ALLOWABILITY NOTICE
Claims 1-13 are pending in this action.  The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Election/Restrictions
This application is in condition for allowance except for the presence of claims 14-20 directed to an invention non-elected without traverse by Jens Jenkins in an interview dated 4/21/2021.  Accordingly, claims 14-20 have been cancelled.

Information Disclosure Statement
The information disclosure statement (IDS) submitted on 1/29/2021 is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement has been considered by the examiner.

Examiner’s Amendment
An examiner’s amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.

Authorization for this examiner’s amendment was given in an interview with Jens Jenkins, Reg. No. 44,803, on 4/21/2021.

The claims are amended as follows:

1. (Currently Amended) A computing system comprising: one or more processors; and one or more computer-readable storage medium having stored computer executable instructions which are executable by the one or more processors for implementing a method for creating a container-based memory enclave, the method comprising: identifying a container image having a security component that is used for attesting to a particular security configuration that is used by a host system running on a first security domain, the security component being stored at a memory address of the host system; using the container image to instantiate a new container, the new container being configured to utilize enclave memory in a second security domain of [[a]] the host system based on a security component stored at an address of the host system, the new container including a copy of the security component stored at the address of the host system with a particular memory address that is a purported link from the new container to the memory address of the security component stored at the address of the host system; and during or after instantiation of the new container, modifying the purported link from the new container to the particular memory address of the security component stored at the address of the host system so that the purported link from the new container to the memory address is modified to verifiably link the new container to the memory address of the host system.

2. (Original) The computing system of claim 1, wherein the modifying the purported link comprises overwriting the particular address of the security component at the new 

3. (Original) The computing system of claim 1, wherein the modifying the purported link comprises creating a link from the particular address of the security component at the new container to the address of the host system where the security component used by the host system is loaded.

4. (Original) The computing system of claim 1, wherein the modifying the purported link comprises updating a referenced address in a mapping table associated with the particular address to include or reference the address of the host system where the security component used by the host system is loaded.

5. (Original) The computing system of claim 4, wherein the method further includes creating the mapping table and, during or after instantiating the new container, using metadata associated with the new container to add the referenced address to the mapping table.

6. (Original) The computing system of claim 1, wherein the security component comprises a library file.



8. (Original) The computing system of claim 7, wherein the method further includes performing attestation of security guarantees associated with the security configuration for the new container.

9. (Currently Amended) A method for creating a container-based memory enclave, the method comprising: identifying a container image having a security component that is used for attesting to a particular security configuration that is used by a host system running on a first security domain, the security component being stored at a memory address of the host system; using the container image to instantiate a new container, the new container being configured to utilize enclave memory in a second security domain that is different from the first security domain of [[a]] the host system based on a security component stored at an address of the host system, the new container including a copy of the security component stored at the address of the host system with a particular memory address that is a purported link from the new container to the memory address of the security component stored at the address of the host system; and during or after instantiation of the new container, modifying the purported link from the new container to the particular memory address of the security component stored at the address of the host system so that the purported link from the new container to the new container to the memory address of the host system.

10. (Original) The method of claim 9, wherein the modifying the purported link comprises overwriting the particular address of the security component at the new container with the address of the host system where the security component used by the host system is stored.

11. (Original) The method of claim 9, wherein the modifying the purported link comprises creating a link from the particular address of the security component at the new container to the address of the host system where the security component used by the host system is stored.

12. (Original) The method of claim 9, wherein the modifying the purported link comprises updating a referenced address in a mapping table associated with the particular address to include or reference the address of the host system where the security component used by the host system is stored.

13. (Original) The method of claim 9, wherein the security component includes data that is used to generate an attestation report regarding the security configuration for the new container and wherein the method further includes performing attestation of security guarantees associated with the security configuration for the new container. 


Reasons for Allowance
Claims 1-13 are allowed.

The following is an examiner’s statement of reasons for allowance:  The cited prior art references, Costa (US PGPUB No. 2018/0211035), McLaughlin et al. (US PGPUB No. 2017/0324765), Costa (US PGPUB No. 2018/0212966), Leslie et al. (US PGPUB No. 2016/0085695), Goor et al. (US Patent No. 6,305,009), Bromey et al. (US Patent No. 7,194,446) and Morris et al. (US PGPUB No. 2008/0022265), Wang et al. ("Enabling Security-Enhanced Attestation With Intel SGX for Remote Terminal and IoT", IEEE, doi: 10.1109/TCAD.2017.2750067, pp. 88-96, Jan. 2018) and Liang et al. ("Toward Migration of SGX-Enabled Containers", IEEE, doi: 10.1109/ISCC47284.2019.8969644, 2019, pp. 1-6), which disclose the creation of enclaves dynamically or at runtime, do not alone or in combination teach the recited features of independent claims 1 and 9. While the references disclose some of the principal features of the claimed invention, the combination of the recited steps and the specificity of the recited steps distinguish the claimed invention from the prior art.  For example, the claim states that the new container uses enclave memory of a security component stored at the address of the host system. Also, the new container initially contains a particular memory address that is a purported link from the new container to the memory address of the security component stored at the host system. Also, the purported link is updated to the particular memory address. These along with the other .
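As an added illustration, not the applicant's code or any implementation described in the application, the following Python model shows the mapping-table variant of claims 4, 5 and 12 together with the attestation check of claim 13: the container image carries a copy of the security component and a purported (stale) address, instantiation rewrites the mapping so the link resolves to the host's real address, and attestation fails if the link is left unfixed or the copy is tampered with. Addresses, the component bytes and the hash comparison are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional
import hashlib

# Constructed host state (assumption): the host's security component is a
# byte blob loaded at HOST_ADDR; no other address resolves to it.
HOST_COMPONENT = b"constructed attestation library v1"
HOST_ADDR = 0x7F00_0000


@dataclass
class Container:
    name: str
    component_copy: bytes               # image's own copy of the security component
    purported_link: int                 # address the image believes the component lives at
    mapping: Dict[int, int] = field(default_factory=dict)  # claims 4/5: mapping table


def host_memory_read(addr: int) -> Optional[bytes]:
    """Host view of memory: only HOST_ADDR yields the real security component."""
    return HOST_COMPONENT if addr == HOST_ADDR else None


def instantiate_unfixed(image_component: bytes, image_link: int, name: str) -> Container:
    """Container whose purported link is never modified (the failure case)."""
    return Container(name, image_component, image_link)


def instantiate(image_component: bytes, image_link: int, name: str) -> Container:
    """Claims 4/5: during instantiation, add a referenced address to the mapping
    table so the container's purported address references the host's address."""
    c = Container(name, image_component, image_link)
    c.mapping[c.purported_link] = HOST_ADDR
    return c


def resolve(c: Container) -> Optional[bytes]:
    """Follow the purported link through the mapping table into host memory."""
    return host_memory_read(c.mapping.get(c.purported_link, c.purported_link))


def attest(c: Container) -> bool:
    """Claim 13 (hash comparison is an assumption): attestation succeeds only if
    the link resolves to the host's component and the container's copy matches."""
    comp = resolve(c)
    if comp is None:
        return False
    return hashlib.sha256(comp).digest() == hashlib.sha256(c.component_copy).digest()
```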

Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee.  Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to PETER C SHAW whose telephone number is 571-270-7179.  Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.  If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Carl Colin can be reached on 571-272-3862.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.

Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should 






/PETER C SHAW/Primary Examiner, Art Unit 2493
April 21, 2021