DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . 
Continued Examination Under 37 CFR 1.114
     A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 23rd, July 2021 has been entered. 
Response to Amendments
Claim(s) 1,9 and 24 are amended
Claim(s) 1-15 and 24 are pending.
Response to Arguments
Applicant’s argument regarding rejection of claim(s) 1-15 and 24 under 35 U.S.C. 103 filed on 23rd, July 2021, have been considered but are moot based on the new grounds of rejection.
Claim Rejections - 35 USC § 112

The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claim(s) 1, 9 and 24 rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA  35 U.S.C. 112, the applicant), regards as the invention.
The claims recite the limitation “the isolating secure memory region”. There is insufficient antecedent basis for this limitation in the claim.
For the purpose of this examination, the examiner construes the limitation of “running the target application with the isolating secure memory region”, to mean running/launching/activating an application using the contents (encryption/decryptions keys or software license) stored in secure memory. 
Appropriate correction is required. 
Claim Rejections - 35 USC § 103
The following is a quotation of pre-AIA  35 U.S.C. 103(a) which forms the basis for all obviousness rejections set forth in this Office action:
(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in section 102 of this title, if the differences between the subject matter sought to be patented and the prior art are such that the subject matter as a whole would have been obvious at the time the invention was made to a person having ordinary skill in the art to which said subject matter pertains.  Patentability shall not be negatived by the manner in which the invention was made.


Claim(s) 1-3, 7-10, 14 and 24 are rejected under pre-AIA  35 U.S.C. 103(a) as being unpatentable over Park et al. (US 2013/0326500 A1), in view of Aditya (US 2013/0031607 A1), further in view of Moon et al. (US 2016/0253520 A1).

Regarding claim 1, Park discloses an application protection method (Park [0011] discloses a system which provides a mobile terminal, an application providing method for same that use an application package installer having multiple pieces of signature (signatures are used to protect an application)  information), comprising:
sending an application download request for a target application to an application management server (Park, Fig. 1, [0040 – 0041] steps 100 discloses a user making an application download request through an input unit. The user may make a download request through a webpage linked with an application providing server (application management server) or through a separate executable program supporting application provision. An application download request may also be issued by an automatic application update procedure), 
wherein the application download request includes terminal identification information (signature information corresponding to mobile terminal) of a terminal (Park Figs. 1, 5 & 6, [0008; 0012 -0019], in steps 300 of Fig. 1, step 312 of Fig. 5 and step 322 of Fig. 6, discloses obtaining an application download request from a user and matching a signature of requesting terminal to a corresponding a particular application package created for that particular/specific terminal type),
receiving a compiled application installation package (compiled application package installer) sent by the application management server (Park [0041], discloses that when an application download request is made, the method of the present invention moves to step 200 where the mobile terminal obtains an application package installer (receiving a compiled application installation package). For example, in response to an application download request, the mobile terminal may obtain an application package 
wherein the compiled application installation package is compiled from an application installation package of the target application according to the terminal identification information (signature information specific to a particular terminal type) by the application management server (Park [0008], discloses the provision of an application to a particular mobile terminal, multiple application packages are created corresponding in number to terminal types and each such application package is associated with signature information specific (terminal identification information used to compile each application installation package by the a management server) to a particular terminal type) and
wherein the compilation algorithm is stored in the cloud (Park [0084] discloses a storage unit 1400 may store programs, data and information necessary for operation of the mobile terminal 1000. In particular, the storage unit 1400 may temporarily store an application package installer (compiled by the server), an application package file (compiled by server), an application signature information (compiled by server), terminal signature information (compiled by server).... The storage unit 1400 may function in cooperation with a web storage or cloud server on the Internet. Thus, the cloud server stores the algorithm used to compile and store an application package installer, an application package file and terminal signature),
installing, according to the compiled application installation package, the target application in a runtime environment (version, user rights, external libraries, etc…) (Park [0024] discloses a control unit may check the validity of the signature information 
wherein the runtime environment is obtained by compiling a preset intermediate file (manifest file written in XML) according to the terminal identification information (Park, [0047] discloses a manifest file written in XML containing signature of terminal device used to define the running environment including application version, usage rights and external libraries); and 
the preset intermediate file (a manifest file written in XML) comprises a runtime file and a framework file (Park, [0056] discloses a manifest file written in XML containing signature of terminal device used to define the running environment including application version, usage rights and external libraries (running environment). The mobile terminal may determine whether the selected signature information corresponds to the employed signature scheme specifying options for a signature algorithm, signature key generation algorithm and certificate according to terminal type, manufacturer, version and platform (Framework)).
Park did not explicitly disclose wherein the target application is encrypted by the application management server; after installing target application in the runtime environment, decrypting, by the terminal, the compiled and encrypted application installation package according to a private key preset in a TrustZone; the TrustZone further is configured to perform the steps of: isolating a secure memory for storing 
Aditya discloses wherein the target application is encrypted by the application management server (Aditya [Abstract] discloses The server system, in response to a software purchase from an end user (customer), is configured to install the software on the customer's machine, encrypt the software, and provision encryption keys to grant the customer access to the software),
after installing target application in the runtime environment, decrypting, by the terminal, the compiled and encrypted application installation package according to a private key preset in a TrustZone (Aditya Fig. 3, [0020] discloses the process of providing an encryption of a software application by provisioning a software encryption /decryption key and storing the software key on an end user system 306. To prevent the end user from accessing the encryption /decryption key, the key may be stored in a secure location (Storing in a TrustZone) of the end user system, e.g., using a trusted platform module or other security circuitry/system that "hides" the key from the user. To provide an additional layer of independent protection of the installed software application, a software license encryption /decryption key is provisioned and storing the software license key on the end user system 308. Similar to the software key, the software license key may be stored in a secure location of the end user system;  [0022] After the software agent module, software application (encrypted) and the software key and/or the software license key are installed on the end user system, use of the software application is controlled via the software agent module. For example, when a user attempts to launch the software application, the software agent module is 
the TrustZone further is configured to perform the steps of: isolating a secure memory for storing terminal’s private key (Aditya Fig. 3, [0020] discloses the process of providing an encryption of a software application by provisioning a software encryption /decryption key and storing the software key on an end user system 306. To prevent the end user from accessing the encryption /decryption key, the key may be stored in a secure location (isolating memory for storing terminal’s private in a TrustZone) of the end user system, e.g., using a trusted platform module or other security circuitry/system that "hides" the key from the user. To provide an additional layer of independent protection of the installed software application, a software license encryption /decryption key is provisioned and storing the software license key on the end user system 308. Similar to the software key, the software license key may be stored in a secure location of the end user system); and 
running the target application with the isolating secure memory region (Aditya, Fig. 3, [0020], discloses to provide encryption of the software application, operations of this embodiment may also include provisioning a software encryption/decryption key and storing the software key on the end user system 306. To prevent the end user from accessing the encryption/decryption key, the key may be stored in a secure location of the end user system, e.g., using a trusted platform module or other security 
Park, and Aditya are analogous because both teachings are from the same field of endeavor with respect to providing a secured means of transmitting applications to client devices. 
Therefore before the effective filing date of the invention, it would have been obvious to a person of ordinary skill in the art to incorporate the strategies by Aditya into the method by Park, the motivation would have been to provide software delivery models, and more particularly, software delivery models with secure access control and monitoring, Aditya [0002]. 

Moon discloses wherein the TrustZone is an architecture solution of a security chip, including a hardware security module such as a SIM (Subscriber Identity Module) card or an SoC (System-on-a-Chip) (Moon, Fig. 5, discloses an operation 520 where a device generates a token and stores the token in a secure storage location (e.g., TrustZone, etc.). The token is applied to a cryptographic library such as PBKDF2 to generate secure bytes based on the token in operation 530; Fig. 6 [0058] discloses an electronic device 601 may include at least one processor (for example, an application processor (AP)) 610, a communication module 620, a subscriber identification module ( SIM) 624, a memory 630; [0062], discloses that the cellular module 621 may identify and authenticate the electronic device 601 within a communication network, using the SIM (for example, a SIM card) 624; In [0060], Moon also discloses that the processor 610 may be implemented, for example, as a system on chip ( SoC)).
Park, Aditya and Moon are analogous because these teachings are from the same field of endeavor with respect to providing a secured means of transmitting applications to client devices. 
Therefore before the effective filing date of the invention, it would have been obvious to a person of ordinary skill in the art to incorporate the strategies by Moon into the method by Park and Aditya, the motivation would have been to provide key migration architecture that enables sensitive data to remain encrypted without an 

Regarding claim 2, Park, Aditya and Moon disclose the method according to claim 1, wherein before sending an application download request for a target application to an application management server (Park [0047], discloses an application information file contains various information on the application, and may be referred to as a manifest file and be written in XML. The application information file may also contain information items such as application name, version, icons, activities, services, provider, application components, usage rights, and external libraries; [0051] prior to the downloading of an application, a manifest file 22 with a filename such as MANIFEST.MF may be created. The manifest file 22 may be created using meta-information on files forming the application package. More specifically, the manifest file 22 may include hash values, which are obtained by hashing files forming the unsigned application package with SHA1, encoded in a Base64 scheme. Here, each hash value may be composed of a filename, hash function name, and hash result) the method further comprises):
compiling the preset intermediate file (manifest file) according to the terminal identification (signature of terminal device) information (Park, [0068] discloses a signature information 20a may be signature information determined to be suitable for the mobile terminal among the multiple pieces of signature information contained in the application package installer. As described before, the signature information 20a may include a signature file 21, a manifest file 22, and a signature block file 23; [0047] 
wherein the compiled preset intermediate file constitutes the runtime environment (Park, [0047] discloses a manifest file written in XML containing signature of terminal device (terminal identification information) used to define the runtime environment including application version, usage rights and external libraries).
The motivation to combine is similar to that of claim 1.

Regarding claim 3, Park, Aditya and Moon disclose the method according to claim 2, wherein compiling the preset intermediate file according to the terminal identification information preset comprises:
obtaining a hash value of the terminal identification information (the signature file 21/terminal identification file may include hash values) (Park [0050], the signature file 21 may be created using a value contained in the manifest file 22. More specifically, the signature file 21/terminal identification may include hash values, which are obtained by hashing code sections for files in the manifest file 22 with SHA1, encoded in a Base64 scheme); and
compiling the preset intermediate file according to the hash value (Park [0050], the signature file 21 may be created using a value contained in the manifest file 22. More specifically, the signature file 21 may include hash values, which are obtained by hashing code sections for files in the manifest file 22 with SHA1, encoded in a Base64 
The motivation to combine is similar to that of claim 2.

Regarding claim 7, Park, Aditya and Moon disclose the method according to claim 1, wherein receiving a compiled application installation package sent by the application management server comprises (Park [0041] discloses that when an application download request is made, the method of the present invention moves to step 200 where the mobile terminal obtains an application package installer. For example, in response to an application download request, the mobile terminal may obtain a compiled application package installer from a server):
receiving a compiled application installation package sent by the application management server (Park –Step 200), wherein the compiled application installation is compiled from an application installation package of the target application according to the terminal identification information. Also in [0041], Park discloses that when an application download request is made, the method of the present invention moves to step 200 where the mobile terminal obtains an application package installer. For example, in response to an application download request, the mobile terminal may obtain an compiled application package installer from a server), 
where the compiled application installation is compiled from an application package of the target application according to the terminal information (Park [0008], discloses the provision of an application to a particular mobile terminal, multiple application packages are created corresponding in number to terminal types and each 
wherein the compiled application is encrypted by the application management server (Aditya [Abstract] discloses The server system, in response to a software purchase from an end user (customer), is configured to install the software on the customer's machine, encrypt the software, and provision encryption keys to grant the customer access to the software).
The motivation to combine is similar to that of claim 1.

Regarding claim 8, Park, Aditya and Moon disclose the method according to claim 7, wherein after installing the target application in a runtime environment (Park [0024] discloses a control unit 1300 which may check the validity of the signature information corresponding to the mobile terminal, and install, when the corresponding signature information is valid, a requested application using the signed application package),
the method further comprises: decrypting the compiled and encrypted application installation package according to a private key preset (Aditya [0022] After the software agent module, software application (encrypted) and the software key and/or the software license key are installed on the end user system (target application is installed a secured memory on the user’s device), use of the software application is controlled via the software agent module. For example, when a user attempts to launch (to run the application from the secured memory location) the software application, the software 
and executing the target application (Aditya [0022] After the software agent module, software application (encrypted) and the software key and/or the software license key are installed on the end user system (target application is installed a secured memory on the user’s device), use of the software application is controlled via the software agent module. For example, when a user attempts to launch (to run the application from the secured memory location) the software application, the software agent module is configured to communicate with the remote server to determine if the user is allowed access to the software application, and if so, the software agent module is configured to decrypt the software application (application is already installed on the user device) and/or the software license using the software key and/or the software license key, respectively, and allow the user to access the software application).
The motivation to combine is similar to that of claim 7.

Regarding claim(s) 9-10, see similar rejections of claim(s) 1 and 3, respectively, where the method is taught by the method.

Regarding claim 14, Park, Aditya and Moon disclose the method according to any one of claim 9 wherein: after the compiling an application installation package of the 
encrypting the compiled application installation package (Park [0041], discloses that when an application download request is made, the method of the present invention moves to step 200 where the mobile terminal obtains an application package installer (receiving a compiled application installation package). For example, in response to an application download request, the mobile terminal may obtain an application package installer from a server (receiving a compiled application installation package from a server)), and
sending the compiled application installation package to the terminal comprises (Park [0041], discloses that when an application download request is made, the method of the present invention moves to step 200 where the mobile terminal obtains an application package installer (receiving a compiled application installation package). For example, in response to an application download request, the mobile terminal may obtain an application package installer from a server (receiving a compiled application installation package from a server)); [0008] provisioning/sending an application to a particular mobile terminal, where multiple application packages are created corresponding in number to terminal types and each such application package is associated with signature information specific to a particular terminal type):

The motivation to combine is similar to that of claim 9.

Regarding claim 24, see similar rejections of claim 1, where the terminal is taught by the method.

Claim(s) 4, 5 and 11-12 are rejected under pre-AIA  35 U.S.C. 103(a) as being unpatentable over Park et al. (US 2013/0326500 A1), in view of Aditya (US 2013/0031607 A1), further in view of Moon et al. (US 2016/0253520 A1), further in view of Zucker (US 5,822,787).

Regarding claim 4, Park, Aditya and Moon disclose the method according to claim 3, wherein compiling the preset intermediate file according to the hash value comprises: compiling the preset intermediate file according to the hash value (Park 
Park, Aditya and Moon did not explicitly disclose generating an application binary interface (ABI) corresponding to the hash value.
Zucker discloses generating an application binary interface (ABI) (Fig. 2, (46)) corresponding to the hash value (Zucker Col. 3, lines 54-60, & Col. 12, lines 6-19, discloses virtual address consisting of virtual segment identifier (VSID) obtained by hashing the offset/VSID and searching indicated portion of the page table, Col. 3, lines 54-60. The link editor 50 arranges to have the program transfer control to entries in the procedure linkage tables so that application binary interface 46, a pointer table section 82 includes a pointer table for each respective procedure linkage table 80 (generating application binary interface based on hash value in the table).
Park, Aditya, Moon and Zucker are analogous because these teachings are from the same field of endeavor with respect to providing access to data location in memory.
Therefore before the effective filing date of the invention, it would have been obvious to a person of ordinary skill in the art to incorporate the strategies by Zucker into the method by Park, Aditya and Moon, the motivation would have been unmapping control unit unmaps stale entries in a page table after all Virtual address spaces have been allocated to processes, thereby ensuring that the unmapping operation will occur 

Regarding claim 5, Park, Aditya, Moon and Zucker disclose the method according to claim 4, generating an ABI corresponding to the hash value comprises (Zucker, Col. 3, lines 54-60. The link editor 50 arranges to have the program transfer control to entries in the procedure linkage tables so that application binary interface 46, a pointer table section 82 includes a pointer table for each respective procedure linkage table 80 (generating application binary interface based on hash value in the table):
wherein separately adjusting a link address (dynamic linker 54, relocates and resolves addresses) and a symbol table name (Symbol table 116) of the preset intermediate file according to the hash value (Zucker, Fig. 2, Col. 7 lines 24-50 and Col. 8, lines 50-63, discloses how a source application 40 is processed by a compiler and a link editor 50 to produce a binary application program 44. An Application Binary Interface (ABI) 46 is generated in accordance with specified linkage convention to interface the application program 44 and the link editor 50 performs various memory relocations using information available in the program 44 and the system library 52, Col. 7 lines 24-50. Furthermore Zucker discloses the use of link editor 50 and the dynamic linker 54 to perform the required relocations and resolve absolute addresses as required, the program further comprises a string table section 74 for storing text names of symbols including data constants, variables and strings, and a symbol table section 
The motivation to combine is similar to that of claim 4.

Regarding claim(s) 11-12, see similar rejections of claim(s) 4-5, where the method is taught by the method.

Claim(s) 6 and 13 are rejected under pre-AIA  35 U.S.C. 103(a) as being unpatentable over Park et al. (US 2013/0326500 A1), in view of Aditya (US 2013/0031607 A1), in view of Moon et al. (US 2016/0253520 A1), in view of Zucker (US 5,822,787), further in view Elko et al. (US 5,537,574).

Regarding claim 6, Park, Aditya, Moon and Zucker disclose the method according to claim 5, wherein separately adjusting a link address and a symbol table name of the preset intermediate file according to the hash value comprises:
encoding the symbol table name of the preset intermediate file (Park [00500-0051], the manifest file 22 may have a filename such as MANIFEST.MF. The manifest file 22 may be created using meta-information on files forming the application package. More specifically, the manifest file 22 may include hash values, which are obtained by hashing files forming the unsigned application package with SHA1, encoded in a Base64 scheme. Here, each hash value may be composed of a filename, hash function name, and hash result, [0051].

	Elko discloses performing an exclusive OR operation on the link address of the preset intermediate file and the hash value, to generate a link address of the compiled preset intermediate file (Elko, Col. 26, line 59-Col. 27, line 3, a hash table 301 enables a search operation to quickly find a required directory entry. The search operation hashes a data name received in a CPC command (302), using any hashing algorithm (303), of which many are well-known in the art. For example, the hash operation may be an exclusive -OR operation upon the bytes in the received name to be searched. The hash operation generates a hash-table address for an entry within a hash anchor table. Any hash table address may be generated by a name, as long as different names generate addresses that disperse to different entry locations within the table. Each hash-table entry contains an address to a cache directory entry); and 
	performing an exclusive OR operation on the encoded symbol table name and the hash value, to generate a symbol table name of the compiled preset intermediate file (Elko, Col. 26, line 59-Col. 27, line 3, a hash table 301 enables a search operation to quickly find a required directory entry. The search operation hashes a data name received in a CPC command (302), using any hashing algorithm (303), of which many are well-known in the art. For example, the hash operation may be an exclusive -OR operation upon the bytes in the received name to be searched. The hash operation 
Park, Aditya, Moon, Zucker and Elko are analogous because these teachings are from the same field of endeavor with respect to providing techniques for identifying and accessing data stored in memory.
Therefore before the effective filing date of the invention, it would have been obvious to a person of ordinary skill in the art to incorporate the strategies by Elko into the method by Park, Aditya, Moon and Zucker, the motivation would have been that it tolerates the retention of known methods and structures for DASD access, while maintaining the integrity of data obtained from a DASD and cached in a memory (aka SES) shared by a plurality of computer systems, Elko, Col. 4, lines 56-61.

Regarding claim 13, see similar rejections of claim 6, where the method is taught by the method.

	Claim(s) 15 is rejected under pre-AIA  35 U.S.C. 103(a) as being unpatentable over Park et al. (US 2013/0326500 A1), in view of Aditya (US 2013/0031607 A1), in view of Moon et al. (US 2016/0253520 A1), Floyd et al. (US 9,817,680 B1).

Regarding claim 15, Park, Aditya and Moon disclose the method according to claim 14, but did not explicitly disclose wherein the encrypting the compiled application installation package comprises: determining a class constructor in the compiled application installation package; and encrypting the class constructor.
In an analogous art, Floyd discloses determining a class constructor in the compiled application installation package (Floyd, Col. 1, lines 51-52, define a class constructor to be a special type of method called when a new object is created; Col. 4, lines 22 – 31, discloses loading in each application class constructor the settings member variable using “GetSettings” method. Settings are then accessed via the public members on the settings classes. Applications (and components) create “settings classes” to represent the settings needed in the applications. Each application class that needs settings may have its own settings in a configuration file, or may use settings that are global to the application)
encrypting the class constructor (Floyd, Col. 2, lines 12 – 21, discloses the use of encryption attributes to define an application class, then it further writes the value encrypted and decrypts the value when it reads it. Thus, the values or settings used by the class constructor are encrypted and decrypted to read or modify the values. Col. 8, lines 6-41, outlined procedures and code segments for encrypting settings class members. The code segment include adding encrypted attribute to the settings class members that are encrypted, encrypted attribute can be used for both application settings and user preferences and when the “WriteSettings” method is called to create the configuration file, settings marked with encrypted will be encrypted).

Therefore before the effective filing date of the invention, it would have been obvious to a person of ordinary skill in the art to incorporate the strategies by Floyd into the method by Park, Aditya and Moon, the motivation would have been to provide tools for generating and processing application settings for a software application using an application configuration component operating on a computer system, Floyd, [Abstract].
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. The following publications show the state of the art related to the installation of application in a secured storage space, generating a private key for accessing the application to avoid unauthorized access.
Larose et al. (US 6,108,420)
Abraham et al. (US 2013/0318357 A1)
Warnez et al. (US 2015/0172255 A1)
Paatero (US 7,930,537 B2)
Zhu et al. (US 2006/0093149 A1)
Any inquiry concerning this communication or earlier communications from the examiner should be directed to DIXON F DABIPI whose telephone number is (571)270-3673.  The examiner can normally be reached on 8:30 -5:00 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an 
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Rupal Dharia can be reached on 571-272-3880.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/D.F.D/ Examiner, Art Unit 2443                                                                                                                                                                                             
/RUPAL DHARIA/Supervisory Patent Examiner, Art Unit 2443