DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application is being examined under the pre-AIA  first to invent provisions. 

Response to Arguments
Regarding independent claim 25:
Applicant's arguments have been fully considered but they are not persuasive.
Applicant argues that “Rather than ‘presenting to a user a prompt that prompts the user to simplify a model of the downgrader…’ Garland's ‘system specifications,’ however, are not a ‘downgrader’ as that term is defined and described in Applicant's specification.” In response to Applicant's arguments against the references individually, one cannot show nonobviousness by attacking references individually where the rejections are based on combinations of references.  See In re Keller, 642 F.2d 413, 208 USPQ 871 (CCPA 1981); In re Merck & Co., 800 F.2d 1091, 231 USPQ 375 (Fed. Cir. 1986). In this case, the Garland reference is not relied upon for teaching a “downgrader.” Instead, the Saner reference is relied upon for teaching a downgrader (one or more program code modules that perform validations and/or transformation of user inputs in a computer program). For instance, the abstract recites that “little research has been performed to analyze the correctness of the sanitization process… the sanitization process itself could be incorrect or incomplete… we present a novel approach to the analysis of the sanitization process.” The Saner reference later discusses extracting the sanitization graph and testing the effectiveness of sanitization solutions as per at least sections 3.2.1 and 3.2.2.
Where Applicant further argues that “presenting to a user a prompt that prompts the user to simplify a model of the downgrader,” it is noted that the combination of Rajan and Saner in view of Garland is relied upon for teaching that limitation. For instance, [0024] of Rajan discloses that: “Once the specification model has been developed, a property is verified using model checking on the specification model using standard techniques and a counterexample is 
The Garland reference recites (Col. 15, Ll. 47-Col. 16, Ll. 3)  that its “system supports a user transforming the specification of an automaton into a restricted form suitable for simulation… an automaton specification that must not be used in the specification of automaton A relates to non-determinism… One approach to resolving the explicit nondeterminism… is for the user to provide a "chooser" function for each "choose" statement.  This "chooser" function then provides a deterministic procedure for selecting from the set of choices specified by the "choose" statement, parameter, or initial assignment.  Deterministic scheduling is accomplished by allowing at most one action (which must be a non-input action since the automaton is closed) to be enabled in any state.  One approach to satisfying the deterministic scheduling requirement is for the user to provide an explicit "action selector" function for the automaton that identifies a transition definition and parameter values for the enabled non-input actions for each state of the automaton.” The Garland reference further recites (Col. 24, Ll. 11-30) that its “Interactive tools can include an nondeterminism "remover" which, for example, prompts a user to provide a "chooser" function for each instance of a "choose" statement.  The non-determinism remover can also prompt the user to provide an "action selector" function to resolve the implicit 
Accordingly, the teachings of the Garland reference are combined with those of Rajan-Saner’s web test case for a sanitization routine, such that during modification, the user is further prompted to resolve non-determinism in the sanitization routine (“presenting to a user a prompt that prompts the user to simplify a model of the downgrader”). 
	Applicant additionally argues that “Rajan, Balzarotti and Garland do not teach or suggest that operation of Garland's "interactive tools" is responsive to Rajan's ‘[t]he web test case is executed on the implementation’ passing” and that “the cited prior art references must disclose that ‘presenting to a user a prompt that prompts the user to simplify a model of the downgrader’ has a clear relationship to ‘the downgrader passing the testing performed in the second level of analysis.’” In response, it is noted that the “responsive to” relationship is comprised within the Rajan reference: i.e., “responsive to the [property] passing the testing performed in the second level of analysis, presenting to a user a prompt” as per [0024] of Rajan and page 9 of the 6/29/2021 Office action. In this case, the Rajan reference already teaches prompting the user for a modification responsive to a test result, but does not teach the specific property being verified, nor the specific modification undertaken. As discussed above, the Rajan reference is combined with that of Saner and Garland for addressing said teachings.
In response to Applicant’s argument (page 15) that there is no teaching, suggestion, or motivation to combine the references, the examiner recognizes that obviousness may be established by combining or modifying the teachings of the prior art to produce the claimed invention where there is some teaching, suggestion, or motivation to do so found either in the references themselves or in the knowledge generally available to one of ordinary skill in the art.  See In re Fine, 837 F.2d 1071, 5 USPQ2d 1596 (Fed. Cir. 1988), In re Jones, 958 F.2d 347, 21 KSR International Co. v. Teleflex, Inc., 550 U.S. 398, 82 USPQ2d 1385 (2007).  In this case, as per at least [0001]-[0003], the Rajan reference is concerned with verifying web applications (e.g., “existing implementations may contain errors, such as the user database not being updated correctly even after a user registers, or a shopping cart not being emptied even after the user checks out, and so forth”). Rajan does not heavily detail exemplary errors, and as such, does not discuss web application sanitization routines. However, sanitization routines are part of web applications (see the abstract of Saner stating as much), and it would make sense to test sanitization routines as an additional category of potential errors. Further, since the combined teachings rely upon use of automata for simulation, it would be advantageous to remove issues of non-determinism, as per the teachings of Garland discussed above.
In response to Applicant's argument that the examiner's conclusion of obviousness is based upon improper hindsight reasoning, it must be recognized that any judgment on obviousness is in a sense necessarily a reconstruction based upon hindsight reasoning.  But so long as it takes into account only knowledge which was within the level of ordinary skill at the time the claimed invention was made, and does not include knowledge gleaned only from the applicant's disclosure, such a reconstruction is proper.  See In re McLaughlin, 443 F.2d 1392, 170 USPQ 209 (CCPA 1971).

Regarding independent claim 32:
Applicant's arguments have been fully considered but they are not persuasive.
Since Applicant’s arguments concerning claim 32 rely on those of claim 25, they are likewise not found to be persuasive. 

Regarding independent claim 39:
Applicant's arguments have been fully considered but they are not persuasive.


Regarding claim 31:
Applicant's arguments have been fully considered but they are not persuasive.
	Applicant argues that the rejection is improper since claim 31 presents additional limitations not found in claims 25 and 30. In response, it is noted that the previously cited portions of Rajan concerning testing (i.e., FIG. 3) and the previously cited portions of Saner concerning testing a string automata (i.e., 3.1-3.1.3) are likewise relevant in addressing the additional language of claim 31.

Regarding claim 38:
Applicant's arguments have been fully considered but they are not persuasive.
	Applicant argues that the rejection is improper in substantially the same way as discussed concerning claim 31 above. In response, it is noted that the previously cited portions of Rajan concerning testing (i.e., FIG. 3) and the previously cited portions of Saner concerning testing a string automata (i.e., 3.1-3.1.3) are likewise relevant in addressing the additional language of claim 38.

Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA  as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA . A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b). 
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA /25, or PTO/AIA /26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.
Claims 25-44 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1 and 7 of U.S. Patent No. US 8,875,297 B2. Although the claims at issue are not identical, they are not patentably distinct from each other because the claims of the patent anticipate those of the instant application. For instance, exemplary claim 25 is .

Instant Application
US 8,875,297 B2
Claim 25. A method, comprising:

identifying a downgrader in a computer program under test;

performing, using a processor, testing on the downgrader in a first level of analysis; 

responsive to the downgrader not passing the testing performed in the first level of analysis:

automatically synthesizing a counter example for the downgrader;







creating a test unit for the downgrader using the counter example as an input parameter to the downgrader; and

executing the test unit to perform testing on the downgrader in a second level of analysis; and



identifying a downgrader in a computer program under test;

via a processor, performing testing on the downgrader in a first level of analysis;

responsive to the downgrader not passing the testing performed in the first level of analysis:

automatically synthesizing a counter example for the downgrader, wherein synthesizing the counter example for the downgrader comprises encoding as a first logical formula a complement of a regular pattern asserting a security property of a method corresponding to the downgrader, encoding as a second logical formula instructions of the method within a call graph, and feeding the first logical formula and the second logical formula into a string-analysis solver;

creating a test unit for the downgrader using the counter example as an input parameter to the downgrader; and

executing the test unit to perform testing on the downgrader in a second level of analysis.


responsive to the downgrader passing the testing performed in the second level of analysis, prompting a user to simplify a model of the downgrader.


Claims 25-44 rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1, 7-8, and 14 of U.S. Patent No. US 8,863,292 B2. Although the claims at issue are not identical, they are not patentably distinct from each other because the claims of the patent anticipate those of the instant application. For instance, exemplary claim 32 is disclosed by claims 1 and 7 of the patent. Claim 39 is likewise disclosed by claims 8 and 14 of the patent for substantially the same reasons (i.e., similar language). Claim 25 is disclosed by claims 1, 7, 8, and 14 of the pantent (i.e., the method being executed).  Instant claims 26-31, 33-38, and 40-44 depend on respective parent claims 25, 32, and 39, and are therefore likewise rejected.

Instant Application
US 8,863,292 B2
Claim 32. A system comprising:
a hardware processor configured to initiate executable operations comprising:

identifying a downgrader in a computer program under test; 

performing testing on the downgrader in a first level of analysis; 

responsive to the downgrader not passing the testing performed in the first level of analysis:

automatically synthesizing a counter example for the downgrader;







creating a test unit for the downgrader using the counter example as an input parameter to the downgrader; and

executing the test unit to perform testing on the downgrader in a second level of analysis; and

responsive to the downgrader passing the testing performed in the second level of analysis, presenting to a user a prompt that prompts the user to simplify a model of the downgrader.

a processor configured to initiate executable operations comprising:

identifying a downgrader in a computer program under test;

performing testing on the downgrader in a first level of analysis;

responsive to the downgrader not passing the testing performed in the first level of analysis:

automatically synthesizing a counter example for the downgrader, wherein synthesizing the counter example for the 

creating a test unit for the downgrader using the counter example as an input parameter to the downgrader; and

executing the test unit to perform testing on the downgrader in a second level of analysis.

Claim 7. The system of claim 1, the executable operations further comprising:
responsive to the downgrader passing the testing performed in the second level of analysis, prompting a user to simplify a model of the downgrader.


Claims 25-44 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1, 4-5, and 8 of U.S. Patent No. US 10,387,288 B2 in view of Ottavi (US 2010/0095276 A1). Regarding exemplary claim 25, it is disclosed by the patent as follows.

Instant Application
US 10,387,288 B2
Claim 25. A method, comprising:


identifying a downgrader in a computer program under test;


performing, using a processor, testing on the downgrader in a first level of analysis; 

responsive to the downgrader not passing the testing performed in the first level of analysis:

automatically synthesizing a counter example for the downgrader;







creating a test unit for the downgrader using the counter example as an input parameter to the downgrader; and

executing the test unit to perform testing on the downgrader in a second level of analysis; and

responsive to the downgrader passing the testing performed in the second level of analysis, presenting to a user a prompt that prompts the user to simplify a model of the downgrader.


identifying a downgrader in a computer program under test;
via a processor, 

performing testing on the downgrader in a first level of analysis;

if the downgrader does not pass the testing performed in the first level of analysis:

automatically synthesizing a counter example for the downgrader;







creating a test unit for the downgrader using the counter example as an input parameter to the downgrader; and

executing the test unit to perform testing on the downgrader in a second level of analysis;




if the downgrader does not pass the testing performed in the second level of analysis, prompting the user to indicate whether an actual problem exists with the downgrader; and
if the user indicates that the actual problem does not exist with the downgrader, presenting to the user a prompt that prompts the user to refine an input specification for the model of the downgrader.


The patent claims do not disclose “responsive to the downgrader passing the testing performed in the second level of analysis, presenting to a user a prompt that prompts the user to simplify a model of the downgrader.” However, the patent claims in view of at least FIG. 7, .

Claim Rejections - 35 USC § 103
The following is a quotation of pre-AIA  35 U.S.C. 103(a) which forms the basis for all obviousness rejections set forth in this Office action:
(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in section 102, if the differences between the subject matter sought to be patented and the prior art are such that the subject matter as a whole would have been obvious at the time the invention was made to a person having ordinary skill in the art to which said subject matter pertains. Patentability shall not be negatived by the manner in which the invention was made.

Claims 25-26, 30-33, 37-40, and 44 is/are rejected under pre-AIA  35 U.S.C. 103(a) as being unpatentable over Rajan (US 2009/0089618 A1) in view of “Saner: Composing Static and Dynamic Analysis to Validate Sanitization in Web Applications” (hereinafter Saner) and Garland (US 6,289,502 B1).

Regarding claim 25, Rajan discloses: A method, comprising:
identifying a [property] in a computer program under test;
performing, using a processor, testing on the [property] in a first level of analysis; 
Refer to at least the abstract, as well as to the first two stages in FIG. 3 of Rajan, wherein a property P is verified using model checking. 
responsive to the [property] not passing the testing performed in the first level of analysis:
Refer to at least “IF P IS FALSE” in FIG. 3 of Rajan.
automatically synthesizing a counter example for the [property];
Refer to at least the abstract, [0007], and “COUNTER EXAMPLE RUN” in FIG. 3 of Rajan with respect to generating a counterexample. 
creating a test unit for the [property] using the counter example as an input parameter to the [property]; and
executing the test unit to perform testing on the [property] in a second level of analysis; and
Refer to at least the abstract, [0006]-[0007], [0022], [0024], and  “WEB TEST CASES t@” FIG. 3 of Rajan with respect to generating a counterexample / witness. The counterexample / witness is used in creating a test case. The test case is executed.
responsive to the [property] passing the testing performed in the second level of analysis, presenting to a user a prompt.
Refer to at least [0024] of Rajan with respect to presenting a result to the tester for modification.
Rajan is generic for web applications (i.e., [0001] of Rajan), and therefore does not disclose: downgrader. However, Rajan in view of Saner discloses: downgrader.
Refer to at least the abstract and section 3 of Saner with respect to performing a static analysis on sanitization routines. 
Rajan-Saner further does not specify: [presenting to a user a prompt] that prompts the user to simplify a model of the downgrader. However, Rajan-Saner in view of Garland that prompts the user to simplify a model of the downgrader.
Refer to at least Col. 24, Ll. 11-30 of Garland with respect to a nondeterminism "remover" which, for example, prompts a user to provide a "chooser" function for each instance of a "choose" statement.  The non-determinism remover can also prompt the user to provide an "action selector" function to resolve the implicit nondeterminism resulting from multiple non-input actions being enabled in a state, or can aid in incorporating scheduling variables, for example, to implement a round-robin scheduling of actions.
Since the teachings of both Rajan, Saner, and Garland concern software testing, they are considered to be combinable.
Therefore it would have been obvious to one of ordinary skill in the art at the time of Applicant’s invention to modify the teachings of Rajan to include support for testing sanitization routines of web applications for at least the reasons provided in the introduction of Saner (i.e., increasing the security of web applications). It further would have been obvious to modify Rajan-Saner to include interactive tools to aid with transformations or derivations of system specifications for at least the purpose of increasing user efficiency (e.g., Col. 24, Ll. 7-30 of Garland).

Regarding claim 26, Rajan-Saner-Garland discloses: The method of claim 25, wherein the executing the test unit to perform testing on the downgrader in the second level of analysis comprises: receiving from the user a user input to initiate execution of the test unit.
Refer to at least 63 in FIG. 1 of Garland with respect to a user interface. Further refer to at least 120 in FIG. 1B of Garland with respect to validation tools. 
Refer to at least Col 8, Ll. 55-60 of Garland with respect to validation tools requiring user input based on validation output.
This claim would have been obvious for substantially the same reasons as claim 25 above.

Regarding claim 30, Rajan-Saner-Garland discloses: The method of claim 25, wherein the performing testing on the downgrader in the first level of analysis comprises: building a call graph rooted at a method corresponding to the downgrader; modeling instructions of the method corresponding to the downgrader within the call graph; asserting a pattern with respect to return variables in the call graph having the modeled instructions; and running a string-analysis solver on the pattern that is asserted.
Refer to at least sections 3.1 -3.1.3 of Saner with respect to the particular steps of the static analysis portion in Saner (e.g., creating a dependence graph; using string automata; determining intersections for automata).
This claim would have been obvious for substantially the same reasons as claim 25 above.

Regarding claim 31, it is rejected for substantially the same reasons as claims 25 and 30 above (i.e., the citations and obviousness rationale).

Regarding independent claim 32, it is substantially similar to independent claim 25, and is therefore likewise rejected (i.e., the citations and the obviousness rationale).

Regarding dependent claims 33 and 37-38, they are substantially similar to dependent claims 26 and 30-31 above, and are therefore likewise rejected.

Regarding independent claim 39, it is substantially similar to independent claim 25, and is therefore likewise rejected (i.e., the citations and the obviousness rationale).

Regarding dependent claims 40 and 44, they are substantially similar to dependent claims 26 and 30 above, and are therefore likewise rejected.

Allowable Subject Matter
Claims 27, 34, and 41 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims. Each of said claims concerns automatically synthesizing a counterexample “wherein the automatically synthesizing the counter example for the downgrader comprises: encoding as a first logical formula a complement of a regular pattern asserting a security property of a method corresponding to the downgrader; encoding as a second logical formula instructions of the method corresponding to the downgrader within a call graph; and feeding the first logical formula and the second logical formula into a string-analysis solver,” which is not disclosed in either of the Rajan, Saner, or Ottavi references. The found prior art of record further does not appear to disclose or suggest said limitations. Claims 28-29, 35-36, and 42-43 depend on respective claims 27, 34, and 41, and are therefore objected to for at least that reason.

Conclusion
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to VADIM SAVENKOV whose telephone number is (571)270-5751. The examiner can normally be reached 12PM-8PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffrey L Nickerson can be reached on (469) 295-9235. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/V.S/Examiner, Art Unit 2432    

/DAO Q HO/Primary Examiner, Art Unit 2432