DETAILED ACTION
This action is in response to new application filed 6/17/2020 titled “Method of Defending Against Memory Sharing-Based Side-Channel Attacks by Embedding Random Value in Binaries”. Claims 1-19 were received for consideration and are under consideration.

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Priority
Acknowledgment is made of applicant's claim for foreign priority under 35 U.S.C. 119(a)-(d). The certified copy has been received.

Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.

(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

Claim(s) 1-19 are rejected under 35 U.S.C. 102(a)(1)/(a)(2) as being anticipated by Pohlack (US 9,405,708).

acquiring a binary code of an original program (see Pohlack column 8 lines 23-30 i.e. One embodiment of a method for avoiding timing side-channel attacks by attempting to make important pages unique is illustrated by the flow diagram in FIG. 2. As illustrated at 210, in this example, the method may include a client (e.g., a client application, service provider customer or subscriber) initiating the execution of a guest process (e.g., an application) in a virtualization environment that hosts multiple guests and column 19 lines 15-24 i.e. In some embodiments, instead of (or in addition to) inserting random numbers into IMPs to prevent them from matching a page accessed by an attacking guest, a guest process (e.g., an application, library function or operating system executing on a guest virtual machine) may perform a binary transformation on a code page that it accesses in a manner that does not affect the operation of the code. For example, a guest process may inspect the actual code that resides on the page and may replace it with an alternative encoding that is functionally equivalent but has a different byte representation); 
disassembling the binary code (see Pohlack column 8 lines 29-44 i.e.  The method may also include the operating system on the guest beginning to instantiate code pages and/or data structures in memory for the guest process, as in 220. If a sensitive code page or sensitive data structure is instantiated (e.g., one that includes cryptography information or other types of secret information, that is likely to be a target of a KSM attack, or that should otherwise be protected from such an attack), shown as the positive exit from 230, the method may include inserting a random or pseudorandom 
finding an offset from a disassembled code (see Pohlack column 8 lines 29-44 i.e.  The method may also include the operating system on the guest beginning to instantiate code pages and/or data structures in memory for the guest process, as in 220. If a sensitive code page or sensitive data structure is instantiated (e.g., one that includes cryptography information or other types of secret information, that is likely to be a target of a KSM attack, or that should otherwise be protected from such an attack), shown as the positive exit from 230, the method may include inserting a random or pseudorandom number into the sensitive code page or sensitive data structure (e.g., inserting a random or pseudorandom number into each of one or more pages thereof) when it is instantiated as in 240); 
embedding a detour random value code including a detour instruction and a random value of a fixed or variable length at a location of a found offset (see Pohlack column 16 lines 23-39 i.e. In embodiments in which a shared library (e.g., one that is accessible to an attacking guest process) has been prepared to support the techniques described herein through the insertion of one or more NONCE placeholder locations, the attacker may know the location at which a random number will be inserted, but may not know the value stored in that location, since the actual random number may be instantiated for each program. Note also that any guest application or library code into which NONCE placeholder locations are insert may need to be prepared in such a way as to make room for the NONCE placeholder locations and also such that the random 
outputting a rewritten program generated by embedding the detour random value code (see Pohlack column 8 lines 55-63 i.e. the method may include beginning (or continuing) execution of the guest process, as in 260. For example, in some embodiments, the guest process may begin executing before all of its code pages and/or data structures have been instantiated in memory, while in other embodiments, execution may not begin until all of the code pages or data structures have been instantiated in memory or, in some cases, until all of the data structures have been initialized).

With respect to claim 2 Pohlack teaches the method according to claim 1, wherein the random value of a fixed or variable length is between 5 and 8 bytes (see Pohlack column 11 lines 66 – column 12 line 32 i.e. One of these parameters may specify the size of one (or more) of the NONCE values that are inserted into IMPs (e.g., in bytes). Note that, in various embodiments, the value of the size parameter may determine the likelihood of accidentally having similar pages in the system (e.g., within a system that provides virtualization services, as described herein). For example, in some cases, an attacker may have an idea about what a code page looks like, and may have an idea about where the random number would be on that page, but may not have an idea about the content of the random number. An attacker trying to construct similar 

With respect to claim 3 Pohlack teaches the method according to claim 1, wherein the step of embedding a detour random value code includes the step of embedding the detour random value code in all pages (see Pohlack column 11 lines 5-16).

With respect to claim 4 Pohlack teaches the method according to claim 1, wherein the step of finding an offset includes the step of specifying the offset between two predetermined instructions of the disassembled code (see Pohlack column 16 lines 23-39 i.e. In embodiments in which a shared library (e.g., one that is accessible to an attacking guest process) has been prepared to support the techniques described herein 

With respect to claim 5 Pohlack teaches the method according to claim 4, further comprising the step of relocating the instruction and recovering symbol information (see Pohlack column 16 lines 23-39 i.e. In embodiments in which a shared library (e.g., one that is accessible to an attacking guest process) has been prepared to support the techniques described herein through the insertion of one or more NONCE placeholder locations, the attacker may know the location at which a random number will be inserted, but may not know the value stored in that location, since the actual random number may be instantiated for each program. Note also that any guest application or library code into which NONCE placeholder locations are insert may need to be prepared in such a way as to make room for the NONCE placeholder locations and also such that the random number written into the NONCE placeholder location is not executed as if it were code (e.g., the code into which the NONCE placeholder location 

With respect to claim 6 Pohlack teaches the method according to claim 1, wherein the step of finding an offset includes the step of finding instructions to be patched, which have a length the same as a length of the detour instruction and the random value of a fixed or variable length (See Pohlack column 13 lines 61 – column 14 line 4 i.e. As described in more detail herein, in response to determining that the detected cache line flush type instructions are likely being executed as part of a timing side-channel attack, the security component may be configured to modify the program instructions of the process or application that included the detected cache line flush type instructions (e.g., patching the process or application to replace native-code representations of these instructions with native-code representations of other instructions) and/or modifying the page mapping of the process or application that included the detected cache line flush type instructions).

With respect to claim 7 Pohlack teaches the method according to claim 6, further comprising the step of copying the instructions to be patched in a new section (See Pohlack column 13 lines 61 – column 14 line 4 i.e. As described in more detail herein, in response to determining that the detected cache line flush type instructions are likely being executed as part of a timing side-channel attack, the security component may be configured to modify the program instructions of the process or application that included the detected cache line flush type instructions (e.g., patching the process or application 

With respect to claim 8 Pohlack teaches the method according to claim 7, wherein the step of embedding a detour random value code includes the step of patching the instructions to be patched with the detour instruction and the random value of a fixed or variable length (see Pohlack column 16 lines 23-39 i.e. In embodiments in which a shared library (e.g., one that is accessible to an attacking guest process) has been prepared to support the techniques described herein through the insertion of one or more NONCE placeholder locations, the attacker may know the location at which a random number will be inserted, but may not know the value stored in that location, since the actual random number may be instantiated for each program. Note also that any guest application or library code into which NONCE placeholder locations are insert may need to be prepared in such a way as to make room for the NONCE placeholder locations and also such that the random number written into the NONCE placeholder location is not executed as if it were code (e.g., the code into which the NONCE placeholder location may be modified to cause execution to jump over the random number in the NONCE placeholder location so that it is interpreted as actual program code)).
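The detour random value code recited in claims 1 and 8, and the jump-over-the-nonce arrangement in the cited Pohlack passage, shown as an added example that comes from neither the application nor Pohlack. The sample instruction bytes, the helper names and the use of a SHA-256 page digest to model "identical pages can be merged" are assumptions made for illustration.

```python
import hashlib
import secrets

PAGE_SIZE = 4096

# Constructed sample: a small x86-64 function, already split at instruction
# boundaries (the output the disassembly step would provide). It contains no
# relative branches, so inserting bytes between instructions needs no relocation.
ORIGINAL = [
    bytes.fromhex("55"),      # push rbp
    bytes.fromhex("4889e5"),  # mov rbp, rsp
    bytes.fromhex("89f8"),    # mov eax, edi
    bytes.fromhex("01f0"),    # add eax, esi
    bytes.fromhex("5d"),      # pop rbp
    bytes.fromhex("c3"),      # ret
]
# Lengths of the opcodes used above, keyed by first byte (enough for this sample only).
LENGTHS = {0x55: 1, 0x48: 3, 0x89: 2, 0x01: 2, 0x5D: 1, 0xC3: 1}


def detour_random_value(nonce_len):
    """Build `jmp short +nonce_len` followed by nonce_len random bytes."""
    if not 1 <= nonce_len <= 127:  # rel8 forward displacement limit
        raise ValueError("nonce length must fit a short jump")
    return b"\xeb" + bytes([nonce_len]) + secrets.token_bytes(nonce_len)


def embed(instructions, index, nonce_len):
    """Insert the detour before instructions[index]; return (code, offset)."""
    if not 0 < index < len(instructions):
        raise ValueError("offset must lie between two instructions")
    head = b"".join(instructions[:index])
    return head + detour_random_value(nonce_len) + b"".join(instructions[index:]), len(head)


def executed_bytes(code):
    """Follow control flow from offset 0 and return the non-jump bytes executed."""
    pc, out = 0, b""
    while True:
        op = code[pc]
        if op == 0xEB:  # short jump: skip the displacement byte and the nonce
            pc += 2 + code[pc + 1]
            continue
        size = LENGTHS[op]
        out += code[pc:pc + size]
        pc += size
        if op == 0xC3:  # ret ends the trace
            return out


def page_digest(code):
    """Digest of the 4 KiB page holding the code; equal digests model mergeable pages."""
    return hashlib.sha256(code.ljust(PAGE_SIZE, b"\xcc")).hexdigest()


def candidate_pages(nonce_len):
    """Page variants an attacker must supply to cover every possible nonce value."""
    return 256 ** nonce_len
```

Two rewrites of the same function produce pages with different digests, while `executed_bytes` returns the original instruction stream for both, which is the property the jump over the nonce is meant to preserve.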

With respect to claim 9 Pohlack teaches the method according to claim 6, wherein the instructions to be patched include only instructions unrelated to linking (see 

With respect to claim 10 Pohlack teaches a computer-readable recording medium recording a program for executing the method according to claim 1 (see claim 1 above).

With respect to claim 11 Pohlack teaches a binary rewriter comprising: 
a disassembler for disassembling a binary code of an acquired original program (see Pohlack column 8 lines 29-44 i.e.  The method may also include the operating system on the guest beginning to instantiate code pages and/or data structures in memory for the guest process, as in 220. If a sensitive code page or sensitive data structure is instantiated (e.g., one that includes cryptography information or other types 
an offset finder for finding an offset from a disassembled code (see Pohlack column 8 lines 29-44 i.e.  The method may also include the operating system on the guest beginning to instantiate code pages and/or data structures in memory for the guest process, as in 220. If a sensitive code page or sensitive data structure is instantiated (e.g., one that includes cryptography information or other types of secret information, that is likely to be a target of a KSM attack, or that should otherwise be protected from such an attack), shown as the positive exit from 230, the method may include inserting a random or pseudorandom number into the sensitive code page or sensitive data structure (e.g., inserting a random or pseudorandom number into each of one or more pages thereof) when it is instantiated as in 240); and 
a code embedding module for embedding a detour random value code including a detour instruction and a random value of a fixed or variable length at a location of a found offset, and outputting a rewritten program generated by embedding the detour random value code (see Pohlack column 16 lines 23-39 i.e. In embodiments in which a shared library (e.g., one that is accessible to an attacking guest process) has been prepared to support the techniques described herein through the insertion of one or more NONCE placeholder locations, the attacker may know the location at which a random number will be inserted, but may not know the value stored in that location, 

With respect to claim 12 Pohlack teaches the rewriter according to claim 11, wherein the random value of a fixed or variable length is between 5 and 8 bytes (see Pohlack column 11 lines 66 – column 12 line 32 i.e. One of these parameters may specify the size of one (or more) of the NONCE values that are inserted into IMPs (e.g., in bytes). Note that, in various embodiments, the value of the size parameter may determine the likelihood of accidentally having similar pages in the system (e.g., within a system that provides virtualization services, as described herein). For example, in some cases, an attacker may have an idea about what a code page looks like, and may have an idea about where the random number would be on that page, but may not have an idea about the content of the random number. An attacker trying to construct similar pages by guessing the NONCE values and/or by providing many similar page variants at the same time (each with a different NONCE value) may find it increasingly difficult to succeed as the NONCE size increases. For example, if the NONCE value contains only one byte, an attacker would only need 256 copies of the code page to find a match, 

With respect to claim 13 Pohlack teaches the rewriter according to claim 11, wherein the detour random value code is embedded in all pages (see Pohlack column 11 lines 5-16).

With respect to claim 14 Pohlack teaches the rewriter according to claim 11, wherein the code embedding module includes an inject-based embedding module, and the offset finder specifies the offset between two predetermined instructions of the disassembled code (see Pohlack column 16 lines 23-39 i.e. In embodiments in which a shared library (e.g., one that is accessible to an attacking guest process) has been prepared to support the techniques described herein through the insertion of one or more NONCE placeholder locations, the attacker may know the location at which a random number will be inserted, but may not know the value stored in that location, since the actual random number may be instantiated for each program. Note also that any guest application or library code into which NONCE placeholder locations are insert 

With respect to claim 15 Pohlack teaches the rewriter according to claim 14, wherein the inject-based embedding module relocates codes coming after the offset and recovers symbol information after embedding the detour random value code (see Pohlack column 16 lines 23-39 i.e. In embodiments in which a shared library (e.g., one that is accessible to an attacking guest process) has been prepared to support the techniques described herein through the insertion of one or more NONCE placeholder locations, the attacker may know the location at which a random number will be inserted, but may not know the value stored in that location, since the actual random number may be instantiated for each program. Note also that any guest application or library code into which NONCE placeholder locations are insert may need to be prepared in such a way as to make room for the NONCE placeholder locations and also such that the random number written into the NONCE placeholder location is not executed as if it were code (e.g., the code into which the NONCE placeholder location may be modified to cause execution to jump over the random number in the NONCE placeholder location so that it is interpreted as actual program code)).



With respect to claim 17 Pohlack teaches the rewriter according to claim 16, wherein the patch-based embedding module copies the instructions to be patched in a new section (See Pohlack column 13 lines 61 – column 14 line 4 i.e. As described in more detail herein, in response to determining that the detected cache line flush type instructions are likely being executed as part of a timing side-channel attack, the security component may be configured to modify the program instructions of the process or application that included the detected cache line flush type instructions (e.g., patching the process or application to replace native-code representations of these instructions with native-code representations of other instructions) and/or modifying the 

With respect to claim 18 Pohlack teaches the rewriter according to claim 17, wherein the patch-based embedding module patches the instructions to be patched with the detour instruction and the random value of a fixed or variable length (see Pohlack column 16 lines 23-39 i.e. In embodiments in which a shared library (e.g., one that is accessible to an attacking guest process) has been prepared to support the techniques described herein through the insertion of one or more NONCE placeholder locations, the attacker may know the location at which a random number will be inserted, but may not know the value stored in that location, since the actual random number may be instantiated for each program. Note also that any guest application or library code into which NONCE placeholder locations are insert may need to be prepared in such a way as to make room for the NONCE placeholder locations and also such that the random number written into the NONCE placeholder location is not executed as if it were code (e.g., the code into which the NONCE placeholder location may be modified to cause execution to jump over the random number in the NONCE placeholder location so that it is interpreted as actual program code)).

With respect to claim 19 Pohlack teaches the rewriter according to claim 16, wherein the instructions to be patched include only instructions unrelated to linking (see Pohlack column 16 lines 23-39 i.e. In embodiments in which a shared library (e.g., one that is accessible to an attacking guest process) has been prepared to support the 

Prior Art not used in Rejection
	Newton et al (US 2020/0192668) titled “SYSTEMS AND METHODS OF PERFORMING PROBE INJECTION USING INSTRUCTION PUNNING” teaches a method that provides for injecting a probe into a computer-readable computer program having a plurality of computer-executable instructions.
	John et al (US 2019/0132334) titled “SYSTEM AND METHOD FOR ANALYZING BINARY CODE FOR MALWARE CLASSIFICATION USING ARTIFICIAL NEURAL NETWORK TECHNIQUES”.
	Wesie et al (2016/0299765) titled “System And Method Of Obfuscation Through Binary And Memory Diversity” teaches in one embodiment, the system for obfuscating binary codes comprises one or more processors. The one or more processors may be configured to receive a binary file. The one or more processor may further be configured .

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to DEVIN E ALMEIDA whose telephone number is (571)270-1018.  The examiner can normally be reached on Monday-Thursday from 7:30 A.M. to 5:00 P.M.  The examiner can also be reached on alternate Fridays from 7:30 A.M. to 4:00 P.M. 
If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, Saleh Najjar, can be reached on 571-272-4006. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free).
/DEVIN E ALMEIDA/Examiner, Art Unit 2492

/SALEH NAJJAR/Supervisory Patent Examiner, Art Unit 2492