DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
This initial written action is responding to the communication dated on 12/04/2018.
Claims 1-20 are submitted for examination.
Claims 1-20 are pending.
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
Examiner’s Note
Claims 15-20 recites, “computer-readable media”. A review of specification indicates in paragraph 47 that the computer-readable medium is a non-transitory, which is compliant for 35 U.S.C. 101. 

Priority
This application filed on December 04, 2018 claims priority of provisional application 62/612,972 filed on January 02, 2018.


Information Disclosure Statement
The following Information Disclosure Statements in the instant application submitted in compliance with the provisions of 37 CFR 1.97, and thus, have been fully considered:
IDS filed on 24 May 2019.
IDS filed on 06 August 2019
IDS filed on 01 July 2020
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.


Claims 1-2, 8-9 and 15-16 are rejected under 35 U.S.C. 103 as being unpatentable over Hasse et al. (US PGPUB. # US 2007/0006170, hereinafter “Hasse”), and further in view of Maeda et al. (US PGPUB. # US 2012/0297485, hereinafter “Maeda”).

Referring to Claims 1, 8 and 15:
Regarding Claim 1, Hasse teaches,
A method, comprising: 
identifying a function defined in a binary software component, the function including one or more instructions (¶35, “the data on the call stack regarding a function in which the buffer is corrupted is directly identified by the debugger. In some other cases, the data on the call stack regarding the function in which the buffer is corrupted is identified more indirectly”, i.e. a function is identified); 
performing a binary static analysis of the function to determine whether the function utilizes stack cookie protection based on the one or more instructions including one or more stack cookie handling instructions (Abstract, “Then static analysis is performed in order to determine a possible culprit for the failure”, “Then static analysis is used to determine probable sources (e.g. functions or instructions in a function) for this error”, ¶30, “static analysis of the code is performed”, ¶32, “static analysis is used to identify the likely source of corruption by determining the location of the security cookie in the stack”, ¶33, Fig. 2(200),¶34, “data regarding the function ftheta. with the corrupted security cookie .PHI. is identified, step 200”,¶39, “Static analysis (also known as data flow analysis) is a set of techniques which identify the flow of instructions and data in a computer program without executing the program”, i.e. static analysis of code is performed on function to identify stack cookie); and 
in response to determining that the function utilizes stack cookie protection (Fig. 2(220, 230), ¶37, “Once the security cookie address A.sub..PHI. is determined, the location of the cookie on the stack frame of f.sub..theta. is found in steps 220 and 230”, ¶39, “In step 230, the location .epsilon. on stack where the security cookie .PHI. is placed is obtained”, i.e. it is determined that function utilized a stack cookie), [updating a security report for the binary software component to indicate that the function utilizes stack cookie protection].
Hasse does not teach explicitly,
[in response to determining that the function utilizes stack cookie protection], updating a security report for the binary software component to indicate that the function utilizes stack cookie protection.
However, Maeda teaches,
[in response to determining that the function utilizes stack cookie protection], updating a security report for the binary software component to indicate that the function utilizes stack cookie protection (Fig. 7, ¶115, “The checked-application management unit 1500 manages the check result by updating the attack check result list 1530”, ¶117, ¶121, ¶123, “In the attack check result list 1530, any of the following three values are stored as a check result by an attack check unit 1512: check results "SAFE" and "ATTACKED" indicating whether the application is under attack, and a check result "REQUIRED" indicating that there is need to check if the application is under attack. Here, the check result "SAFE" indicates that a program (application) having a corresponding application identifier is not under attack”, i.e. a security report is updated).
As per KSR vs Teleflex, combining prior art elements according to known methods (device, product) to yield predictable results may be used to create a prima facie case of obviousness.
It would have been obvious to one of ordinary skill in the art before the effective filing date to have combined the teachings of Maeda with the invention of Hasse.
KSR Int’l v. Teleflex Inc., 127 S. Ct. 1727, 1740-41, 82 USPQ2d 1385, 1396 (2007). 

Regarding Claim 8, it is a device claim of above method claim 1 and therefore Claim 8 is rejected with the same rationale as applied against Claim 1 above. In addition, Hasse teaches,
determining that a binary software component was compiled with stack cookie functionality enabled based on metadata included with the binary software component (¶5, “compilers, a special "security cookie" value is stored in the call stack in a location which will allow detection of a buffer overrun”, ¶30-¶31“The data value placed into the thread stack may be known as a "security cookie," a "cookie", or a " canary." In certain of Microsoft Corporation's compilers (e.g. Visual C++.Net) the insertion of a security cookie can be requested at compile time with the /GS compile switch”, ¶33, i.e. examiner submits that compiler stores security cookie in a stack which is determined with during the analysis indicates that software was compiled with the stack cookie and can be determined based on a metadata).

Regarding Claim 15, it is a computer-readable media claim of above method claim 1 and therefore Claim 15 is rejected with the same rationale as applied against Claim 1 above. 

Referring to Claims 2, 9 and 16:
Regarding Claim 2, rejection of Claim 1 is included and for the same motivation Hasse does not teach explicitly,
The method of claim 1, further comprising: 
in response to determining that the function does not utilize stack cookie protection, updating a security report for the binary software component to indicate that the function does not utilize stack cookie protection.
However, Maeda teaches,
The method of claim 1, further comprising: 
in response to determining that the function does not utilize stack cookie protection, updating a security report for the binary software component to indicate that the function does not utilize stack cookie protection (¶107, “it is assumed that the buffer overflow vulnerability is present in the get data body function 1562 on the path 2. In this case”, ¶109, “a caller address and a stack point value at which the application has made the system call request are also stored in association with a check result in an attack check result list 1530 which is used by an attack check determination unit 1510 for the determination”, ¶115, Fig. 7, ¶123, “the check result "REQUIRED" indicates that there is need to check to determine if the program is under attack”, i.e. examiner submits that it is determined that stack cookie is not utilized and hence there a possibility of buffer overflow attack and as a result the report status is updated to “REQUIRED”).

Regarding Claim 9, rejection of Claim 8 is included and Claim 9 is rejected with the same rationale as applied against Claim 2 above.

 Regarding Claim 16, rejection of Claim 15 is included and Claim 16 is rejected with the same rationale as applied against Claim 2 above.

Claims 3-7, 10-14 and 17-20 are rejected under 35 U.S.C. 103 as being unpatentable over Hasse et al. (US PGPUB. # US 2007/0006170, hereinafter “Hasse”), and further in view of Maeda et al. (US PGPUB. # US 2012/0297485, hereinafter “Maeda”), and further in view of Shupak et al. (US PGPUB. # US 2005/0144471, hereinafter “Shupak”).

Referring to Claims 3, 10 and 17:
Regarding Claim 3, rejection of Claim 1 is included and combination of  Hasse and Maeda does not teach explicitly,
The method of claim 1, wherein the one or more stack cookie handling instructions are configured, when executed by a processor, to insert a particular data sequence into an execution stack maintained by the processor when the function is called to mark a boundary of stack data associated with the function.
However, Shupak teaches,
The method of claim 1, wherein the one or more stack cookie handling instructions are configured, when executed by a processor, to insert a particular data sequence into an execution stack maintained by the processor when the function is called to mark a boundary of stack data associated with the function (Fig. 2, ¶35, “For every call to setjmp, the compiler 200 emits an entry to a special section such as a table or other storage area or device 202 (e.g., a .setjmp table, as described further below). The compiler 200 records the (setjmp) return address in the .setjmp table 202”, ¶39, “a module built by a compiler will have a .setjmp table comprising a list of the known target or return addresses for the module. Therefore, the compiler knows at compile time which functions are truly target or return addresses”, i.e. examiner submits that .setjmp table is considered as particular data sequence and return address is considered as boundary of stack data associated with a function).
As per KSR vs Teleflex, combining prior art elements according to known methods (device, product) to yield predictable results may be used to create a prima facie case of obviousness.
It would have been obvious to one of ordinary skill in the art before the effective filing date to have combined the teachings of Shupak with the invention of Hasse in view of Maeda.
Hasse in view of Maeda teaches, identifying a function and performing a static analysis on the function to determine whether the function utilize a stack cookie and performing a security analysis and updating a security report. Shupak teaches, inserting .setjmp (data sequence) instruction along with a return address (boundary). KSR Int’l v. Teleflex Inc., 127 S. Ct. 1727, 1740-41, 82 USPQ2d 1385, 1396 (2007). 

Regarding Claim 10, rejection of Claim 8 is included and Claim 10 is rejected with the same rationale as applied against Claim 3 above.

 Regarding Claim 17, rejection of Claim 15 is included and Claim 17 is rejected with the same rationale as applied against Claim 3 above.

Referring to Claims 4, 11 and 18:
Regarding Claim 4, rejection of Claim 3 is included and for the same motivation combination of  Hasse and Maeda does not teach explicitly,
The method of claim 3, wherein the particular data sequence is generated at compile time.
However, Shupak teaches,
The method of claim 3, wherein the particular data sequence is generated at compile time (Fig. 2, ¶35, “For every call to setjmp, the compiler 200 emits an entry to a special section such as a table or other storage area or device 202 (e.g., a .setjmp table, as described further below). The compiler 200 records the (setjmp) return address in the .setjmp table 202”, ¶39, “a module built by a compiler will have a .setjmp table comprising a list of the known target or return addresses for the module. Therefore, the compiler knows at compile time which functions are truly target or return addresses”, ¶49, “To generate the security cookie, for example, the values in the jmp_buf structure could all be XORed with one another and with the known value, such as a secret or earlier determined cookie value”, i.e. .setjmp table (data sequence) is generated during compile time) .

Regarding Claim 11, rejection of Claim 10 is included and Claim 11 is rejected with the same rationale as applied against Claim 4 above.

 Regarding Claim 18, rejection of Claim 17 is included and Claim 18 is rejected with the same rationale as applied against Claim 4 above.

Referring to Claims 5, 12 and 19:
Regarding Claim 5, rejection of Claim 3 is included and for the same motivation combination of  Hasse and Maeda does not teach explicitly,
The method of claim 3, wherein the one or more stack cookie handling instructions include an instruction to generate the particular data sequence when the function is called.
However, Shupak teaches,
The method of claim 3, wherein the one or more stack cookie handling instructions include an instruction to generate the particular data sequence when the function is called (¶49, “To generate the security cookie, for example, the values in the jmp_buf structure could all be XORed with one another and with the known value, such as a secret or earlier determined cookie value”, ¶50, “The jmp_buf structure is validated by determining if any portion of it was changed. Setjmp captures all the values and calculates a security cookie. Before dispatching”, i.e. particular data sequence is generated when the function is called).

Regarding Claim 12, rejection of Claim 10 is included and Claim 12 is rejected with the same rationale as applied against Claim 5 above.

 Regarding Claim 19, rejection of Claim 17 is included and Claim 19 is rejected with the same rationale as applied against Claim 5 above.

Referring to Claims 6, 13 and 20:
Regarding Claim 6, rejection of Claim 3 is included and for the same motivation combination of  Hasse and Maeda does not teach explicitly,
The method of claim 3, wherein the one or more stack cookie handling instructions are configured, when executed by the processor, to determine whether the particular data sequence remains in the execution stack when the function returns after the function is called.
However, Shupak teaches,
The method of claim 3, wherein the one or more stack cookie handling instructions are configured, when executed by the processor, to determine whether the particular data sequence remains in the execution stack when the function returns after the function is called (¶50, “The jmp_buf structure is validated by determining if any portion of it was changed. Setjmp captures all the values and calculates a security cookie”, ¶51, “when the implementation of longjmp is ready to pass control to the target address in the jmp_buf, it checks to see if the module has a .setjmp section which contains a set of valid return addresses. If a .setjmp section exists, the dispatcher goes to the .setjmp section and determines if the setjmp return address is listed therein, using a binary search, for example. If the setjmp return address is listed, longjmp executes”, i.e. by determining set of valid return addresses in .setjmp indicates that sequence remains in the execution stack).

Regarding Claim 13, rejection of Claim 10 is included and Claim 13 is rejected with the same rationale as applied against Claim 6 above.

 Regarding Claim 20, rejection of Claim 17 is included and Claim 20 is rejected with the same rationale as applied against Claim 6 above.

Referring to Claims 7 and 14:
Regarding Claim 7, rejection of Claim 6 is included and for the same motivation combination of  Hasse and Maeda does not teach explicitly,
The method of claim 6, wherein the one or more stack cookie handling instructions are configured, when executed by the processor, to cause execution of the binary software component to halt in response to determining that the particular data sequence does not remain in the execution stack when the function returns.
However, Shupak teaches,
The method of claim 6, wherein the one or more stack cookie handling instructions are configured, when executed by the processor, to cause execution of the binary software component to halt in response to determining that the particular data sequence does not remain in the execution stack when the function returns (Fig. 3(399), ¶41, “The return address dispatcher then determines from the .setjmp table, at step 340, whether the return address is valid or not. If not, the return address dispatcher assumes the application is under attack and terminates the process' execution, at step 399”, Fig. 4(450), ¶45, “the retrieved cookie is not on the list of valid cookies, it is determined to have been corrupted, in which case the program is aborted, at step 450”, Fig. 5(550), ¶48, “If, however, the retrieved cookie is not on the list of valid cookies, it is determined to have been corrupted, in which case the program is aborted, at step 550”, i.e. execution of program is terminated (halted)).

Regarding Claim 14, rejection of Claim 13 is included and Claim 14 is rejected with the same rationale as applied against Claim 7 above.




Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.  Refer to PTO-892, Notice of References Cited for a listing of analogous art.
Muttik et al. (US PGPUB. # US 2017/0090929) discloses, a processor operable to execute a plurality of instructions forming a program; and a verification engine, operable to: receive an execution control data (ECD) for the program; and monitor execution of only some instructions of the program to ensure that they are consistent with the ECD. In some embodiments, the monitoring engine may include a correctness monitoring unit (CMU) in processor hardware. There is also disclosed one or more computer-readable storage mediums having stored thereon executable instructions for providing a monitoring engine, and a computer-implemented method of providing a monitoring engine.
Gupta et al. (US PGPUB. # US 2016/0212159) discloses, a model of a computer application during load time and stores the model of the computer application in a database. This example method and corresponding apparatus also inserts instructions into the computer application to collect data at runtime. This example method and corresponding apparatus then analyzes the data collected at runtime against the stored model of the computer application to detect one or more security events and tracks the one or more security events using a state machine.
Enbody et al. (US PGPUB. # US 2008/0140884) discloses, a computer processor protects a protected word in computer readable memory by employing a canary word in the same buffer as the protected word that is protected by a secure bit 
Borde et al. (US PGPUB. # US 2007/0089088) discloses, executing a stack-walk and other operations by dynamically accessing information about the expected location of cookies on a stack. For example, a first function is executed that causes a stack-walk operation to occur. While performing the stack-walk operation, cookie location information for a cookie placed on the stack by a second function different from the first function is accessed. The cookie, if uncorrupted, includes a known value that is used to determine if the stack has been corrupted. Based on the cookie location information, corrupt data representative of the cookie is accessed. A global cookie, which also includes the known value, is also accessed. The known value of the global cookie is then compared with the corrupt data to determine that the stack is corrupted at least up to the location of the corrupt data representative of the cookie.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to DARSHAN I DHRUV whose telephone number is (571)272-4316.  The examiner can normally be reached on M-F 9:00 AM-5:00 PM.

If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Yin-Chen Shaw can be reached on 571-272-8878.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.






/DARSHAN I DHRUV/           Examiner, Art Unit 2498