DETAILED ACTION

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

International/Foreign Search Report
The International/Foreign Search Report (hereinafter “SR”) issued by the European Patent Office (EPO) for international/foreign application, EP 20 163 847.5, has been considered. No anticipatory- (marked “X”) or obviousness type (marked “Y”) reference was listed in the SR. The examiner reviewed the prior art listing the general state of the art (marked “A”), but none of the references listed were relied upon in this office action. 

Allowable Subject Matter
Claims 3-10, 16 and 20 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claims 1-2 and 11-12 rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being incomplete for omitting essential steps, such omission amounting to a gap between the steps.  See MPEP § 2172.01.  The omitted steps are:  in order to carry out the invention, the  (subject matter that was disclosed in claim 3).
Claims 13-15 and 17-19 rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being incomplete for omitting essential steps, such omission amounting to a gap between the steps.  See MPEP § 2172.01.  The omitted steps are:  executing the suspected ROP chain in a speculative execution path and forcing a missed prediction of the speculative execution path to then determine if the suspected ROP chain was executed by detecting the canary values on the stack (subject matter disclosed in claims 15, 16 and 20).

How to overcome the rejection of claims 1-2, 11-15 and 17-19 under 35 U.S.C § 112:
It is suggested that the applicant incorporates the subject matter of claim 3 to claim 1, the subject matter of claim 15 and 16 into claim 13, and the subject matter of claim 20 into claim 19 to overcome the rejection under U.S.C. § 112.

Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.


Claim(s) 1-2, 11-12 is/are rejected under 35 U.S.C. 102(a)(1) as being anticipated by “ROP Payload Detection Using Speculative Code Execution” (hereinafter "Polychronakis").

Regarding claim 1:
Polychronakis discloses:
A computing apparatus, comprising:
a processor (Polychronakis implies a processor in the Abstract, “…execution of code…”);
a memory (Polychronakis discloses memory in the Abstract: “…process memory…”); and
encoded logic to instruct the processor (Polychornakis discloses on pg. 58: “As a step towards filling this gap, we present a new technique for the detection of ROP [return-oriented programming] exploits based on the identification of the ROP payload that is contained in the attack vector. ROPscan, our prototype implementation, uses a code emulator to speculatively execute code fragments that already exist in the address space of a targeted process.”) to:
identify within the memory a payload that is suspected to be a return-oriented programming (ROP) chain (Polychornakis discloses detecting a payload that is suspected to be part of ROP chain: “As ROP code has started replacing conventional shellcode in recent exploits, in this work we build on the concept of dynamic code analysis with the goal to detect the presence of ROP payloads in arbitrary inputs.”);
execute the suspected ROP chain in a speculative execution path within the processor (Polychornakis disclosing executing the suspected ROP chain in a speculative execution path, see pg. 58: “a code emulator to speculatively execute code fragments that already exist in the address space of a targeted process.”; 60: “3.2 Speculative Execution … speculatively starts executing the code that exists at that address”);
force a missed prediction of the speculative execution path (Polychornakis discloses on pg. 60-61: “During the execution of an instruction sequence, if a jmp eax instruction transfers control to another valid location in the gadget space, but the value of eax has not been loaded from the input buffer, then this sequence is clearly not a gadget. Similarly, consider a relative call instruction that transfers control a few bytes further from the current location of EIP, followed at some point by a ret instruction. In this case, ret does not denote the end of a gadget although it reads an address from the payload and jumps to it, because the value read is not the original value that ex-1. In case a dispatcher gadget is used [6], gadgets first transfer control to it using a previously initialized register.”);
determine that the suspected ROP chain executed through (Polyuchornakis discloses on pg. 63: “For each exploit, we isolated the attack vector that contains the ROP payload, and fed it to ROP scan, which in all cases identified the beginning of the payload correctly. The last two columns in the table correspond to the total number of executed gadgets and the number of unique gadgets, respectively. When considering the detection heuristic used in ROPscan, in the worst case, one of the exploits against Adobe Reader uses just eight gadgets for its ROP code. When combined with the results of Section 4.1, this gives us a range of possible values for the detection threshold between 4–8 gadgets. A median value of six gadgets strikes a good balance between increased resilience to false positives, and the ability to detect even smaller ROP code implementations.”); 
and 
take a security action responsive to the determining (see pg. 65 of Polychornakis: “The detection algorithmof ROPscan can identify the presence of ROP payloads in arbitrary inputs, and the results of our experimental evaluation demonstrate that it can easily extend the detection capabilities of existing defenses that are based solely on the detection of conventional shellcode.”).

Regarding claim 2:
Polychronakis discloses:
The computing apparatus of claim 1, wherein executing the suspected ROP chain the speculative execution path comprises populating a stack return register with a pointer to the suspected ROP chain (see pg. 59: “The gadgets usually end with a ret instruction—hence the name of the technique [17]—although any other indirect jump instruction can be used [6]. The ret instruction is a perfect fit for transferring control to the next gadget because it actually performs two operations at once: sets the instruction pointer (EIP) to the address contained in the memory location pointed to by the stack pointer (esp), and increments the stack pointer by four bytes (assuming an address size of 32 bits). This allows esp to be used as an “index” register for transferring control to the desired gadget according to the list of addresses in the ROP payload.”).  

Regarding claim 11:
Polychronakis discloses:
The computing apparatus of claim 1, further comprising encoded logic to force an increased latency on a speculative execution window (pg. 60: “Based on the above observation, the first step of the detection algorithm is to identify potential gadget addresses within the scanned input. This is achieved by advancing a 4-byte sliding window one byte at a time, and checking whether the 32-bit address that corresponds to the current location of the window falls within the gadget space of any of the protected applications. In the common case, a random address will fall either into an unmapped or nonexecutable memory page, or in the kernel address space (upper 2GB of the total 4GB), as shown in Figure 2(a). Address 0072F741 is not mapped, and the sliding window advances to the next byte of the input.”).   

Regarding claim 12:
Polychronakis discloses:
The computing apparatus of claim 11, wherein forcing the increased latency comprises adding memory access latency (see pg. 60, and citation for claim 11).  

How to overcome the rejection of claims 1-2 and 11-12 under 35 U.S.C § 102:
It is suggested that the applicant incorporates the subject matter of claim 3 to claim 1 to overcome the rejection under U.S.C. § 102.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.

Claims 13-15 and 17-19 is/are rejected under 35 U.S.C. 103 as being unpatentable over “ROP Payload Detection Using Speculative Code Execution” (hereinafter "Polychronakis"), and further in view of "Transparent Run-Time Defense Against Stack Smashing Attacks" (hereinafter "Baratloo").

Polychronakis discloses: 
One or more tangible, non-transitory computer-readable mediums having stored thereon executable instructions to:
dynamically scan a binary object to identify a potential return- oriented programming (ROP) chain (Polychornakis discloses detecting a payload that is suspected to be part of ROP chain: “As ROP code has started replacing conventional shellcode in recent exploits, in this work we build on the concept of dynamic code analysis with the goal to detect the presence of ROP payloads in arbitrary inputs.”);
execute the potential ROP chain (Polychornakis disclosing executing the suspected ROP chain in a speculative execution path, see pg. 58: “a code emulator to speculatively execute code fragments that already exist in the address space of a targeted process.”; 60: “3.2 Speculative Execution … speculatively starts executing the code that exists at that address”);
based at least in part on the determining, designate the potential ROP chain as an ROP chain (Polyuchornakis discloses on pg. 63: “For each exploit, we isolated the attack vector that contains the ROP payload, and fed it to ROP scan, which in all cases identified the beginning of the payload correctly. The last two columns in the table correspond to the total number of executed gadgets and the number of unique gadgets, respectively. When considering the detection heuristic used in ROPscan, in the worst case, one of the exploits against Adobe Reader uses just eight gadgets for its ROP code. When combined with the results of Section 4.1, this gives us a range of possible values for the detection threshold between 4–8 gadgets. A median value of six gadgets strikes a good balance between increased resilience to false positives, and the ability to detect even smaller ROP code implementations.”). 

Polychronakis fails to disclose the following limitation disclosed by Baratloo:
append a canary instruction to the end of the potential ROP chain (see pg. 9 of Baratoloo: “The wrapper entry function saves a copy of the canary value on a canary stack and then jumps to the copied function. The wrapper exit function verifies the current canary value with the canary stack. A canary stack is needed to save canary values for nested function calls. If the canary value is not found on the canary stack, then the function
determines that a buffer overflow has occurred. In that case, the wrapper exit function then calls the die() function, which creates a syslog entry, prints an error message to the standard error device, and terminates. The die() function can also perform additional notification and handling, such as sending an email message or shutting down the entire system.”); and
determine that the canary instruction was executed (see pg. 9 and citation above: “…verifying the canary value at the end of the function to determine if any buffer overflow occurred.”). 
One of ordinary skill in the art would have been motivated, before the effective filing date of the claimed invention, to update the system of Polychornakis by placing canary values on the stack to “determine if any buffer overflow occurred”, and thereby gaining, predictably, the commonly understood benefits of such adaption, that is, terminating malicious code if a discrepancy is detected based on the detected canary values (see Section 3 of Baratloo, pg. 5).
	
	Regarding claim 14:
The combination Polychronakis and Baratoloo discloses:
see pg. 7 of Baratloo with regards to the discussion of using labels).  
	
	Regarding claim 15:
The combination Polychronakis and Baratoloo discloses:
The one or more tangible, non-transitory computer-readable mediums of claim 13, wherein executing the potential ROP chain comprises executing the potential ROP chain in a speculative execution path (Polychornakis disclosing executing the suspected ROP chain in a speculative execution path, see pg. 58: “a code emulator to speculatively execute code fragments that already exist in the address space of a targeted process.”; 60: “3.2 Speculative Execution … speculatively starts executing the code that exists at that address”). 

Regarding claim 17:
The combination Polychronakis and Baratoloo discloses:
The one or more tangible, non-transitory computer-readable mediums of claim 13, wherein the canary instruction comprises a dummy label (see pg. 7 of Baratloo with regards to the discussion of using labels).  

Regarding claim 18:
Polychronakis discloses:
A computer-implemented method of detecting a return-oriented programming (ROP) exploit, comprising:
Polychornakis disclosing executing the suspected ROP chain in a speculative execution path, see pg. 58: “a code emulator to speculatively execute code fragments that already exist in the address space of a targeted process.”; 60: “3.2 Speculative Execution … speculatively starts executing the code that exists at that address”);
designating the suspected ROP chain as an ROP chain (Polyuchornakis discloses on pg. 63: “For each exploit, we isolated the attack vector that contains the ROP payload, and fed it to ROP scan, which in all cases identified the beginning of the payload correctly. The last two columns in the table correspond to the total number of executed gadgets and the number of unique gadgets, respectively. When considering the detection heuristic used in ROPscan, in the worst case, one of the exploits against Adobe Reader uses just eight gadgets for its ROP code. When combined with the results of Section 4.1, this gives us a range of possible values for the detection threshold between 4–8 gadgets. A median value of six gadgets strikes a good balance between increased resilience to false positives, and the ability to detect even smaller ROP code implementations.”). 

Polychronakis fails to disclose the following limitation disclosed by Baratloo:
appending a dummy instruction to the end of a suspected ROP chain (see pg. 9 of Baratoloo: “The wrapper entry function saves a copy of the canary value on a canary stack and then jumps to the copied function. The wrapper exit function verifies the current canary value with the canary stack. A canary stack is needed to save canary values for nested function calls. If the canary value is not found on the canary stack, then the function
determines that a buffer overflow has occurred. In that case, the wrapper exit function then calls the die() function, which creates a syslog entry, prints an error message to the standard error device, and terminates. The die() function can also perform additional notification and handling, such as sending an email message or shutting down the entire system.”);
determining that the dummy instruction was executed (see pg. 9 and citation above: “…verifying the canary value at the end of the function to determine if any buffer overflow occurred.”).
One of ordinary skill in the art would have been motivated, before the effective filing date of the claimed invention, to update the system of Polychornakis by placing canary values on the stack to “determine if any buffer overflow occurred”, and thereby gaining, predictably, the commonly understood benefits of such adaption, that is, terminating malicious code if a discrepancy is detected based on the detected canary values (see Section 3 of Baratloo, pg. 5).

	Regarding claim 18:
The combination Polychronakis and Baratoloo discloses:
The method of claim 18, further comprising taking a security action based on the designating (see pg. 65 of Polychornakis: “The detection algorithmof ROPscan can identify the presence of ROP payloads in arbitrary inputs, and the results of our experimental evaluation demonstrate that it can easily extend the detection capabilities of existing defenses that are based solely on the detection of conventional shellcode.”).


How to overcome the rejection of claims 13-15, 17-19 under 35 U.S.C § 103:
It is suggested that the applicant incorporates the subject matter of claim 15, 16 to claim 13 and the subject matter of claim 20 into claim 18 to overcome the rejection under U.S.C. § 103.

Related Art
The following prior art made of record and cited on PTO-892, but not relied upon, is considered pertinent to applicant’s disclosure: 
U.S. Pub. No. 2018/0039776 A1 (“Loman”) – Loman discloses “trampoline attacks” (a.k.a. “return-oriented programming attacks”) and proposes a detection and mitigation technique by detecting deviations from predicted behavior by using an address table or other control structure. 
“Defending Embedded Systems Against Control Flow Attacks” (by Francillon et al.) – presents a control flow enforcement technique based on an Instruction Based memory Access Control to protect against control flow manipulation, including return-oriented programming attacks (see Section 4.3 of Francillon). 
“Return-Oriented Programming” (by Prandini and Ramilli) – describes the general state of the art of return-oriented programming attacks and discusses some of the detection and evasion techniques on pg. 86-87. 

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Alexander Lagor whose telephone number is (571)270-5143.  The examiner can normally be reached on Monday thru Friday, 9:00 AM to 5:00 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Ashokkumar B. Patel can be reached on (571) 272-3972.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.


/ALEXANDER LAGOR/
Primary Examiner
Art Unit 2491