DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
This Office Action is in response to Applicant’s Amendment and Remarks filed on 03 January 2021.
Claims 1-16 are pending for examination.


Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.  
Claims 1-2, 4, 9-10, and 12 are rejected under 35 U.S.C. 103 as being unpatentable over Bhattacharjee et al. (US Pub. 2013/0091318 A1) in view of Vipat et al. (US Pub. 2013/0125119 A1) and further in view of Tang et al. (US Pub. 2018/0247069 A1) and Holmberg (US Patent 6,345,351 B1).
Bhattacharjee, Vipat and Tang were cited in the previous Office Action.


As per claim 1, Bhattacharjee teaches the invention substantially as claimed, including a method for a protection module to use a hypervisor to protect memory pages of a guest operating system (Bhattacharjee, Fig. 1, 32 Agent (as protection module), 12 Hypervisor, 34 Hyper CASP Module; [0032] lines 1-2, Agent 32 may communicate the CAS guest physical addresses to hyperCASP module 34; lines 12-13, hypervisor 12 can protect against malware attacks from within guest OS 18), the method comprising:
when a process launches, determining, by the protection module in the guest operating system, if the process is to be protected (Bhattacharjee, Fig. 1, 18 Guest operating system, 20 application; 32 Agent (as protection module within the guest OS); [0012] lines 3-5, a process of application 20. A process is an instance of an application (or a portion thereof), whose instructions are being executed; [0041] lines 1-8, When application 20 runs in guest OS 18…agent 32 may force a fault inside guest OS 18 and resolve it so that mapping is established from GVAs (e.g., GVA 44) to GPAs (e.g., GPA 46) corresponding to CAS 60; also see [0032] lines 1-14, Agent 32 may communicate the CAS guest physical addresses to hyperCASP module 34, which may map the machine addresses to the corresponding guest physical addresses. Thus, hyperCASP module 34 identifies the machine addresses to be protected…agent 32 may communicate the CAS addresses to hyperCASP module 34 using a two way communication channel. By protecting the address space in machine memory 24 corresponding to the CAS in guest virtual memory 28, hypervisor 12 can protect against malware attacks from within guest OS 18, for example, malware attempting to access the CAS [Examiner noted: when the application (process) launches, the agent (as protection module) determines the CAS guest physical addresses and sends them to the hyperCASP module for protection]);
pausing execution of the process when the process is to be protected by the protection module while the protection module is running (Bhattacharjee, [0036] lines 9-16, hyperCASP module 34 may provide a recommendation to guest OS 18 to blacklist the process until it is scanned and marked as clean (e.g., whitelisted) by an anti-virus or another security tool…agent 32 to automatically take an action within guest OS 18, for example, run an anti-virus (initiated automatically) on detection of an attack within guest OS; also see [0048] lines 3-9, automatically taking action within guest OS 18 in 122 (e.g., cause agent 32 to automatically initiate an anti-virus in guest OS 18; offline/shut down guest 14; save a state of guest OS 18 for offline scanning, etc.); or providing a recommendation to guest OS 18 in 124 (e.g., blacklist process, run anti-virus on the process, etc.) [Examiner noted: blacklist process (as pausing/preventing the execution of process) while the agent is still running the anti-virus/security tool (as protection module is running)]);
modifying, by the protection module in the guest operating system, a physical memory page in a process by writing to a virtual memory page of the process that maps to the physical memory page (Bhattacharjee, Fig. 1, 18 Guest operating system, 32 Agent (as protection module); Fig. 2, 38 Guest virtual address space (as virtual memory page), 40 Guest physical address space (as physical memory page); 44 GVA, 46 GPA; [0041] lines 1-8, When application 20 runs in guest OS 18… When guest 14 starts up, agent 32 may force a fault inside guest OS 18 and resolve it so that mapping is established from GVAs (e.g., GVA 44) to GPAs (e.g., GPA 46) corresponding to CAS 60; [0038] lines 5-9, The virtual addresses are converted into physical addresses…maps the process's guest virtual pages into guest physical pages in memory; also see [0017] lines 5-10, an application or a library (including a dynamically linked library such as kernel32.dll) is loaded into memory, the corresponding code instructions are loaded into read-only memory and data is loaded into writable memory. Thus, code instructions may be read and executed from read-only memory; [0043] lines 4-6, a malware 64 in process X may reside in guest virtual address space 38 and may attempt to access CAS 60 (e.g., kernel32.dll). [Examiner noted: the application/library (kernel32.dll; Fig. 2, CAS 60, within the guest virtual address space) has been loaded into the guest virtual address space (as virtual memory page) and the mapping is established between GVA 44 and GPA 46]), which causes using a private physical memory page to the process, map data from the physical memory page to the private physical memory page (Bhattacharjee, Fig. 2, 42 Machine address space, 46 GPA maps to 48 MA; [0026] lines 4-8, host physical address (also called machine address). Shadow page tables are used by the hypervisor (e.g., hypervisor 12) to map the guest physical memory (e.g., guest physical memory 28) to the machine memory (e.g., machine memory 24); lines 12-23, a page fault handler in the hypervisor facilitates loading the appropriate page (e.g., from disk) into machine memory, and updates the hypervisor's shadow page tables to reflect the changes. Execution of the instruction that caused the page fault resumes after the page has been loaded into machine memory and the paging tables appropriately point to the correct page. The hypervisor's paging tables reflect which pages are actually (i.e., physically) loaded in machine memory; [0039] lines 8-13, Guest physical address space 40 maps into a machine address space 42. For example, a GVA 44 in guest virtual address space 38 may be mapped to a corresponding GPA 46 in guest physical address space 40, which in turn may be mapped to a machine address (MA) 48 in machine address space 42 (as map data from the physical memory page to the private physical memory page)); and
causing, by the protection module in the guest operating system, the hypervisor to protect the private physical memory page by monitoring the private physical memory page and generating an alert when the private physical memory page is accessed by any process (Bhattacharjee, Fig. 3, 110 monitor access attempt to machine addresses, 112 access attempt to CAS detected, Yes, 114, 116, 118, 120 report (as generating an alert) attack to management console; [0032] lines 1-5, Agent 32 may communicate the CAS guest physical addresses to hyperCASP module 34…Thus, hyperCASP module 34 identifies the machine addresses to be protected; lines 10-13, By protecting the address space in machine memory…hypervisor 12 can protect against malware attacks from within guest OS 18; [0046] lines 10-11, the GPAs (e.g., GPA 46) is mapped to the corresponding MAs (e.g., MA 48) using shadow page table 51. In 110, access attempts to the MAs (e.g., MA 48) is monitored by hyperCASP module 34 [Examiner noted: generating report/alert when the machine address (as private physical memory page) is accessed by any process that is not permitted]).

Bhattacharjee fails to specifically teach the process is a user-mode process, and the protection module is associated with a kernel-mode driver in the guest operating system.

However, Vipat teaches the process is a user-mode process, and the protection module is associated with a kernel-mode driver in the guest operating system (Vipat, Fig.2, 102 Guest operating system, Ring 3 (as user mode), Ring 0 (as kernel-mode), 132 Anti Malware agent (as protection module); 130 Kernel (as kernel-mode driver); [0004] lines 5-10, a kernel may execute with a high level of hardware privilege known as "Ring-0," device drivers may execute with intermediate levels of hardware privilege known as "Ring-1" and "Ring-2," and user-mode applications (as user-mode process) may execute with a lowest level of hardware privilege known as "Ring-3."; also see [0030] lines 2-7, Anti-malware agent 132 may exchange information with kernel 130 (as kernel-mode driver) and other components as described below. Kernel 130 and anti-malware agent 132 may execute in accordance with a privilege level that provides more privileges than the privilege level of application 110).

It would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to have combined the teaching of Bhattacharjee with Vipat because Vipat’s teaching of using an anti-malware agent associated with kernel mode for monitoring/detecting the user-mode process would have provided Bhattacharjee’s system with the advantage and capability of using hierarchical protection domains to protect the user application/process, which improves the system security (see Vipat, Abstract, lines 7-8, protect different portions of an application and [0004]).

Although Bhattacharjee and Vipat teach the user-mode process, both Bhattacharjee and Vipat fail to specifically teach the physical memory page is a shared physical memory page in a context of the user-mode process, the data is copy/copied from the shared physical memory page to the private physical memory page, and the private physical memory page is allocated by the guest operating system. In addition, Bhattacharjee and Vipat fail to specifically teach modify the private physical memory page with existing data on the shared physical memory page, wherein another virtual memory page of another process, which differs from the user-mode process, is also mapped to the shared physical memory page.

However, Tang teaches the physical memory page is a shared physical memory page in a context of the user-mode process (Tang, Fig. 7, (b) During execution of instructions within the executable memory, Host Machine Addr Space, Code data (right hand side, as shared memory page), Code Copy Data (right hand side, as private memory page copied from the shared memory page); [0075] lines 2-4, the guest physical memory pages may be shared by multiple processes due to the OS’s Copy-on-Write (COW) optimization (this is the shared physical memory page); lines 18-23, The guest OSes' innate COW capability to transparently allocate new physical memory pages for the static code regions of processes to be protected…the write operation should occur in the context of the process),
the data is copy/copied from the shared physical memory page to the private physical memory page (Tang, Fig. 7 (b)-(c) [the host machine address space has been modified, because the “Code Copy” data (copied from “code data” within the Guest physical address space) has been added into the Host Machine address space. Since the Host machine address space in Fig. 7(b)-(c) is no longer the same as the Host machine address space in Fig. 7(a), the Host machine address space is modified, and the modification is also based on the existing data in the Guest physical address space (see Tang, Figs. 7(a)-7(c))]; [0076] lines 3-17, separate code and data views may be maintained for each executable memory page being protecting…After identifying the guest physical memory pages to protect, a duplicate page is added in a host machine address space. Any subsequent instructions being executed are redirected to the code copy memory page shown at the bottom of FIG. 7(b));
the private physical memory page is allocated by the guest operating system (Tang, [0075] lines 7-9, the OS may duplicate the original page into a newly allocated physical page only when the process writes to the memory page; lines 18-23, The guest OSes' innate COW capability to transparently allocate new physical memory pages for the static code regions of processes to be protected), and
modify the private physical memory page with existing data on the shared physical memory page (Tang, Figs. 7(a)-7(c); [0076] lines 3-17, separate code and data views may be maintained for each executable memory page being protecting…After identifying the guest physical memory pages to protect, a duplicate page is added in a host machine address space. Any subsequent instructions being executed are redirected to the code copy memory page shown at the bottom of FIG. 7(b) [Examiner noted: In Fig. 7(a), the original data is within the Host machine address space when no monitoring has been performed. In Fig. 7(b)-(c), the host machine address space has been modified, because the “Code Copy” data (copied from “code data” within the Guest physical address space) has been added into the Host Machine address space. Since the Host machine address space in Fig. 7(b)-(c) is no longer the same as the Host machine address space in Fig. 7(a), the Host machine address space is modified, and the modification is also based on the existing data in the Guest physical address space]), wherein another virtual memory page of another process, which differs from the user-mode process, is also mapped to the shared physical memory page (Tang, Fig. 5, Guest virtual (V) address space, Guest physical (P) address space, V to P mapping; [0075] lines 2-4, the guest physical memory pages may be shared by multiple processes (as including another virtual memory page of another process also being mapped) due to the OS’s Copy-on-Write (COW) optimization).

It would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to have combined the teaching of Bhattacharjee and Vipat with Tang because Tang’s teaching of duplicating the shared physical memory page to generate a private physical memory page would have provided Bhattacharjee and Vipat’s system with the advantage and capability to improve the security of the virtual environment in order to increase the system stability (see Bhattacharjee, [0037] lines 8-9, protect against memory disclosure attacks).

Bhattacharjee, Vipat and Tang fail to specifically teach the private physical memory page modified with the existing data is identical to the shared physical memory page.

However, Holmberg teaches the private physical memory page modified with the existing data is identical to the shared physical memory page (Holmberg, Col 14, lines 14-15, one or more pages must be allocated for holding the speculative data (step 401). Next, data from the shared memory page(s) is copied to the corresponding new page(s) (step 403). After the copying operation, the newly allocated page and the original page in the shared memory space are identical; Col 15, lines 30-35, allocating a new page or pages (referred to herein as "private pages") to be used for holding the data generated by the speculatively executing job 207 (step 701). Data from the shared memory pages are then copied to the corresponding newly allocated private pages).

It would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to have combined the teaching of Bhattacharjee, Vipat and Tang with Holmberg because Holmberg’s teaching that the newly allocated private page is identical to the shared memory page would have provided Bhattacharjee, Vipat and Tang’s system with the advantage and capability to restore the original data (state) from the newly allocated page, which improves the system reliability (see Holmberg, Col 14, lines 19-25, the new page is available for use in restoring the original state).

As per claim 2, Bhattacharjee, Vipat, Tang and Holmberg teach the invention according to claim 1 above. Bhattacharjee further teaches monitoring, by the protection module in the guest operating system, for a launch of the process launch (Bhattacharjee, [0041] lines 1-8, When application 20 runs in guest OS 18… When guest 14 starts up, agent 32 may force a fault inside guest OS 18 and resolve it so that mapping is established from GVAs (e.g., GVA 44) to GPAs (e.g., GPA 46) corresponding to CAS 60 (as monitoring when the application runs (launches) in the guest));
when the process is to be protected, performing, by the protection module in the guest operating system, said modifying the physical memory page (Bhattacharjee, Fig. 2, 42 Machine address space, 46 GPA maps to 48 MA; [0039] lines 8-13, Guest physical address space 40 maps into a machine address space 42. For example, a GVA 44 in guest virtual address space 38 may be mapped to a corresponding GPA 46 in guest physical address space 40, which in turn may be mapped to a machine address (MA) 48 in machine address space 42; [0041] lines 6-8, When guest 14 starts up, agent 32 may force a fault inside guest OS 18 and resolve it so that mapping is established from GVAs (e.g., GVA 44) to GPAs (e.g., GPA 46) corresponding to CAS 60; [0046] lines 7-10, agent 32 resolves the GPAs (e.g., GPA 46) corresponding to CAS 60. In 108, the GPAs (e.g., GPA 46) is mapped to the corresponding MAs (e.g., MA 48) using shadow page table 51 (as modifying by mapping the physical memory pages));
wherein the determining if the process is to be protected is based on a parameter in a load-image or a process creation notification (Bhattacharjee, Abstract, lines 10-12, identifying a machine address corresponding to the CAS by forcing a page fault in the guest OS; [0032] lines 1-14, Agent 32 may communicate the CAS guest physical addresses to hyperCASP module 34, which may map the machine addresses to the corresponding guest physical addresses. Thus, hyperCASP module 34 identifies the machine addresses to be protected…agent 32 may communicate the CAS addresses to hyperCASP module 34 using a two way communication channel. By protecting the address space in machine memory 24 corresponding to the CAS in guest virtual memory 28, hypervisor 12 can protect against malware attacks from within guest OS 18, for example, malware attempting to access the CAS [Examiner noted: when the application launches, the agent determines the CAS guest physical addresses (as a parameter in a load-image or a process) and sends them to the hyperCASP module for protection]).
In addition, Vipat teaches the process is a user-mode process (Vipat, Fig. 2, 102 Guest operating system, Ring 3 (as user mode), Ring 0 (as kernel-mode), 132 Anti Malware agent (as protection module); 130 Kernel (as kernel-mode driver); [0004] lines 5-10, a kernel may execute with a high level of hardware privilege known as "Ring-0," device drivers may execute with intermediate levels of hardware privilege known as "Ring-1" and "Ring-2," and user-mode applications (as user-mode process) may execute with a lowest level of hardware privilege known as "Ring-3."). Further, Tang teaches the physical memory page is a shared physical memory page in the context of a process (Tang, Fig. 7, (b) During execution of instructions within the executable memory, Host Machine Addr Space, Code data (right hand side, as shared memory page), Code Copy Data (right hand side, as private memory page copied from the shared memory page); [0075] lines 2-4, the guest physical memory pages may be shared by multiple processes due to the OS’s Copy-on-Write (COW) optimization (this is the shared physical memory page); lines 18-23, The guest OSes' innate COW capability to transparently allocate new physical memory pages for the static code regions of processes to be protected…the write operation should occur in the context of the process).

As per claim 4, Bhattacharjee, Vipat, Tang and Holmberg teach the invention according to claim 1 above. Bhattacharjee further teaches receiving the alert that the private physical memory page is being modified; and taking an action in response to receiving the alert (Bhattacharjee, Fig. 3, 112, 114, 116, 118 permit access, No to 120 Report attack to management console (as the management console receives alert), 122 Automatically take action within guest operating system, and 124).
 
As per claims 9 and 12, they are non-transitory, computer-readable storage medium claims corresponding to claims 1 and 4 respectively above. Therefore, they are rejected for the same reasons as claims 1 and 4 respectively above.

As per claim 10, Bhattacharjee, Vipat, Tang and Holmberg teach the invention according to claim 9 above. Bhattacharjee further teaches monitor, by the protection module in the guest operating system, for a launch of the process launch (Bhattacharjee, [0041] lines 1-8, When application 20 runs in guest OS 18… When guest 14 starts up, agent 32 may force a fault inside guest OS 18 and resolve it so that mapping is established from GVAs (e.g., GVA 44) to GPAs (e.g., GPA 46) corresponding to CAS 60 (as monitoring when the application runs (launches) in the guest));
when the process is to be protected, perform, by the protection module in the guest operating system, said modifying the physical memory page, which causes using the private physical memory page to the process (Bhattacharjee, Fig. 2, 42 Machine address space, 46 GPA maps to 48 MA; [0039] lines 8-13, Guest physical address space 40 maps into a machine address space 42. For example, a GVA 44 in guest virtual address space 38 may be mapped to a corresponding GPA 46 in guest physical address space 40, which in turn may be mapped to a machine address (MA) 48 in machine address space 42; [0041] lines 6-8, When guest 14 starts up, agent 32 may force a fault inside guest OS 18 and resolve it so that mapping is established from GVAs (e.g., GVA 44) to GPAs (e.g., GPA 46) corresponding to CAS 60; [0046] lines 7-10, agent 32 resolves the GPAs (e.g., GPA 46) corresponding to CAS 60. In 108, the GPAs (e.g., GPA 46) is mapped to the corresponding MAs (e.g., MA 48) using shadow page table 51 (as modifying by mapping the physical memory pages); [0039] lines 8-13, Guest physical address space 40 maps into a machine address space 42. For example, a GVA 44 in guest virtual address space 38 may be mapped to a corresponding GPA 46 in guest physical address space 40, which in turn may be mapped to a machine address (MA) 48 in machine address space 42 (as using the private physical memory page));
wherein the determining if the process is to be protected is based on a parameter in a load-image or a process creation notification (Bhattacharjee, Abstract, lines 10-12, identifying a machine address corresponding to the CAS by forcing a page fault in the guest OS; [0032] lines 1-14, Agent 32 may communicate the CAS guest physical addresses to hyperCASP module 34, which may map the machine addresses to the corresponding guest physical addresses. Thus, hyperCASP module 34 identifies the machine addresses to be protected…agent 32 may communicate the CAS addresses to hyperCASP module 34 using a two way communication channel. By protecting the address space in machine memory 24 corresponding to the CAS in guest virtual memory 28, hypervisor 12 can protect against malware attacks from within guest OS 18, for example, malware attempting to access the CAS [Examiner noted: when the application launches, the agent determines the CAS guest physical addresses (as a parameter in a load-image or a process) and sends them to the hyperCASP module for protection]);
In addition, Vipat teaches the process is a user-mode process (Vipat, Fig. 2, 102 Guest operating system, Ring 3 (as user mode), Ring 0 (as kernel-mode), 132 Anti Malware agent (as protection module); 130 Kernel (as kernel-mode driver); [0004] lines 5-10, a kernel may execute with a high level of hardware privilege known as "Ring-0," device drivers may execute with intermediate levels of hardware privilege known as "Ring-1" and "Ring-2," and user-mode applications (as user-mode process) may execute with a lowest level of hardware privilege known as "Ring-3."). Further, Tang teaches the physical memory page is a shared physical memory page in the context of a process (Tang, Fig. 7, (b) During execution of instructions within the executable memory, Host Machine Addr Space, Code data (right hand side, as shared memory page), Code Copy Data (right hand side, as private memory page copied from the shared memory page); [0075] lines 2-4, the guest physical memory pages may be shared by multiple processes due to the OS’s Copy-on-Write (COW) optimization (this is the shared physical memory page); lines 18-23, The guest OSes' innate COW capability to transparently allocate new physical memory pages for the static code regions of processes to be protected…the write operation should occur in the context of the process) and the private physical memory page is allocated by the guest operating system (Tang, [0075] lines 7-9, the OS may duplicate the original page into a newly allocated physical page only when the process writes to the memory page; lines 18-23, The guest OSes' innate COW capability to transparently allocate new physical memory pages for the static code regions of processes to be protected).

Claims 3 and 11 are rejected under 35 U.S.C. 103 as being unpatentable over Bhattacharjee, Vipat, Tang and Holmberg, as applied to claims 1 and 9 respectively above, and further in view of Srivastava et al. (US Pub. 2012/0324236 A1).
Srivastava was cited in the previous Office Action.

As per claim 3, Bhattacharjee, Vipat, Tang and Holmberg teach the invention according to claim 1 above. Vipat teaches the process is a user-mode process (Vipat, Fig.2, 102 Guest operating system, Ring 3 (as user mode), Ring 0 (as kernel-mode), 132 Anti Malware agent (as protection module); 130 Kernel (as kernel-mode driver); [0004] lines 5-10, a kernel may execute with a high level of hardware privilege known as "Ring-0," device drivers may execute with intermediate levels of hardware privilege known as "Ring-1" and "Ring-2," and user-mode applications (as user-mode process) may execute with a lowest level of hardware privilege known as "Ring-3."). 

Although Bhattacharjee, Vipat, Tang and Holmberg teach the user-mode process, Bhattacharjee, Vipat, Tang and Holmberg fail to specifically teach resuming execution of the user-mode process after said causing the hypervisor to protect the private physical memory page.

However, Srivastava teaches resuming execution of the user-mode process after said causing the hypervisor to protect the private physical memory page (Srivastava, [0021] lines 6-12, In response to the hypercall, the hypervisor 112 pauses the guest machine 104 to initiate Copy-on-Write protection, which write-protects the address space of the guest machine 104 against access from any entity other than the hypervisor 112. To keep performance overhead reasonable, the hypervisor 112 pauses the guest machine 104 for a minimal duration; lines 14-16, resumed execution of the guest machine 104 (as resuming execution after the hypervisor initiates Copy-on-Write protection)).

It would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to have combined the teaching of Bhattacharjee, Vipat, Tang and Holmberg with Srivastava because Srivastava’s teaching of pausing and resuming execution during the memory protection would have provided Bhattacharjee, Vipat, Tang and Holmberg’s system with the advantage and capability to protect the address space of the virtual machine against any access from any entity other than the hypervisor, which improves the system security (see Srivastava, [0021]).

As per claim 11, it is a non-transitory, computer-readable storage medium claim of claim 3 above. Therefore it is rejected for the same reason as claim 3 above.

Claims 5 and 13 are rejected under 35 U.S.C. 103 as being unpatentable over Bhattacharjee, Vipat, Tang and Holmberg, as applied to claims 1 and 9 respectively above, and further in view of Bonzini et al. (US Pub. 2017/0250817 A1).
Bonzini was cited in the previous Office Action.

As per claim 5, Bhattacharjee, Vipat, Tang and Holmberg teach the invention according to claim 1 above. Tang further teaches modifying page permission to allow the protection module to execute only to the virtual memory page of the process mapped to the shared physical memory page (Tang, [0061] lines 9-13, initialization stage 420 (as including protection module, also see Bhattacharjee Fig.1 32 Agent) is configured to identify at runtime (e.g., at a process 424) selected executable memory pages to protect, and subsequently to configure (as modifying) execute-only access permissions for these pages; [0063] lines 1-6, the set of executable pages are configured with the desired permissions (e.g., by setting/specifying appropriate execute-only permission identifiers on, for example, extended page tables (EPT) that provide a mapping between a guest-physical address space and a host machine address space). In addition, Vipat teaches the process is a user-mode process (Vipat, Fig.2, 102 Guest operating system, Ring 3 (as user mode), Ring 0 (as kernel-mode), 132 Anti Malware agent (as protection module); 130 Kernel (as kernel-mode driver); [0004] lines 5-10, a kernel may execute with a high level of hardware privilege known as "Ring-0," device drivers may execute with intermediate levels of hardware privilege known as "Ring-1" and "Ring-2," and user-mode applications (as user-mode process) may execute with a lowest level of hardware privilege known as "Ring-3.").

Bhattacharjee, Vipat, Tang and Holmberg fail to specifically teach that, when modifying the page permission, it allows the protection module to write to the memory page, and modifying the virtual memory page of the user-mode process.

However, Bonzini teaches that, when modifying the page permission, it allows the protection module to write to the virtual memory page, and modifying the virtual memory page of the user-mode process (Bonzini, [0026] lines 10-14, modify permissions of the one or more memory pages in the area of guest memory 116 to allow the non-kernel portions (as protection module) of the guest 114 to write (as modifying) to the one or more memory pages).

It would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to have combined the teaching of Bhattacharjee, Vipat, Tang and Holmberg with Bonzini because Bonzini’s teaching of write permission would have provided Bhattacharjee, Vipat, Tang and Holmberg’s system with the advantage and capability to protect the memory from any suspicious access/write, which improves the system security.

As per claim 13, it is a non-transitory, computer-readable storage medium claim of claim 5 above. Therefore it is rejected for the same reason as claim 5 above.

Claims 6 and 14 are rejected under 35 U.S.C. 103 as being unpatentable over Bhattacharjee, Vipat, Tang and Holmberg, as applied to claims 1 and 9 respectively above, and further in view of Yu et al. (US Pub. 2014/0304720 A1).
Yu was cited in the previous Office Action.

As per claim 6, Bhattacharjee, Vipat, Tang and Holmberg teach the invention according to claim 1 above. Tang further teaches using an asynchronous procedure call (Tang, [0075] lines 27-29, the Heisenbyte implementations may be configured to schedule an Asynchronous Procedure Call thread to execute in the context of the target process). In addition, Vipat teaches the user-mode process (Vipat, Fig. 2, 102 Guest operating system, Ring 3 (as user mode), Ring 0 (as kernel-mode), 132 Anti Malware agent (as protection module); 130 Kernel (as kernel-mode driver); [0004] lines 5-10, a kernel may execute with a high level of hardware privilege known as "Ring-0," device drivers may execute with intermediate levels of hardware privilege known as "Ring-1" and "Ring-2," and user-mode applications (as user-mode process) may execute with a lowest level of hardware privilege known as "Ring-3.").

Bhattacharjee, Vipat, Tang and Holmberg fail to specifically teach that the asynchronous procedure call is used to inject a dynamic link library in the user-mode process, the dynamic link library causing a write to the shared physical memory page.

However, Yu teaches that the asynchronous procedure call is used to inject a dynamic link library in the user-mode process, the dynamic link library causing a write to the shared physical memory page (Yu, [0042] lines 3-9, determine the first dynamic link library file injected with the import function in the case that the import function is applied to the execution of the process of the application. The jumping unit may insert an asynchronous procedure call function into an execution program of loading the executable file by the executable file loading unit; Also see Fig. 1, 102, 103 load the second dynamic link library file into memory; [using an asynchronous procedure call that injects the dynamic link library into the execution of the process, and loading (as write) the second dynamic link library into the memory]).

It would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to have combined the teaching of Bhattacharjee, Vipat, Tang and Holmberg with Yu because Yu’s teaching of injecting the dynamic link library would have provided Bhattacharjee, Vipat, Tang and Holmberg’s system with the advantage and capability to allow the computer system to effectively perform an injection on the process of the application and ensure stability of execution of the process of the application.

As per claim 14, it is a non-transitory, computer-readable storage medium claim of claim 6 above. Therefore it is rejected for the same reason as claim 6 above.

Claims 7 and 15 are rejected under 35 U.S.C. 103 as being unpatentable over Bhattacharjee, Vipat, Tang and Holmberg, as applied to claims 1 and 9 respectively above, and further in view of Moore et al. (US Pub. 2002/0019887 A1).
Moore was cited in the previous Office Action.

As per claim 7, Bhattacharjee, Vipat, Tang and Holmberg teach the invention according to claim 1. Tang further teaches modifying an entry point of the process to redirect a call (Tang, [0073] lines 1-7, When ntdll.dll is loaded into the target process, the entry points of these two functions are modified with trampolines to a Virtual Memory (VM)-tracking code that resides on a dynamically allocated page. Because the function hooking is performed in-memory, the OS Copy-on-Write mechanism ensures that these hooks only apply to the target process). In addition, Vipat teaches the process is a user-mode process (Vipat, Fig.2, 102 Guest operating system, Ring 3 (as user mode), Ring 0 (as kernel-mode), 132 Anti Malware agent (as protection module); 130 Kernel (as kernel-mode driver); [0004] lines 5-10, a kernel may execute with a high level of hardware privilege known as "Ring-0," device drivers may execute with intermediate levels of hardware privilege known as "Ring-1" and "Ring-2," and user-mode applications (as user-mode process) may execute with a lowest level of hardware privilege known as "Ring-3.").

Bhattacharjee, Vipat, Tang and Holmberg fail to specifically teach modifying an entry point of the user-mode process to redirect a call to the protection module, the protection module causing a write to the shared physical memory pages in response to the call.

However, Moore teaches modifying an entry point of the user-mode process to redirect a call to the protection module, the protection module causing a write to the shared physical memory pages in response to the call (Moore, [0044] lines 2-14, the second instance of the activation module redirects the API calls to the interception module (as protection module) by creating R/W aliases to the entry points in DOSCALL1 and changing the far32 pointers to point to the interception module entry points (redirecting the API calls by creating/changing entry points). An alias is merely a region of virtual memory that maps to the same physical memory as the original memory object (in this case the location of the DosAllocMem far32 pointer address) by referencing the same physical address in its page table entry. If the memory is in a global shared region of virtual memory, then any update made to a memory object using the alias address will at the same time be made for all processes at the original address location [as causing a write at the memory address location]).

It would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to have combined the teaching of Bhattacharjee, Vipat, Tang and Holmberg with Moore because Moore’s teaching of redirecting calls via an interception module (as protection module) would have provided Bhattacharjee, Vipat, Tang and Holmberg’s system with the advantage and capability to provide modified functionality for the intercepted API calls, which improves the system performance and security.

As per claim 15, it is a non-transitory, computer-readable storage medium claim of claim 7 above. Therefore it is rejected for the same reason as claim 7 above.

Claims 8 and 16 are rejected under 35 U.S.C. 103 as being unpatentable over Bhattacharjee, Vipat, Tang and Holmberg, as applied to claims 1 and 9 respectively above, and further in view of Welland (US Patent. 5,581,722).

As per claim 8, Bhattacharjee, Vipat, Tang and Holmberg teach the invention according to claim 1. Tang further teaches wherein modifying the shared physical memory page comprises reading data from a location of the virtual memory page of the process (Tang, Fig. 5 and Fig. 7, (b) guest virtual address space maps to guest physical address space; [0075] lines 1-11, the guest physical memory pages may be shared by multiple processes due to the OS's Copy-on-Write (COW) optimization…Thus the OS may duplicate the original page into a newly allocated physical page only when the process writes to the memory page (as reading the data from the original page (location of the virtual memory page) in order to map and duplicate it (as modifying))). In addition, Vipat teaches the process is a user-mode process (Vipat, Fig.2, 102 Guest operating system, Ring 3 (as user mode), Ring 0 (as kernel-mode), 132 Anti Malware agent (as protection module); 130 Kernel (as kernel-mode driver); [0004] lines 5-10, a kernel may execute with a high level of hardware privilege known as "Ring-0," device drivers may execute with intermediate levels of hardware privilege known as "Ring-1" and "Ring-2," and user-mode applications (as user-mode process) may execute with a lowest level of hardware privilege known as "Ring-3.").

Bhattacharjee, Vipat, Tang and Holmberg fail to specifically teach writing the same data back to the location of the virtual memory page of the user-mode process.

However, Welland teaches writing the same data back to the location of the virtual memory page of the user-mode process (Welland, Col 7, lines 66-67, virtual memory is only virtual in terms of RAM; Col 8, lines 4-10, This virtual memory is conventionally organized into a plurality of pages, each comprising a prescribed number of bytes, which are correlated with specific locations in RAM. The virtual memory service operates by intercepting a client's attempt to access pages of virtual memory that have been swapped out to disk, swapping the pages back into RAM; Col 8, lines 28-31, a simple paged virtual memory service works by manipulating only the address mapping for its domain. It maps the available physical memory to the valid (swapped-in) virtual pages).

It would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to have combined the teaching of Bhattacharjee, Vipat, Tang and Holmberg with Welland because Welland’s teaching of swapping (as write) the pages back (as same data) into the virtual memory page location (RAM) would have provided Bhattacharjee, Vipat, Tang and Holmberg’s system with the advantage and capability to enable the page protection to guard against error or malicious attack, which improves the system stability.

As per claim 16, it is a non-transitory, computer-readable storage medium claim of claim 8 above. Therefore it is rejected for the same reason as claim 8 above.


Response to Arguments
Applicant’s arguments with respect to claims 1-2, 4-10 and 12-16 have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument.

In the Remarks, Applicant argues in substance:
(a) the resuming execution of a generic guest machine in Srivastava cannot teach or suggest "resuming execution of the process (being a user-mode process)" as recited in claims 3 and 11.


Examiner respectfully disagrees with Applicant’s argument for the following reasons:
As to point (a), Examiner would like to point out that the claimed limitation “resuming execution of the process (being a user-mode process)" is taught at least by the combination of references applied in the Office Action. For example, Vipat teaches the process is a user-mode process (Vipat, Fig.2, 102 Guest operating system, Ring 3 (as user mode), Ring 0 (as kernel-mode), 132 Anti Malware agent (as protection module); 130 Kernel (as kernel-mode driver); [0004] lines 5-10, a kernel may execute with a high level of hardware privilege known as "Ring-0," device drivers may execute with intermediate levels of hardware privilege known as "Ring-1" and "Ring-2," and user-mode applications (as user-mode process) may execute with a lowest level of hardware privilege known as "Ring-3."). Srivastava teaches resuming execution of the process (user-mode process) (Srivastava, [0021] lines 6-12, In response to the hypercall, the hypervisor 112 pauses the guest machine 104 to initiate Copy-on-Write protection, which write-protects the address space of the guest machine 104 against access from any entity other than the hypervisor 112. To keep performance overhead reasonable, the hypervisor 112 pauses the guest machine 104 for a minimal duration; lines 14-16, resumed execution of the guest machine 104 (as resuming execution after the hypervisor initiates Copy-on-Write protection)). Please refer to the rejection under 35 U.S.C. 103 above.

For the reasons above, Applicant’s argument has not been found to be persuasive, and therefore the rejections are maintained. 


Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to ZUJIA XU whose telephone number is (571)272-0954.  The examiner can normally be reached on M-F 9:00-5:30 EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Meng-Ai An can be reached on (571) 272-3756.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/MENG AI T AN/Supervisory Patent Examiner, Art Unit 2195

/Z.X./Examiner, Art Unit 2195