DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Claims 1-14 are pending in this office action.
Claims 1 and 8 are amended.
Claims 2 and 9 are cancelled.
Response to Arguments
Applicant’s arguments filed 12/09/2020, with respect to the rejection(s) of claim(s) 1, 3-8, and 10-14 are not persuasive.  
Applicant’s argument:
Applicants respectfully states that the response on page 3 of this Office Action merely relates to inserting a verification/detection/module before the address of a specific instruction, which should not be interpreted as “correcting the memory block whose starting address is the first memory address.” Neither Dang, Fanton nor Joe disclose the feature of “correcting the memory block whose starting address is the first memory address to have an operation of the virtual machine being interrupted when the memory block or the another memory block is called by the virtual machine” of claims 1 and 8 as now amended. Therefore, by referring to Dang, Fanton and Joe, a person skilled in the art still cannot achieve the invention claimed by claims of the present application.
For at least the foregoing reasons, it is respectfully submitted that the independent claims 1 and 8 are patentable over the cited references and are in condition for immediate allowance. Since claims 3-7 depend directly or indirectly on claim 1 and claims 10-14 depend directly or indirectly on claim 8, claims 3-7 and 10-14 are also believed to be allowable for the same reasons set forth above in connection with claims 1 and 8.

Examiner response:
 The issue in the argument is that neither Dang nor Fanton disclose correcting an address. The claimed invention does not specifies how the address is corrected while 
 To check how the correction is made let consult the specification to have an idea about correcting address.
Paragraph [0021] of the instant application:
[0211]” …. With reference to FIG. 4, in20 step S321, the processor 1300 inserts a hypercall instruction before the first memory address in the memory 1200. In step S323, the processor 1300 corrects the first memory address to be a starting address of the hypercall instruction. To be specific, please refer to FIG. SA and FIG. SB, FIG. 5A and FIG. SB are schematic diagrams illustrating implementations of the steps S321 and S322 in FIG. 3, respectively, 6/18according to an exemplary embodiment of the disclosure”;

 Clearly and specifically, an insertion took place, while in the argument above, applicant’s representative denies such insertion as explained in the office action.
 After inserting such hyper call, the correction is to execute the hyper call before the instruction is executed as emphasized in Fig. 5A/B of instant application.

    PNG
    media_image1.png
    600
    954
    media_image1.png
    Greyscale



 In the instant application, ADDR1 execution is based on the outcome of executing address ADDR2.
IN Dang when an application, VM or process is requesting an entry in the page table.i.e is moving to the next instruction address (pointing_instruction/direction), the process does not execute that instruction after the request, but the page fault handler, handles the request before execution the pointing instruction.
So a process executes a sequence of instruction and point to a next instruction, but the next instruction raises and triggers the page fault that should be handled by the fault 40 to allow or deny the process, such access.
 For one ordinary skill in the art, there is a verification/detection/module inserted before the pointing instruction to check if the process can execute the instruction. And an obvious method for one ordinary skill in the art is to insert the call (redirection of call)to the fault handler before the instruction address is executed. (US PG-Pubs 2015/0347263 fig. 2)
	Fanton also in step 320 of fig. 4 execute a determination unit to allow or deny access to the code. Without step 320 malicious code or an authorized execution can affect the program execution and render its security vulnerable.
 Between step 410 and step 445 is step 320. Step 410 has a corresponding address during execution and step 445 has also a corresponding address during execution. Step 320 address is between 410 and 445 addresses, exactly at end of 

    PNG
    media_image2.png
    710
    808
    media_image2.png
    Greyscale

	
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1, 3-8 and 10-14 are rejected under 35 U.S.C. 103 as being un-patentable over Dang et al (UIS PG-Pubs  2013/0097355) hereinafter “Dang” in view of Fanton et al (US PG-Pubs 2011/0029772) hereinafter “Fanton”.
As per claim 1, Dang discloses a setting method adapted for a server to run a virtual machine, the setting method comprising:
5 Obtaining a first memory address which is a starting address of a memory block of a memory storing a first service function of the virtual machine in a startup procedure of the virtual machine:
[0034]” In 106, a lockdown feature bit in a domain specific data structure may be set in hypervisor 12. In 108, a hypervisor virtual machine (HVM) (i.e., guest 14) may be started. In 110, guest OS 18 may create page table entries (PTEs) for guest kernel pages 30, with a VMEXIT to hypervisor 12. In 112, rootkit protection module 36 may create PTEs 34 for guest kernel pages 30 in shadow page table 32.”
[0036] In 120, an application 20 in guest OS 14 may attempt to access guest kernel pages 30. Attempting to access guest kernel pages 30 can cause a page fault in 122 (as guest kernel pages 30 have been marked as NOT_PRESENT).


 correcting the memory block whose starting address is the first memory address, to have an operation of the virtual machine being interrupted when the memory block  is called by the virtual machine:
page fault occurs, control transfers from the processor (e.g., processor 22) executing the instruction that caused the page fault to the hypervisor (e.g., hypervisor 12). The hypervisor's page fault handler (e.g., page fault handler 40) can determine the instruction pointer and the faulting address, for example, to determine whether the page fault is an instruction page fault or a data page fault. For example, if the instruction pointer (i.e., the pointer pointing to the memory address, which the processor will next attempt to execute) points to the faulting address, then the page fault is an instruction page fault. 
[0036]”Note that if rootkit protection is not enabled (e.g., guest OS 18 has not booted up and loaded its kernel components) and if the page fault is outside a paged pool and non-paged pool range, then page fault handler 40 may simply fix the page fault and store the page start address for each faulting virtual address (e.g., in paged pool and non-paged pool range) in hash 38. Access may be allowed to these addresses, which are outside the paged pool and non-paged pool range, because kernel drivers are generally loaded within the paged pool and non-paged pool range.
Examiner interpretation:
 A page fault occurs when a process access unmapped block of memory. A fault to check if the page block exist. The hook/trap of the fault handler is an instruction residing between the page table and the mapped memory block. .e. when a process desire access to a specific memory block, the fault handler intercept the request and can deny or allow access to the process. 
The fault handler obviously for one ordinary skill in the art exist and is inserted before the pointing instruction memory address that the process desire to execute. (See 2015/0347263 fig. 2)
Determining, by a management module, whether a script called by the first service function is executable or not, when the operation of the virtual machine is interrupted:
[0038] if the determination in 124 is that the page fault is an instruction fault, page fault handler 40 may check in 132 if the MFN for the faulting virtual address is present in hash (e.g., allow future access/execution) in 134, and mark the page read-only, remove any NX and allow access/execution. If the page is not present in hash 38, it can mean that the page is a new kernel page and page fault handler 40 may deny execution in 136”;

But not explicitly:
 If the script is not executable, interrupting, by the management module, the script called by the first service function; and
If the script is executable, allowing, by the management module, the first service function to execute the script:
Fanton discloses:
If the script is not executable, interrupting, by the management module, the script called by the first service function:
Fig.3/4 step 320 and [0078]”at block 330, a decision has previously been made that the code module in question is not allowed to create a new process and the new process creation request is denied. As described in more detail below, a denial may arise for multiple reasons”.

15 If the script is executable, allowing, by the management module, the first service function to execute the script:
 [0077”at block 345, a decision has previously been made that the code module in question may continue to load and execute in the normal fashion. In one embodiment, this means that the code module is granted access to system resources such as memory, processors, and/or the like”. 

Examiner interpretation:

The sequence 410-320-445 in fig. 4 represents a determination module 320 that is executed after 410 but before 445.i.e the address in the sequence start with memory address of 410, then 320 then 445.

It would have obvious to one having ordinary skill in the art before the effective filling date of the claimed invention to combine the teachings of cited references. Thus, one of ordinary skill in the art before the effective filling date of the claimed invention would have been motivated to incorporate teaching of Fanton into teaching of Dang to protect from the unauthorized code execution effectively, by allowing only the execution of the authorized code on the computer systems. Furthermore to protect a computer system from attack by unauthorized or malicious users or software attempting to modify the various whitelist databases or otherwise spoof the system such that unauthorized code would be allowed to run.

As per claim 3, the rejection of claim 1 is incorporated and furthermore Dang discloses:
 Amending an attribute of the memory block whose starting address is the first memory address to be not executable:
[0037] “On the other hand, if an MFN corresponding to the faulting virtual address is not present in hash 38, then the kernel page is new and any attempts to write to it could include code or data. Accordingly, page fault handler 40 may fix the page fault permanently and mark the page NX (no-execute) in 126. This can ensure that minimum page faults occur, while preventing any new kernel pages from being accessed or executed.

As per claim 4, the rejection of claim 1 is incorporated and furthermore Dang does not discloses:

Fantom discloses:
Checking whether the script is recorded in a whitelist or not:
[0075] at decision block 320, a determination may then be made as to whether the code module is authorized to execute. According to one embodiment, a multi-level whitelisting approach may be used. One embodiment of the multi-level whitelisting approach is described in more detail with reference to FIG. 6. Briefly, in accordance with one embodiment, a content authenticator of the code module being loaded may be calculated and compared to the expected value stored in an entry of one or more of the multiple whitelists available. If the entry is found, the authorization determination may base on one or more parameters as to whether the request should be approved; and then control is returned to the operating system. In one embodiment, requests may be unconditionally approved, unconditionally denied, or a decision may need to be made by an authorized user. 

 And5 if the script is recorded in the whitelist, determining the script is executable;
[0077] at block 345, a decision has previously been made that the code module in question may continue to load and execute in the normal fashion. In one embodiment, this means that the code module is granted access to system resources such as memory, processors, and/or the like”.

And if the script is not recorded in the whitelist, determining the script is not executable:
[0078] at block 330, a decision has previously been made that the code module in question is not allowed to create a new process and the new process creation request is denied. As described in more detail below, a denial may arise for multiple reasons. 



As per claim 5, the rejection of claim 4 is incorporated and furthermore Dang does not discloses:
Parsing the script entirely to obtain a checksum; and determining whether the checksum is recorded in the whitelist or not;
Fantom discloses:
Parsing the script entirely to obtain a checksum; and determining whether the checksum is recorded in the whitelist or not;
[0009]” A cryptographic hash value of the code module is generated. A determination is made regarding whether the code module is authorized to be loaded and executed by causing the code module to be authenticated with reference to a multi-level whitelist database architecture including a global whitelist database, a local whitelist database and the in-memory cache.
…
Finally, the code module is allowed to be loaded and executed if the cryptographic hash value matches one of the cryptographic hash values of approved code modules within the global whitelist database.”;

It would have obvious to one having ordinary skill in the art before the effective filling date of the claimed invention to combine the teachings of cited references. Thus, one of ordinary skill in the art before the effective filling date of the claimed invention 

  As per claim 6, the rejection of claim 1 is incorporated and furthermore Dang does not discloses:
Checking whether the script is recorded in a blacklist or not; if the script is recorded in the blacklist, determining the script is not executable; and if the script is not recorded in the blacklist, determining the script is 20 executable:
Fantom discloses:
Checking whether the script is recorded in a blacklist or not; if the script is recorded in the blacklist, determining the script is not executable; and if the script is not recorded in the blacklist, determining the script is 20 executable:
[0048]”the term "whitelist" generally refers to an access control mechanism that may identify a set of one or more code modules approved for execution on one or more computer systems. In some embodiments, a whitelist may also include information identifying a set of one or more code modules that are not approved for execution (e.g., blacklist information). A whitelist may be stored in a memory store or a data store resident in local memory, on a mass storage device, on a remote machine or distributed across one or more remote machines. In some embodiments, a whitelist may also contain information associated with the code modules, such as a file name or file path (e.g., a file name and/or associated extension or a fully qualified path of a file), content authenticator, special file tags, known associations, and/or the like.
  


As per claim 7, the rejection of claim 1 is incorporated and furthermore Dang does not discloses:
parsing the script to obtain a plurality of feature blocks; parsing each of the plurality of feature blocks to obtain a plurality of checksums; and determining whether the plurality of checksums is recorded in the blacklist or not:
Fantom discloses:
parsing the script to obtain a plurality of feature blocks; parsing each of the plurality of feature blocks to obtain a plurality of checksums; and determining whether the plurality of checksums is recorded in the blacklist or not:
[0038] The phrase "content authenticator" generally refers to a result of method for generating an authenticating mark which may be used in verifying digital information, files, code and/or data segments of code modules and/or the like. For example, in some cases a method of content authentication comprises two complimentary algorithms. One for generating the authenticating mark and one for verifying the authenticating mark. In one embodiment, a digital signature is employed as the content authenticator. A digital signature or cryptographic 
…
According to one embodiment, in an effort to increase real-time performance, content authenticators may be generated and validated for only the code segment of a code module representing an executable. In other embodiments, the content authenticators may cover both the code and data segments of code modules representing executables.
Finally, the code module is allowed to be loaded and executed if the cryptographic hash value matches one of the cryptographic hash values of approved code modules within the global whitelist database.”;

[0048] a whitelist may also include information identifying a set of one or more code modules that are not approved for execution (e.g., blacklist information)”;

Examiner interpretation: comparing the hash of code segment to the hash in a list (white/black), determines if the code segment is executable or not (approved to be executed).

It would have obvious to one having ordinary skill in the art before the effective filling date of the claimed invention to combine the teachings of cited references. Thus, one of ordinary skill in the art before the effective filling date of the claimed invention would have been motivated to incorporate teaching of Fanton into teaching of Dang to protect from the unauthorized code execution effectively, by allowing only the execution of the authorized code on the computer systems. Furthermore to protect a computer system from attack by unauthorized or malicious users or software attempting to modify the various authenticated whitelist databases or otherwise spoof the system such that unauthorized code would be allowed to run.

Pertinent art:
US-20150220455-A1:
The disclosure protects against accessing and writing to restricted area by determining if an entity attempting a write is not authentic thus disallows the write attempt. And if the entity attempting the write is authentic then the electronic device may proceed to operation at which the electronic device may verify the cryptography signature. This is managed by tracking black/white list.


Conclusion
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any 
Contact Information
Any inquiry concerning this communication or earlier communications from the examiner should be directed to BRAHIM BOURZIK whose telephone number is (571)270-7155.  The examiner can normally be reached on Monday-Friday (8-4:30).
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Wei Zhen can be reached on 571-270-2738.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access 
/BRAHIM BOURZIK/Examiner, Art Unit 2191                                                                                                                                                                                                        
/WEI Y ZHEN/Supervisory Patent Examiner, Art Unit 2191