DETAILED ACTION
This action is in response to the amendments/arguments filed 11/24/2020. Claims 1-20 are pending with claims 1, 12 and 18 having been amended.

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Response to Arguments
Applicant's arguments filed 11/24/2020 have been fully considered. 
A) Applicant's arguments with respect to the 102 rejection of amended claims 1 and 12 that Satish does not teach “determining, using the first label and the second label whether a transition from the first section with enabled execution to the second section with disabled execution is allowed during execution of the executable program code” have been fully considered but they are not persuasive.
Regarding A) Satish teaches “determining, using the first label and the second label whether a transition from the first section with enabled execution to the second section with disabled execution is allowed during execution of the executable program code”
Satish teaches in column 1 lines 30-33 i.e. A control flow graph (CFG) is a graphical representation of all possible execution paths for a program. Each node (i.e. claimed label) in the graph represents a piece of code with one or more jump targets, and one or more jumps.

Satish column 3 lines 40-62 goes on to state i.e. If not, the exception handler 117 determines that the program 101 is attempting to perform a malicious action (e.g., because it has been corrupted by a return oriented shellcode) and takes appropriate action….Where the attempted jump is expected according to the CFG 109, the exception handler 117 determines that the program 101 is not attempting to perform a malicious action. Under these circumstances, the exception handler 117 sets the target code page 103 to be executable, and returns control to the program 101. 
This clearly teaches that when exception 115 is thrown the exception handler 117 refers to the CFG 109 to determine if the jump is part of the legal flow of control for the program. It does this by comparing the node (i.e. claimed first label) of the code page in the CFG that it is currently executing with the node (i.e. claimed second label) of the jump code page to determine if the jump is part of the legal flow of control of the program. Where the attempted jump is expected according to the CFG 109, the exception handler 117 determines that the program 101 is not attempting to perform a malicious action. Under these circumstances, the exception handler 117 sets the target
B) Applicant's arguments with respect to the 103 rejection of amended claim 18 that Satish does not teach “upon suspending the execution of the virtual machine, execute the executable program and receive a call originating from the first subset to a function in a section of the executable program code in the second subset” have been fully considered but they are not persuasive.
Regarding B) In response to applicant's arguments against the references individually, one cannot show nonobviousness by attacking references individually where the rejections are based on combinations of references.  See In re Keller, 642 F.2d 413, 208 USPQ 871 (CCPA 1981); In re Merck & Co., 800 F.2d 1091, 231 USPQ 375 (Fed. Cir. 1986).
Satish was only used to teach the limitation of execute the executable program and receive a call originating from the first subset to a function in a section of the executable program code in the second subset (see Satish column 3 lines 34-52 i.e. Because all of the code pages 103 other than the one containing the entry point are initially set to be non-executable, whenever the flow of control jumps from one code page 103 to another, an exception 115 is thrown. In response to these exceptions 115, the exception handler 117 refers to the CFG 109 to determine if the jump is part of the legal flow of control for the program). Franz was used to teach the limitation of suspend execution of the virtual machine in column 8 lines 4-10 i.e. The operating system calls the SIGSEGV signal handler each time a processor instruction tries to write to a protected page, as long as the page is protected. However, this occurs before the actual 
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Satish in view of Franz to emulate the instruction that the program is trying to write to as a way to make the page writable while keeping the original page content so that the emulated page can be compared to the original page content to see if the page was modified. Therefore one would have been motivated to have emulated the page.


Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale or otherwise available to the public before the effective filing date of the claimed invention.

(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

Claim(s) 1, 2, 5, 6, 8, 12 and 15 are rejected under 35 U.S.C. 102(a)(1)/(a)(2) as being anticipated by Satish et al (US 8,645,923).
With respect to claim 1 Satish teaches a method comprising: 
loading each of a plurality of sections of an executable program code into a respective page of memory of a plurality of pages of memory (see Satish column 1 lines 
configuring one or more permissions for a first page of the memory including a first section of the executable program code to enable execution of the first section of the executable program code loaded into the first page, the first section associated with a first label (see Satish column 1 lines 46-65 i.e. In contrast, according to embodiments of the present invention, a page management component 105 explicitly sets all code pages 103 of the program 101 other than the page 103 containing entry point as non-executable); 
configuring one or more permissions for a second page of the memory including a second section of the executable program code to disable execution of the second section of the executable program code loaded into the second page, the second section associated with a second label (see Satish column 3 lines 53-62 i.e. Where the attempted jump is expected according to the CFG 109, the exception handler 117 determines that the program 101 is not attempting to perform a malicious action. Under these circumstances, the exception handler 117 sets the target code page 103 to be 
determining, using the first label and the second label whether a transition from the first section with enabled execution to the second section with disabled execution is allowed during execution of the executable program code (see Satish column 3 lines 40-62 i.e. If not, the exception handler 117 determines that the program 101 is attempting to perform a malicious action (e.g., because it has been corrupted by a return oriented shellcode) and takes appropriate action….Where the attempted jump is expected according to the CFG 109, the exception handler 117 determines that the program 101 is not attempting to perform a malicious action. Under these circumstances, the exception handler 117 sets the target code page 103 to be executable, and returns control to the program 101. The jump then executes successfully, and the control flow of the program 101 proceeds as expected. The code page 103 from which the control flow jumped is to be set back to non-executable and column 1 lines 30-33 i.e. A control flow graph (CFG) is a graphical representation of all possible execution paths for a program. Each node (i.e. claimed label) in the graph represents a piece of code with one or more jump targets, and one or more jumps); and
responsive to a determination that a transition from the first section to the second section is allowed during execution of the executable program code, changing the one or more permissions of the second page to enable execution of the second section of the executable program code (see Satish column 3 lines 53-62 i.e. Where the attempted jump is expected according to the CFG 109, the exception handler 117 determines that the program 101 is not attempting to perform a malicious action. Under these 

With respect to claim 2 Satish teaches the method of claim 1, further comprising: identifying, using one or more annotations in the executable program code, one or more sections of the plurality of sections of the executable program code that are allowed to transition to one another; or identifying, using the one or more annotations, the one or more sections of the plurality of sections of the executable program code that are not allowed to transition to one another (see Satish column 3 lines 1-20 i.e. control flow graph). 

With respect to claim 5 Satish teaches the method of claim 1, further comprising, responsive to the determination that the transition from the first section to the second section is allowed during execution of the executable program code, changing the one or more permissions of the first page to disable execution of the first section of the executable program code (see Satish column 3 lines 53-62 i.e. The code page 103 from which the control flow jumped is to be set back to non-executable, and this can be done in one of various ways as described in detail below).
With respect to claim 6 Satish teaches the method of claim 1, wherein, at any time, a single page of the plurality of pages of memory is configured with permissions that enable execution of a section of the plurality of sections of the executable program code loaded to the single page and remaining pages of the plurality of pages are 
With respect to claim 8 Satish teaches the method of claim 1, further comprising, responsive to a determination that the transition from the first section to the second section is not allowed, terminating execution of the executable program code (see Satish column 1 lines i.e. In response to an exception resulting from an attempted jump between code pages, a control flow graph of the program is examined, to determine if the attempted jump between code pages is expected, as per the control flow graph and the pages corresponding to them. If the attempted jump is not expected, it is determined that the program is attempting malicious activity, and appropriate action is taken. Such action can include steps such as not permitting the attempted jump to execute, transmitting an alert to a central security service, transmitting an alert to a user, activating anti-malware software, terminating the program and/or modifying the program). 
With respect to claim 12 Satish teaches a method comprising:

determining whether a transition is allowed from a first label associated with a first section of the plurality of sections of the executable program code to a second label associated with a second section of the plurality of sections of the executable program code in view of the transition table (see Satish column 3 lines 53-62 i.e. Where the attempted jump is expected according to the CFG 109, the exception handler 117 determines that the program 101 is not attempting to perform a malicious action. Under these circumstances, the exception handler 117 sets the target code page 103 to be 
wherein the first section is associated with enabled execution and the second section is associated with disabled execution (see Satish column 3 lines 34-40 i.e. Because all of the code pages 103 other than the one containing the entry point are initially set to be non-executable, whenever the flow of control jumps from one code page 103 to another, an exception 115 is thrown. In response to these exceptions 115, the exception handler 117 refers to the CFG 109 to determine if the jump is part of the legal flow of control for the program); and 
responsive to a determination that the transition from the first label to the second label is allowed, changing one or more permissions of a first page of memory including the first section to disable execution of the first section and changing one or more permissions of a second page of memory including the second section to enable execution of the second section (see Satish column 3 lines 53-62 i.e. The code page 103 from which the control flow jumped is to be set back to non-executable, and this can be done in one of various ways as described in detail below). 
With respect to claim 15 Satish teaches the method of claim 12, further comprising, responsive to a determination that the transition from the first label to the second label is not allowed, terminating execution of the executable program code (see Satish column 1 lines i.e. In response to an exception resulting from an attempted jump between code pages, a control flow graph of the program is examined, to determine if the attempted jump between code pages is expected, as per the control flow graph and the pages corresponding to them. If the attempted jump is not expected, it is determined that the .


Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 3, 4, 11 and 17 are rejected under 35 U.S.C. 103 as being unpatentable over Satish et al (US 8,645,923) in view of Krten et al (US 2015/0113640).
With respect to claim 3 Satish does not teach the method of claim 2, further comprising: associating a plurality of labels to the plurality of sections of the executable program code; and maintaining a transition table that specifies allowed transitions between the plurality of labels associated with the plurality of sections in view of the one or more annotations.
Krten teaches further comprising: associating a plurality of labels to the plurality of sections of the executable program code; and maintaining a transition table that specifies allowed transitions between the plurality of labels associated with the plurality of sections in view of the one or more annotations (see Krten figure 7 and paragraph 
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Satish in view of Krten. While Satish teaches a control flow graph, Satish does not describe making a transition table from the control flow graph that specifies allowed transitions between the plurality of labels. This transition table could then easily be used to make sure transfers are valid (see Krten paragraph 0003 and 0076). Therefore one would have been motivated to have made a transition table from the control flow graph for the program.
	
With respect to claim 4, Satish does not teach the method of claim 3, further comprising using the transition table to determine whether the transition from the first section to the second section is allowed during execution of the executable program code.
Krten teaches further comprising using the transition table to determine whether the transition from the first section to the second section is allowed during execution of the executable program code (see Krten figure 7 and paragraph 0076 i.e. Let us assume that the control graph of FIG. 6 is implemented by TAS using the mapping provided in the table 70 given in FIG. 7. That is to say that, for example, Fragment2 sends one of two source tokens, SourceToken2a and SourceToken2b to TAS, and 
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Satish in view of Krten. While Satish teaches a control flow graph, Satish does not describe making a transition table from the control flow graph that specifies allowed transitions between the plurality of labels. This transition table could then easily be used to make sure transfers are valid (see Krten paragraph 0003 and 0076). Therefore one would have been motivated to have made a transition table from the control flow graph for the program.
With respect to claim 11 Satish does not teach the method of claim 1, wherein the determination that the transition from the first section to the second section is allowed during execution of the executable program code is made using a transition table comprising at least one mapping of an allowable transition from the first label associated with the first section to the second label associated with the second section. Krten teaches wherein the determination that the transition from the first section to the second section is allowed during execution of the executable program code is made using a transition table comprising at least one mapping of an allowable transition from the first label associated with the first section to the second label associated with the second section (see Krten figure 7 and paragraph 0076 i.e. Let us assume that the control graph of FIG. 6 is implemented by TAS using the mapping provided in the table 70 given in FIG. 7. That is to say that, for example, Fragment2 sends one of two source tokens, SourceToken2a and SourceToken2b to TAS, and receives a target token that effects the control transfer to either Fragment3 or Fragment4). 

With respect to claim 17 Satish does not teach the method of claim 12, further comprising: identifying, using one or more annotations in the executable program code, one or more sections of the plurality of sections of the executable program code that are allowed to transition to one another; associating the plurality of labels to the plurality of sections of the executable program code; and creating the transition table in view of the one or more annotations. 
Krten teaches further comprising: identifying, using one or more annotations in the executable program code, one or more sections of the plurality of sections of the executable program code that are allowed to transition to one another; associating the plurality of labels to the plurality of sections of the executable program code; and creating the transition table in view of the one or more annotations (see Krten figure 7 and paragraph 0076 i.e. Let us assume that the control graph of FIG. 6 is implemented by TAS using the mapping provided in the table 70 given in FIG. 7. That is to say that, for example, Fragment2 sends one of two source tokens, SourceToken2a and SourceToken2b to TAS, and receives a target token that effects the control transfer to either Fragment3 or Fragment4). 
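The enforcement loop discussed in the rejections above (every code page non-executable except the running one, a fault on each cross-page jump, a lookup of the source and target labels in a transition table, then a permission swap or termination) can be modeled in a few lines of C. This is an added illustration, not code from Satish, Krten or the application; the page layout, label names and function names are hypothetical, and boolean flags stand in for real page permissions and fault delivery.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed model: five code pages, four labels (two pages share L_PARSE). */
enum { NPAGES = 5, NLABELS = 4 };
enum label { L_ENTRY, L_PARSE, L_CRYPTO, L_EXIT };
enum verdict { NO_FAULT, ALLOWED, DENIED, DEAD };

struct page { enum label label; bool exec; };

struct monitor {
    struct page pages[NPAGES];
    bool table[NLABELS][NLABELS]; /* table[from][to]: transition permitted */
    size_t current;               /* page whose section is executing */
    unsigned faults;              /* execute-permission faults handled */
    bool terminated;
};

/* Load: every page starts non-executable except the entry page. */
static void monitor_init(struct monitor *m, const enum label labels[NPAGES],
                         size_t entry)
{
    for (size_t i = 0; i < NPAGES; i++) {
        m->pages[i].label = labels[i];
        m->pages[i].exec = (i == entry);
    }
    for (size_t f = 0; f < NLABELS; f++)
        for (size_t t = 0; t < NLABELS; t++)
            m->table[f][t] = false;   /* default deny */
    m->current = entry;
    m->faults = 0;
    m->terminated = false;
}

/* Models one control transfer and, if it faults, the handler's decision. */
static enum verdict monitor_jump(struct monitor *m, size_t target)
{
    if (m->terminated)
        return DEAD;
    if (target < NPAGES && m->pages[target].exec)
        return NO_FAULT;              /* stays on the executable page */
    m->faults++;                      /* target is non-executable: trap */
    if (target >= NPAGES ||
        !m->table[m->pages[m->current].label][m->pages[target].label]) {
        m->terminated = true;         /* unexpected transition: stop program */
        return DENIED;
    }
    m->pages[m->current].exec = false; /* source page back to non-executable */
    m->pages[target].exec = true;      /* target page becomes executable */
    m->current = target;
    return ALLOWED;
}

/* Invariant check: how many pages are executable right now. */
static size_t exec_pages(const struct monitor *m)
{
    size_t n = 0;
    for (size_t i = 0; i < NPAGES; i++)
        n += m->pages[i].exec ? 1 : 0;
    return n;
}

/* Replays a list of jump targets; returns the index of the first jump that
 * was refused, or n if every jump was permitted. */
static size_t run_trace(struct monitor *m, const size_t *targets, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        enum verdict v = monitor_jump(m, targets[i]);
        if (v == DENIED || v == DEAD)
            return i;
    }
    return n;
}

/* Constructed policy: entry -> parse, parse <-> parse, parse <-> crypto,
 * parse -> exit. Anything else is denied. */
static void build_demo(struct monitor *m)
{
    static const enum label labels[NPAGES] =
        { L_ENTRY, L_PARSE, L_PARSE, L_CRYPTO, L_EXIT };
    monitor_init(m, labels, 0);
    m->table[L_ENTRY][L_PARSE] = true;
    m->table[L_PARSE][L_PARSE] = true;
    m->table[L_PARSE][L_CRYPTO] = true;
    m->table[L_CRYPTO][L_PARSE] = true;
    m->table[L_PARSE][L_EXIT] = true;
}

int main(void)
{
    struct monitor m;
    const size_t expected[] = { 1, 2, 2, 3, 1, 4 }; /* legal control flow */
    const size_t diverted[] = { 1, 3, 0, 1 };       /* crypto -> entry */

    build_demo(&m);
    printf("expected: %zu of 6 jumps ran, %u faults\n",
           run_trace(&m, expected, 6), m.faults);
    build_demo(&m);
    printf("diverted: refused at jump %zu, terminated=%d\n",
           run_trace(&m, diverted, 4), (int)m.terminated);
    return 0;
}
```

Two pages carrying the same label still fault when control moves between them, so the table needs an explicit same-label entry; a jump within the current page never reaches the handler at all.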


Claims 7, 9, 13, 14, 16 and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Satish et al (US 8,645,923) in view of Franz et al (9,250,937).
With respect to claim 7 Satish teaches the method of claim 1, further comprising: 
using a transition table to determine whether the transition from the first section to the second section is allowed, wherein the transition table comprises at least one mapping of an allowable transition from the first label associated with the first section to the second label associated with the second section (see Satish column 3 lines 53-62 i.e. Where the attempted jump is expected according to the CFG 109, the exception handler 117 determines that the program 101 is not attempting to perform a malicious action. Under these circumstances, the exception handler 117 sets the target code page 103 to be executable, and returns control to the program 101. The jump then executes successfully, and the control flow of the program 101 proceeds as expected). 
Satish does not teach receiving a page fault in response to an attempt to execute the transition.

It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Satish in view of Franz to use page faults. While Satish does not teach page faults, in Satish all pages are set to non-executable and are only set to executable when the handler determines that the target page is allowed based on the control flow graph. Franz teaches that the jump to the non-executable page would generate a page fault to invoke the handler to check the control flow graph. Therefore one would have been motivated to have generated a page fault to invoke the handler.

With respect to claim 9 Satish does not teach the method of claim 1, further comprising, responsive to a determination that the transition from the first section to the second section is not allowed: suspend execution of the executable program code; clone the executable program code to a virtual machine operating as a sandbox; and transfer control to the virtual machine to execute the executable program code to carry out the transition. 
Franz teaches further comprising, responsive to a determination that the transition from the first section to the second section is not allowed: suspend execution 
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Satish in view of Franz to emulate the instruction that the program is trying to write to as a way to make the page writable while keeping the original page content so that the emulated page can be compared to the original page content to see if the page was modified. Therefore one would have been motivated to have emulated the page.
With respect to claim 13 Satish teaches the method of claim 12, further comprising: 
executing the second section (see Satish column 3 lines 53-62 i.e. Where the attempted jump is expected according to the CFG 109, the exception handler 117 determines that the program 101 is not attempting to perform a malicious action. Under these circumstances, the exception handler 117 sets the target code page 103 to be executable, and returns control to the program 101. The jump then executes successfully, and the control flow of the program 101 proceeds as expected); 

Satish does not teach receiving a page fault in response to an attempt to transition from the second section to the first section during execution of the second section.

It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Satish in view of Franz to use page faults. While Satish does not teach page faults, in Satish all pages are set to non-executable and are only set to executable when the handler determines that the target page is allowed based on the control flow graph. Franz teaches that the jump to the non-executable page would generate a page fault to invoke the handler to check the control flow graph. Therefore one would have been motivated to have generated a page fault to invoke the handler.
With respect to claim 14 Satish does not teach the method of claim 12, further comprising receiving a page fault in response to an attempt to execute the transition. 
Franz teaches further comprising receiving a page fault in response to an attempt to execute the transition (see Franz column 5 lines 37-48 i.e. The library installs a handler for the segmentation fault signal (SIGSEGV in Linux), which is raised whenever a processor instruction attempts to access memory it does not have permission for. Whenever the processor attempts to execute a non-executable page, it triggers a page fault in the MMU).

With respect to claim 16 Satish does not teach the method of claim 12, further comprising, responsive to a determination that the transition from the first section to the second section is not allowed: suspend execution of the executable program code; clone the executable program code to a virtual machine operating as a sandbox; and transfer control to the virtual machine to execute the executable program code to carry out the transition. 
Franz teaches further comprising, responsive to a determination that the transition from the first section to the second section is not allowed: suspend execution of the executable program code; clone the executable program code to a virtual machine operating as a sandbox; and transfer control to the virtual machine to execute the executable program code to carry out the transition (see Franz column 8 lines 4-10 i.e. The operating system calls the SIGSEGV signal handler each time a processor instruction tries to write to a protected page, as long as the page is protected. However, this occurs before the actual instruction writes the data; we have to either emulate the 
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Satish in view of Franz to emulate the instruction that the program is trying to write to as a way to make the page writable while keeping the original page content so that the emulated page can be compared to the original page content to see if the page was modified. Therefore one would have been motivated to have emulated the page.

With respect to claim 18 Satish teaches a system comprising: a memory device storing instructions (see Satish figure 1); and a processing device coupled to the memory device (see Satish column 5 lines 61-67), wherein the processing device executes the instructions to: 
load a first subset of one or more sections of executable program code into separate pages of memory, wherein the one or more sections of the executable program code implement an executable program (see Satish column 1 lines 46-65 i.e. In contrast, according to embodiments of the present invention, a page management component 105 explicitly sets all code pages 103 of the program 101 other than the page 103 containing entry point as non-executable. The exact implementation mechanics for setting code pages 103 of a program 101 to be non-executable can vary between operating systems and hardware platforms. Typically, the value of a specific bit determines whether a given code page 103 is executable or not. Note that in some 
execute the executable program and receive a call originating from the first subset to a function in a section of the executable program code in the second subset; suspend execution of the executable program (see Satish column 3 lines 34-52 i.e. Because all of the code pages 103 other than the one containing the entry point are initially set to be non-executable, whenever the flow of control jumps from one code page 103 to another, an exception 115 is thrown. In response to these exceptions 115, the exception handler 117 refers to the CFG 109 to determine if the jump is part of the legal flow of control for the program); and 
resume execution and transition to execute the function in the section of the executable program code in the second subset (see Satish column 3 lines 53-62 i.e. Where the attempted jump is expected according to the CFG 109, the exception handler 117 determines that the program 101 is not attempting to perform a malicious action. Under these circumstances, the exception handler 117 sets the target code page 103 to be executable, and returns control to the program 101).
Satish does not teach instantiate a virtual machine and load a second subset of the one or more sections of the executable program code to the virtual machine; and suspend execution of the virtual machine; 
Franz teaches instantiate a virtual machine and load a second subset of the one or more sections of the executable program code to the virtual machine; and suspend execution of the virtual machine (see Franz column 8 lines 4-10 i.e. The operating system calls the SIGSEGV signal handler each time a processor instruction tries to 
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Satish in view of Franz to emulate the instruction that the program is trying to write to as a way to make the page writable while keeping the original page content so that the emulated page can be compared to the original page content to see if the page was modified. Therefore one would have been motivated to have emulated the page.

Claim 20 is rejected under 35 U.S.C. 103 as being unpatentable over Satish et al (US 8,645,923) in view of Franz et al (9,250,937) in view of Krten et al (US 2015/0113640).
With respect to claim 20 Satish does not teach the system of claim 18, wherein: the virtual machine includes a transition table comprising mappings that specify allowable transitions between a first plurality of labels associated with a portion of the second subset of the one or more sections of the executable program code and a second plurality of labels associated with a second portion of the second subset of the one or more sections of the executable program code; and the virtual machine uses the transition table to determine whether transitions between sections of the second subset are allowed.
Krten teaches wherein: the virtual machine includes a transition table comprising mappings that specify allowable transitions between a first plurality of labels associated 
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Satish in view of Krten. While Satish teaches a control flow graph, Satish does not describe making a transition table from the control flow graph that specifies allowed transitions between the plurality of labels. This transition table could then easily be used to make sure transfers are valid (see Krten paragraph 0003 and 0076). Therefore one would have been motivated to have made a transition table from the control flow graph for the program.

Allowable Subject Matter
Claims 10 and 19 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.
With respect to claim 19 the prior art does not teach the method of claim 9, wherein the virtual machine is loaded with just the second section of the executable program code.


Other Prior Art
Benameur et al “Systems and methods for enforcing secure software execution” teaches a computer-implemented method for enforcing secure software execution may include (1) providing at least one known benign input to an executable file that is susceptible to abnormal code execution, (2) observing a series of function calls made by the executable file as the executable file processes the known benign input, (3) storing the series of function calls as a control flow graph that represents known safe function call pathways for the executable file, and (4) forcing a subsequent execution of the executable file to follow the series of function calls stored in the control flow graph to protect the executable file against abnormal code execution. Various other methods, systems, and computer-readable media

Conclusion
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to DEVIN E ALMEIDA whose telephone number is (571)270-1018.  The examiner can normally be reached on Monday-Thursday from 7:30 A.M. to 5:00 P.M.  The examiner can also be reached on alternate Fridays from 7:30 A.M. to 4:00 P.M. 
If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, Saleh Najjar, can be reached on 571-272-4006. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free).
/DEVIN E ALMEIDA/Examiner, Art Unit 2492
/SALEH NAJJAR/Supervisory Patent Examiner, Art Unit 2492