, which maps a relocated execution unit 172B into virtual addresses 0x12010000 to 0x12010FFF. The mapping of execution unit 142C or bar( ) into virtual addresses 0x00012000 to 0x00012FFF by binary atom 152C is randomized into the new mapping of binary atom 182C, which maps a relocated execution unit 172C into virtual addresses 0x12012000 to 0x12012FFF. --- It is noted that header and binary atom in generating augmented relocation metadata 180 and corresponding randomized executable file 170 in FIG. 1C teaches assigning locations for the sub-images; in other words, relocation metadata 150 is updated to augmented relocation metadata 180 by replacing address space ranges; for example, virtual addresses 0x00010000 to 0x00010FFF of the execution unit 142A (-- binary atom 152A points to 142A) is relocated into virtual addresses 0x12011000 to 0x12011FFF of the execution unit 172A (-- binary atom 182A points to 172A) as disclosed in FIG. 1C, which teaches assigning locations for the sub-images; also the relocated virtual addresses 0x12011000 to 0x12011FFF of the execution unit 172A (-- binary atom 182A points to 172A) is different from virtual addresses 0x00010000 to 0x00010FFF of the execution unit 142A, so which teaches the locations being non-designated prior to the load time; further as disclosed in FIG. 1C, the virtual addresses of the binary atoms (execution units) are different each other, so which teaches assigning locations relative to each other in a memory of the computer).

Regarding claim 3:
Panchenko teaches:
The method of claim 1, further comprising:
Panchenko teaches:
identifying a plurality of load time fixups for the sub-images of the module (FIG. 1C & para. [0064]: Augmented relocation metadata 180 includes header 181, binary atom 182A, binary atom 182B, binary atom 182C, file relocations 186, and program control flow graph 188. Binary atom 182A includes atom relocation 184A, atom relocation 184B, and atom relocation 184C; para. [0065]: Turning specifically to relocation metadata 150, header 151 may provide all the information to successfully parse relocation metadata 150, including a size of relocation metadata 150 and header 151, version and file identifiers and checksums, a number of binary atoms, atom relocations, and file relocations, a virtual address offset, file offset, and size of an image deployment zone when executable file 140 is loaded into virtual memory, and other data; para. [0066]: a program control flow graph 158 may be constructed to identify the program control structures of executable file 140, thereby allowing units of executable file 140 to be identified for relocation; para. [0068]: As shown in FIG. 1C, binary atom 152A points to execution unit 142A, which is mapped into virtual address range 0x00010000 to 0x00010FFF and corresponds to the main( ) function; para. [0048]: In some embodiments, the randomization may be applied while the executable file 140 is being loaded into memory, and therefore a separate randomized executable file 170 may not be created. --- It is noted that header 181 and binary atoms 182 of augmented relocation metadata 180 and teaches load time fixups for the sub-images of the module, here, the randomization may be applied while being loaded into memory teaches load time; a program control flow graph 158 identify the program control structures of executable file 140, thereby allowing units of executable file 140 to be identified for relocation, and a program control flow graph 188 perform the same function with a program control flow graph 158 when relocating, thus header 181 and binary atoms 182 are identified when relocating, which teaches identifying the fixups), wherein each fixup includes a pointer to and address to be updated based on randomly assigned addresses of the sub-images (FIG. 1C & para. [0064]: Augmented relocation metadata 180 includes header 181, binary atom 182A, binary atom 182B, binary atom 182C, file relocations 186, and program control flow graph 188. Binary atom 182A includes atom relocation 184A, atom relocation 184B, and atom relocation 184C; para. [0065]: Turning specifically to relocation metadata 150, header 151 may provide all the information to successfully parse relocation metadata 150, including a size of relocation metadata 150 and header 151, version and file identifiers and checksums, a number of binary atoms, atom relocations, and file relocations, a virtual address offset, file offset, and size of an image deployment zone when executable file 140 is loaded into virtual memory, and other data; para. [0068]: As shown in FIG. 1C, binary atom 152A points to execution unit 142A, which is mapped into virtual address range 0x00010000 to 0x00010FFF and corresponds to the main( ) function; para. [0069]: While FIG. 1C only shows virtual addresses for image data, the file offsets for image data as stored in executable file 140 are also identified by the binary atoms and the atom relocations. Additionally, file relocations 156 may establish the file offsets and thus the ordering of execution units 142A-142C within executable file 140. Further, while each execution unit 142A-142C corresponds to entire code functions in FIG. 1C, execution units may also correspond to smaller chunks of code such as control flow basic blocks; para. [0079]: For additional security, it may be desirable to randomize the location of data that reference locations to addresses in the execution units. A non-exhaustive list of such data includes switch tables, function pointers, VTBL, PLT, and GOT; para. [0063]: relocation metadata 150 may be maintained and received from various locations such as metadata database 163, a non-loadable portion of executable file 140, or a separate file. --- It is noted that header 181 of augmented relocation metadata 180 includes atom relocations, and file relocations, a virtual address offset, file offset, and binary atom 152A points to execution unit 142A teaches each fixup includes a pointer to and address to be updated; and randomize the location of data that reference locations to addresses in the execution units teaches based on based on randomly assigned addresses of the sub-images).

Regarding claim 4:
Panchenko teaches:
 	The method of claim 3, further comprising:
Panchenko teaches:
replacing an address specified by executable code associated with a sub-image of the sub-images, the address being associated with a fixup of the plurality of fixups (FIG. 1C & para. [0064]]: Randomized executable file 170 includes execution unit 172A, execution unit 172B, execution unit 172C, and data unit 176A. Execution unit 172A includes object code 174A, object code 174B, and object code 174C. Augmented relocation metadata 180 includes header 181, binary atom 182A, binary atom 182B, binary atom 182C, file relocations 186, and program control flow graph 188. Binary atom 182A includes atom relocation 184A, atom relocation 184B, and atom relocation 184C. With respect to FIG. 1C, like numbered elements may correspond to the same elements from FIG. 1A. Additionally, while 32-bit addresses are shown in FIG. 1C, any size address space may be supported; para. [0074]:  BTRS application 164 modifies the corresponding mapping of binary atoms 152A-152C to replace the instructions within the address space range with a relocated copy of the instructions at a randomly located address space range. Thus, block 204 applies randomization function 165 to randomize the mapping of at least one of the binary atoms 152A-152C. Relocation metadata 150 is updated accordingly and written as augmented relocation metadata 180; para. [0067]: If only executable file 140 is available, then control flow analyzer 166 may utilize a static binary analysis of executable file 140 to construct a conservative program control flow graph 158 that only identifies the targets of transfer instructions in executable file 140 in more general terms; para. [0080]: In the case where only executable file 140 is available, relying on heuristics alone may be undesirable. In this case, code in randomized executable file 170 that performs control transfers using data references to code may be replaced with lookup functions that use a lookup table placed in a randomly positioned data segment. --- It is noted that FIG. 1C teaches that addresses specified by the codes associated with units in executable file 140 are replaced as in randomized executable file 170; and each address is associated with augmented relocation metadata 180).

Regarding claim 6:
Panchenko teaches:
An article comprising a non-transitory computer readable storage medium to store instructions that when executed by a computer cause the computer to (para. [0026]: embodiments provide a computer apparatus and a computer-readable medium configured to carry out the foregoing methods):
(FIG. 1C & para. [0063]: If only a pre-compiled executable file 140 is available, then control flow analyzer 166 may perform a binary analysis of executable file 140 to generate relocation metadata 150; para. [0073]: Thus, control flow analyzer 166 may analyze each of execution units 142A-142C in executable file 140 to identify the atom relocations for each corresponding binary atom 152A-152C, which may be provided from binary analysis or from relocation metadata that is already present in executable file 140; para. [0054]: The executable files can thus be considered to be organized into a tree hierarchy. --- It is noted that perform a binary analysis of executable file 140 teaches statically analyze machine executable instructions associated with a first executable module; and which, as illustrated in FIF. 1C has a tree hierarchy);
at load time, construct a table of fixups (FIG. 1C & para. [0064]: Augmented relocation metadata 180 includes header 181, binary atom 182A, binary atom 182B, binary atom 182C, file relocations 186, and program control flow graph 188. Binary atom 182A includes atom relocation 184A, atom relocation 184B, and atom relocation 184C; para. [0065]: Turning specifically to relocation metadata 150, header 151 may provide all the information to successfully parse relocation metadata 150, including a size of relocation metadata 150 and header 151, version and file identifiers and checksums, a number of binary atoms, atom relocations, and file relocations, a virtual address offset, file offset, and size of an image deployment zone when executable file 140 is loaded into virtual memory, and other data; para. [0066]: a program control flow graph 158 may be constructed to identify the program control structures of executable file 140, thereby allowing units of executable file 140 to be identified for relocation; para. [0068]: As shown in FIG. 1C, binary atom 152A points to execution unit 142A, which is mapped into virtual address range 0x00010000 to 0x00010FFF and corresponds to the main( ) function; para. [0048]: In some embodiments, the randomization may be applied while the executable file 140 is being loaded into memory, and therefore a separate randomized executable file 170 may not be created; para. [0079]: For additional security, it may be desirable to randomize the location of data that reference locations to addresses in the execution units. A non-exhaustive list of such data includes switch tables, function pointers, VTBL, PLT, and GOT. This data randomization can help to prevent attacks such as return-to-PLT/GOT. --- It is noted that header 181 and binary atoms 182 of augmented relocation metadata 180 teaches a table of fixups; data includes switch tables, VTBL, PLT, and GOT teaches a table of fixups; the randomization may be applied while the executable file 140 is being loaded into memory, and a program control flow graph 188 perform the same function with a program control flow graph 158 when relocating, thus which teaches at load time), wherein each fixup identifies an address whose associated memory content is to be updated to reflect a randomly assigned location (FIG. 1C & para. [0064]: Augmented relocation metadata 180 includes header 181, binary atom 182A, binary atom 182B, binary atom 182C, file relocations 186, and program control flow graph 188. Binary atom 182A includes atom relocation 184A, atom relocation 184B, and atom relocation 184C; para. [0065]: Turning specifically to relocation metadata 150, header 151 may provide all the information to successfully parse relocation metadata 150, including a size of relocation metadata 150 and header 151, version and file identifiers and checksums, a number of binary atoms, atom relocations, and file relocations, a virtual address offset, file offset, and size of an image deployment zone when executable file 140 is loaded into virtual memory, and other data; para. [0068]: As shown in FIG. 1C, binary atom 152A points to execution unit 142A, which is mapped into virtual address range 0x00010000 to 0x00010FFF and corresponds to the main( ) function; para. [0069]: While FIG. 1C only shows virtual addresses for image data, the file offsets for image data as stored in executable file 140 are also identified by the binary atoms and the atom relocations. Additionally, file relocations 156 may establish the file offsets and thus the ordering of execution units 142A-142C within executable file 140. Further, while each execution unit 142A-142C corresponds to entire code functions in FIG. 1C, execution units may also correspond to smaller chunks of code such as control flow basic blocks; para. [0079]: For additional security, it may be desirable to randomize the location of data that reference locations to addresses in the execution units. A non-exhaustive list of such data includes switch tables, function pointers, VTBL, PLT, and GOT; para. [0063]: relocation metadata 150 may be maintained and received from various locations such as metadata database 163, a non-loadable portion of executable file 140, or a separate file. --- It is noted that header 181 of augmented relocation metadata 180 includes a number of binary atoms, atom relocations, and file relocations, a virtual address offset, file offset, and as disclose in FIG. 1C, binary atoms 182 also includes corresponding relocation and offset addresses, which each fixup identifies an address whose associated memory content; the addresses are used to randomize executable file, which teaches to be updated to reflect a randomly assigned location);
parse the first executable module into a plurality of sub-images (para. [0073]: control flow analyzer 166 may analyze each of execution units 142A-142C in executable file 140 to identify the atom relocations for each corresponding binary atom 152A-152C, which may be provided from binary analysis or from relocation metadata that is already present in executable file 140; para. [0063]: In block 202 of process 200, computer 160A receives relocation metadata 150 comprising, for each of a plurality of execution units within executable file 140, a mapping from executable file 140 to an address space range; see also FIG. 1A and 1C. --- It is noted that executable file 140 teaches the first executable module; execution units 142 teaches a plurality of sub-images; analyze each of execution units 142A-142C in executable file 140 teaches parsing the executable module into a plurality of sub-images; also executable file 140 in FIG. 1C shows parsed structure of the executable file and units) and identify the fixups associated with the plurality of sub-images based at least in part on the call tree (FIG. 1C & para. [0064]: Augmented relocation metadata 180 includes header 181, binary atom 182A, binary atom 182B, binary atom 182C, file relocations 186, and program control flow graph 188. Binary atom 182A includes atom relocation 184A, atom relocation 184B, and atom relocation 184C; para. [0065]: Turning specifically to relocation metadata 150, header 151 may provide all the information to successfully parse relocation metadata 150, including a size of relocation metadata 150 and header 151, version and file identifiers and checksums, a number of binary atoms, atom relocations, and file relocations, a virtual address offset, file offset, and size of an image deployment zone when executable file 140 is loaded into virtual memory, and other data; para. [0066]: a program control flow graph 158 may be constructed to identify the program control structures of executable file 140, thereby allowing units of executable file 140 to be identified for relocation; para. [0068]: As shown in FIG. 1C, binary atom 152A points to execution unit 142A, which is mapped into virtual address range 0x00010000 to 0x00010FFF and corresponds to the main( ) function; para. [0048]: In some embodiments, the randomization may be applied while the executable file 140 is being loaded into memory, and therefore a separate randomized executable file 170 may not be created; FIG. 1C & para. [0063]: If only a pre-compiled executable file 140 is available, then control flow analyzer 166 may perform a binary analysis of executable file 140 to generate relocation metadata 150; [0081]: BTRS application 164 generates an image, or randomized executable file 170 from executable file 140 using augmented relocation metadata 180; para. [0054]: The executable files can thus be considered to be organized into a tree hierarchy. --- It is noted that header 181 and binary atoms 182 of augmented relocation metadata 180 and teaches load time fixups associated with the plurality of sub-images; a program control flow graph 158 identify the program control structures of executable file 140, thereby allowing units of executable file 140 to be identified for relocation, and a program control flow graph 188 perform the same function with a program control flow graph 158 when relocating, thus header 181 and binary atoms 182 are identified when relocating, which teaches identifying based at least in part on the call tree); and
provide a second executable module comprising the sub-images, data representing the boundaries of the sub-images and data representing the fixups (para. [0054]: The executable files can thus be considered to be organized into a tree hierarchy. --- It is noted that multiple executable files are disclosed, so another executable file of the executable files teaches a second executable module; and the another files is inherently analyzed as the same way in the executable file 140, 170, and of which units and codes teaches sub-images; and header 181 and binary atoms 182 of augmented relocation metadata 180 teaches data representing the fixups; FIG. 1C teaches address boundaries of the units and codes, which teaches boundaries of the sub-images).

Regarding claim 7:
Panchenko teaches:
 	The article of claim 6, the storage medium storing instructions that when executed by the computer cause the computer to:
Panchenko further teaches:
combine at least one other sub-image from at least one other execution module with at least one sub-image of the plurality of sub-images to provide the second execution module (para. [0078]: Note that while execution units 172A-172C are all consolidated into a single “.new_text” code segment in the mappings of augmented relocation metadata 180, alternative embodiments may place the execution units into separate code segments, up to a maximum separation of one code segment per execution unit. Each of these code segments may then be placed in random page-aligned start addresses in the virtual address space, providing even higher levels of entropy; para. [0045]: the ordering of execution units within code segments is also randomized. --- It is noted that one execution unit of one code segment teaches one sub-image of the plurality of sub-images (of the first executable module); another execution unit of another code segment teaches one other sub-image of one other execution module; and further another code segment teaches the second execution module; thus, place the execution units into separate code segments, up to a maximum separation of one code segment per execution unit teaches combine at least one other sub-image from at least one other execution module with at least one sub-image of the plurality of sub-images. Also, noted that the clam does not have specific limitation to “combine”. So, for the sake of examination purpose, it is interpreted as randomly assigning the combination a memory address in light of paragraph [0030] of the Specification).

Regarding claim 8:
Panchenko teaches:
 	The article of claim 6, the storage medium storing instructions that when executed by the computer cause the computer to:
Panchenko teaches:
for a given sub-image of the plurality of sub-images, identify at least an entry point to the given sub-image based at least in part on the call tree (para. [0077]: While execution units 172A-172C may be stored directly adjacent to each other in randomized executable file 170, binary atoms 182A-182C may map execution units 172A-172C to page-aligned addresses in virtual memory. However, the start addresses of the execution units may be offset from the start of the page to provide additional entropy; para. [0054]: The executable files can thus be considered to be organized into a tree hierarchy. --- It is noted that for example, start addresses of the execution units teaches an entry point to the given sub-image; and FIG. 1C teaches starting addresses of the units and codes, and further teaches based in a tree hierarchy).

Regarding claim 9:
Panchenko teaches:
 	An apparatus (FIG. 3: a computer system 300) comprising:
(FIG. 3: a computer system 300) comprising a hardware processor (FIG. 3: a processor 304), a run time component (FIG. 3: a processor 304) and a load time component (FIG. 1A: runtime loader 162 and BTRS application 164) and
a memory (FIG. 3: memory 306),
wherein:
the load time component loads an executable module to be executed by the run time component into the memory (para. [0048]: BTRS application 164 augments relocation metadata 150 with data from the randomized order provided by randomization function 165, generating augmented relocation metadata 180. Augmented relocation metadata 180 is then used to translate executable file 140 into randomized executable file 170. … After a translation of randomized executable file 170 is completed, randomized executable file 170 may then be loaded into memory for execution; para. [0053]: Runtime loader 162 includes BTRS application 164; para. [0084]: Main memory 306 also may be used for storing temporary variables or other intermediate information during execution of instructions to be executed by processor 304. --- It is noted that BTRS application 164 teaches the load time component, which loads executable file for into memory for execution; and executable file teaches an executable module; instructions to be executed by processor teaches executed by a runtime component);
the load time component constructs a table of fixups (FIG. 1C & para. [0064]: Augmented relocation metadata 180 includes header 181, binary atom 182A, binary atom 182B, binary atom 182C, file relocations 186, and program control flow graph 188. Binary atom 182A includes atom relocation 184A, atom relocation 184B, and atom relocation 184C; para. [0065]: Turning specifically to relocation metadata 150, header 151 may provide all the information to successfully parse relocation metadata 150, including a size of relocation metadata 150 and header 151, version and file identifiers and checksums, a number of binary atoms, atom relocations, and file relocations, a virtual address offset, file offset, and size of an image deployment zone when executable file 140 is loaded into virtual memory, and other data; para. [0079]: For additional security, it may be desirable to randomize the location of data that reference locations to addresses in the execution units. A non-exhaustive list of such data includes switch tables, function pointers, VTBL, PLT, and GOT. This data randomization can help to prevent attacks such as return-to-PLT/GOT; para. [0048]: In some embodiments, the randomization may be applied while the executable file 140 is being loaded into memory, and therefore a separate randomized executable file 170 may not be created. --- It is noted that BTRS application 164 teaches the load time component, as stated above; header 181 and binary atoms 182 of augmented relocation metadata 180 teaches a table of fixups; data includes switch tables, VTBL, PLT, and GOT teaches fixups is a table type; the randomization may be applied while the executable file 140 is being loaded into memory, and a program control flow graph 188 perform the same function with a program control flow graph 158 when relocating, thus which teaches a table of fixups is constructed at load time), wherein each fixup identifies an address whose associated memory content is to be updated to reflect a randomly assigned location (FIG. 1C & para. [0064]: Augmented relocation metadata 180 includes header 181, binary atom 182A, binary atom 182B, binary atom 182C, file relocations 186, and program control flow graph 188. Binary atom 182A includes atom relocation 184A, atom relocation 184B, and atom relocation 184C; para. [0065]: Turning specifically to relocation metadata 150, header 151 may provide all the information to successfully parse relocation metadata 150, including a size of relocation metadata 150 and header 151, version and file identifiers and checksums, a number of binary atoms, atom relocations, and file relocations, a virtual address offset, file offset, and size of an image deployment zone when executable file 140 is loaded into virtual memory, and other data; para. [0069]: While FIG. 1C only shows virtual addresses for image data, the file offsets for image data as stored in executable file 140 are also identified by the binary atoms and the atom relocations. Additionally, file relocations 156 may establish the file offsets and thus the ordering of execution units 142A-142C within executable file 140. Further, while each execution unit 142A-142C corresponds to entire code functions in FIG. 1C, execution units may also correspond to smaller chunks of code such as control flow basic blocks; para. [0079]: For additional security, it may be desirable to randomize the location of data that reference locations to addresses in the execution units. A non-exhaustive list of such data includes switch tables, function pointers, VTBL, PLT, and GOT; para. [0063]: relocation metadata 150 may be maintained and received from various locations such as metadata database 163, a non-loadable portion of executable file 140, or a separate file. --- It is noted that header 181 of augmented relocation metadata 180 includes a number of binary atoms, atom relocations, and file relocations, a virtual address offset, file offset, and as disclose in FIG. 1C, binary atoms 182 also includes corresponding relocation and offset addresses, which each fixup identifies an address whose associated memory content; the addresses are used to randomize executable file, which teaches to be updated to reflect a randomly assigned location);
the load time component randomly assigns locations for sub-images of the executable module relative to each other in the memory (FIG. 1C & para. [0048]: BTRS application 164 augments relocation metadata 150 with data from the randomized order provided by randomization function 165, generating augmented relocation metadata 180. Augmented relocation metadata 180 is then used to translate executable file 140 into randomized executable file 170. … In some embodiments, the randomization may be applied while the executable file 140 is being loaded into memory…; para. [0081]: BTRS application 164 generates an image, or randomized executable file 170 from executable file 140 using augmented relocation metadata 180; FIG. 1C & para. [0048]: BTRS application 164 augments relocation metadata 150 with data from the randomized order provided by randomization function 165, generating augmented relocation metadata 180. Augmented relocation metadata 180 is then used to translate executable file 140 into randomized executable file 170. … In some embodiments, the randomization may be applied while the executable file 140 is being loaded into memory…; para. [0074]: In block 204 of process 200, for at least one of execution units 142A-142C, BTRS application 164 modifies the corresponding mapping of binary atoms 152A-152C to replace the instructions within the address space range with a relocated copy of the instructions at a randomly located address space range … Relocation metadata 150 is updated accordingly and written as augmented relocation metadata 180; para. [0075]: In the example shown in FIG. 1C, the mapping of all three binary atoms 152A-152C is randomized. The mapping of execution unit 142A or main( ) into virtual addresses 0x00010000 to 0x00010FFF by binary atom 152A is randomized into the new mapping of binary atom 182A, which maps a relocated execution unit 172A into virtual addresses 0x12011000 to 0x12011FFF. The mapping of execution unit 142B or foo( ) into virtual addresses 0x00011000 to 0x00011FFF by binary atom 152B is randomized into the new mapping of binary atom 182B, which maps a relocated execution unit 172B into virtual addresses 0x12010000 to 0x12010FFF. The mapping of execution unit 142C or bar( ) into virtual addresses 0x00012000 to 0x00012FFF by binary atom 152C is randomized into the new mapping of binary atom 182C, which maps a relocated execution unit 172C into virtual addresses 0x12012000 to 0x12012FFF.. --- It is noted that the relocation metadata 150 is updated to augmented relocation metadata 180 by replacing address space ranges; for example, virtual addresses 0x00010000 to 0x00010FFF of the execution unit 142A (-- binary atom 152A points to 142A) is relocated into virtual addresses 0x12011000 to 0x12011FFF of the execution unit 172A (-- binary atom 182A points to 172A) as disclosed in FIG. 1C, which teaches assigning locations for the sub-images of the executable module; units and codes generated from the executable file illustrated in FIG. 1C teaches sub-images of the executable module; and FIG. 1C teaches locations are relative to each other); and
the load time component loads the sub-images into the randomly assigned locations of the memory (para. [0048]: Augmented relocation metadata 180 is then used to translate executable file 140 into randomized executable file 170. … After a translation of randomized executable file 170 is completed, randomized executable file 170 may then be loaded into memory for execution; [0081]: BTRS application 164 generates an image, or randomized executable file 170 from executable file 140 using augmented relocation metadata 180. --- It is noted that units and codes of randomized executable file 170 illustrated in FIG. 1C teaches sub-images; and the addresses are randomly assigned location in the memory).

Regarding claim 10:
Panchenko teaches:
 	The apparatus of claim 9. 
Panchenko further teaches:
wherein the load time component retrieves data identifying the sub-images and the fixups associated with the sub-images (para. [0081]: BTRS application 164 generates an image, or randomized executable file 170 from executable file 140 using augmented relocation metadata 180. Since the majority of the analysis work was already carried out in blocks 202 and 204, block 206 is a relatively straightforward relocation process, fixing control flow instructions and writing data to the proper positions as dictated by augmented relocation metadata 180. For example, object code 174A-174C will be patched to branch to the correct addresses for the randomly repositioned foo( ) function at 0x12010000 and the randomly repositioned bar( ) function at 0x12012000. Other data structures such as the dynamic symbol table, exception tables, and optional debugging information may also be updated in randomized executable file 170 according to augmented relocation metadata 180. --- It is noted that FIG. 1C illustrated that an image and/or randomized executable file 170 are generated from executable file 140 using augmented relocation metadata, which teaches retrieves data identifying sub-images and fixups).

Regarding claim 11:
Panchenko teaches:
 	The apparatus of claim 9, wherein the executable module comprises …
Panchenko further teaches:
	… a module loaded on demand (para. [0029]: If computers 160A-160C are general purpose computers, then executable file 140 might be a web browser or a document reader … executable file 140 may also include linked shared library functions and calls to external libraries, such as dynamic link libraries and operating system libraries. --- It is noted that for example, a web browser can be loaded on demand).

Regarding claim 12:
Panchenko teaches:
 	The apparatus of claim 9, wherein the load time component …
Panchenko further teaches:
	… loads the sub-images into the memory in response to a bootup of the computer, in response to a user action, or in response to a system call (para. [0048]: Augmented relocation metadata 180 is then used to translate executable file 140 into randomized executable file 170. … After a translation of randomized executable file 170 is completed, randomized executable file 170 may then be loaded into memory for execution; para. [0054]: These client-specific executable files are then distributed to the respective computer clients, which also have a BTRS environment that further randomizes the client-specific executable files per execution (or by some other basis such as per-user or per-customer; para. [0081]: BTRS application 164 generates an image, or randomized executable file 170 from executable file 140 using augmented relocation metadata 180. --- It is noted that randomized executable file (units and codes) may then be loaded into memory teaches load the sub-images into the memory; further randomizes by per execution implies in response to a bootup of the computer, also further randomizes by per-user implies in response to a user action).

Regarding claim 13:
Panchenko teaches:
 	The apparatus of claim 9, wherein the load time component …
Panchenko teaches:
	… constructs the table of fixups at load time (FIG. 1C & para. [0064]: Augmented relocation metadata 180 includes header 181, binary atom 182A, binary atom 182B, binary atom 182C, file relocations 186, and program control flow graph 188. Binary atom 182A includes atom relocation 184A, atom relocation 184B, and atom relocation 184C; para. [0065]: Turning specifically to relocation metadata 150, header 151 may provide all the information to successfully parse relocation metadata 150, including a size of relocation metadata 150 and header 151, version and file identifiers and checksums, a number of binary atoms, atom relocations, and file relocations, a virtual address offset, file offset, and size of an image deployment zone when executable file 140 is loaded into virtual memory, and other data; para. [0079]: For additional security, it may be desirable to randomize the location of data that reference locations to addresses in the execution units. A non-exhaustive list of such data includes switch tables, function pointers, VTBL, PLT, and GOT. This data randomization can help to prevent attacks such as return-to-PLT/GOT; para. [0048]: In some embodiments, the randomization may be applied while the executable file 140 is being loaded into memory, and therefore a separate randomized executable file 170 may not be created. --- It is noted that header 181 and binary atoms 182 of augmented relocation metadata 180 teaches a table of fixups; data includes switch tables, VTBL, PLT, and GOT teaches fixups is a table type; the randomization may be applied while the executable file 140 is being loaded into memory, and a program control flow graph 188 perform the same function with a program control flow graph 158 when relocating, thus which teaches construct the table of fixups at load time).
	
Regarding claim 14:
Panchenko teaches:
 	The apparatus of claim 9, wherein the load component …
Panchenko teaches:
	… replaces addresses associated with the fixups (para. [0074]: BTRS application 164 modifies the corresponding mapping of binary atoms 152A-152C to replace the instructions within the address space range with a relocated copy of the instructions at a randomly located address space range. --- It is noted that for example, FIG. 1C teaches replaces addresses associated with the units and codes, which teaches replaces addresses associated with the fixups).

Regarding claim 17:
Panchenko teaches:
The article of claim 6, 
Panchenko further teaches:
wherein the instructions to parse the first executable module include instructions that when executed by the computer cause the computer to produce the plurality of sub-images (para. [0073]: control flow analyzer 166 may analyze each of execution units 142A-142C in executable file 140 to identify the atom relocations for each corresponding binary atom 152A-152C, which may be provided from binary analysis or from relocation metadata that is already present in executable file 140; para. [0063]: In block 202 of process 200, computer 160A receives relocation metadata 150 comprising, for each of a plurality of execution units within executable file 140, a mapping from executable file 140 to an address space range; para. [0065]: Turning specifically to relocation metadata 150, header 151 may provide all the information to successfully parse relocation metadata 150, including a size of relocation metadata 150 and header 151, version and file identifiers and checksums, a number of binary atoms, atom relocations, and file relocations, a virtual address offset, file offset, and size of an image deployment zone when executable file 140 is loaded into virtual memory, and other data --- It is noted that analyze each of execution units 142A-142C in executable file 140 teaches parsing the executable module; also executable file 140 in FIG. 1C shows parsed structure of the executable file and units), where each sub-image includes one or multiple entry points and one or multiple exit points (para. [0068]: … As shown in FIG. 1C, binary atom 152A points to execution unit 142A, which is mapped into virtual address range 0x00010000 to 0x00010FFF and corresponds to the main( ) function. Binary atom 152B points to execution unit 142B, which is mapped into virtual address range 0x00011000 to 0x00011FFF and corresponds to the foo( ) function. Binary atom 152C points to execution unit 142C, which is mapped into virtual address range 0x00012000 to 0x00012FFF and corresponds to the bar( ) function. --- It is noted that FIC. 1C discloses executable file 140, and execution units 142A-C (binary atom 152A-C), and the execution units 142 are included in the executable file 140; also each unit (e.g., execution unit 142A) is mapped into virtual address range 0x00010000 to 0x00010FFF; here, virtual address 0x00010000 teaches entry point and virtual address 0x00010FFF teaches exit point). 

Regarding claim 18:
Panchenko teaches:
The article of claim 1, 
Panchenko further teaches:
including at load time, constructing a table of fixups (FIG. 1C & para. [0064]: Augmented relocation metadata 180 includes header 181, binary atom 182A, binary atom 182B, binary atom 182C, file relocations 186, and program control flow graph 188. Binary atom 182A includes atom relocation 184A, atom relocation 184B, and atom relocation 184C; para. [0065]: Turning specifically to relocation metadata 150, header 151 may provide all the information to successfully parse relocation metadata 150, including a size of relocation metadata 150 and header 151, version and file identifiers and checksums, a number of binary atoms, atom relocations, and file relocations, a virtual address offset, file offset, and size of an image deployment zone when executable file 140 is loaded into virtual memory, and other data; para. [0079]: For additional security, it may be desirable to randomize the location of data that reference locations to addresses in the execution units. A non-exhaustive list of such data includes switch tables, function pointers, VTBL, PLT, and GOT. This data randomization can help to prevent attacks such as return-to-PLT/GOT; para. [0048]: In some embodiments, the randomization may be applied while the executable file 140 is being loaded into memory, and therefore a separate randomized executable file 170 may not be created. --- It is noted header 181 and binary atoms 182 of augmented relocation metadata 180 teaches a table of fixups; data includes tables teaches fixups is a table type; the randomization may be applied while the executable file 140 is being loaded into memory, and a program control flow graph 188 perform the same function with a program control flow graph 158 when relocating, thus which teaches a table of fixups is constructed at load time), wherein each fixup identifies an address whose associated memory content is to be updated to reflect the assigned locations (FIG. 1C & para. [0064]: Augmented relocation metadata 180 includes header 181, binary atom 182A, binary atom 182B, binary atom 182C, file relocations 186, and program control flow graph 188. Binary atom 182A includes atom relocation 184A, atom relocation 184B, and atom relocation 184C; para. [0065]: Turning specifically to relocation metadata 150, header 151 may provide all the information to successfully parse relocation metadata 150, including a size of relocation metadata 150 and header 151, version and file identifiers and checksums, a number of binary atoms, atom relocations, and file relocations, a virtual address offset, file offset, and size of an image deployment zone when executable file 140 is loaded into virtual memory, and other data; para. [0069]: While FIG. 1C only shows virtual addresses for image data, the file offsets for image data as stored in executable file 140 are also identified by the binary atoms and the atom relocations. Additionally, file relocations 156 may establish the file offsets and thus the ordering of execution units 142A-142C within executable file 140. Further, while each execution unit 142A-142C corresponds to entire code functions in FIG. 1C, execution units may also correspond to smaller chunks of code such as control flow basic blocks; para. [0079]: For additional security, it may be desirable to randomize the location of data that reference locations to addresses in the execution units. A non-exhaustive list of such data includes switch tables, function pointers, VTBL, PLT, and GOT; para. [0063]: relocation metadata 150 may be maintained and received from various locations such as metadata database 163, a non-loadable portion of executable file 140, or a separate file. --- It is noted that header 181 of augmented relocation metadata 180 includes a number of binary atoms, atom relocations, and file relocations, a virtual address offset, file offset, and as disclose in FIG. 1C, binary atoms 182 also includes corresponding relocation and offset addresses, which each fixup identifies an address whose associated memory content; the addresses are used to randomize executable file, which teaches to be updated to reflect a randomly assigned location). 

Regarding claim 19:
Panchenko teaches:
The article of claim 3, 
Panchenko further teaches:
wherein the fixups include pointers to addresses internal and external to an image of the executable module (FIG. 1C & para. [0064]: Augmented relocation metadata 180 includes header 181, binary atom 182A, binary atom 182B, binary atom 182C, file relocations 186, and program control flow graph 188. Binary atom 182A includes atom relocation 184A, atom relocation 184B, and atom relocation 184C; para. [0065]: Turning specifically to relocation metadata 150, header 151 may provide all the information to successfully parse relocation metadata 150, including a size of relocation metadata 150 and header 151, version and file identifiers and checksums, a number of binary atoms, atom relocations, and file relocations, a virtual address offset, file offset, and size of an image deployment zone when executable file 140 is loaded into virtual memory, and other data; para. [0068]: As shown in FIG. 1C, binary atom 152A points to execution unit 142A, which is mapped into virtual address range 0x00010000 to 0x00010FFF and corresponds to the main( ) function; para. [0029]: Besides binary code generated from source code 168, executable file 140 may also include linked shared library functions and calls to external libraries. --- It is noted that header 181 and binary atoms 182 of augmented relocation metadata 180 and teaches fixups; binary atom 152A points to execution unit 142A teaches includes a pointer; binary atom 152A points to execution unit 142A teaches pointers to addresses internal; calls to external libraries teaches pointers to addresses external; and executable file 140 teaches an image of the executable module).

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have 

Claim 2 is rejected under 35 U.S.C. 103 as being unpatentable over Panchenko et al. (US 2015/0047049 A1; hereinafter, “Panchenko”) in view of Saarinen (US 2014/0359325 A1; hereinafter, “Saarinen”).

Regarding claim 2:
Panchenko teaches:
The method of claim 1, wherein assigning the locations comprises …
Panchenko further teaches:
… randomly assigning the locations … (FIG. 1C & para. [0048]: Augmented relocation metadata 180 is then used to translate executable file 140 into randomized executable file 170. … In some embodiments, the randomization may be applied while the executable file 140 is being loaded into memory. --- It is noted that randomization may be applied teaches the location is assigned randomly).
Panchenko is silent about teaches:
	… using a random dumber generator.
Saarinen teaches:
	… using a random dumber generator (para. [0122]: The forming of the input address space may be done completely in random, or there may be a function used in the forming of the input addresses. The function used to assign the locations their addresses may be a random function, that is, at least part of the function may be based on a random number generator).
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Pachenko’s system by enhancing Pachenko’s system 
In this regard, Panchenko describes that for additional security, it may be desirable to randomize the location of data that reference locations to addresses in the execution units. A non-exhaustive list of such data includes switch tables, function pointers, VTBL, PLT, and GOT. (para. [0079]).
The motivation is to improve application and system security by using a random number generator to obtain a truly random number when the units and codes are allocated in the memory addresses by the randomization.

Claims 5 and 15 are rejected under 35 U.S.C. 103 as being unpatentable over Panchenko et al. (US 2015/0047049 A1; hereinafter, “Panchenko”) in view of Forin et al. (US 2009/0133042 A1; hereinafter, “Forin”).

Regarding claim 5:
Panchenko teaches:
 	The method of claim 3, further comprising:
Panchenko teaches:
replacing an address specified by executable code associated with a sub-image of the sub-images with an indirect jump, the address being associated with a fixup of the plurality of fixups (FIG. 1C & para. [0064]]: Randomized executable file 170 includes execution unit 172A, execution unit 172B, execution unit 172C, and data unit 176A. Execution unit 172A includes object code 174A, object code 174B, and object code 174C. Augmented relocation metadata 180 includes header 181, binary atom 182A, binary atom 182B, binary atom 182C, file relocations 186, and program control flow graph 188. Binary atom 182A includes atom relocation 184A, atom relocation 184B, and atom relocation 184C. With respect to FIG. 1C, like numbered elements may correspond to the same elements from FIG. 1A. Additionally, while 32-bit addresses are shown in FIG. 1C, any size address space may be supported; para. [0074]:  BTRS application 164 modifies the corresponding mapping of binary atoms 152A-152C to replace the instructions within the address space range with a relocated copy of the instructions at a randomly located address space range. Thus, block 204 applies randomization function 165 to randomize the mapping of at least one of the binary atoms 152A-152C. Relocation metadata 150 is updated accordingly and written as augmented relocation metadata 180; para. [0067]: If only executable file 140 is available, then control flow analyzer 166 may utilize a static binary analysis of executable file 140 to construct a conservative program control flow graph 158 that only identifies the targets of transfer instructions in executable file 140 in more general terms; para. [0080]: In the case where only executable file 140 is available, relying on heuristics alone may be undesirable. In this case, code in randomized executable file 170 that performs control transfers using data references to code may be replaced with lookup functions that use a lookup table placed in a randomly positioned data segment. --- It is noted that FIG. 1C teaches that addresses specified by the codes associated with units in executable file 140 are replaced as in randomized executable file 170; and each address executable file 170 is associated with augmented relocation metadata 180; also control transfers using data references to code teaches jump; and use a lookup table teaches indirect; thus, code that performs control transfers using data references to code may be replaced with lookup functions that use a lookup table teaches replacing an address specified by executable code with an indirect jump). 
Panchenko is silent about: 
“… an indirect jump…”
Forin, in the same field of endeavor, teaches:
… an indirect jump … (para. [0336]: In FIG. 46A, the image FOO.EXE imports a symbol from the shared library file LIBRARY.DLL by first jumping from the call in the text section to a location (0X66) in the import table (JUMP 1) and then from 0X66 in the import section to 0X99 in LIBRARY.DLL (JUMP 2). The information retrieved is then returned to the text section (JUMP 3. Such indirect jumping has already been described with reference to FIGS. 43-45. In the event FOO.EXE is to run on a system having no virtual memory, the linker bypasses the import table by changing the call in the text section to 0X99 and modifying the jump instruction to a direct jump instruction. The result is illustrated in FIG. 46B, showing the direct jumps from the text section of FOO.EXE to LIBRARY.DLL and back again. --- It is noted that a location (0X66) corresponds to the data references to code of Panchenko which teaches an address specified by executable code; the import table corresponds to a lookup table of Panchenko; and FIG. 46A teaches indirect jump).
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Pachenko’s augmented relocation metadata by enhancing to replace an address associates with the codes with indirect jump algorithm, as taught by Forin, in order to cope with dynamic changes of the address by the randomization. 
In this regard, Forin describes that in order to be able to run multiple programs at once in a system that does not provide multiple address spaces, the programs have to be placed at different addresses in the same space. When memory is allocated dynamically, a program might not land at a predetermined address (para. [0304]), and indirectly jumping through the import section confines all of the address transformations required for sharing of memory in a virtual memory system to a single section (the import section) (para. [0329]).
The motivation is to allow the program control flow to land at a predetermined address even when the units and codes are allocated dynamically in the memory addresses by the randomization.

Regarding claim 15:
Panchenko teaches:

Panchenko further teaches:
	… replaces addresses associated with the fixups with indirect or direct jumps (para. [0074]: BTRS application 164 modifies the corresponding mapping of binary atoms 152A-152C to replace the instructions within the address space range with a relocated copy of the instructions at a randomly located address space range; para. [0067]: 0067. If only executable file 140 is available, then control flow analyzer 166 may utilize a static binary analysis of executable file 140 to construct a conservative program control flow graph 158 that only identifies the targets of transfer instructions in executable file 140 in more general terms; para. [0080]: In the case where only executable file 140 is available, relying on heuristics alone may be undesirable. In this case, code in randomized executable file 170 that performs control transfers using data references to code may be replaced with lookup functions that use a lookup table placed in a randomly positioned data segment. --- It is noted that for example, FIG. 1C teaches replaces addresses associated with the units and codes, which teaches replaces addresses associated with the fixups; also control transfers using data references to code teaches jump; and use a lookup table teaches indirect; thus, code that performs control transfers using data references to code may be replaced with lookup functions that use a lookup table teaches replacing an address associated with the fixups with an indirect jump).
Panchenko is silent about: 
“… an indirect jump…”
Forin, in the same field of endeavor, teaches:
… an indirect jump … (para. [0336]: In FIG. 46A, the image FOO.EXE imports a symbol from the shared library file LIBRARY.DLL by first jumping from the call in the text section to a location (0X66) in the import table (JUMP 1) and then from 0X66 in the import section to 0X99 in LIBRARY.DLL (JUMP 2). The information retrieved is then returned to the text section (JUMP 3. Such indirect jumping has already been described with reference to FIGS. 43-45. In the event FOO.EXE is to run on a system having no virtual memory, the linker bypasses the import table by changing the call in the text section to 0X99 and modifying the jump instruction to a direct jump instruction. The result is illustrated in FIG. 46B, showing the direct jumps from the text section of FOO.EXE to LIBRARY.DLL and back again. --- It is noted that a location (0X66) corresponds to the data references to code of Panchenko which teaches an address specified by executable code; the import table corresponds to a lookup table of Panchenko; and FIG. 46A teaches indirect jump).
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Pachenko’s augmented relocation metadata by enhancing to replace an address with indirect jump algorithm, as taught by Forin, in order to cope with dynamic changes of the address by the randomization. 
In this regard, Forin describes that in order to be able to run multiple programs at once in a system that does not provide multiple address spaces, the programs have to be placed at different addresses in the same space. When memory is allocated dynamically, a program might not land at a predetermined address (para. [0304]), and indirectly jumping through the import section confines all of the address transformations required for sharing of memory in a virtual memory system to a single section (the import section) (para. [0329]).
Thus, the motivation is to allow the program control flow to land at a predetermined address even when the units and codes are allocated dynamically in the memory addresses by the randomization.

Claim 14 is rejected under 35 U.S.C. 103 as being unpatentable over Panchenko et al. (US 2015/0047049 A1; hereinafter, “Panchenko”) in view of Pettet et al. (US 4,694,420 A; hereinafter, “Pettet”).

Regarding claim 14:
Panchenko teaches:
 	The apparatus of claim 6, wherein the instructions to statically analyze the machine executable instructions include instructions that when executed by the computer cause the computer to: 
Panchenko teaches:
…
analyze a call tree constructed from the assembly code to identify entry and exit points of the assembly code (FIG. 1C & para. [0064]: If only a pre-compiled executable file 140 is available, then control flow analyzer 166 may perform a binary analysis of executable file 140 to generate relocation metadata 150; para. [0054]: The executable files can thus be considered to be organized into a tree hierarchy; para. [0072]: Moreover, while the list of binary atoms in relocation metadata 150 is shown to be a single level list, other embodiments may nest binary atoms within binary atoms to form a hierarchy of code blocks; para. [0065]: Turning specifically to relocation metadata 150, header 151 may provide all the information to successfully parse relocation metadata 150, including … a number of binary atoms, atom relocations, and file relocations, a virtual address offset, file offset …; para. [0068]: … As shown in FIG. 1C, binary atom 152A points to execution unit 142A, which is mapped into virtual address range 0x00010000 to 0x00010FFF and corresponds to the main( ) function. Binary atom 152B points to execution unit 142B, which is mapped into virtual address range 0x00011000 to 0x00011FFF and corresponds to the foo( ) function. Binary atom 152C points to execution unit 142C, which is mapped into virtual address range 0x00012000 to 0x00012FFF and corresponds to the bar( ) function. --- It is noted that control flow analyzer 166 may perform a binary analysis teaches analyze a call tree constructed from the assembly code; for example, virtual address 0x00010000 and virtual address 0x00010FFF of execution unit 1402A in FIC. 1C teaches entry point and exit point; the virtual addresses are generated by control flow analyzer 166 and/or compiler, which teaches identify entry and exit points of the assembly code). 
Panchenko is silent about:
perform a binary-to-assembly code conversion to convert compiled code into assembly code.
Pettet teaches:
perform a binary-to-assembly code conversion to convert compiled code into assembly code (Abstract: An inverse assembly method for converting binary executable microprocessor code into corresponding assembly language mnemonics provides for the storage of all the possible binary codes and corresponding assembly language mnemonics in a plurality of tables set up in a decision tree form which corresponds to the format of a user document provided by the manufacturer of a target microprocessor).
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Pachenko’s system by enhancing Pachenko’s system to perform inverse assembly, as taught by Pettet, in order to obtain assembly language instructions from the pre-compiled executable files. 
In this regard, Pettet describes that the microprocessor executes the binary codes produced by the assembler. Execution of these binary codes may be monitored by a logic analyzer. In order to debug the code, it is necessary that the binary codes (executed by the microprocessor) be re-converted to the original set of assembly language instructions, that is, be inverse assembled into the corresponding set of assembly language mnemonics, for interpretation thereof by the user.
The motivation is to perform a binary analysis of executable file by converting it to assembly language mnemonics when only a pre-compiled executable file is available. 

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. Gong et al. (US 2015/0261576 A1) discloses a security technique randomly arranges the positions of key data areas if a program, including the base of the executable and the positions of the stack, heap, and libraries in a process's address space, in order to prevent an attacker from reliably jumping to a particular exploited function in memory. Friedman et al. (US10,108,798 B1) discloses a method comprising receiving, by a processor, program code and automatically generating a chronomorphic binary (e.g., a binary the changes throughout execution time) for the program code. The method further includes storing the chronomorphic binary in an executable memory space and diversifying the executable memory space for the chronomorphic binary during runtime of the program code. 
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Contact Information
Any inquiry concerning this communication or earlier communications from the examiner should be directed to WANSIK YOU whose telephone number is (571)270-3360.  The examiner can normally be reached on 7:30-5:30 M-Th.

If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, ASHOKKUMAR PATEL can be reached on (571)-272-3972.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/W.Y./Examiner, Art Unit 2491                                                                                                                                                                                                        




/ASHOKKUMAR B PATEL/            Supervisory Patent Examiner, Art Unit 2491