Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Claims
Claims 1, 8, and 15 have been amended. Claims 1-20 are rejected and pending in the application. This action is Final.

Response to Arguments
Applicant Argues 
Without conceding the propriety of the rejection, and in a genuine effort to advance prosecution of the instant application, claims 1, 8, and 15 have each been amended to recite “receiving, by a database connector having a taint extension, a SQL request from an application, the database connector provided within an application server that executes the application and enabling communication between the application and a database that is external to the application server, the taint extension provided as a wrapper to the database connector and exclusively executing taint-processing changes in response to received SQL requests…etc.”

Examiner Responds:
Applicant's 35 USC § 103 arguments with respect to claims 1-20 have been considered but are moot in view of the new ground(s) of rejection.

Claim Rejections – 35 USC § 103

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.


Claims 1, 2, 3, 4, 5, 7, 8, 9, 10, 11, 12, 14, 15, 16, 17, 18, and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Johns et al. U.S. Patent Publication (2017/0318045; hereinafter: Johns) in view of Orso et al. Non Patent Publication (“Using positive tainting and syntax-aware evaluation to Counter SQL injection attacks”, 2006; hereinafter: Orso) and further in view of Davis et al. Non Patent Publication (“DBTaint: Cross-Application Information Flow Tracking via Databases”, 2010; hereinafter: Davis)

Claims 1, 8, and 15
As to claims 1, 8, and 15, Johns discloses a system, comprising: 
a computing device (paragraph[0074], “The described functionality may be performed by custom hardware components containing hardwired logic for performing operations, or by any combination of computer hardware and programmed computer components…etc.”); and 
a computer-readable storage device coupled to the computing device and having instructions stored thereon which, when executed by the computing device, cause the computing device to perform operations for persisting taint information, the operations comprising (paragraph[0080], “The web application server 105 also includes one or more memory systems 454 in communication with the one or more processors 452 via one or more communication mediums…etc.”): 
receiving, by a database connector having a taint extension, a SQL request from an application, (paragraph[0054]-paragraph[0055], “Transfer Protocol ("CTTP") request and responses 224 from one environment (client or server) to the other across an HTTP transport link 223. During code execution, the taint flows may be tracked. As soon as a message containing potentially tainted data leaves one environment and reaches the other…etc.”, the reference describes a client (i.e., a database connector) receiving a message attached with taint information (i.e., a taint extension) from an application (e.g., figure 2). The reference describes the request as being a SQL command (e.g., paragraph[0023], “Networked applications, and especially web applications, often employ a varying amount of heterogeneous computer languages, such as programming languages (e.g., Java, PHP, C#), query languages (e.g., SQL…etc.”); 
sending, by the taint extension, the SQL request to a SQL parser (paragraph[0055]-paragraph[0056], “the receiving environment can first parse the taint information and apply it to the received string data in the message. After this operation, the content of the network transfer protocol message can be processed at one or more corresponding parsers…etc.”); 
receiving, by the taint extension, a structural representation of the SQL request from the SQL parser (paragraph[0055]-paragraph[0056], “the receiving environment can first parse the taint information and apply it to the received string data in the message. After this operation, the content of the network transfer protocol message can be processed at one or more corresponding parsers…etc.”, the reference describes a taint engine (i.e., the taint extension) receiving SQL request (e.g., paragraph[0057], “a tainted SQL keyword (such as SELECT or UPDATE) can be an instance of a SQL injection.”) from the server’s parser.);
adding, by the taint extension, taint information corresponding to data within the SQL request to provide an enhanced SQL statement (paragraph[0057], “The embodiments of the server-side and client-side parsers described in this disclosure can be taint-aware and are adapted to handle HTTP data as a prerequisite for applying the communicated taint information to the received HTTP data…etc.”); 

Johns does not appear to explicitly disclose  
the database connector provided within an application server that executes the application and enabling communication between the application and a database that is external to the application server, the taint extension provided as a wrapper to the database connector and exclusively executing taint-processing changes in response to received SQL requests
transmitting, by the database connector, the enhanced SQL statement to a database for storing the taint information with the data.

However, Orso discloses the database connector provided within an application server that executes the application and enabling communication between the application and a database that is external to the application server (figure 2, Section: 4. Implementation, “Module STRING CHECKER performs syntax-aware evaluation of query strings right before the strings are sent to the database…etc.”), the taint extension provided as a wrapper to the database connector and exclusively executing taint-processing changes in response to received SQL requests (figure 2, Section: 4.3 Handling False Positives, “When in learning mode, WASP adds an additional unique taint marking to each string in the application. Each marking consists of an ID that maps to the fully qualified class name, method signature, and bytecode offset of the instruction that instantiated the corresponding string. If WASP detects an SQLIA while in learning mode, it uses the markings associated with the untrusted SQL keywords and operators in the query to report the instantiation point of the corresponding string(s)….etc.” and Section: 4.4 Syntax-Aware Evaluation, “The STRING CHECKER module performs syntax-aware evaluation of query strings and is invoked right before the strings are sent to the database….etc.”). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to a person having ordinary skill in the art to which said subject matter pertains to have modified the teachings of Johns with the teachings of Orso to provide a taint system to execute SQL statements, which would result in the claimed invention. The skilled artisan would have been motivated to improve the teachings of Johns with the teachings of Orso to provide a highly automated approach for protecting existing Web applications against SQL injection.

The combination of Johns and Orso does not appear to explicitly disclose transmitting, by the database connector, the enhanced SQL statement to a database for storing the taint information with the data.

However, Davis discloses transmitting, by the database connector, the enhanced SQL statement to a database for storing the taint information with the data (2.2.1 Storing Taint Data, “Many databases support composite data types, where each data cell may store a tuple of data. We used this feature to store taint information alongside associated data values, allowing DBTaint to use the well-understood SQL API for interacting with these taint values…etc.”, the reference describes the system storing a rewritten query with taint information (i.e., the enhanced query as described in Johns) into a database. The Examiner interprets the client (i.e., database connector) in Johns as being able to transmit the enhanced query to the database described in Davis.). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to a person having ordinary skill in the art to which said subject matter pertains to have modified the teachings of Johns with the teachings of Orso and Davis to provide a database to store taint data, which would result in the claimed invention. The skilled artisan would have been motivated to improve the teachings of Johns with the teachings of Orso and Davis to provide information flow tracking in databases to enable cross-application information flow tracking (Davis: Abstract).

Claims 2, 9, and 16
As to claims 2, 9, and 16, the combination of Johns, Orso, and Davis discloses all the elements in claim 15, as noted above, and Davis further discloses wherein operations further comprise:
receiving, by the database connector, a query result (2.2.2 Operating on Taint Data, “We provide the database functions getval() and gettaint() to extract the data and taint values from a DBTaint tuple…etc.”); 
processing, by the taint extension, the query result to combine taint meta-data with one or more string values to provide a taint-aware query result (2.4 Database Client-Server Integration, “Rewrite all queries to add additional placeholders for taint values associated with the data values, and to add appropriate taint values where appropriate…etc.”); and 
returning the taint-aware query result to the application (2.4 Database Client-Server Integration, “When retrieving the composite tuples from the database, collapse them into appropriately tainted data values then return them to the Web application…etc.”).

Claims 3, 10, and 17
As to claims 3, 10, and 17, the combination of Johns, Orso, and Davis discloses all the elements in claim 15, as noted above, and Davis further discloses wherein the SQL request comprises a write statement, and in response, unfolding is performed to separate the data and the taint information (3.3.2 JDBC, “INSERT INTO messages (msg) VALUES (ROW(’first post’, 1)) We use Zql [5], a Java SQL parser, to parse the queries so they can be rewritten in DBTaint. R…etc.”, the reference describes using a parser (i.e., unfolding) after detecting an insert tainted SQL statement (i.e., write command).).

Claims 4, 11, and 18
As to claims 4, 11, and 18, the combination of Johns, Orso, and Davis discloses all the elements in claim 15, as noted above, and Davis further discloses wherein the SQL request comprises a read statement (paragraph[0015], the reference describes SQL select statements as a request), and in response, folding is performed to combine the data and the taint information (paragraph[0054], “As soon as a message containing potentially tainted data leaves one environment and reaches the other (e.g., in the form of HTTP requests or responses), the taint information that applies to the message may be serialized in a fitting container format and added to the message…etc.”).

Claims 5, 12, and 19
As to claims 5, 12, and 19, the combination of Johns, Orso, and Davis discloses all the elements in claim 15, as noted above, and Davis further discloses wherein the taint extension reserializes the data and the taint information to provide the enhanced SQL query (paragraph[0054], “the taint information that applies to the message may be serialized in a fitting container format and added to the message…etc.”).
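The following is an added illustration of the claim elements discussed above (the taint extension wrapping the connector, syntax-aware evaluation of the parsed request, unfolding on write, folding on read, and reserialization into an enhanced statement); it is not code from the application or from Johns, Orso, Davis, or Nethercote. The parser is a toy tokenizer, the database is an in-memory stand-in that keeps (value, taint) composite cells in the ROW(value, flag) form quoted from Davis, and every class, function, and table name is hypothetical.

```python
# Added example, not code from the application or the cited references.
# A taint extension wraps a database connector: it parses each SQL request,
# rejects requests whose untrusted fragments reach a keyword, identifier or
# operator (syntax-aware evaluation), rewrites write statements so the database
# stores taint beside each value (composite cells), and folds taint back onto
# values read from the database. All names are hypothetical.
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Fragment:
    """A piece of a SQL request (or of a result) carrying its own taint mark."""
    text: str
    tainted: bool = False          # True: originated from an untrusted source


@dataclass(frozen=True)
class Token:
    """One node of the structural representation returned by the parser."""
    kind: str                      # keyword | ident | literal | op
    text: str
    tainted: bool
    start: int
    end: int


KEYWORDS = {"SELECT", "INSERT", "INTO", "VALUES", "FROM", "WHERE", "OR", "AND", "DROP", "TABLE"}
TOKEN_RE = re.compile(r"'(?:[^']|'')*'|\w+|[^\s\w]")


def parse(fragments):
    """Toy SQL parser: concatenates the fragments and returns (text, tokens),
    each token keeping the taint of the characters it was built from."""
    text = "".join(f.text for f in fragments)
    taint_map = [f.tainted for f in fragments for _ in f.text]   # one flag per character
    tokens = []
    for m in TOKEN_RE.finditer(text):
        t = m.group(0)
        if t.startswith("'"):
            kind = "literal"
        elif t.upper() in KEYWORDS:
            kind = "keyword"
        elif re.fullmatch(r"\w+", t):
            kind = "ident"
        else:
            kind = "op"
        tokens.append(Token(kind, t, any(taint_map[m.start():m.end()]), m.start(), m.end()))
    return text, tokens


def enhance(text, tokens):
    """Reserialize: replace each literal with ROW(literal, taint) so the
    database stores the taint information with the data."""
    out, pos = [], 0
    for t in tokens:
        if t.kind == "literal":
            out.append(text[pos:t.start] + f"ROW({t.text}, {int(t.tainted)})")
            pos = t.end
    out.append(text[pos:])
    return "".join(out)


class CompositeDatabase:
    """Stand-in for the external database: one table of (value, taint) cells."""
    ROW_RE = re.compile(r"ROW\(('(?:[^']|'')*'), ([01])\)")

    def __init__(self):
        self.cells = []

    def execute(self, enhanced_sql):
        if enhanced_sql.upper().startswith("INSERT"):
            for lit, flag in self.ROW_RE.findall(enhanced_sql):
                self.cells.append((lit[1:-1].replace("''", "'"), flag == "1"))
            return []
        return list(self.cells)               # SELECT: hand back the composite cells


class TaintExtension:
    """Wrapper around the connector's database; performs only taint processing."""

    def __init__(self, db):
        self.db = db

    def execute(self, fragments):
        text, tokens = parse(fragments)
        if not tokens:
            raise ValueError("empty request")
        # Syntax-aware evaluation: untrusted input may only form literal values.
        for t in tokens:
            if t.tainted and t.kind != "literal":
                raise ValueError(f"tainted {t.kind} {t.text!r}: possible SQL injection")
        verb = tokens[0].text.upper()
        if verb == "INSERT":                   # write: unfold data and taint into composite cells
            self.db.execute(enhance(text, tokens))
            return []
        if verb == "SELECT":                   # read: fold taint back onto each returned value
            return [Fragment(v, tainted) for v, tainted in self.db.execute(text)]
        raise ValueError(f"unsupported statement {verb!r}")


def demo():
    """Store one untrusted and one trusted message, then read both back tainted."""
    ext = TaintExtension(CompositeDatabase())
    user_input = Fragment("first post", tainted=True)            # constructed untrusted value
    ext.execute([Fragment("INSERT INTO messages (msg) VALUES ('"), user_input, Fragment("')")])
    ext.execute([Fragment("INSERT INTO messages (msg) VALUES ('system notice')")])
    return ext.execute([Fragment("SELECT msg FROM messages")])
```

Running `demo()` returns the two stored messages as fragments, the first still marked tainted after its round trip through the database; a request whose untrusted fragment supplies an `OR` keyword is refused by the extension before anything reaches the database.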

Claims 7 and 14
As to claims 7 and 14, the combination of Johns, Orso, and Davis discloses all the elements in claim 15, as noted above, and Johns further discloses wherein the database connector comprises an application programming interface (API) (paragraph[0020], “This process 100 begins by receiving a uniform resource locator ("URL") 101 from a user at a web browser 102 of a client system 103 that is running a web application 112…etc.”).

Claims 6, 13, and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Johns et al. U.S. Patent Publication (2017/0318045; hereinafter: Johns) in view of Orso et al. Non Patent Publication (“Using positive tainting and syntax-aware evaluation to Counter SQL injection attacks”, 2006; hereinafter: Orso) and further in view of Davis et al. Non Patent Publication (“DBTaint: Cross-Application Information Flow Tracking via Databases”, 2010; hereinafter: Davis) and further in view of Nethercote et al. Non Patent Publication (“How to Shadow Every Byte of Memory Used by a Program”, 2007; hereinafter: Nethercote)

Claims 6, 13, and 20
As to claims 6, 13, and 20, the combination of Johns, Orso, and Davis discloses all the elements in claim 15, as noted above, but does not appear to explicitly disclose wherein the taint information is stored within one of shadow tables, and shadow columns within the database.

However, Nethercote discloses wherein the taint information is stored within one of shadow tables, and shadow columns within the database (3.1. Shadow Memory Data Structure, “Memcheck’s main shadow memory data structure is a two-level table…etc.”, the reference describes using a shadow memory data structure to create a table (i.e., shadow tables). The Examiner interprets the table as having columns.). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to a person having ordinary skill in the art to which said subject matter pertains to have modified the teachings of Johns with the teachings of Davis, Orso, and Nethercote to provide a shadow data structure, which would result in the claimed invention. The skilled artisan would have been motivated to improve the teachings of Johns with the teachings of Davis, Orso, and Nethercote to provide an efficient and robust system for storing and detecting critical errors in memory (Abstract: Nethercote).

Final Rejection
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action.



Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to DAWAUNE A CONYERS whose telephone number is (571)270-3552.  The examiner can normally be reached on M-F 8:00am-4:30pm EST.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Neveen Abel-Jalil can be reached on (571) 270-0474.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
/DAWAUNE A CONYERS/Primary Examiner, Art Unit 2152


Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000