Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-4, 6-11, 13-18 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Kim (US Patent Pub. 20110010559) in view of Goyal (US Patent Pub. 20180239921).


As per claims 1, 8 and 15: Kim discloses a system for web application security through containerization, the system comprising (see abstract): 
see fig. 1): 
receive, from a management service, a security label for a protected application, and a list of permitted applications that are allowed to access files originated by the protected application (Paragraph 73; the filter module 140 may determine whether the corresponding application is a permitted application and, if, as a result of the determination, the corresponding application is not a permitted application, preclude the corresponding application from accessing the encryption information. This filter module may be implemented in the form of a file system filter or a mini filter, for example, in a kernel area); 
determine, by the kernel-level management instructions, an application identity for an application that invokes the file access system call; and permit or deny, by the kernel-level management instructions, access to the secured file based on a comparison of the application identity with the list of permitted applications within the security label map (Paragraph 73; the filter module 140 may determine whether the corresponding application is a permitted application and, if, as a result of the determination, the corresponding application is not a permitted application, preclude the corresponding application from accessing the encryption information. This filter module may be implemented in the form of a file system filter or a mini filter, for example, in a kernel area).
Kim does not specifically disclose write a security label map within a kernel layer of the client device, comprising: the security label, and the list of permitted applications; 
Goyal discloses the apparatus 200, in conjunction with kernel 150 of FIG. 1, may intercept I/O requests from the applications to the overlay filesystem 215. The kernel 150 may route such requests to the appropriate layer of the filesystem (Paragraph 36). Further, Goyal discloses if the security context labels of the mounter process 232 and the file 275 match each other and the type of access request by the application process 252 is permitted based on the mounter access policy 245, the access provider 270 may issue an instruction 272 to the kernel 150 to allow the request 255 of the application process 252 to access to the file 275 (Paragraph 42).
Therefore, it would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains, having the teachings of Kim and Goyal in its entirety, to modify the technique of Kim for determining whether the corresponding application is a permitted application by adopting Goyal's teaching of intercepting I/O requests from the applications to the overlay filesystem. The motivation would have been to improve a system for web application security through containerization.
As per claims 2, 9 and 16: The combination of Kim and Goyal discloses the system of claim 1, wherein a management agent within an application layer of the client device calls a function that writes the security label map, wherein the function is exposed by a user driver within the kernel layer (See Goyal; Paragraph 13; each "object" (e.g., file, directory, etc.) in the overlay is given a label. Each of the objects may be accessed in a number of ways (e.g., read, write, execute, etc.). Further, a "subject" such as an application process may access the objects. Each subject is also assigned a security context label).
As per claims 3, 10 and 17: The combination of Kim and Goyal discloses the system of claim 1, wherein the instructions, when executed by the at least one processor, cause the client device to at least:
install the protected application on the client device, wherein the security label and the list of permitted applications are received based on the protected application being installed on the client device (See Goyal; Paragraph 73; the filter module 140 may determine whether the corresponding application is a permitted application and, if, as a result of the determination, the corresponding application is not a permitted application, preclude the corresponding application from accessing the encryption information. This filter module may be implemented in the form of a file system filter or a mini filter, for example, in a kernel area).
As per claims 4, 11 and 18: The combination of Kim and Goyal discloses the system of claim 1, wherein the security label is uniquely associated with the protected application (See Goyal; Paragraph 41; The security context label uniquely identifies a specific security context associated with the mounter process 232).
As per claim 6, 13 and 20: The combination of Kim and Goyal discloses the system of claim 1, wherein the kernel-level management instructions permits access to the secured file by passing the file access system call to an inter-process communication mechanism (See Goyal; Paragraph 73; the filter module 140 may determine whether the corresponding application is a permitted application and, if, as a result of the determination, the corresponding application is not a permitted application, preclude the corresponding application from accessing the encryption information. This filter module may be implemented in the form of a file system filter or a mini filter, for example, in a kernel area).
As per claim 7 and 14: The combination of Kim and Goyal discloses the system of claim 1, wherein the kernel-level management instructions denies access to the secured file by preventing the file access system call from being passed to an inter-process communication mechanism (See Goyal; Paragraph 73; the filter module 140 may determine whether the corresponding application is a permitted application and, if, as a result of the determination, the corresponding application is not a permitted application, preclude the corresponding application from accessing the encryption information. This filter module may be implemented in the form of a file system filter or a mini filter, for example, in a kernel area).

Claims 5, 12 and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Kim (US Patent Pub. 20110010559) in view of Goyal (US Patent Pub. 20180239921) and in view of RAMACHANDRAN (US Patent Pub. 20120137375).


As per claim 5, 12 and 19: The combination of Kim and Goyal discloses the system of claim 1, determine, by the kernel-level management instructions, an application identity for an application that invokes the file access system call; and permit or deny, by the kernel-level management instructions, access to the secured file based on a (See Kim; Paragraph 73; the filter module 140 may determine whether the corresponding application is a permitted application and, if, as a result of the determination, the corresponding application is not a permitted application, preclude the corresponding application from accessing the encryption information. This filter module may be implemented in the form of a file system filter or a mini filter, for example, in a kernel area).
Kim in view of Goyal do not specifically disclose wherein the security label is embedded within an inode table.
RAMACHANDRAN discloses the local label store 123 is a partition that is encrypted using a key embedded in the kernel image. The local label store 123 is stored in a partition not readable to user space processes (enforced using LSM checks). On disk, labels 200 are indexed by the inode numbers or process identifications of the resources to which they map. Label 200 reads and writes are buffered using an in-memory cache (Paragraph 102).
Therefore, it would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains, having the teachings of Kim and Goyal in its entirety, to modify the technique of Kim for determining whether the corresponding application is a permitted application by adopting RAMACHANDRAN's teaching for labels that are indexed by the inode numbers or process identifications of the resources to which they map. The motivation would have been to improve a system for web application security through containerization.

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to ANTHONY D BROWN whose telephone number is (571)270-1472. The examiner can normally be reached on 730-330pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffrey Pwu, can be reached on 571-272-6798. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/ANTHONY D BROWN/Primary Examiner, Art Unit 2433