PNG
    media_image1.png
    172
    172
    media_image1.png
    Greyscale
United States Patent and Trademark Office
    
        
            
                                
            
        
    

Commissioner for Patents
United States Patent and Trademark Office
P.O. Box 1450
Alexandria, VA 22313-1450
www.uspto.gov











BEFORE THE PATENT TRIAL AND APPEAL BOARD


Application Number: 16/007,722
Filing Date: 13 June 2018
Appellant(s): Ndu et al.



__________________
Fred G. Pruner, Jr.
For Appellant


EXAMINER’S ANSWER





This is in response to the appeal brief filed on 12/14/20.

(1) Grounds of Rejection to be Reviewed on Appeal
Every ground of rejection set forth in the Office action dated 7/20/20 from which the appeal is taken is being maintained by the examiner except for the grounds of rejection (if any) listed under the subheading “WITHDRAWN REJECTIONS.”  New grounds of rejection (if any) are provided under the subheading “NEW GROUNDS OF REJECTION.”

(2) Response to Argument

Note: 
Appellant’s main argument is that the prior art does not disclose render obvious measuring, by a measurement module, after the measurement module is loaded and before loading a plurality of other modules, state information to generate a set of respective initial measurements, and comparing, by a device, a second set of measurements determined by the device with the initial measurements.  

Appellant’s main support for the alleged deficiency of the final rejection is that the hash told by Field is not subsequently used.  

The final rejection offered Field’s reference that teaches generating two hashes that are compared in order to ensure integrity of the code before the code is executed.  The examiner also offered additional references: Dellow and Pearson, both suggesting continues repetition of checking integrity of the previously checked code.  Similarly to Field, the integrity of code in Dellow and Pearson is verified by checking generated hash against the original hash of the code.

as modified, given the fact that the rejections are based on combinations of references, appellant’s arguments and support seems to rely on attacking references individually.

Claim 1 
Appeal Brief, A1, pg. 9-11:
Appellant’s ARGUMENT:
Field fails to disclose measuring, by a measurement module, after the measurement module is loaded and before loading a plurality of other modules, state information to generate a set of respective initial measurements, and comparing, by a device, a second set of measurements determined by the device with the initial measurements.
Appellant’s Support:
Field discusses validating a particular program, such as an operating system code portion, by calculating a signature, such as a hash, for the program and comparing the calculated hash to a reference hash for the program, such that if the hashes match then the program code is validated.  The hashes are compared to the reference hashes and then are no longer used.  One of ordinary skill in the art would not expect a subsequent use of the hash.  A calculated hash for the loaded program would not be subsequently compared against another measurement or hash.  
Examiner’s RESPONSE:

The claim uses conditional statement (e.g. “after” and “before”) but it is not clear how this relate to appellant’s argument.  
It is not clear whether appellant suggests that the earlier generated hash of the code is not compared with the hash that is subsequently generated for the same code or whether appellant has something else in mind.
As noted by appellant “measuring, by a measurement module, after the measurement module is loaded and before loading a plurality of other modules, state information to generate a set of respective initial measurements, and comparing, by a device, a second set of measurements determined by the device with the initial measurement” in Field’s teaching (as well as appellant’s invention) involves validation of the code by comparing generated hash the code with the previously generated hash of the code.
Hashing code results in generating a plurality of 0 and 1 values that, as a string, uniquely representing the particular code.  These strings are red and the string values are compared in order to ascertain whether the codes which supposed to be unchanged, indeed have not been tempered with.
This is exactly what Field’s invention attempts to do.  It aims to ensure integrity of a Kernel by checking value of Kernel’s hash with the retrieved value of the previously generated Kernel’s hash.

(Note that Field discusses digital signature and, as recognized by appellant and articulated by Field as well as other prior art, digital signature verification includes hash comparison.)
Reviewing appellant purpose of the invention (as indicated in para 14 of the corresponding USPUB 2019/0384918 publication: “the scanning engine 140 can continually re-measure those kernel parts (symbols) and can take remedial action based on a policy set by a customer in the policy engine 150”); however, the claim does not suggest using again or “subsequent use” (to use appellant’s wording) any particular entity cited in the claim language.  
(Appellant briefly mentions “monitoring” in the last paragraph of pg. 11: “claim 1 does not merely recite …, however, as claim 1 recites numerous actions … such as action pertaining to monitoring respective stat information …”, that potentially could be interpreted as the purpose of the invention noted in appellant’s specification.)
Perhaps, appellant actually attempts to argue the claimed monitoring, the process of which continues to involve comparison of hashes (the second set measurements with the initial measurements).  

In fact, this is why the final rejection relied on additional, Dellow (para 45) (USPUB 20050182919) reference, who expressly suggested continuous (every five minutes) integrity checking of the code with signature/hash verification/comparison.
Pearson (USPUB 20180239895) was offered as a second prior art reference that suggested continues monitoring integrity of programs (Abstract) with the various fragments of disclosure (e.g. para 37, 57 and 38-40), clarifying that this continuous verification involves hash verification  
For more intuitive presentation, the examiner invites the board to a quick review of the signature/hash as pertaining to a computer code integrity verification.
Applying a hash function to computer module/measurement/code/etc. the system generates hash of the code.  The hash is a unique representation of the code.  
Because of this uniqueness, any other code or the code that was changed will have different hash.  
Thus, generating the hash of the code at one point of the time, then generating the hash of the same code at another time allows to see whether any changes (e.g. due to the malicious security event such as virus) occurred within the code.  
Dellow’s and Pearson’s inventions aiming to ensure code integrity by continues hash comparison (see Pearson’s Abstract, para 2-4, 10, 12, 38-41, etc., for example).
In other words, Dellow’s and Pearson’s teaching of continues comparison of the generated hash to continuously derived/generated hash, clearly addresses “the subsequent” use of the hash.  
As noted before, given the fact that hash is a unique representation of the code, the continually generated hash of the code would have to be compared with the previously generated code in order to identify any changes.  Note that the final office action offered motivation to combine Field and Dello/Pearson references.

Appeal Brief, A1, pg. 11-12:
Appellant’s ARGUMENT:
Field does not address numerous actions that are performed by the claimed device in claim 1.
Appellant’s Support:
Appellant argues that a baseboard management controller taught by Jacobs does not address the alleged deficiency of Field’s teaching that were discussed above.
Examiner’s RESPONSE:
While the rejections are based on combinations of references, appellant’s arguments and support include attacks on references individually.
Note that in the final rejection Jacobs was offered as additional reference, which expressly taught a device (baseboard management controller) separate from the processor, which received data to be compared in secure environment.  
Jacobs was not to address all the (“numerous) limitations (“actions”) of claims 1.
Claim 7 and 19 

Appeal Brief, A2, pg. 12-13:
Appellant’s ARGUMENT:

Field does not disclose measuring, by a measurement module, respective baseline measurements and sending the respective baseline measurement to the device.

Appellant’s Support:
A secure boot in which a hash for program code to be loaded is compared against a reference signature hash for the program code, the loads does not calculate, measure or determine a baseline measurements and the final office action also fails to present any plausible reason why the measurement would be sent to a device for subsequent comparisons or why this measurement would be otherwise used as a baseline measurement.

Examiner’s RESPONSE:

The argument is not understood.  There is no “secure boot” in the claim language and para 8-9 of the final office action offered two different interpretation of the argued claims. 
First, various different elements of Field’s disclosure could be interpreted as “other modules”, e.g. executable files that are executed after verification of kernel code.  While Field teaches the integrity check of these “other modules”, para 48-55 once again clarify that such integrity check involves calculating, measuring or determining a baseline measurements (in comparing signature/hashes).
Furthermore, note that in the rejection the examiner offered additional reference, Jacobs, expressly teaching a device (baseboard management controller) that is separate from the processor, which receives data to be compared in secure environment.  



Appeal Brief, A3, pg. 13:
Claims 2, 5, 6, 8-10, 13, 14 and 16-18 

Appellant’s ARGUMENT:

Claims 2, 5, 6, 8-10, 13, 14 and 16-18 should be reversed for at least the same reasons as the claims [claim 1] from which they depend.


Examiner’s RESPONSE:

As addressed above, Field teaches the alleged deficiencies and, as a result, based on these arguments the rejection of claims 2, 5, 6, 8-10, 13, 14 and 16-18 should not be reversed.

Appeal Brief, B1, pg. 14-15:
Claims 1 and 12 

Appellant’s ARGUMENT:

Shah fails to cure the previously argued deficiency of Field, e.g. Shah providing a set of initial measurement’s measured by measurement module in the specific sequence set forth in claim 1..

Appellant’s Support:

Shah’s Fig. 5 and the associated text does not address state information to determine a second set of measurements, comparing by the device, the second set of measurements with the claimed initial measurements; determining by the device, that there is a violation based on the comparison, or performing, by the device, a security action based on the determination of the violation.

Examiner’s RESPONSE:

Once again, while the rejections are based on combinations of references, appellant’s arguments and support include attacks on references individually.
Specifically, the arguments were argued against and addressed with Field’s reference above. The rejection did not rely on Shah to address these particular argued limitations. 

Specifically, Field’s kernel reasonably satisfies the broadest reasonable interpretation of the kernel code and the module code.  This is because a skilled in the art would appreciate that particular code includes plurality of codes, the concept that is expressly illustrated by Shah’s Fig. 5 (Kernel including Kernel information, Kernel instructions, etc.) that was used in the alternative interpretation of the claimed limitation.  
Thus, the examiner concluded that even if more specific interpretation of claimed limitation was required, including known entities: kernel code and module code such as expressly taught by Shah into Field’s kernel verification would have been obvious given the predictable benefit of computer security.
 
Claims 1 and 12  

Appeal Brief, B1, pg. 15-16:
Appellant’s ARGUMENT:

Jacobs and Zimmer fail to cure the previously argued deficiency of Field, e.g. generating a set of respective initial measurement.
Appellant’s Support:
While Jacobs discusses baseboard management controller verifying a digital signature of a “blob” which “is encrypted and digitally signed” does not address but claim 1 is more than mere “integrity monitoring” and as such, fails to teach a device measuring stat information, comparing the second set of measurements with the initial measurements with the initial measurements, determining by the device that there is a violation based on the comparison, and performing security action based on the determination of the violation. 
Examiner’s RESPONSE:

Once again, while the rejections are based on combinations of references, appellant’s arguments and support include attacks on references individually.
These arguments were argued against, and addressed with, Field’s reference above. The rejection did not rely on Jacobs and Zimmer to address these particular argued limitations. 
While Field’s addressed the argued limitations of verifying/comparing signatures/hashes, Jacobs and Zimmer were offered as additional elements to expressly illustrate that having a device that is separate from the processor, which receives data to be compared in secure environment would have been obvious.  



Appeal Brief, B2, pg. 17-18:
Claims 1 and 12 

Appellant’s ARGUMENT:

Dellow does not disclose the instruction monitor being sent an initial set of measurement obtained in the specific sequence set forth in claim 1, generating a second set of measurement and comparing the initial set of measurement to the second set of measurements but merely compares a hash of instruction parameters to a stored signature.

Appellant’s Support:
Dellow merely compares a hash of instruction parameters to “a stored signature” and does not fail to cure the deficiencies of Field, Shah, Jacobs and Zimmer. 

Examiner’s RESPONSE:




Appeal Brief, B2, pg. 18-19:
Claims 7 and 19 

Appellant’s ARGUMENT:

Field fails to disclose obvious the elements that are introduced in claims 7 and 19 and Neither Field, Shah, Jacobs, Zimmer and Dellow disclose the previously argued limitations.  
Appellant’s Support:
As discussed above, Field failed to disclose or render obvious the element that are introduced in claim 7 and 19 and none of Shah, Jacobs, Zimmer and Dellow disclose or render measuring, by the claimed module, respective baseline measurement and sending the respective baseline measurement to a device.

Examiner’s RESPONSE:

The allegations are merely a statement without a clear indication of the prior art deficiencies and, as a result, it is understood that these arguments are directed towards the previously argued limitations, which were addressed above.



Appeal Brief, B3, pg. 19:
Claims 2, 5, 6, 8-10, 13, 14 and 16-18 

Appellant’s ARGUMENT:

Clams 2, 5, 6, 8-10, 13, 14 and 16-18 overcome the corresponding 103 rejection for the same reasons as the claims from which they depend.
Examiner’s RESPONSE:

Given the fact that the claims from which claims 2, 5, 6, 8-10, 13, 14 and 16-18 depend on does not overcome 103 rejection, the dependent claims are also subject to this rejection.



Appeal Brief, C1, pg. 20-22:
Claims 1 and 12 

Appellant’s ARGUMENT:

Pearson fail to teach hardware module sending an initial set of measurements or comparing this initial set of measurements against a second set of measurements derived by the hardware module for purposes of the integrity monitoring of the kernel.
Appellant’s Support:
Pearson continually verifies the cryptographic signatures of the modules abut fails that these cryptographic signatures are initial measurements acquired at load time.

Examiner’s RESPONSE:

Appellant’s arguments are directed towards the limitations addressed by Field not Dellow.  Thus, appellant’s argument are essentially addressed by the response to argument directed towards Field’s teaching, above.



Appeal Brief, C2, pg. 22-23:
Claims 7 and 19 

Appellant’s ARGUMENT:

Field in view of Shah, Jacobs, Zimmer and Pearson fails to disclose the elements that are introduced in claims 7 and 19.  The Office Action fails to address the specific elements of claims 7 and 19 and, as a result, rejection should be reversed.
Appellant’s Support:
Pearson compares a module to a predetermined cryptographic signatures at various time but does not contemplate taking an initial baseline measurement or sending the baseline measurement or a device for comparison with other measurements.

Examiner’s RESPONSE:


This being said, an incorrect statement was presented in the allegation.  In the art, the integrity of the system is not to compare module/measurement/code/etc. to their signature/hash but to the previously originally generated signature/hash of the module/measurement/code/etc.  
This is because code and its hash are not the same things.  The hash is generated applying the code to a hash algorithm which generates a unique representation of the code.  The important thing to notice is that the hash is unique to the particular code from which it is derived.  Any other code or the code that has been changed will yield another hash.  Thus, generating the hash of the code at one point of the time, then generating the hash of the same code at another time allows to see whether any changes (e.g. due to the malicious security event such as virus) occurred within the code.  It is done by comparing the previously generated hash to the hash generated at the later point of time.
Pearson’s invention is aiming to ensure code integrity by continues hash comparison (see Abstract, para 2-4, 10, 12, 38-41, etc.).
Furthermore, as per a skilled in the art would readily appreciate that the comparison is completed by a device, and more express recitation of the claimed device was addressed with other, additional references. 


Appeal Brief, C3, pg. 23:
Claims 2, 5, 6, 8-10, 13, 14 and 16-18 

Appellant’s ARGUMENT:

Clams 2, 5, 6, 8-10, 13, 14 and 16-18 overcome the corresponding 103 rejection for the same reasons as the claims from which they depend.
Examiner’s RESPONSE:

Given the fact that the claims from which claims 2, 5, 6, 8-10, 13, 14 and 16-18 depend on does not overcome 103 rejection, the dependent claims are also subject to this rejection.

Appeal Brief, D, pg. 23-25:
Claims 11 and 20 

Appellant’s ARGUMENT:

The Final Office Action fails to identify any specific section(s) or element(s) of Nishida that purportedly disclose or render obvious the elements that are introduced in claim 11. 
Appellant’s Support:
Nishida fails to disclose or render obvious determining or generating an initial measurement by a measurement module, where this measurement occurs according to a specific sequence: after the measurement module is loaded and before loading a plurality of other modules, state information corresponding to symbols to generate a set of initial measurements that include such information.
Nishida cited for the general disclosure of a purported measurement that includes information about a location and size of the measurement fails to set forth any plausible reason why a skilled artisan would have modified Field’s determination of a hash for an operating system code section to be loaded and include size of location information for this operating code section and although the Office Action follow Field’s deficiencies with the statement that “Nishida suggest such solution” the Final Office Action fails to explain what is the purported “solution”.

Examiner’s RESPONSE:

Once again, while the rejections are based on combinations of references, appellant’s arguments and support include attacks on references individually.
The argued limitation “determining or generating an initial measurement by a measurement module…” were addressed with different art (not with Nishida), especially in respect to similar arguments above.

15. Field as modified teaches respective initial measurements include hashes of the respective state information with corresponding symbols but fails to teach the respective initial measurements including a location of the respective symbol in the memory and a size of the respective state information associated with the symbol.
16. However, Nishida suggest such solution (see para 27-28, for example).  It would have been obvious to one of ordinary skill in the art before the effective filling date of the invention to include known solution as taught by Nishida into Field as modified invention given the predictable benefit of falsification detection.
For the board’s convenience, the solution is emphasized with the bold and underlined fonts.

Appeal Brief, E & F, pg. 25-26:
Claims 11 and 20 

Appellant’s ARGUMENT:



Examiner’s RESPONSE:

Appellant’s statement is incorrect.  
The rejection of claims 11 and 20 relies on Field in view of Shah, Jacobs and Zimer, and further view of Nishida.  In fact, prior to discussing Nishida reference, the previous paragraph refers to Field’s as modified teaching.
Furthermore, para 16 of the final rejection expressly offers motivation to combine:

“It would have been obvious to one of ordinary skill in the art before the effective filling date of the invention to include known solution as taught by Nishida into Field as modified invention given the predictable benefit of falsification detection”.


For the above reasons, it is believed that the rejections should be sustained.
Respectfully submitted,

                                                                                                                                                                                                        
Conferees:

/ELLEN TRAN/Primary Examiner, Art Unit 2433     

/JEFFREY C PWU/Supervisory Patent Examiner, Art Unit 2433                                                                                                                                                                                                        

Requirement to pay appeal forwarding fee.  In order to avoid dismissal of the instant appeal in any application or ex parte reexamination proceeding, 37 CFR 41.45 requires payment of an appeal forwarding fee within the time permitted by 37 CFR 41.45(a), unless appellant had timely paid the fee for filing a brief required by 37 CFR 41.20(b) in effect on March 18, 2013.