DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

1.	This action is in response to the communication filed on April 14, 2020.  Claims 1-20 were originally received for consideration.  No preliminary amendments for the claims have been received. 
2.	Claims 1-20 are currently pending consideration.

Information Disclosure Statement

3.	An initialed and dated copy of Applicant’s IDS (form 1449), received on 4/14/2020, is attached to this Office Action.




Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:



(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale or otherwise available to the public before the effective filing date of the claimed invention.


Claim(s) 4-5 and 11-12 is/are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Yamada et al. (U.S. Patent Pub. No. US 2016/0180115). 

Regarding claim 1, Yamada discloses: 
A computer program product for hardware-assisted filtering of an import address table, the computer program product comprising computer executable code embodied in a non-transitory computer readable medium that, when executing on one or more computing devices, performs the steps of: 
configuring a computing environment to detour a first function call to a stub (paragraphs 0047 and 0065:  indirect branch instruction are replaced by different types of stub instructions), wherein the computing environment uses an import address table to access system function calls and address space layout randomization to randomize a location of functions accessed through the import address table (paragraphs 0035-0036:  during execution the target address of an instruction, such as a return instruction, may be verified; the valid RET target may be dynamically populated in the look up table when a call instruction is executed), wherein the computing environment includes a return address register that stores addresses for return from function calls, and wherein the computing environment generates a return address prediction based on the return register (paragraphs 0033, 0065:  a stub instruction may be placed in the cache in place of the execution instruction and a return target address may be predicted and stored in a lookup table); 
compare the stub instruction with the target address of the target); and 
generating an indication of a return-oriented programming attack when the address does not match the return address prediction (Figure 1, paragraph 0019:  detect and process return-oriented programming attacks by verifying addresses). Claim 2 is rejected as applied above in rejecting claim 1.  Furthermore, Yamada discloses: 
The computer program product of claim 1 wherein the return address prediction is generated by speculatively fetching and executing a branch of programming code (paragraph 0014:  determine valid target addresses for branch instructions either prior to or during execution of instructions for applications). 
Claim 3 is rejected as applied above in rejecting claim 1.  Furthermore, Yamada discloses: 
The computer program product of claim 1 wherein the function call is a call to a system function (paragraphs 0035-0036, 0047:  call instruction).
Regarding claim 6, Yamada discloses: 
A method comprising: 
configuring a computing environment to detour a function call to a stub (paragraphs 0047 and 0065:  indirect branch instruction are replaced by different types of stub instructions), wherein the computing environment includes a return address register that stores addresses for returns from function calls (paragraphs 0035-0036:  during execution the target address of an instruction, such as a return instruction, may be verified; the valid RET target may be dynamically populated in the look up table when a call instruction is executed), and wherein the computing environment generates a return address prediction based on the return address register (paragraphs 0033, 0065:  a stub instruction may be placed in the cache in place of the execution instruction and a return target address may be predicted and stored in a lookup table); 
determining by the stub when the stub is executed whether the return address prediction was to the stub (paragraphs 0047, 0065: compare the stub instruction with the target address of the target); and 
generating an indication of a return-oriented programming attack when the address does not match the return address prediction (Figure 1, paragraph 0019:  detect and process return-oriented programming attacks by verifying addresses).Claim 7 is rejected as applied above in rejecting claim 6.  Furthermore, Yamada discloses: 
The method of claim 6 wherein the computing environment uses an import address table to access system function calls (paragraphs 0035-0036, 0047:  call instruction).
 Claim 8 is rejected as applied above in rejecting claim 7.  Furthermore, Yamada discloses: 
The method of claim 7 wherein the computing environment uses address space layout randomization to randomize a location of functions accessed through the import address table (paragraphs 0035-0036:  during execution the target address of an instruction, such as a return instruction, may be verified; the valid RET target may be dynamically populated in the look up table when a call instruction is executed). Claim 9 is rejected as applied above in rejecting claim 6.  Furthermore, Yamada discloses:
during execution the target address of an instruction, such as a return instruction, may be verified; the valid RET target may be dynamically populated in the look up table when a call instruction is executed). Claim 10 is rejected as applied above in rejecting claim 6.  Furthermore, Yamada discloses: 
The method of claim 6 wherein the function call is a call to a system function (paragraphs 0035-0036, 0047:  call instruction). Claim 13 is rejected as applied above in rejecting claim 6.  Furthermore, Yamada discloses: 
The method of claim 6 further comprising instrumenting the computing environment to monitor system calls by detouring a plurality of system functions to a plurality of stubs (paragraph 0039:  an application is monitored for a possible ROP attack). Claim 14 is rejected as applied above in rejecting claim 6.  Furthermore, Yamada discloses: 
The method of claim 6 further comprising responding to the indication of the return-oriented programming attack by updating a health status of a computing device in a heartbeat generated by the computing device (paragraphs 0040-0041:  counters are set to zero, fast look up tables disabled to protect from an attack). Claim 15 is rejected as applied above in rejecting claim 6.  Furthermore, Yamada discloses: 
counters are set to zero, fast look up tables disabled to protect from an attack). Claim 16 is rejected as applied above in rejecting claim 6.  Furthermore, Yamada discloses: 
The method of claim 6 further comprising responding to the indication of the return-oriented programming attack by initiating a root cause analysis on a computing device (Figure 1, paragraph 0019:  detect and process return-oriented programming attacks by verifying addresses).. Regarding claim 17, Yamada discloses: 
A system comprising: 
one or more processors executing an operating system with a user space and a system space (paragraph 0020:  processor); 
a memory for non-transitory storage of computer-readable data (paragraph 0020:  memory); and 
computer executable code stored in the memory and executable by the one or more processors to perform the step of configuring a computing environment to detour a function call to a stub (paragraphs 0047 and 0065:  indirect branch instruction are replaced by different types of stub instructions), wherein the computing environment includes a return address store that stores addresses for a return from function calls (paragraphs 0035-0036:  during execution the target address of an instruction, such as a return instruction, may be verified; the valid RET target may be dynamically populated in the look up table when a call instruction is executed), and wherein the computing environment generates a return address prediction based on the return address store (paragraphs 0033,  a stub instruction may be placed in the cache in place of the execution instruction and a return target address may be predicted and stored in a lookup table), the computer executable code further configuring the one or more processors to perform the steps of determining by the stub when the stub is executed whether the return address prediction was to the stub (paragraphs 0047, 0065: compare the stub instruction with the target address of the target), and generating an indication of a return-oriented programming attack when the address return address prediction was not to the stub (Figure 1, paragraph 0019:  detect and process return-oriented programming attacks by verifying addresses). Claim 18 is rejected as applied above in rejecting claim 17.  Furthermore, Yamada discloses:
The system of claim 17 wherein the one or more processors are further configured to determine when the stub is executed whether the return address prediction was to the stub from indicia of a cache miss (Figure 1, paragraph 0019:  detect and process return-oriented programming attacks by verifying addresses). Claim 19 is rejected as applied above in rejecting claim 17.  Furthermore, Yamada discloses: 
The system of claim 17 wherein the one or more processors are further configured to respond to the indication of the return-oriented programming attack by at least one of coloring at least one of a file, a process, or an application with an indication of the return-oriented programming attack and updating a health status of a computing device in a communication to another device (paragraphs 0040-0041:  counters are set to zero, fast look up tables disabled to protect from an attack). Claim 20 is rejected as applied above in rejecting claim 17.  Furthermore, Yamada discloses: 
The system of claim 17 wherein the one or more processors are further configured to respond to the indication of the return-oriented programming attack by initiating a root cause analysis on a detect and process return-oriented programming attacks by verifying addresses).


Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 4, 5, 11 and 12 is/are rejected under 35 U.S.C. 103 as being unpatentable over Yamada et al. (U.S. Patent Pub. No. US 2016/0180115) in view of Klee et al. (U.S. Patent Pub. No. US 2015/0212855). Claim 4 is rejected as applied above in rejecting claim 1.  Yamada discloses call functions (paragraphs 0035-0036, 0047) which are also well-known in the art.  However, Yamada does not explicitly mention that the function call is a memory control function.  However, Klee discloses that function calls are used to initialize the upcall mechanism which transfers control from the user space back to the original kernel stack that called the upcall function and the upcall function stores the current kernel stack pointer (memory function) that is used upon return from the upcall (paragraphs 0025, 0068).  It would have .
Claim 11 is rejected as applied above in rejecting claim 6.  Yamada discloses call functions (paragraphs 0035-0036, 0047) which are also well-known in the art.  However, Yamada does not explicitly mention that the function call is a memory control function.  However, Klee discloses that function calls are used to initialize the upcall mechanism which transfers control from the user space back to the original kernel stack that called the upcall function and the upcall function stores the current kernel stack pointer (memory function) that is used upon return from the upcall (paragraphs 0025, 0068).  It would have been obvious to incorporate the specific function calls of a memory control function and a call transferring function into the call library of Yamada so that calls only occur at expected points during the execution of the thread (Klee:  paragraph 0025).

Claim 12 is rejected as applied above in rejecting claim 6.  Furthermore, Yamada discloses call functions (paragraphs 0035-0036, 0047) which are also well-known in the art.  However, Yamada does not explicitly mention that the function call is a call transferring control from a user space to a kernel in a system space.  However, Klee discloses that function calls are used to initialize the upcall mechanism which transfers control from the user space back to the original kernel stack that called the upcall function and the upcall function stores the current kernel stack pointer (memory function) that is used upon return from the upcall (paragraphs 0025, 0068).  It would have been obvious to incorporate the specific function calls of a memory control function and a call transferring function into the call library of Yamada so that calls only occur at expected points during the execution of the thread (Klee:  paragraph 0025).

Conclusion

Any inquiry concerning this communication or earlier communications from the examiner should be directed to KAVEH ABRISHAMKAR whose telephone number is (571)272-3786.  The examiner can normally be reached on M-F 9-5:30.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Robert Hodge can be reached on 571-272-2097.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.







/KAVEH ABRISHAMKAR/
04/13/2021Primary Examiner, Art Unit 3649