DETAILED ACTION
This Notice of Allowance is in response to applicant’s amendment and remarks filed 10/06/2021.  Claims 1, 3, 5, 11-13, and 18-20 have been amended.  Claims 1-20 are pending and have been considered as follows.
The text of those sections of Title 35 U.S. Code not included in this section can be found in the prior office action.
The prior office actions are incorporated herein by reference.  In particular, the observations with respect to claim language, and response to previously presented arguments.
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Allowable Subject Matter
Claims 1-20 are allowed.
Examiner’s Statement for Reasons of Allowance
The following is an examiner’s statement of reasons for allowance:
In interpreting the currently amended claims in light of the specification, the Examiner finds the claimed invention to be patentably distinct from the prior art of record.
Independent Claims 1, 12, and 19 are allowed for the reasons argued by applicant in the remarks on pages 7-8 filed on 10/06/2021 which are persuasive.  In light of the amendment to the claims, the 35 U.S.C. 112(b) rejection of Claims 3, 5, 11, 13, and 18 is withdrawn.  Further, the 35 U.S.C. 101 rejection of Claims 19 and 20 is Claims 2-11, 13-18, and 20 depend upon respective independent claims above and are allowed by virtue of their dependencies.
Although, the prior art of record LeMay et al. (US 20160092673 A1) discloses “a computing device having a processor with shadow stack support. During execution of a call instruction, the processor determines whether a legacy stack pointer is within bounds and generates a virtual machine exit if the legacy stack pointer is out-of-bounds. If not out-of-bounds, the processor pushes a return address onto the legacy stack and onto a shadow stack protected by a hypervisor. During execution of a return instruction, the processor determines whether top return addresses of the legacy stack and the shadow stack match, and generates a virtual machine exit if the return addresses do not match. If the return addresses match, the processor pops the return addresses off of the legacy stack and off of the shadow stack”,
Neither LeMay nor the prior art of record teaches individually or in combination the limitations listed below as recited in applicant’s amended independent Claims:
[Claim 1] “wherein the artifact is associated with a thread incorporating hooking functionality, and wherein the first location represents a current location of the artifact in stack memory; comparing the first location to a second location of that artifact on the stack memory, wherein the second location is one of the plurality of locations comprised by the stack memory and represents a previously identified location of that artifact in the stack memory; determining whether the first location matches the second location
[Claim 12] “wherein the artifact is associated with a thread incorporating hooking functionality, and wherein the first location represents a current location of the artifact in stack memory; comparing the first location to a second location of that artifact on the stack memory, wherein the second location is one of the plurality of locations comprised by the stack memory and represents a previously identified location of that artifact in the stack memory; determining whether the first location matches the second location”;
[Claim 19] “wherein the artifact is associated with a thread incorporating hooking functionality, and wherein the first location represents a previously identified location of the artifact in that stack memory; evaluating, at a second time, the stack memory, wherein the evaluation comprises determining the first location of the artifact is not currently found in the stack memory; and based on determining the first location is no longer found in the stack memory, performing one or more remedial actions”.
The closest prior art made of record and cited consisted of the following references.
Ferrie (US 7797702 B1) discloses a process that utilizes thread local storage (TLS) functionality to prevent a malicious thread from executing in its address space. The legitimate process includes a thread white list that identifies the entry point addresses of threads executed by the process. When executed on a computer, the process interacts with the TLS functionality provided by the computer's operating system. The operating system sends the process a message each time a new thread is 
GERZON et al. (US 20140380468 A1) discloses a processing system that comprises: a stack pointer configured to reference a first return address stored on a stack; a return address buffer pointer configured to reference a second return address stored in a return address buffer; and a return address verification logic configured, responsive to receiving a return instruction, to compare the first return address to the second return address.
Giuliani et al. (US 20150215335 A1) discloses anti-exploit systems and methods that monitor a memory space of a process for execution of functions. Stack walk processing is executed upon invocation of one of the functions in the monitored memory space. During execution of the stack walk processing, at least one memory check is performed to detect suspicious behavior. An alert of suspicious behavior is triggered when the performing of the memory check detects at least one of: code execution attempted from non-executable memory, identification of an invalid base pointer, identification of an invalid stack return address, attempted execution of a return-oriented programming technique, the base pointer is outside a current thread stack, and a return address is detected as being inside a virtual memory area. If an alert of suspicious behavior is triggered, execution of a payload is prevented for the invoked function.
Shanbhogue et al. (US 20160110542 A1) discloses a processor that comprises: a first register to store a first bound value for a stack to be stored in a memory; a second register to store a second bound value for the stack; a checker logic to determine, prior to an exit point at a conclusion of a function to be executed on the processor, whether a value of a stack pointer is within a range between the first bound value and the second bound value; and a logic to prevent a return to a caller of the function if the stack pointer value is not within the range.
Momot (US 20160196428 A1) discloses detecting a stack pivot programming exploit that involve extracting return addresses from a call stack from a snapshot of a running program and, for each extracted return address, identifying a stack frame and following frame from stack pointer information, checking whether the stack is consistent with the type of stack generated by the operating system and architecture conventions, and alerting that a stack pivot is likely if an anomaly in stack layout is found. Some examples involve determining whether the stack frame and following frame follow consistently in one of ascending or descending addresses. Some examples involve, given a consistent directional polarity and metadata about the directional polarity of the stack specified by one of the microarchitecture, operating system, software, or other configuration, determining whether the observed directional polarity corresponds to the expected directional polarity.
However.
Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee.  Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant’s disclosure.
Moula et al. (“ROPK++: An Enhanced ROP Attack Detection Framework for Linux Operating System”, June 2017, International Conference on Cyber Security And Protection Of Digital Services, pp. 1-6)
Hentunen (US 20150161396 A1) is cited for detecting ROP exploits by comparing code location addresses.
Rhee et al. (US 20160034687 A1) is cited for detecting ROP attacks by determining whether a valid stack frame and return code address is present.
Loman et al. (US 20180039776 A1) is cited for detecting ROP exploits using contextual information such as path information.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Kenneth W Chang whose telephone number is (571)270-7530. The examiner can normally be reached Monday - Friday 9-5pm EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.

Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/KENNETH W CHANG/Primary Examiner, Art Unit 2438                                                                                                                                                                                                        
    PNG
    media_image1.png
    35
    280
    media_image1.png
    Greyscale

01.21.2022