Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

DETAILED ACTION
This action is in response to the application filed on 11/27/2020.
Claims 1-11 and 13 are pending.

Claim Objections
Claim 7 are objected to because of the following informalities:  the claims lack antecedent basis and the examiner recommends the following changes.  
Regarding claim 7, the examiner suggests amending the claim to: The method as claimed in claim 1, further comprising performing the method by a supervision module of the device to supervise execution ofthe virtual machine, said supervision module commanding the hypervisor to inject a call of a kernel function into the virtual machine.
Appropriate correction is required. Any missed antecedent basis issues should also be corrected.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have 


Claims 1, 11 and 13 is/are rejected under 35 U.S.C. 103 as being unpatentable over NPL Gu et al. (“Face-Change: Application-Driven Dynamic Kernel View Switching in a Virtual Machine”, 2014) in view of Tsirkin et al. (US 2017/0249236 A1).

Regarding claim 1, Gu et al. discloses
A method comprising: identifying, by a device, at least one function of an operating system kernel of a virtual machine, said virtual machine comprising an operating system communicating with a hypervisor of a host system, said hypervisor interfacing between the operating system and hardware resources of the host system, said identifying comprising the device performing the following acts (Gu et al. [pg. 495, right column, first paragraph] teaches locating the complete kernel function where Figure 2. Illustrates the Virtual Machine and the Hypervisor.): 
identifying an initial instruction contained in the code of the operating system kernel of the virtual machine (Gu et al. [pg. 492, left column, paragraph 2] teaches recording basic block within kernel space of virtual machine conceptually similar to the initial instruction), 
locating at least one following block of instructions belonging to at least one function of the operating system kernel of the virtual machine by scanning a computer-readable memory, said following block being situated in a memory area that follows the initial instruction (Gu et al. [pg. 494, left column, last paragraph and 495, left column, first paragraph] teaches identifying the kernel function boundaries from , 
locating at least one preceding block of instructions belonging to at least one function of the operating system kernel of the virtual machine by scanning the computer-readable memory, said preceding block being situated in a memory area that precedes the initial instruction (Gu et al. [pg. 494, left column, last paragraph and 495, left column, first paragraph] teaches identifying the kernel function boundaries from the basic block in which the basic block is conceptually similar to the initial instruction. The searching consists of backwards and forwards searching from the basic block, where the backwards searching would be for locating the preceding block of instructions. Further, searching for the kernel function may occur over several memory pages in which the memory page is conceptually similar to a block of instructions. Therefore, once a basic block is found, a preceding memory page is located in order to locate the complete kernel function), 
identifying a first block and a last block of instructions of the function of the operating system kernel from among the at least one following block and at least one preceding block (Gu et al. [pg. 494, left column, last paragraph and 495, left column, first paragraph] teaches identifying the kernel function boundaries and locating , and recording a function start address and a function end address in association with the function of the operating system kernel (Gu et al. [pg. 493, A. Profiling Phase 1)] teaches the profiling recording address ranges of kernel code in which a start and end address would also be recorded),
Gu et al. lacks explicitly disclosing
the function start address being the address of the first instruction of the first block and the function end address being the address of the last instruction of the last block.
Triskin et al. teaches
the function start address being the address of the first instruction of the first block and the function end address being the address of the last instruction of the last block (Tsirkin et al. [0032] teaches the start address of kernel module and the ending memory address of the kernel module in which the kernel module is conceptually similar to the kernel function. Where this is in combination with Gu et al. which taught locating a complete kernel module which may include several memory pages).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Gu et al. to incorporate the teachings of Tsirkin et al. to “the function start address being the address of the first instruction of the first block and the function end address being the address of the last 

Regarding claim 11, it’s directed to a device having similar limitations cited in claim 1. Thus claim 11 is also rejected under the same rationale as cited in the rejection of claim 1 above.

Regarding claim 13, it’s directed to a non-transitory computer-readable data medium having similar limitations cited in claim 1. Thus claim 13 is also rejected under the same rationale as cited in the rejection of claim 1 above.

Claims 2 is/are rejected under 35 U.S.C. 103 as being unpatentable over NPL Gu et al. (“Face-Change: Application-Driven Dynamic Kernel View Switching in a Virtual Machine”, 2014) in view of Tsirkin et al. (US 2017/0249236 A1) and further in view of Krishnan et al. (US 2014/0157407 A1).

Regarding claim 2, Gu et al. in view of Tsirkin et al. combination teach
The method for identifying at least one function as claimed in claim 1, 
	the combination lacks explicitly
wherein the initial instruction is identified by accessing a specific register of the processor

wherein the initial instruction is identified by accessing a specific register of the processor (Krishnan et al. [0048] teaches examining the machine specific register (MSR) and specifically the SYSENTER_EIP as the initial instruction).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the combination to incorporate the teachings of Krishnan et al. to “wherein the initial instruction is identified by accessing a specific register of the processor” in order to efficiently and quickly determine the entry point within a virtual machine kernel to correctly hook and update the kernel at the right address.

Claims 3 is/are rejected under 35 U.S.C. 103 as being unpatentable over NPL Gu et al. (“Face-Change: Application-Driven Dynamic Kernel View Switching in a Virtual Machine”, 2014) in view of Tsirkin et al. (US 2017/0249236 A1) and further in view of Burger (US 2017/0083337 A1).

Regarding claim 3, the combination teaches
The method as claimed in claim 1, wherein locating the at least one following block, situated in the memory area that follows the initial instruction, comprises:
the combination lacks explicitly 
searching, in the memory area that follows the initial instruction, for a current instruction that follows a block end instruction, said current instruction being the first instruction of the following block, 
searching, in the memory area that follows the first instruction of the following block, for a following block end instruction, said following block end instruction being the last instruction of the following block
Burger teaches
searching, in the memory area that follows the initial instruction, for a current instruction that follows a block end instruction, said current instruction being the first instruction of the following block (Burger [0072] teaches prefetching instruction blocks through using block separator instructions in order to identify the beginning or the end of an instruction block. Therefore, by finding the end of an instruction block, the following instruction will be the beginning of the next block), 
searching, in the memory area that follows the first instruction of the following block, for a following block end instruction, said following block end instruction being the last instruction of the following block(Burger [0072] teaches prefetching instruction blocks through using block separator instructions in order to identify the beginning or the end of an instruction block. Therefore, by finding the end of an instruction block, the following instruction will be the beginning of the next block).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the combination to incorporate the teachings of Burger to “searching, in the memory area that follows the initial instruction, for a current instruction that follows a block end instruction, said current instruction . 

Claims 5 is/are rejected under 35 U.S.C. 103 as being unpatentable over NPL Gu et al. (“Face-Change: Application-Driven Dynamic Kernel View Switching in a Virtual Machine”, 2014) in view of Tsirkin et al. (US 2017/0249236 A1) and further in view of Karve et al. (US 2016/0378844 A1) and further in view of Burger (US 2017/0083337 A1).

Regarding claim 5, the combination teaches 
The method as claimed in claim 1, wherein the identification of the first block and of the last block of instructions of the kernel function comprises: -6-
the combination lacks 
calculating, for each of the at least one following block and the at least one preceding block, a signature for the instructions of the block , 
searching for said signature in a reference base of block signatures, said reference base containing, for at least one reference operating system, the signatures for the instructions of the blocks that form part of reference functions of said operating system kernel, a signature for the instructions of a block in the base being associated with a name of at least one reference kernel function that contains said block, 
classifying the at least one following block and the at least one preceding block using a block address, and grouping successive blocks and identifying the kernel function that contains said group of blocks, a first block of the group corresponding to the first block of the kernel function and a last block of the group corresponding to the last block of the kernel function
Karve et al. teaches
calculating, for each of the at least one following block and the at least one preceding block, a signature for the instructions of the block (Karve et al. [0075]), 
searching for said signature in a reference base of block signatures (Karve et al. [0075] where blocks are identified using the signatures which are stored in repositories [0077] conceptually similar to the reference base of block signatures), said reference base containing, for at least one reference operating system, the signatures for the instructions of the blocks that form part of the reference functions of said operating system kernel ([0032] teaches a content digest for each VM image which a hash code signature for each data block in the VM image), a signature for the instructions of a block in the base being associated with the name of at least one reference kernel function that contains said block ([0032] teaches global tracker 137 which contains a list of clusters and the signatures are associated with cluster identifiers. In which the concept of associating signatures to identifiers is used in combination with Gu et al. which taught the kernel function.), 

Burger teaches
classifying the at least one following block and the at least one preceding block using a block address, and grouping successive blocks and identifying the kernel function that contains said group of blocks, a first block of the group corresponding to the first block of the kernel function and a last block of the group corresponding to the last block of the kernel function (Burger Fig. 7 and [0104] teach that blocks may be ordered according to block addresses in which this is in combination with Gu et al. and Tsirkin et al.).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the combination to incorporate the teachings of Burger to “classifying the at least one following block and the at least one preceding block using a block address, and grouping successive blocks and identifying .

Claims 7 is/are rejected under 35 U.S.C. 103 as being unpatentable over NPL Gu et al. (“Face-Change: Application-Driven Dynamic Kernel View Switching in a Virtual Machine”, 2014) in view of Tsirkin et al. (US 2017/0249236 A1) and further in view of Carbone et al. (US 9,003,402 B1).

Regarding claim 7, the combination teaches
The method as claimed in claim 1, 
the combination lacks explicitly 
further comprising performing the method by a supervision module of the device to supervise execution of a virtual machine, said supervision module commanding the hypervisor to inject a call of a kernel function into the virtual machine
Carbone et al. teaches
further comprising performing the method by a supervision module of the device to supervise execution of a virtual machine, said supervision module commanding the hypervisor to inject a call of a kernel function into the virtual machine (Carbone et al. [abstract] and Fig. 5).
.

Claims 8 is/are rejected under 35 U.S.C. 103 as being unpatentable over NPL Gu et al. (“Face-Change: Application-Driven Dynamic Kernel View Switching in a Virtual Machine”, 2014) in view of Tsirkin et al. (US 2017/0249236 A1) and further in view of Lukacs et al. (US 2015/0013008 A1) and further in view of McCorkendale et al. (US 7,996,836 B1) and further in view of Ignatchenko et al. (US 2015/0039891 A1).

Regarding claim 8, the combination teaches 
The method as claimed in claim 1, 
the combination lacks 
	further comprising performing the method by a supervision module of the device to supervise execution of a kernel function of a virtual machine, said supervision module commanding the hypervisor to set bits associated with an executable nature of the kernel function as non-executable so that an attempt to execute the kernel function of the virtual machine generates an exception and a stop of the virtual machine, said hypervisor receiving a notification related to this exception and informing the supervisor module
Lukacs et al. teaches
further comprising performing the method by a supervision module of the device to supervise execution of a kernel function of a virtual machine (Lukacs et al. [0026] teaches memory introspection engine 40 to malware-protect multiple VMs executing on host system. [0033] Further teaches, the memory introspection engine 40 may evaluate the components and therefore, supervise the virtual machine. Where the memory introspection engine 40 is conceptually similar to the supervision module) [0052] teaches kernel-level process evaluator 50b determines that an evaluated process is attempting to perform certain operations that may be malicious, said supervision module commanding the hypervisor to set bits associated with an executable nature of the kernel function as non-executable (Lukacs et al. [0060] teaches the memory introspection engine 40 instructing the hypervisor 30 to change write permission for a target page.)
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the combination to incorporate the teachings of Lukacs et al. to “further comprising performing the method by a supervision module of the device to supervise execution of a virtual machine, said supervision module commanding the hypervisor to set bits associated with an executable nature of the kernel function as non-executable” in order to efficiently and quickly protect the virtual machine from malware and further make modifications to the virtual machine 
McCorkendale et al. teaches
hypervisor to set bits associated with an executable nature of the kernel function as non-executable so that an attempt to execute the kernel function of the virtual machine generates an exception and a stop of the virtual machine, (McCorkendale et al. [col. 3, lines 64-67 and col. 4, lines 1-12] teaches a hypervisor 202 setting appropriate bits on the exception bitmap 212  where various interrupts may be called and the virtual machine may stop executing)
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the combination to incorporate the teachings of Lukacs et al. to “hypervisor to set bits associated with an executable nature of the kernel function as non-executable so that an attempt to execute the kernel function of the virtual machine generates an exception and a stop of the virtual machine” in order to efficiently and quickly protect the virtual machine from malware and further make modifications to the virtual machine accordingly. This prevents the system from being hacked and permits just in time shutdown of the virtual machine.
Ignatchenko et al. teaches
said hypervisor receiving a notification related to this exception and informing the supervisor module (Ignatchenko [0115] teaches hypervisor 385 receives a notification about termination of the virtual machine where the termination may provide exception code. Further, the supervisor 160 is notified about the notification for termination where the termination may provide exception code).
.

Claims 9-10 is/are rejected under 35 U.S.C. 103 as being unpatentable over NPL Gu et al. (“Face-Change: Application-Driven Dynamic Kernel View Switching in a Virtual Machine”, 2014) in view of Tsirkin et al. (US 2017/0249236 A1) and further in view of Lukacs et al. (US 2015/0013008 A1) and further in view of Tsirkin (US 2016/0246636 A1).

Regarding claim 9, the combination teaches 
The method as claimed in claim 1, 
the combination lacks 
further comprising performing the method by a supervision module of the device to supervise execution of a virtual machine, said supervision module commanding the hypervisor to inject an activity interception instruction into code of a kernel function so as to receive a notification when said function is executed by the virtual machine
Lukacs et al. teaches
further comprising performing the method by a supervision module of the device to supervise execution of a virtual machine (Lukacs et al. [0026] teaches memory introspection engine 40 to malware-protect multiple VMs executing on host system. [0033] Further teaches, the memory introspection engine 40 may evaluate the components and therefore, supervise the virtual machine. Where the memory introspection engine 40 is conceptually similar to the supervision module), said supervision module commanding the hypervisor to inject an activity interception instruction into code of a kernel function (Lukacs et al. [0056] teaches the memory introspection engine 40 modifying and providing EPT hooks for the OS function. Where the hooking of the kernel function is conceptually similar to injecting code into the kernel function. [0059] teaches that the memory introspection engine 40 may request/command the hypervisor to protect the Virtual machine.) 
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the combination to incorporate the teachings of Lukacs et al. to “further comprising performing the method by a supervision module of the device to supervise execution of a virtual machine, said supervision module commanding the hypervisor to inject an activity interception instruction into code of a kernel function” in order to efficiently and quickly protect the virtual machine from malware and further make modifications to the virtual machine accordingly. This prevents the system from being hacked and allows ease in making any updates and modifications necessary.
Tsirkin teaches
 so as to receive a notification when said function is executed by the virtual machine (Tsirkin [0015] teaches that the VM function component may send a notification once it has completed execution. Where Tsirkin modifies Lukacs et al. which taught hooking into the kernel function to modify the code by curing the VM function component in order to notify the completion of the VM function component).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the combination to incorporate the teachings of Tsirkin to “receive a notification when said function is executed by the virtual machine” in order to reduce computing resources by having the virtual machine continuously ask whether execution of the function has completed. This further efficiently sends a notification once in a timely fashion.

Regarding claim 10, it’s directed to a method claim having similar limitations cited in claim 9 except for specifying that the notification is sent after execution of the function which Tsirkin teaches the VM function component to send a notification once the function has completed the execution. Thus claim 10 is also rejected under the same rationale as cited in the rejection of claim 9 above.

Allowable Subject Matter
Claims 4 and 6 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims after fixing any objections.

Response to Arguments
Applicant's arguments filed 11/27/2020 have been fully considered but they are not persuasive. 
Regarding the remark that FACE-CHANGE does not make it possible to be assured of completeness where the present application determines the functions of the kernel from a memory scan and the scan has the advantage of being exhaustive, the examiner would like to point out that the current claim language does not require obtaining a complete image of the kernel. Rather it requires identifying and locating one function of the operating system kernel in which FACE-CHANGE teaches. FACE-CHANGE clearly states locating the complete kernel function by searching through the memory pages before and after the basic block “To identify function boundaries, we search for a function header signature backwards and forwards from the basic blocks marked in the kernel view configuration. For example, a common function header signature in the x86 Linux kernel is “push ebp; mov ebp, esp” (binary opcodes “0x55 0x89 0xe5”). There is a possibility that one kernel function may cross two memory pages and further, one single instruction may split across pages. In this case, we continue searching from the head of the next page or the tail of the previous page to locate the complete kernel function” taught in pg. 494, left col. last paragraph and pg. 495, left col. first paragraph. Further, by identifying function boundaries and finding the basic block header signatures, computer-readable memory is scanned in order to locate the complete kernel function. Therefore, FACE-CHANGE still reads on the claim even with the current amendment. If the applicant wishes for a complete image of the kernel to be locate then the examiner recommends further amending the claim to clearly 
Regarding the remark how to know that the memory part that is scanned belongs to the kernel in Tsirkin et al., the examiner would like to firstly point out that Tsirkin et al. discloses that the start and end addresses are known for a particular kernel modules regardless of how to know that it does or does not. Next, the examiner would like to point out that this is a 103 rejection and Tsirkin et al. is in combination with FACE-CHANGE which discloses locating a complete kernel function. Therefore, Tsirkin et al. explicitly teaches the concept of scanning memory to find the start address and end address of a particular kernel module which FACE-CHANGE was silent to. Again, the examiner recommends the claimed invention be further amended to identify a first block belonging to first function of the kernel and a last block of instructions belong to a last function of the kernel in order to capture obtaining a complete image of the kernel and assuring completeness.
.

Conclusion
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Noor Alkhateeb whose telephone number is (313)446-4909.  The examiner can normally be reached on Monday – Friday 7:30-4:30 PM. Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.

Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or (571)272-1000.

/NOOR ALKHATEEB/Patent Examiner, Art Unit 2193                                                                                                                                                                                                        
/Chat C Do/Supervisory Patent Examiner, Art Unit 2193