DETAILED ACTION

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Response to Arguments
Applicant’s arguments with respect to claim(s) 1-21 and 23 have been considered but are moot based on new grounds of rejection.


Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-5, 7-12, 15-17, 19-21 and 23 are rejected under 35 U.S.C. 103 as being unpatentable over Christodorescu, publication number: US 2016/0253497 in view of Kim, publication number 2017/0372067.

As per claims 1, 8, 21 and 23, Chirstodorescu teaches a method for detection of tampering in an executable code comprising one or more code blocks, 
monitoring execution of the executable code with a call stack data structure associated therewith, the execution involving accessing one or more address spaces (Static and/or dynamic analysis of program code (tamper detection code) determines the instructions of the program, and generates an inter-procedural control flow graph (CFG), the graph having nodes representing instructions and “edges” (arrows) that represent the control flow transitions “between the [nodes] instructions” due to e.g., “jumps, [function] calls, [function] returns”; in particular, edges (arrows) exiting nodes correspond to the last instruction executed at the nodes (e.g. jump, (function) call/return) and edges entering the nodes correspond to the first instruction executed at the nodes targeted by said jump, call/return instructions (Christodorescu: e.g. par. 56- 57, 70-78; Fig. 4-5). The inter-procedural CFG flow graph is further augmented (as a “memory traversal map”) to include memory regions (portions) that correspond to the code portions of respective CFG nodes (see Figs. 4-5); accordingly, the memory [addresses] traversal map (call stack data structure) indicates memory locations (addresses) to be monitored/intercepted, and the order in which the memory locations are accessed during program execution (e.g. MRO-MR7 in Fig. 5); during 
receiving information about the one or more address spaces, as accessed (“In block 1004, the computing device may retrieve the memory address specified by a memory access request to the memories of the computing device (Christodorescu: par. 110; Fig. 10), where the monitoring of memory accesses is performed in accordance with the memory map, as outlined above);
comparing the received information about one or more accessed address spaces with information about one or more allowed address spaces defined in the call stack data structure of the executable code (“In determination block 1008, the computing device may determine whether a memory address of a memory access request matches a next memory address of the memory traversal map to determine whether the memory address and the next memory address match” (Christodorescu: par. 112; Fig. 10));
raising a flag upon detection that the one or more accessed address spaces are different from the one or more allowed address spaces, based on the comparison (“In response to determining that the memory address of the memory access request does not match the next memory address of the memory traversal map (i.¢., 
executing an action based on the raised flag (In addition to the alert (flag), a configurable security response includes “terminating the program, continue program execution in a sandbox for forensic purposes, attempting to repair program state and continue execution of the program, and/or rolling back the program state (with help of a checkpointing mechanism) and continuing execution of the program” (Christodorescu: par. 35, 100)).

Christodorescu does not teach wherein the received and compared information is about the size of the code block. 
In an analogous art, Kim teaches wherein the received and compared information is about the size of the code block (checking for tampering by comparing information associated with block size such as hashes, Fig. 5 and 6, [0116-0120][0126][0107][0124]).


As per claims 2 and 9, the combination teaches monitoring execution of each of the one or more code blocks of the executable code (Christodorescu: e.g. Fig. 4-5; all memory regions MRO-7 are monitored; and as outlined for the rejection of claim 1).

As per claims 3 and 10, the combination teaches monitoring execution of one or more predetermined code blocks of the executable code (Christodorescu: e.g. par. 61-62, Fig. 4-5; in order to minimize the performance overhead, in one embodiment, the memory traversal map includes “memory regions for the vulnerable sections of the program instructions and ignore less vulnerable sections of the program instructions’).

As per claims 4 and 11, the combination teaches monitoring execution of initial one to three code blocks of the executable code (Christodorescu: Fig. 4-5; memory blocks MRO-MR2).

As per claims 7 and 19, the combination teaches adding the flag as a global variable to the executable code (The flag is a global variable as it must be visible/accessible to the countermeasure functions outlined for the rejection of claim 1. This is a standard programming feature, known to programmers of ordinary skill, which is not a differentiating feature).
As per claim 15, the combination teaches wherein the tamper detection code is added in line to the executable code (The code for determining/ identifying a ROP attack (tamper detection code) is executed inline when a memory access request is issued and before the response to the access request is received from the memory (Christodorescu: par. 111-115; Fig. 10)
As per claim 16, the combination teaches wherein the tamper detection code is a function called for execution of the executable code (The code for determining/ identifying a ROP attack (tamper detection code) is called when a memory access request “to memory addresses corresponding to memory regions of the memory traversal map for the program” is detected; (Christodorescu: par. 109; Fig. 10)),
As per claim 17, the combination teaches wherein the tamper detection code is a stack pointer function (The tamper detection code determines whether a “mismatch of the memory address and the next memory address(es) is indicative of an ROP attack”, 
As per claim 20, the combination teaches wherein the executable code is associated with a gaming application (Christodorescu: par. 25, 28; “Aspects include methods and computing devices implementing such methods for detecting ROP attacks” where in one embodiment the computing devices are “gaming controllers’).


Claims 6 and 13 are rejected under 35 U.S.C. 103 as being unpatentable over Christodorescu in view of Kim, in further view of Nayshtut et al. US 2019/0354678 A1 (hereinafter Nayshtut).
As per claims 6 and 13, the combination of Christodorescu and Kim teach elements as described in claim 1. 
The combination does not expressly disclose transmitting information to a server. However, in a related application, Nayshtut discloses that data/information related to a (ROP: par. 3, 7) exploit is “transmitted via a network” to an “endpoint security product 206” hosted by a (distribution) “server 102”, which provides “additional analysis describing the types of exploits affecting different endpoints 104A-F in different physical locations”. The additional analysis, enable the server 102 to send to the endpoints, new exploits detection algorithms or updates to existing detection algorithms 
Transmitting to a server arrangement, upon raising the flag, information related to one or more of: - one or more programs modifying the address spaces being accessed for execution of the executable code; - information related to an Internet Protocol (IP) address of a user device employing the executable code; and - information about a user profile associated the user device (Address spaces (MRx), and the IP address from which the information is transmitted over the network, per above).

Claims 14 and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Christodorescu in view Kim in further view of Harel et al. US 2018/0349598 A1 (hereinafter Harel).

Christodorescu and Kim do not expressly disclose a checksum function to prevent tampering of the tamper detection code and associated data (recited by claim 18), which effectively causes the executable code to comprise at least one read-only segment (recited by claim 14). However, in a related application, Harel (par. 39) discloses a security policy that includes generating signatures (checksums) for software components, where the signatures “can be used to verify that the code being executed...is authentic and has not been modified/altered/replaced’. ). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Christodorescu and Kim with Harel. One would have done so for the reasons outlined above by Harel. In the context of Christodorescu, the signature is generated at least for the monitoring code and the code for determining/ identifying a ROP attack (tamper detection code), as the integrity of said codes is crucial for correct monitoring and determination of ROP attacks, as outlined for the rejection of claim 1. At least in an alternative embodiment, an additional signature is generated for the memory traversal map, as Memory traversal map is an integral part of the tamper detection code, storing the expected sequence of memory regions (MRx), as outlined for the rejection of claim 1. Accordingly, Christodorescu and Kim in view of Harel discloses:
(14) The executable code comprises at least one read-only segment containing information related to the one or more allowed address spaces thereof (as 
(18) The processor is configured to implement a checksum function to prevent tampering of the tamper detection code (as outlined above in view of Harel)

Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 




Any inquiry concerning this communication or earlier communications from the examiner should be directed to OLUGBENGA O IDOWU whose telephone number is (571)270-1450. The examiner can normally be reached Monday-Friday 8am - 5pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jung Kim can be reached on 5712723804. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/OLUGBENGA O IDOWU/Primary Examiner, Art Unit 2494