DETAILED ACTION

The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
This final office action is responsive to the amendments filed on 01/26/2021.
Claims 1-27 are pending.

Response to Amendment

Applicant has amended independent claims 1, 10, 19 and dependent claims 9, 18, 27 to include new/old limitations in a form not previously presented necessitating new search and considerations.  


Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


Claims 1-27 are rejected under 35 U.S.C. 112 (b), as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor regards as the invention.

The following claim language is not clearly understood:
Claim 1 “determining, by the hypervisor, the internal address”. It is unclear which address is “internal address” and if there is external address that is determined by components other than hypervisor. Also, if the internal address is same or different from address in the export table as recited in claim 9.
Claims 10 and 19 recites elements of claim 1 and have similar deficiency as claim 1. Therefore, they are rejected for the same rational. Remaining dependent claims are also rejected due to their dependency on the rejected independent claims.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:

A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.


Claims 1-27 are rejected under 35 U.S.C. 103 as being unpatentable over Lin et al. (US Pub. No. 2015/0033227 A1, hereafter Lin) in view of Lutas et al. (US Pub. No. 2016/0048679 A1, hereafter Lutas).
Lin was cited in the last office action.


Highlighted claim elements are missing from the respective cited prior art.

As per claim 1, Lin teaches the invention substantially as claimed including a method for a hypervisor (fig 11 virtualization layer 210) to dynamically discover internal address information of a guest kernel on a virtual machine (fig 11 kernel space secure VM 206 [0124] resolving, kernel virtual address [0144] identified a given kernel address x), the method comprising: 
locating, by the hypervisor, a kernel system call ([0123] kernel system call context identification component 214, identifies, target process/thread, kernel space, pin point, system call [0129] specific system call context may be identified, fig 11 214 syscall 220) or an exported function ([0129] exported OS services, user process, invokes system calls to requests OS services e.g. file access [0130] SVM 206 monitors the instructions executed, entering/existing, system call) in an image of the guest kernel in guest memory of the virtual machine (fig 11 secure VM 206 kernel space memory kernel global/heap data 222 224 [0135] user/kernel level stack data), wherein the guest memory corresponds to virtual memory allocated by the hypervisor (fig 11 memory, VMM 210, SVM 206 [0003] virtualization layer, virtual machine, share, physical resources, computer [0054] [0054] virtualizes, hardware resources, observed and controlled, VMM layer); 
disassembling ([0108] introspection system, execution, instruction, disassemble it), by the hypervisor (fig 11 VMM 210 SVM 206 system call 220), machine code ([0023] fig 2, raw data bits/bytes, obtained, machine introspection [0024] VMI, pull, state, VMM, in order to obtain high level information) of the kernel system call (fig 11 system call 220 [0123] system call [0129] system call context) or the exported function in the image ([0129] exported OS services, user process, invokes system calls to requests OS services e.g. file access [0130] SVM 206 monitors the instructions executed, entering/existing, system call) into assembly code; 
detecting, by the hypervisor, a pattern from memory references in the assembly code ([0143] analyzing, instruction sequences, instruction sequence patterns; fig 13 byte sequence “55 ba 00 … f6 5d c3”); and 
after detecting the pattern ([0143] instruction sequence patterns), determining, by the hypervisor, the internal address information of the guest kernel from the assembly code ([0143] instruction sequence, sequence of kernel synchronization primitives [0144] having identified a given kernel address x in the system call fig 13 spin lock in 2.6.34 [0124] resolving, kernel virtual address [0120] fig 12 system calls, kernel parameters).

Lin doesn’t specifically teach disassembling by the hypervisor machine code into assembly code, detecting by hypervisor pattern, determining, by the hypervisor, the internal address from the assembly code.

Lutas, however, teaches disassembling by the hypervisor machine code into assembly code ([0058] disassembling an instruction comprises parsing the machine code representation of the instruction, carried out by instruction decoder 30 and/or by execution unit 36 [0057] translation between representation assembly language representation 45 and machine code representations 47 [0031] hypervisor, control, processor), detecting by hypervisor pattern ([0058] disassembling, instruction, parsing, machine code, identify instruction encoding fields, extracting content of individual encoding fields, carried out by instruction decoder 30 and/or by execution unit 36, [0031] hypervisor, control, processor), determining, by the hypervisor, the internal address from the assembly code ([0041] fig 4, hypervisors, virtual memory space, host virtual address, reference host physical address, dedicated data structure and mechanism [0057] fig 7 assembly language representation 45, processor, content stores in memory at virtual address EBX+4*ECX+0x2, [0031] hypervisor, control, processor).
It would have been obvious to one of ordinary skills in the art before the effective filing date of the invention was made to combine the teachings of Lin with the teachings of Lutas of disassembling machine code and translation between assembly and machine code carried out by instruction decoder/execution unit in the processor controlled by the hypervisor, detecting field/pattern by hypervisor, hypervisor refereeing to the address in the assembly language representation to improve efficiency and allow disassembling by the hypervisor machine code into assembly code, detecting by hypervisor pattern, determining, by the hypervisor, the internal address from the assembly code to the method of Lutas as in the instant invention. The combination of analogous cited prior art (Lin [0003] Lutas [0002]) would have been obvious because applying the known method of translating between assembly and machine code by execution unit of processor, detecting field and referring to address in the assembly code, wherein the processor is controlled by the hypervisor as taught by Lutas to the known method of discovering system call using introspection to yield predictable results of disassembling by the hypervisor machine code into assembly code, detecting by hypervisor pattern, determining, by the hypervisor, the internal address from the assembly code with 
 
As per claim 2, Lin teaches detecting a pattern comprises detecting a call to a specific exported function with an internal global data as a parameter for the exported function ([0143] analyzing the instruction sequence, executing a function prologue, sequence of kernel synchronization primitive, spin lock [0124] intercept the data access of in-guest kernel global data, kernel heap data, system call gets executed); and 
the internal address information comprises an address of the internal global data ([0124] memory mapping and address resolution 218 fig 11 kernel global data 222 fig 13  ebp [0088] ebp, wihin kernel address space).  

As per claim 3, Lin teaches tracking a register in the assembly code ([0137] track, data, directly, indirectly, kernel stack pointer), wherein determining the internal address information of the guest kernel from the assembly code comprises looking up a value stored in the register ([0128] each process at kernel level, unique kernel stack, isolate thread execution context at kernel level, kernel stack pointer esp register; fig 13 [0099] translation lookaside buffer, address translation) after detecting the call to the exported function ([0143] analyzing, instruction sequences, instruction sequence patterns; fig 13 byte sequence “55 ba 00 … f6 5d c3”).  

As per claim 4, Lin teaches detecting a pattern comprises detecting a call to an internal function ([0143] analyzing, instruction sequences, instruction sequence patterns, fig 13 byte sequence “55 ba 00 … f6 5d c3”) with a specific exported global data as a parameter for the internal function ([0122] program_out= code_out(user data, kernel data fig 13 mv ebp, esp)  ; and 
the internal address information comprises an address of the internal function ([0143] instruction sequence, sequence of kernel synchronization primitives [0144] having identified a given kernel address x in the system call fig 13 spin lock in 2.6.34).  

As per claim 5, Lin teaches further comprising tracking a register in the assembly code ([0028] monitoring, automatically identify, introspection related data, in-guest kernel memory, introspection code [0077] track registers), wherein detecting a call comprises detecting an address of the exported global data being loaded in the register followed by the call to the internal function ([0028] introspection, perform read operations, kernel, in-guest memory [0061] storing/restoring the context state, registers [0088] global addresses, propagations to registers [0126] control register, differentiate the process execution context).  

As per claim 6, Lin teaches detecting a pattern ([0143] analyzing, instruction sequences, instruction sequence patterns, fig 13 byte sequence “55 ba 00 … f6 5d c3”) comprises detecting the kernel exported function returning a value at an offset in an internal data structure (fig 13 pop ebp ret [0143] executing a function).
Lutas teaches remaining claim elements of the internal address information comprises the offset of a field in the internal data structure ([0038] address translation data structure and/or address translation mechanism of processor, guest physical address, uniquely attached to a guest VM [0039] guest virtual addresses fig 4 62-64-66 [0046] memory address fig 7).  

As per claim 7, Lin teaches wherein detecting the kernel exported function returning a value at an offset in an internal data structure (fig 13 pop ebp ret [0143] executing a function) comprises detecting a value being read at a relative offset with respect to a specific register ([0028] perform read operations in the guest-memory [0039] user level program code,  OS as well as user level program code, data read [0095] [0130] system call, entry/exit point,  register eax).
Lutas teaches remaining claim elements of a relative offset with respect to a specific register ([0038] address translation data structure and/or address translation mechanism of processor, guest physical address, uniquely attached to a guest VM [0039] guest virtual addresses fig 4 62-64-66 [0046] memory address fig 7 EBX+4*ECX+0x02).  

As per claim 8, Lin teaches detecting a pattern ([0143] analyzing, instruction sequences, instruction sequence patterns, fig 13 byte sequence “55 ba 00 … f6 5d c3”) comprises detecting a specific instruction that operates on an internal global data (fig 13 0xc0129956	mov ebp, esp); and 
the internal address information comprises an address of the internal global data (fig 13	0xc0129950 push ebp).  

As per claim 9, Lin teaches wherein locating the kernel exported function comprises parsing an export table comprising addresses associated with one or more exported functions or exported data in the guest kernel image to locate an address of the guest kernel function ([0095] maintain, file descriptor mapping, process opens a file [0096] scrutinize the system call, track the new CR3 value [0123] identifies, target process/thread, kernel space, pin point, system call [0129] specific system call context may be identified, fig 11 214 syscall 220 [0130] SVM 206 monitors the instructions executed, entering/existing, system call, fig 11 secure VM 206 kernel space memory kernel global/heap data 222 224 [0135] user/kernel level stack data; fig 12).

Claim 10 recites a non-transitory, computer-readable storage medium encoded with instructions executable by a processor to implement limitations similar to those of claim 1. Therefore, it is detected for the same rational.
Claim 11 recites a medium to implement limitations similar to those of claim 2. Therefore, it is detected for the same rational.
Claim 12 recites a medium to implement limitations similar to those of claim 3. Therefore, it is detected for the same rational.
Claim 14 recites a medium implement limitations similar to those of claim 5. Therefore, it is detected for the same rational.
Claim 15 recites a medium to implement limitations similar to those of claim 6. Therefore, it is detected for the same rational.
Claim 16 recites a medium to implement limitations similar to those of claim 7. Therefore, it is detected for the same rational.
Claim 17 recites a medium to implement limitations similar to those of claim 8. Therefore, it is detected for the same rational.
Claim 18 recites a medium to implement limitations similar to those of claim 9. Therefore, it is detected for the same rational.
Claim 19 recites a computer system, comprising: a memory; a secondary memory storing code for hypervisor; a processor configured to load the code form the secondary memory to main memory (Lin: fig 15 processor 605 memory 607 persistent storage 609) and execute the code to perform limitations similar to those of claim 1. Therefore, it is rejected for the same rational.
Claim 20 recites a system to perform limitations similar to those of claim 2. Therefore, it is rejected for the same rational.
 Claim 21 recites a system to perform limitations similar to those of claim 3. Therefore, it is rejected for the same rational.
Claim 22 recites a system to perform limitations similar to those of claim 4. Therefore, it is rejected for the same rational.
Claim 23 recites a system to perform limitations similar to those of claim 5. Therefore, it is rejected for the same rational.
Claim 24 recites a system to perform limitations similar to those of claim 6. Therefore, it is rejected for the same rational.
Claim 25 recites a system to perform limitations similar to those of claim 7. Therefore, it is rejected for the same rational.
Claim 26 recites a system to perform limitations similar to those of claim 8. Therefore, it is rejected for the same rational.
Claim 27 recites a system to perform limitations similar to those of claim 9. Therefore, it is rejected for the same rational.

Response to Arguments

The previous specification objection has been withdrawn.
The previous drawing objections have been withdrawn.
The previous objections under 35 USC 112 have been withdrawn.
Applicant's arguments filed on 01/26/2021 have been fully considered but they are not persuasive. In Applicant’s response filed on 01/26/2021, Applicant argues the following:
Lin cannot teach or suggest the machine code recited in amendment claim 1.
In contrast, amended claim 1 requires the disassembling of a specific machine code i.e. the machine code of a kernel system call or an exported function in an image of the guest kernel in guest memory of the virtual machine detected by a hypervisor.
In addition, Lin doesn’t teach or suggest disassembling the specific machine code into assembly code. Therefore, Lin can not teach or suggest “detecting, by the hypervisor, a pattern for memory reference in the assembly code; and after detecting the pattern from memory references in the assembly code; and after detecting the pattern, determining, by the hypervisor, the internal address information of the guest kernel from the assembly code” because the assembly code is required to be disassembled from the specific machine code as set forth above.
Russello cannot cure the deficiencies of Lin.

Examiner has thoroughly considered Applicant’s arguments, but respectfully, find them unpersuasive for at least the following reasons:

With respect to point a: Examiner respectfully disagree. Fig. 2 shows the machine code. In addition, newly cited art, clearly recites translating between machine code and assembly code ([0057]).
With respect to point b: Argument is moot in view new grounds of rejections.
With respect to point c: Lin teaches both machine code (fig 2) and assembly code (fig 8 top portion of the figure). Both Lin ([0108]) and Lutas ([0023] [0024]) teaches disassembling the machine code ([0108] [0023] ). In addition, Lutas teaches translating between machine code and assembly code ([0057]). Lutas also teaches disassembling instruction is carried out by the instruction decoder/execution unit ([0058]) and decode/execution unit is part of the processor (fig 2 30 36) and hypervisor control the processor, therefore, hypervisor controls the decode / execution unit and is controlling the disassembling/parsing of the machine code.
With respect to point d: Argument is moot in view of new grounds of rejections.

Conclusion

The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 
Koryakin et al. (US Patent No. 9274823 B1) teaches thin hypervisor for native execution of unsafe code.
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 

Any inquiry concerning this communication or earlier communications from the examiner should be directed to ABU ZAR GHAFFARI whose telephone number is (571)270-3799.  The examiner can normally be reached on Monday-Thursday 9:00 - 17:00.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Meng-Ai AN can be reached on 571-272-3756.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/ABU ZAR GHAFFARI/Primary Examiner, Art Unit 2195