DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
This Office Action is responsive to the Amendment filed on 12/14/2020.
Claims 1, 9, 12, and 16 have been amended.
Claims 17-20 have been added.
Claims 1-20 are pending.
Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the 
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA /25, or PTO/AIA /26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.
Claims 1-16 rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-2, 6-11, and 3-5, respectively, of U.S. Patent No. 10,545,745. Although the claims at issue are not identical, they are not patentably distinct from each other because their inventions are similar to each other. See table below.
Instant Application 16/291,495
Patent No. 10,545,745
1. A method, comprising:
determining unused first instructions in a target application binary;
rewriting the target application binary before runtime execution to reduce binary attack surface area for the runtime execution of the target application binary, comprising performing a first rewriting of the target application binary to overwrite the determined first instructions to remove the unused instructions;
wherein the first rewriting is performed via one of performing static 
wherein the dynamic rewriting of the target application binary during runtime execution is performed on the target application binary in response to the target application being loaded into main memory before executing the first instruction of the target application;
determining no longer used second instructions in the target application binary; and
rewriting the target application binary after runtime execution of the target application binary comprising performing a second rewriting of the target application binary to overwrite the determined second instructions to remove the no longer used instructions.

determining unused instructions in a target application binary […];
rewriting the target application binary before runtime execution to reduce binary attack surface area for the runtime execution of the target application binary, comprising performing the first rewriting of the target application binary to overwrite the determined first instructions to remove the unused instructions […];
wherein the first rewriting is performed via one of performing static 
wherein the dynamic rewriting of the target application binary during runtime execution is performed on the target application binary in response to the target application being loaded into main memory before executing the first instruction of the target application;  
determining no longer used instructions in the target application binary […]; and 
rewriting the target application binary after runtime execution of the target application binary comprising performing the second rewriting of the target application binary to overwrite the determined second instructions to remove the no longer used instructions […];

determining the no longer used second instructions in the target application binary comprises monitoring the target application binary during the runtime execution to determine the second instructions to remove from the set of runtime instructions; and

rewriting the target application binary after runtime execution of the target application binary comprises dynamically rewriting the target application binary during runtime execution to overwrite the determined second instructions to remove the no longer used instructions from execution during the runtime execution;
wherein the dynamic rewriting the target application binary during runtime execution is performed on the target application binary residing in the main memory.
    2.  The method of claim 1, wherein: 
determining no longer used instructions in the target application binary further comprises monitoring the target application binary during the runtime execution to determine the second instructions to remove from the set of runtime instructions;  and 
rewriting the target application binary after runtime execution of the target application binary comprises dynamically rewriting the target application binary during runtime execution to overwrite the determined second instructions to remove the no longer used instructions from execution during the runtime execution;  
wherein the dynamic rewriting the target application binary during runtime execution is performed on the target application binary residing in the main memory.
3. The method of claim 1, further comprising profiling the target application binary to determine first instructions, comprising:

processing, using one or more algorithms, the control flow graph to identify all nodes that belong in loops; and
recording all basic blocks that are at beginnings of the loops.


processing, using one or more algorithms, the control flow graph to identify all nodes that belong in loops; and 
recording all basic blocks that are at beginnings of the loops.

overwriting instructions in all basic blocks not in the control flow graph with no operation instructions or trap instructions.
7.  The method of claim 6, wherein the performing the first rewriting of the target application binary further comprises: 
overwriting instructions in all basic blocks not in the control flow graph with no operation instructions or trap instructions.
5. The method of claim 3, wherein monitoring the target application binary during runtime execution to determine second instructions further comprises:
in response to execution of the target application binary reaching recorded basic blocks at beginning of loops, identifying basic block candidates for elimination as all basic blocks not reachable from a current recorded basic block.
8.  The method of claim 6, wherein monitoring the target application binary during runtime execution to determine second instructions further comprises: 
in response to execution of the target application binary reaching recorded basic blocks at beginning of loops, identifying basic block candidates for elimination as all basic blocks not reachable from a current recorded basic block.
6. The method of claim 5, wherein monitoring the target application binary during runtime execution to determine second instructions further comprises: 
executing the target application binary;
determining whether recorded basic blocks are reached; and
performing the identifying basic block candidates in response to a determination recorded basic blocks are reached.
    9.  The method of claim 8, wherein monitoring the target application binary during runtime execution to determine second instructions further comprises: 
executing the target application binary;
determining whether recorded basic blocks are reached; and
performing the identifying basic block candidates in response to a determination recorded basic blocks are reached.
7. The method of claim 6, wherein:
executing the target application binary further comprises executing the target application binary using one of a tracing application or a debugger;
the determining whether recorded basic blocks are reached further comprises setting trap instructions or breakpoints on the recorded basic blocks and determining whether the recorded basic blocks are reached 

executing the target application binary further comprises executing the target application binary using one of a tracing application or a debugger;  
the determining whether recorded basic blocks are reached further comprises setting trap instructions or breakpoints on the recorded basic blocks and determining whether the recorded basic blocks are reached 

overwriting instructions from the identified basic block candidates with no operation or trap instructions.
11.  The method of claim 8, wherein dynamically rewriting the target application binary during runtime execution to remove the determined second instructions further comprises: 
overwriting instructions from the identified basic block candidates with no operation or trap instructions.
9. The method of claim 2, further comprising performing the following during runtime execution of the target application binary:
catching an exception caused by an instruction and indicating one or more removed instructions are being executed;
replacing the instruction that resulted in the caught exception with a corresponding instruction from the target application binary; and
resuming program execution from the replaced instruction.
3.  The method of claim 2, further comprising performing the following during runtime execution of the target application binary: 
catching an exception caused by an instruction and indicating one or more removed instructions are being executed;  
replacing the instruction that resulted in the caught exception with a corresponding instruction from the target application binary; and 
resuming program execution from the replaced instruction.
10. The method of claim 9, wherein replacing the instruction replaces multiple instructions in a basic block, wherein the basic block was previously overwritten by the instruction that resulted in the caught exception and was overwritten by other instructions.
4.  The method of claim 3, wherein replacing the instruction replaces multiple instructions in a basic block, wherein the basic block was previously overwritten by the instruction that resulted in the caught exception and was overwritten by other instructions.
11. The method of claim 2, wherein dynamically rewriting the target application binary during runtime execution to remove the determined second instructions further comprises:
determining during runtime execution loops in the target application binary; and
for loops not reachable from a current loop being executed, overwriting the loops that are not reachable from a current loop being executed with no operation instructions or trap instructions.
5.  The method of claim 2, wherein dynamically rewriting the target application binary during runtime execution to remove the determined second instructions further comprises: 
determining during runtime execution loops in the target application binary; and 
for loops not reachable from a current loop being executed, overwriting the loops that are not reachable from a current loop being executed with no operation instructions or trap instructions.

	
Regarding claims 12-15
Regarding claim 16, it is the computer program product claim as obvious variation of the method of claim 1. Therefore, claim 16 is rejected for the same reasons as claim 1.
Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.

Claims 9-10 are rejected under 35 U.S.C. 112(b) as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor regards as the invention.
Regarding dependent claim 9, lines 2-3, the limitation “[…] performing the following during runtime execution of a version of the target application binary residing in the main memory:” is ambiguous because independent claim 1, lines 11-12, recited “[…] the target application being loaded into the main memory […]”. Therefore, it is unclear whether there are two versions of the target application residing in the main memory (i.e. one is already inside main memory as recited in dependent claim 9 and one is loaded into main memory as recited in independent claim 1) or there is one version of the target application residing in the main memory. In the interest of compact prosecution, the Examiner interprets the limitation as “[…] performing the following during runtime execution of the loaded version of the target application binary residing in the main memory:”
Regarding dependent claim 10, it depends on dependent claim 9. Therefore, dependent claim 10 is rejected based on its dependency of dependent claim 9.
Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the 
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale or otherwise available to the public before the effective filing date of the claimed invention.

Claims 1-3, 5-7, 12-14, and 16-19 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Cui (U.S. Publication No. 2016/0021121).
Regarding claim 1, Cui teaches a method, comprising:
determining unused first instructions (not used feature) in a target application binary (original firmware 310) (Cui, ¶ [0066]-[0070], “[…] At 620, a list can be generated that identifies one or more features of original firmware 310 that are referenced in the configuration file. At 630, the list can then be examined to identify a feature of interest that meets a predetermined criterion. For example, the feature of interest can be identified upon determining one or more of the following: […] F3: A feature that is not used by embedded device 110 […];
rewriting the target application binary before runtime execution (static analysis) to reduce binary attack surface area for the runtime execution of the target application binary, comprising performing the first rewriting (FIG. 6A, step 650) of the target application binary to overwrite the determined first instructions to remove the unused instructions (FIG. 6B, step 605) (Cui, ¶ [0071], “At 640, a static and/or dynamic analysis can be performed on original firmware 310 to identify one or more code segments that implement the feature of interest […] The analysis can be performed on the original host program in order to determine areas of live code […] At 650, the one or more code segments that implement the feature of interest can be removed from original firmware 310 to generate fortified firmware 320.  In this example, code segment 605 is deleted.  Removing the code for the feature of interest can, for example, reduce the potentially vulnerable attack surface of fortified firmware 320.” ¶ [0075], “[…] It should also be noted that the fortified firmware image can, in some embodiments, be created offline prior to the embedded device or system executing the firmware. […]”);
wherein the first rewriting is performed via one of performing static rewriting of the target application binary residing in the secondary memory or performing dynamic rewriting of the target application binary residing in a main memory (Cui, ¶ [0071], “At 640, a static and/or dynamic analysis can be performed on original firmware 310 to identify one or more code segments that implement the feature of interest. Each of the identified code segments can include one or more lines of instructions, such as function entry points, function or library routine return instruction locations, any other suitable program instruction or memory location, and/or any suitable combination thereof.” ¶ [0064] “At 540, fortified firmware 320 can be installed or otherwise executed on embedded device 110.  In some embodiments, installing fortified firmware 320 can include flashing firmware memory 280.” ¶ [0065] “In particular, one or more of 520, 530, and/or 540 can be performed by embedded device 110.  For example, one or more of modifications M1-M5 can be performed by embedded device 110 at runtime.”).
wherein the dynamic rewriting of the target application binary during runtime execution is performed on the target application binary in response to the target application being loaded into main memory (booted) before executing the first instruction of the target application (Cui, ¶ [0065] “In particular, one or more of 520, 530, and/or 540 can be performed by embedded device 110.  For example, one or more of modifications M1-M5 can be performed by embedded device 110 at runtime.  In such embodiments, modification M1-M4 can be performed in accordance with a predetermined schedule, such as when embedded device 110 is booted or every in times the embedded device is booted.”);
determining no longer used second instructions (deemed unnecessary feature) in the target application binary (original firmware 310) (Cui, ¶ [0066]-[0070], “[…] At 620, a list can be generated that identifies one or more features of original firmware 310 that are referenced in the configuration file. At 630, the list can then be examined to identify a feature of interest that meets a predetermined criterion. For example, the feature of interest can be identified upon determining one or more of the following: […]; and F4: A feature that is deemed unnecessary by an administrator user.”); and
rewriting the target application binary after runtime execution of the target application binary comprising performing a second rewriting of the target application binary to overwrite the determined second instructions to remove the no longer used instructions (Cui, ¶ [0036], “the monitoring machine or any other suitable component can determine and select function entry points, return instructions, program instruction locations, and/or other locations in the code and reallocate the system resources (e.g., processing and/or memory resources) such that the monitoring machine can execute in a time-shared fashion concurrently with the code of the embedded device. This can, for example, facilitate repeated executions of the monitoring machine without otherwise altering the behavior of the embedded device.” ¶ [0071], “At 640, a static and/or dynamic analysis can be performed on original firmware 310 to identify one or more code segments that implement the feature of interest […] At 650, the one or more code segments that implement the feature of interest can be removed from original firmware 310 to generate fortified firmware 320.  In this example, code segment 605 is deleted.  Removing the code for the feature of interest can, for example, reduce the potentially vulnerable attack surface of fortified firmware 320.”) (After monitoring machine monitor the execution of the firmware, the system modifies the original firmware 310 to generate fortified firmware 320).
Regarding claim 2, the rejection of claim 1 is incorporated and furthermore Cui teaches the method of claim 1, wherein:
determining the no longer used second instructions in the target application binary comprises monitoring the target application binary during the runtime execution to determine the second instructions to remove from the set of runtime instructions; and rewriting the target application binary after runtime execution of the target application binary comprises dynamically rewriting the target application binary during runtime execution to overwrite the determined second instructions to remove the no longer used instructions from execution during the runtime execution (Cui, ¶ [0036], “For example, the monitoring machine or any other suitable component can determine and select function entry points, return instructions, program instruction locations, and/or other locations in the code and reallocate the system resources (e.g., processing and/or memory resources) such that the monitoring machine can execute in a time-shared fashion concurrently with the code of the embedded device. This can, for example, facilitate repeated executions of the monitoring machine without otherwise altering the behavior of the embedded device.” ¶ [0065] “In particular, one or more of 520, 530, and/or 540 can be performed by embedded device 110.  For example, one or more of modifications M1-M5 can be performed by embedded device 110 at runtime.  In such embodiments, modification M1-M4 can be performed in accordance with a predetermined schedule, such as when embedded device 110 is booted or every in times the embedded device is booted.  In that regard, by performing modifications M1-M4 repeatedly, embedded device 110 can turn itself into a moving target for malicious code designers and other potential attackers.”);
wherein the dynamic rewriting the target application binary during runtime execution is performed on the target application binary residing in the main memory (firmware memory 280) (Cui, ¶ [0064] “At 540, fortified firmware 320 can be installed or otherwise executed on embedded device 110.  In some embodiments, installing fortified firmware 320 can include flashing firmware memory 280.” ¶ [0065] “In particular, one or more of 520, 530, and/or 540 can be performed by embedded device 110.  For example, one or more of modifications M1-M5 can be performed by embedded device 110 at runtime.”).
Regarding claim 3, the rejection of claim 1 is incorporated and furthermore Cui teaches the method of claim 1, further comprising profiling the target application binary to determine first instructions, comprising:
tracing the target application binary during an execution of the target application binary to create a control flow graph of the target application binary (Cui, ¶ [0089] “At 930, multiple control intercepts 905 (shown in FIGS. 9B-9D) can be distributed throughout the body of original firmware 310.  Each of the control intercepts can include one or more instructions (e.g., branch instructions) that are capable of redirecting the control flow of embedded device 110 from a code segment found in original firmware 310 (e.g., modules 314, 316, 318a or 318b) to monitoring machine 330.”);
processing, using one or more algorithms, the control flow graph to identify all nodes that belong in loops (Cui, ¶ [0036], “[…] For example, the monitoring machine or any other suitable component can determine and select function entry points, return instructions, program instruction locations, and/or other locations in the code and reallocate the system resources (e.g., processing and/or memory resources) such that the monitoring machine can execute in a time-shared fashion concurrently with the code of the embedded device.  This can, for example, facilitate repeated executions of the monitoring machine without otherwise altering the behavior of the embedded device. […]” ¶ [0089], “[…] This allows the monitoring machine to remain agnostic to operating system specifics while executing its payload alongside the original operating system. […]”); and
recording all basic blocks that are at beginnings of the loops (Cui, ¶ [0081], “[…] a monitoring engine 935 that acquires and organizes static and runtime information relating to the host program, and an execution manager 915 that manages resources (e.g., how and when the code and the host program are executed on the processor).”).
Regarding claim 5, the rejection of claim 3 is incorporated and furthermore Cui teaches the method of claim 3, wherein monitoring the target application binary during runtime execution to determine second instructions further comprises:
in response to execution of the target application binary reaching recorded basic blocks at beginning of loops, identifying basic block candidates for elimination as all basic blocks not reachable (dead code) from a current recorded basic block (Cui, ¶ [0090] “As illustrated, intercepts 905a-h can be inserted in various intercept points in original firmware 310. In some embodiments, the locations where the intercepts are inserted can be chosen out of candidate live code segments within firmware 310. The manner in which code segments are classified as live, as well as the number of intercepts chosen from each region (e.g., module) can affect the frequency in which the injected monitoring machine is executed. […] As illustrated in FIG. 9D, when code belonging to original firmware 310 is executed, and one of the intercept points is reached, the control intercept that has been placed at that point redirects the control flow of embedded device 110 to manager 915.  Manager 915 can, in turn, further redirect the control flow of embedded device 110 to payload 925.  When the execution of payload 925 and manager 915 is completed, the control flow of embedded device 110 can return to the point where execution of code belonging to original firmware 310 was left off to execute manager 915 and payload 925.  The execution of code belonging original firmware 310 can continue until another, or the same, intercept point is reached once again.”).
Regarding claim 6, the rejection of claim 5 is incorporated and furthermore Cui teaches the method of claim 5, wherein monitoring the target application binary during runtime execution to determine second instructions (dead code during runtime) further comprises:
executing the target application binary; determining whether recorded basic blocks are reached; and performing the identifying basic block candidates in response to a determination recorded basic blocks are reached (Cui, ¶ [0090] “As illustrated, intercepts 905a-h can be inserted in various intercept points in original firmware 310. In some embodiments, the locations where the intercepts are inserted can be chosen out of candidate live code segments within firmware 310. The manner in which code segments are classified as live, as well as the number of intercepts chosen from each region (e.g., module) can affect the frequency in which the injected monitoring machine is executed. […] As illustrated in FIG. 9D, when code belonging to original firmware 310 is executed, and one of the intercept points is reached, the control intercept that has been placed at that point redirects the control flow of embedded device 110 to manager 915.  Manager 915 can, in turn, further redirect the control flow of embedded device 110 to payload 925.  When the execution of payload 925 and manager 915 is completed, the control flow of embedded device 110 can return to the point where execution of code belonging to original firmware 310 was left off to execute manager 915 and payload 925.  The execution of code belonging original firmware 310 can continue until another, or the same, intercept point is reached once again.”).
Regarding claim 7, the rejection of claim 6 is incorporated and furthermore Cui teaches the method of claim 6, wherein:
executing the target application binary further comprises executing the target application binary using one of a tracing application or a debugger (monitoring machine) (Cui, ¶ [0036] “[…] the monitoring machine or any other suitable component can determine and select function entry points, return instructions, program instruction locations, and/or other locations in the code and reallocate the system resources (e.g., processing and/or memory resources) such that the monitoring machine can execute in a time-shared fashion concurrently with the code of the embedded device.”);
the determining whether recorded basic blocks are reached further comprises setting trap instructions or breakpoints on the recorded basic blocks and determining whether the recorded basic blocks are reached in response to the trap instructions or breakpoints being reached (Cui, ¶ [0090] “As illustrated, intercepts 905a-h can be inserted in various intercept points in original firmware 310. In some embodiments, the locations where the intercepts are inserted can be chosen out of candidate live code segments within firmware 310. The manner in which code segments are classified as live, as well as the number of intercepts chosen from each region (e.g., module) can affect the frequency in which the injected monitoring machine is executed. […] As illustrated in FIG. 9D, when code belonging to original firmware 310 is executed, and one of the intercept points is reached, the control intercept that has been placed at that point redirects the control flow of embedded device 110 to manager 915.  Manager 915 can, in turn, further redirect the control flow of embedded device 110 to payload 925.  When the execution of payload 925 and manager 915 is completed, the control flow of embedded device 110 can return to the point where execution of code belonging to original firmware 310 was left off to execute manager 915 and payload 925.  The execution of code belonging original firmware 310 can continue until another, or the same, intercept point is reached once again.”) (Monitoring machine set intercepts 905a-h as traps to record the execution of the host program.).
Regarding claims 12-14, they are the computer system claims corresponding to the method of claims 1-3, respectively. Therefore, claims 12-14 are rejected for the same reasons as claims 1-3.
Regarding claim 16, it is the computer program product claim corresponding to the method of claim 1. Therefore, claim 16 is rejected for the same reason as claim 1.
Regarding claim 17, the rejection of claim 1 is incorporated and furthermore Cui teaches the method of claim 1, wherein the target application binary residing in the main memory is volatile (Storage memory 270 Random Access Memory (RAM)), and the target application binary residing in the secondary memory is nonvolatile (Firmware memory 280, Read-Only Memory (ROM)) (Cui ¶ [0091] “At 1010, manager 915 can save the context of code of fortified firmware 320 in storage memory 270 and/or firmware memory 280.” ¶ [0051] “[…] Storage memory 270 can include RAM, flash memory, hard drive, or any other suitable type of memory. Firmware memory 280 can be a flash ROM chip, or another similar device. […]”).
Regarding claim 18, the rejection of claim 1 is incorporated and furthermore Cui teaches the method of claim 1, wherein the dynamic rewriting of the target application binary during runtime execution (normal operation) is performed on the target application binary residing in the main memory (Storage memory 270 Random Access Memory (RAM)) (Cui, ¶ [0051] “[…]Storage memory 270 can include any volatile […] memory that is modifiable by the user.”) without changing (not modifiable) the target application binary residing in the secondary memory (Firmware memory 280, Read-Only Memory (ROM)) (Cui, ¶[0052] “embedded device 110 can be configured in such a way that the content of firmware memory 280 may be inaccessible to the user of the device. Unlike storage memory 270, firmware memory 280 may not be modifiable during the device's normal operation.” ¶ [0051] “[…] Storage memory 270 can include RAM, flash memory, hard drive, or any other suitable type of memory. Firmware memory 280 can be a flash ROM chip, or another similar device. […]”).
Regarding claim 19, the rejection of claim 1 is incorporated and furthermore Cui teaches the method of claim 1, wherein the dynamic rewriting of the target application binary during runtime execution is performed on the target application binary by a tracing or debugging program (monitoring machine 330) in response to the target application being loaded into main memory by the tracing or debugging program (Cui ¶ [0089] “[…] monitoring machine 330 can include manager 915 and payload 925 (shown in FIGS. 9B-9D).” ¶ [0091] “FIG. 10 illustrates a process 1000 that can be performed by manager 915 […]. At 1010, manager 915 can save the context of code of fortified firmware 320 in storage memory 270 and/or firmware memory 280. The code whose context is stored is the code which was included in fortified firmware 320 from original firmware 310. At 1020, manager 915 can load the context of payload 925 into the registers of processor 260.”).
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the 
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.

Claims 4, 8, 11, and 15 are rejected under 35 U.S.C. 103 as being unpatentable over Cui in view of Gupta (U.S. Publication No. 2016/0224790).
Regarding claim 4, the rejection of claim 3 is incorporated and furthermore Cui taught the method of claim 3, wherein the performing the first rewriting of the target application binary (Cui, ¶ [0071], “[…] At 650, the one or more code segments that implement the feature of interest can be removed from original firmware 310 to generate fortified firmware 320.  In this example, code segment 605 is deleted. Removing the code for the feature of interest can, for example, reduce the potentially vulnerable attack surface of fortified firmware 320.”).
Cui did not specifically teach overwriting instructions in all basic blocks not in the control flow graph with no operation instructions or trap instructions.
However, Gupta teaches overwriting instructions in all basic blocks not in the control flow graph with no operation instructions or trap instructions (Gupta, ¶ [0007], “Once the set of instructions are determined, for each available instruction not in the set of instructions, the systems and methods change the respective instruction to inoperative to prevent execution of the respective instruction. […] The systems and methods may change the respective instruction to inoperative by overwriting the respective instruction with a no operation (NOP) instruction.”).

Regarding claim 8, the rejection of claim 5 is incorporated and furthermore Cui taught the method of claim 5, wherein dynamically rewriting the target application binary during runtime execution to remove the determined second instructions (Cui, ¶ [0071], “At 640, a static and/or dynamic analysis can be performed on original firmware 310 to identify one or more code segments that implement the feature of interest […] At 650, the one or more code segments that implement the feature of interest can be removed from original firmware 310 to generate fortified firmware 320.  In this example, code segment 605 is deleted.  Removing the code for the feature of interest can, for example, reduce the potentially vulnerable attack surface of fortified firmware 320.”).
Cui did not specifically teach overwriting instructions from the identified basic block candidates with no operation or trap instructions.
However, Gupta teaches overwriting instructions from the identified basic block candidates with no operation or trap instructions (Gupta, ¶ [0007], “Once the set of instructions are determined, for each available instruction not in the set of instructions, the systems and methods change the respective instruction to inoperative to prevent execution of the respective instruction. […] The systems and methods may change the respective instruction to inoperative by overwriting the respective instruction with a no operation (NOP) instruction.”).
It would have been obvious to one of an ordinary skill in the art before the effective filling date of the claimed invention to incorporate Gupta’s concept of replacing unused lines of code with no operation instructions into Cui’s system because both systems were design to reduce the attack surface of a program application by reducing the amount of executable code within the program application and by incorporate the teaching of Gupta into Cui would allow Cui’s system to delete the binary code lines of the unused code by zeroing out the line with no operation instructions.
Regarding claim 11, the rejection of claim 2 is incorporated and furthermore Cui taught the method of claim 2, wherein dynamically rewriting the target application binary during runtime execution to remove the determined second instructions further comprises:
determining during runtime execution loops in the target application binary (Cui, ¶ [0090], “As illustrated, intercepts 905a-h can be inserted in various intercept points in original firmware 310. In some embodiments, the locations where the intercepts are inserted can be chosen out of candidate live code segments within firmware 310. The manner in which code segments are classified as live, as well as the number of intercepts chosen from each region (e.g., module) can affect the frequency in which the injected monitoring machine is executed. […] As illustrated in FIG. 9D, when code belonging to original firmware 310 is executed, and one of the intercept points is reached, the control intercept that has been placed at that point redirects the control flow of embedded device 110 to manager 915.  Manager 915 can, in turn, further redirect the control flow of embedded device 110 to payload 925.  When the execution of payload 925 and manager 915 is completed, the control flow of embedded device 110 can return to the point where execution of code belonging to original firmware 310 was left off to execute manager 915 and payload 925.  The execution of code belonging original firmware 310 can continue until another, or the same, intercept point is reached once again.”); and
Cui did not specifically teach overwriting the loops that are not reachable from a current loop being executed with no operation instructions or trap instructions.
However, Gupta teaches for loops not reachable from a current loop being executed, overwriting the loops that are not reachable from a current loop being executed with no operation instructions or trap instructions (Gupta, ¶ [0007], “Once the set of instructions are determined, for each available instruction not in the set of instructions, the systems and methods change the respective instruction to inoperative to prevent execution of the respective instruction. […] The systems and methods may change the respective instruction to inoperative by overwriting the respective instruction with a no operation (NOP) instruction.”).
It would have been obvious to one of an ordinary skill in the art before the effective filling date of the claimed invention to incorporate Gupta’s concept of replacing unused lines of code with no operation instructions into Cui’s system because both systems were design to reduce the attack surface of a program application by reducing the amount of executable code within the program application and by incorporate the teaching of Gupta into Cui would allow Cui’s system to delete the binary code lines of the unused code by zeroing out the line with no operation instructions.
Regarding claim 15, it is the computer system claim corresponding to the method of claim 11. Therefore, claim 15 is rejected for the same reason as claim 11.
Claim 20  rejected under 35 U.S.C. 103 as being unpatentable over Cui in view of Caballero (U.S. Publication No. 2019/0042224).
Regarding claim 20, the rejection of claim 1 is incorporated and furthermore Cui taught the method of claim 1, wherein:
the no longer used first instructions comprise:
instructions not invoked by the target application binary during runtime execution (Cui ¶ [0066] […] “At 630, the list can then be examined to identify a feature of interest that meets a predetermined criterion. For example, the feature of interest can be identified upon determining one or more of the following:” ¶ [0069] “F3: A feature that is not used by embedded device 110 (e.g., a feature that is intended for use by other printer models or other device models that share the same firmware with embedded device 110)”);
Cui did not specifically teach the no longer used second instructions comprise:
instructions that are not in a main execution loop of the target application binary; and
instructions in the main execution loop that are not accessed again;
However, Caballero teaches the no longer used second instructions comprise:
instructions that are not in a main execution loop (unreachable) of the target application binary (Caballero, ¶ [0042] “In some examples, the optimizer 110 performs dead code elimination (e.g., removal of useless code) and/or reachability analysis (e.g., identify and remove unreachable code).  In some examples, the optimizer 110 performs constant propagation, or discovery and propagation of constant values in the first IR 114.”); and
instructions in the main execution loop that are not accessed again (non-recurring memory access) (Caballero, ¶ [0027] “Loop-optimization algorithms, including loop vectorization, may focus on optimizing loops that include memory loads which, at a compile time, have a predictable pattern of recurring memory accesses to one or more (relatively) small look-up tables.”).
It would have been obvious to one of an ordinary skill in the art before the effective filling date of the claimed invention to incorporate Caballero’s concept of implementing a reachability analysis and loop-optimization algorithms into Cui’s system because both systems were design to optimize the program application by reducing the amount of executable code within the program application and by incorporate the teaching of Caballero into Cui would allow Cui’s system to perform reachability analysis on the program in order to determine and remove unreachable code that are not in the main execution of the program application and loop-optimization algorithm to determine pattern of recurring memory access to keep and remove instructions that are non-recurring access.
Allowable Subject Matter
Applicant’s amendments to claim 9 and arguments on pages 13-14 in the Remarks have been fully considered and is persuasive. Therefore, the 35 U.S.C. § 102(a)(1) rejection of claims 9-10 is withdrawn.
Claim 9-10 are objected to as being dependent upon a rejected base claim, but would be allowable if the 112(b) issue are resolved and if rewritten in independent form including all of the limitations of the base claim and any intervening claims.
Response to Arguments
Applicant’s amendments to claims 1, 9, 12, and 16
A Terminal Disclaimer has not been filed. Therefore, the Double Patenting rejection of claims 1-20 is maintained.
Applicant’s argument regarding independent claim 1 have been fully considered. However, the 35 U.S.C. § 102(a)(1) rejection is maintained.
Applicant argues that Cui fails to teach limitation(s) of independent claim 1.
In the Remark, Applicant argues:
	1. Independent claims: the cited prior art does not disclose or suggest the first rewriting as claimed
Claim 1 claims
“wherein the first rewriting is performed via one of performing static rewriting of the target application binary residing in a secondary memory or performing dynamic rewriting of the target application binary residing in a main memory;
wherein the dynamic rewriting of the target application binary during runtime execution is performed on the target application binary in response to the target application being loaded into the main memory before executing the first instruction of the target application.”
	[…]
The Examiner stated that Cui at the above-referenced paragraphs (¶ 71, 64, 65) and related excerpts describe the first rewriting and the dynamic aspects of the first rewriting.
	However, at best paragraphs 71, 64, 65 of Cui describe modifying original firmware 310, and that the modified original firmware, or the fortified firmware, may include firmware memory 280. Cui does not differentiate between static rewriting of a secondary memory or dynamic rewriting of a main memory.
	Even though Cui at [0071] describes that a static and/or dynamic analysis can be performed on original firmware 310, Cui for example (in reference to Cui FIG. 2) does not describe that the static analysis is performed on the firmware memory 280 of embedded device 110, and the dynamic analysis is performed on the storage memory 270 of embedded device 110. 
	Similarly, even though Cui at [0065] describes "modification Ml-M4 can be performed in accordance with a predetermined schedule, such as when embedded device 110 is booted", modifications Ml-M4 refer to modification of original firmware 310 (refer to Cui at ¶ 59-62), and not such as where the original firmware 310 is main memory (such as storage memory 270) that is distinct from a secondary memory such as firmware memory 280. Cui therefore does not disclose or suggest "wherein the dynamic rewriting of the target application binary during runtime execution is performed on the target application binary in response to the target application being loaded into the main memory before executing the first instruction of the target application.''
Gupta does not remedy the deficiencies of Cui. At best Gupta at ¶ [0140] describes volatile memory 90 and non-volatile disk storage 95, but does not describe the sequence of any rewriting of these different storage areas, such as the sequence claimed in Applicant's independent claims.
Accordingly, the cited prior art does not disclose or suggest:
“wherein the first rewriting is performed via one of performing static rewriting of the target application binary residing in a secondary memory or performing dynamic rewriting of the target application binary residing in a main memory;
wherein the dynamic rewriting of the target application binary during runtime execution is performed on the target application binary in response to the target application being loaded into the main memory before executing the first instruction of the target application”

as claimed by the independent claims. This is not disclosed or suggested by the cited art. Therefore, claim 1 and the other independent claims are patentable and should be allowed.

Examiner’s Response:
	Examiner respectfully disagrees. As recited in claim 1, “wherein the first rewriting is performed via one of performing static rewriting of the target application binary residing in a secondary memory or performing dynamic rewriting of the target application binary residing in a main memory”. Therefore, the first rewriting is either 1) static rewriting of the target application binary residing in a secondary memory or 2) dynamic rewriting of the target application binary resigning in a main memory.
	As cited above, Cui discloses ¶ [0065] “In particular, one or more of 520, 530, and/or 540 can be performed by embedded device 110.” of FIG. 5. In particular, step 520, ¶ [0057] original firmware 310 for embedded device 110 is retrieved and ¶ [0051] “Firmware memory 280 can be used to store the firmware of embedded device 110.”. Furthermore, as cited above, Cui discloses ¶ [0071], “At 640, a static and/or dynamic analysis can be performed on original firmware 310”.
Therefore, Cui teaches that a static and/or dynamic analysis is performed on the original firmware 310 that was retrieved and stored in the embedded device 110. Thus, if the original firmware 310 is stored in storage memory 270 of FIG. 2 and/or the original firmware 310 is stored in the firmware memory 280 of FIG. 2 of embedded device 110, then static and/or dynamic analysis is being performed on the memory section of storage memory 270 and/or firmware memory 280 that original firmware 310 occupied/stored. 
Therefore, static and/or dynamic analysis is being performed on storage memory 270 and/or firmware memory 280 of embedded device 110 depending on where the original firmware 310 is stored when it is retrieved in step 520.
“wherein the first rewriting is performed via one of performing static rewriting of the target application binary residing in a secondary memory or performing dynamic rewriting of the target application binary residing in a main memory” of independent claim 1.
In addition, as cited above, Cui discloses ¶ [0065] “In particular, one or more of 520, 530, and/or 540 can be performed by embedded device 110.” of FIG. 5. In particular, step 540, ¶ [0064] “At 540, fortified firmware 320 can be installed or otherwise executed on embedded device 110 […] installing fortified firmware 320 can include flashing firmware memory 280.” and that ¶ [0065] “one or more of modifications M1-M5 can be performed by embedded device 110 at runtime. In such embodiments, modification M1-M4 can be performed in accordance with a predetermined schedule, such as when embedded device 110 is booted or every in times the embedded device is booted.”. Therefore, dynamic modification of the original firmware 310 and/or fortified firmware 320 is performed using modification M1-M4 at runtime when the fortified firmware 320 is installed/loaded and/or execute on embedded device 110.
Thus, Cui teaches the limitation “wherein the dynamic rewriting of the target application binary during runtime execution is performed on the target application binary in response to the target application being loaded into the main memory before executing the first instruction of the target application.” of independent claim 1.
Since Cui teaches each and every element as set forth in the independent claim 1, the 35 U.S.C. § 102(a)(1) rejection is maintained in view of Cui.
Applicant’s amendment to claim 9 
Applicant’s argument regarding independent claim 1 have been fully considered. However, the 35 U.S.C. § 102(a)(1) rejection is maintained.
Applicant argues that Cui fails to teach limitation(s) of independent claim 1.
In the Remark, Applicant argues:	
3. Claim 17: the cited prior art does not disclose or suggest "wherein the target application binary residing in the main memory is volatile, and the target application binary residing in the secondary memory is non-volatile"
Claim 17 claims:
"wherein the target application binary residing in the main memory is volatile, and the target application binary residing in the secondary memory is non-volatile."

Support for new claim 17 may be found within the filed specification at least at ¶ [0045].
[…]
The Examiner stated, as an example, on pages 11-12 of the Office Action that Cui describes "wherein the first rewriting is performed via one of performing static rewriting of the target application binary residing in secondary memory or performing dynamic rewriting of the target application binary residing in main memory" at the above-referenced excerpts, namely ¶ 71, 64, and 65.
However, as argued above with respect to Point 1, Cui does not differentiate between rewriting of the secondary memory and rewriting of the main memory. Much less, Cui does not differentiate between rewriting of a non-volatile secondary memory and rewriting of a volatile main memory.
At best, Cui at paragraph [0051] describes "Firmware memory 280 can be a flash ROM chip, or another similar device" and at [0064], "installing fo1tified firmware 320 can include flashing firmware memory 280." To the extent that "flashing" memory is non-volatile memory, 
Thus Cui does not disclose/suggest "wherein the target application binary residing in the main memory is volatile, and the target application binary residing in the secondary memory is non-volatile," as claimed by claim 17.
Even though Gupta at, [0140] describes volatile memory 90 and non-volatile disk storage 95, Gupta does not describe the sequence of any rewriting of these different storage areas, such as the sequence claimed in Applicant's independent claims.
Accordingly, the cited prior art does not disclose or suggest wherein the target application binary residing in the main memory is volatile, and the target application binary residing in the secondary memory is non-volatile. Claim 17, on the other hand, claims "wherein the target application binary residing in the main memory is volatile, and the target application binary residing in the secondary memory is non-volatile." This is not disclosed or suggested in the cited art. Therefore, claim 17 is patentable and should be allowed.
	(See Remark, pages 15-16)
Examiner’s Response:
	Examiner respectfully disagrees. As cited above, Cui discloses ¶ [0091] “At 1010, manager 915 can save the context of code of fortified firmware 320 in storage memory 270 and/or firmware memory 280.” and that ¶ [0051] “[…] Storage memory 270 can include RAM, flash memory, hard drive, or any other suitable type of memory. Firmware memory 280 can be a flash ROM chip, or another similar device. […]”). Therefore, the firmware 320 can be save in storage memory 270 Random Access Memory (RAM) and firmware memory 280 Read-Only Memory (ROM) in the embedded device 110 of FIG. 2. And since RAM is volatile and ROM is 
Conclusion
Applicant’s amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Binh Luu whose telephone number is (571)272-6150.  The examiner can normally be reached on M-F 9:00AM-5:00PM EST.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, WEI ZHEN can be reached on 571-272-3708.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.


/BINH LUU/
Examiner, Art Unit 2191



/WEI Y ZHEN/Supervisory Patent Examiner, Art Unit 2191