Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
1.	In a preliminary amendment dated 09/27/2021, claims 1-29 have been canceled. Claims 30-49 have been newly added. Claims 30-49 have been examined.

Information Disclosure Statement
2.	The information disclosure statement (IDS) submitted on 12/18/2019 is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.

Claim Interpretation
The following is a quotation of 35 U.S.C. 112(f):
(f) Element in Claim for a Combination. – An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof. 

The following is a quotation of pre-AIA  35 U.S.C. 112, sixth paragraph:
An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof.

3.	The claims in this application are given their broadest reasonable interpretation using the plain meaning of the claim language in light of the specification as it would be understood by one of ordinary skill in the art.  The broadest reasonable interpretation of a claim element (also commonly referred to as a claim limitation) is limited by the 
As explained in MPEP § 2181, subsection I, claim limitations that meet the following three-prong test will be interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph:
(A)	the claim limitation uses the term “means” or “step” or a term used as a substitute for “means” that is a generic placeholder (also called a nonce term or a non-structural term having no specific structural meaning) for performing the claimed function; 
(B)	the term “means” or “step” or the generic placeholder is modified by functional language, typically, but not always linked by the transition word “for” (e.g., “means for”) or another linking word or phrase, such as “configured to” or “so that”; and 
(C)	the term “means” or “step” or the generic placeholder is not modified by sufficient structure, material, or acts for performing the claimed function. 
Use of the word “means” (or “step”) in a claim with functional language creates a rebuttable presumption that the claim limitation is to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites sufficient structure, material, or acts to entirely perform the recited function. 
Absence of the word “means” (or “step”) in a claim creates a rebuttable presumption that the claim limitation is not to be treated in accordance with 35 U.S.C. 
Claim limitations in this application that use the word “means” (or “step”) are being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action. Conversely, claim limitations in this application that do not use the word “means” (or “step”) are not being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action.

4.	This application includes one or more claim limitations that do not use the word “means,” but are nonetheless being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, because the claim limitation(s) uses a generic placeholder that is coupled with functional language without reciting sufficient structure to perform the recited function and the generic placeholder is not preceded by a structural modifier.  Such claim limitation(s) is/are: “second component” in claim 42.
Because this/these claim limitation(s) is/are being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, it/they is/are being interpreted to cover the corresponding structure described in the specification as performing the claimed function, and equivalents thereof.
If applicant does not intend to have this/these limitation(s) interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, applicant may:  (1) amend the 

5.	For claims 30, 33-37, 39-46 and 49, the phrases “or”, “and/or” and “one of” have been given the broadest, reasonable interpretation of only requiring a single element from the given list in order to satisfy the requirements of the limitation.

Claim Objections
6.	Claims 35 and 42 is objected to because of the following informalities:
	Claim 35 recites, “…the debug and/or validation procedures…” However, this phase lacks antecedent basis as there is no preceding “a debug and/or validation procedure”.
Claim 42 recites, “…a plurality of actuators connected to the component…” However, there is both “a first component” and “a second component” in claim 42 and is unclear which “component” the plurality of sensors is connected to. Since the “first component” runs the firmware or finite station machine and is also connected to the “plurality of sensors”, examiner believes the “plurality of actuators” is connected to the “first component” and will treat the claims as such for the remainder of the Office Action.
Appropriate correction is required.



Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.


8.	Claims 47-48 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Ghose (U.S. Patent Application Publication 2014/0325239).
	For claim 47, Ghose teaches a method, comprising:
	analyzing a sequence of instructions and individuating significative ones (note paragraphs [0049], [0051] and [0140], compiler performs static analysis of a program, individuating basic blocks);
	associating each significative instruction with a watchpoint (note paragraphs [0083]-[0084], [0092], [0096] and [0140], the address of the last instruction in the basic block serves as a watchpoint);
	calculating first unique values of the watchpoints by using a predefined function before executing the sequence of instructions for all allowable paths in the sequence of 
	storing the first unique values as calculated (note paragraphs [0087], [0094], [0129] and [0140], signature validation table stores hashes);
	calculating second unique values of the watchpoint using a predefined function when executing the sequence of instructions (note paragraph [0130], hash is generated as every instruction commits);
	comparing the second unique value of each watchpoint as calculated with the stored first unique values (note paragraph [0132], hash digest for the executed block is compared against the retrieved validation table entry); and
	validating the instruction of a watchpoint as correct if its second unique value is comprised in the first unique values of the allowable paths (note paragraph [0132], instruction is validated if there is a match).

	For claim 48, Ghose teaches claim 47, wherein calculating the first unique values and calculating the second unique values use a same predefined function (note paragraphs [0123], [0128] and [0130], MD-5 or SHA hash is used to calculate both validation table and execution hash value).




Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

9.	Claims 30-35, 40, 42, 44-46 and 49 are rejected under 35 U.S.C. 103 as being unpatentable over Ghose, and further in view of Iyer et al. (U.S. Patent Application Publication 2020/0125732; hereafter “Iyer”).
	For claim 49, Ghose teaches claim 47, wherein the predefined function is a HASH function (note paragraphs [0123], [0128] and [0130], MD-5 or SHA hash is used to calculate both validation table and execution hash value).

	Ghose differs from the claimed invention in that they fail to explicitly teach:
the sequence of instructions is a plurality of routines or states of a firmware or a finite state machine

Iyer teaches:
the sequence of instructions is a plurality of routines or states of a firmware or a finite state machine (note paragraph [0115], the term “module” may include firmware)




For claim 30, the combination of Ghose and Iyer teaches a method, comprising:
analyzing a firmware (note paragraph [0115] of Iyer, firmware) or a finite state machine (note paragraphs [0049], [0051] and [0140] of Ghose, compiler performs static analysis of a program);
decomposing the firmware or the finite state machine into a plurality of routines or states (note paragraphs [0049], [0051] and [0140] of Ghose, compiler performs static analysis of a program, decomposing basic blocks);
individuating significative instructions of the firmware or states of the finite state machine  (note paragraphs [0083]-[0084], [0092], [0096] and [0140] of Ghose, entry point and last instruction of basic block are significative instructions);
associating each significative instruction or state with a watchpoint  (note paragraphs [0083]-[0084], [0092], [0096] and [0140] of Ghose, the address of the last instruction in the basic block serves as a watchpoint);
calculating first HASH values of the watchpoints using a HASH function before running the firmware or finite state machine for all allowable paths in the firmware or the 
storing the first HASH values as calculated (note paragraphs [0087], [0094], [0129] and [0140] of Ghose, signature validation table stores hashes);
calculating second HASH values of the watchpoints using a HASH function when running of the firmware or finite state machine (note paragraph [0130] of Ghose, hash is generated as every instruction commits);
comparing the second HASH value of each watchpoint as calculated with the stored first HASH values (note paragraph [0132] of Ghose, hash digest for the executed block is compared against the retrieved validation table entry); and
validating the instruction or state of a watchpoint as correct if its second HASH value is comprised in the first HASH values of the allowable paths (note paragraph [0132] of Ghose, instruction is validated if there is a match).

It would have been obvious to one of ordinary skill in the art at the time of the invention to combine the software module flow protection of Ghose and the software module is used as firmware of Iyer. It would have been obvious because combining prior art elements according to known methods would yield the predictable results of using a signature validation table to protect the flow of a program (Ghose) running as firmware (Iyer)


	For claim 42. the combination of Ghose and Iyer teaches an apparatus, comprising:
	a first component configured to run program module (note paragraph [0031], processor executes instructions);
	a second component configured to store the program module (note paragraphs [0031], memory stores instructions);
	wherein the first component is configured to:
	calculate first HASH values associated to watchpoints of significative instructions or states of the firmware or finite state machine using a HASH function (note paragraphs [0091]-[0092], [0095], [0128] and [0139]-[0140] of Ghose, control flow signature is hash that is generated for each of the basic blocks by compiler before execution of the program);
	calculate second HASH values when the firmware or finite state machine is running; store the first HASH values (note paragraph [0130] of Ghose, hash is generated as every instruction commits);
	compare the second HASH value of each watchpoint as calculated with the stored first HASH values (note paragraph [0132] of Ghose, hash digest for the executed block is compared against the retrieved validation table entry); and
	validate an instruction or state of a watchpoint as correct if its second HASH value is comprised in the first HASH values (note paragraph [0132] of Ghose, instruction is validated if there is a match).


	a first component configured to run firmware or a finite state machine;
	a second component configured to store the firmware or finite state machine;
	a plurality of sensors connected to the first component and configured to provide thereto input signals; and
	a plurality of actuators connected to the component and configured to receive therefrom control signals;

	Iyer teaches:
	a first component configured to run firmware or a finite state machine (note paragraphs [0108] and [0115], processor can be ECU which runs firmware);
	a second component configured to store the firmware or finite state machine (note paragraph [0108] and [0112], memory stores instructions);
	a plurality of sensors connected to the first component and configured to provide thereto input signals (note paragraphs [0027], [0058], [0103], program module controls vehicle to automatically adjust and brake vehicle); and
	a plurality of actuators connected to the component and configured to receive therefrom control signals (note paragraphs [0027], [0058], [0103], program module controls vehicle to automatically adjust and brake vehicle);

It would have been obvious to one of ordinary skill in the art at the time of the invention to combine the software module flow protection of Ghose and the software module is used as firmware of a vehicle ECU of Iyer. It would have been obvious 


	For claim 31, the combination of Ghose and Iyer teaches claim 30, wherein the significative instructions or states are begin/end instructions of routines of the firmware or specific executions states of the finite state machine (note paragraphs [0083]-[0084], [0092], [0096] and [0140] of Ghose, entry point and last instruction of basic block are significative instructions, i.e. begin/end instructions for basic block).

	For claim 32, the combination of Ghose and Iyer teaches claim 30, wherein calculating the first HASH values and calculating the second HASH values use a same HASH function (note paragraphs [0123], [0128] and [0130] of Ghose, MD-5 or SHA hash is used to calculate both validation table and execution hash value).

	For claim 33, the combination of Ghose and Iyer teaches claim 30, wherein the HASH function is a cryptographic HASH function or Secure Hash Algorithm SHA-256 (note paragraphs [0123], [0128] and [0130] of Ghose, MD-5 or SHA-2, SHA-2 includes SHA-256, hash is used to calculate both validation table and execution hash value).

	For claim 34, the combination of Ghose and Iyer teaches claim 30, wherein calculating the first HASH values is performed for the firmware during a compiling phase 

	For claim 35, the combination of Ghose and Iyer teaches claim 30, wherein comparing the second HASH value of each watchpoint as calculated with the stored first HASH values is made starting from the first watchpoint in the runtime of the firmware or finite state machine or from any watchpoint in the debug and/or validation procedures of the firmware or finite state machine (note paragraphs [0131]-[0132] of Ghose, comparison is made for each end of the basic block including the first watchpoint in the runtime).

	For claim 40, the combination of Ghose and Iyer teaches claim 30, wherein associating the significative instructions or states and the watchpoints is performed in an automatic manner based on a list during design of the firmware or finite state machine (note paragraphs [0062], [0083]-[0084], [0092], [0096] and [0125] of Ghose, validations at significative instructions are performed automatically based on list of instructions that can change the flow of control).

	For claim 44, the combination of Ghose and Iyer teaches claim 42, further comprising: a compiler or a tool generating a hardware code for the first component (note paragraphs [0049], [0051] and [0140] of Ghose, compiler performs static analysis of a program including calculating first HASH values).

	For claim 45, the combination of Ghose and Iyer teaches claim 42, wherein the first component is configured to: provide a result of a comparison between the first and second HASH values as a warning signal, when such a comparison has indicated a wrong or potentially dangerous sequence of instructions or states for the firmware or finite state machine of the component (note paragraphs [0066], [0069] of Ghose, verification failure results in an exception signal).

	For claim 46, the combination of Ghose and Iyer teaches claim 42, wherein the first component is included in one of: a vehicle, an airplane, or a control system of a plant (note paragraphs [0027], [0058], [0089], [0103] of Iyer, ECU is included in a vehicle).


10.	Claims 36-38 and 43 are rejected under 35 U.S.C. 103 as being unpatentable over the combination of Ghose and Iyer as applied to claims 30 and 42 above, and further in view of Wolf (U.S. Patent Application Publication 2014/0108812).
	For claim 36, the combination of Ghose and Iyer differs from the claimed invention in that they fail to teach:
	calculating cumulated HASH values of a sequence of instructions or states by linking a HASH value of a watchpoint under examination to HASH values of previous watchpoints according to the following formula:
	FT_HASHk = HASH[FT_HASHk-1|HASH(watchpoint WP#i)], wherein:

	watchpoint WP#i is watchpoint under examination,
	k is a current clock period,
	k-1 is a previous clock period, and
	| is a union between HASH values, and wherein the cumulated HASH value is calculated by applying the HASH function at each step of the routines of a firmware or at each transition between states of a finite state machine.

	Wolf teaches:
	calculating cumulated HASH values of a sequence of instructions or states by linking a HASH value of a watchpoint under examination to HASH values of previous watchpoints according to the following formula:
	FT_HASHk = HASH[FT_HASHk-1|HASH(watchpoint WP#i)], wherein:
	FT_HASH is a cumulated HASH value,
	watchpoint WP#i is watchpoint under examination,
	k is a current clock period,
	k-1 is a previous clock period, and
	| is a union between HASH values, and wherein the cumulated HASH value is calculated by applying the HASH function at each step of the routines of a firmware or at each transition between states of a finite state machine (note Fig. 2 and paragraphs [0046]-[0048], hash from first checkpoint is combined with hash from code in current time period to create second checkpoint hash).




	For claim 37, the combination of Ghose, Iyer and Wolf teaches claim 36, wherein the second HASH value of an end watchpoint of the sequence of instructions or states is the last cumulated HASH value as calculated (note paragraphs [0145]-[0146] of Ghose, accumulated hash value is used at the end of the basic block sequence for comparison; paragraph [0048] of Wolf, final result hash is used in final result authentication).

It would have been obvious to one of ordinary skill in the art at the time of the invention to combine the combination of Ghose and Iyer and the cumulative hash values of Wolf. It would have been obvious because a simple substitution of one known element (cumulative hash values for watchpoints of Wolf) for another (reset of hash value after each watchpoint of Ghose) would yield the predictable results of generating a cumulative hash value for each section of a firmware program module to compare against a stored value to validate the execution of program flow.


	For claim 38, the combination of Ghose, Iyer and Wolf teaches claim 36, further comprising: storing the cumulated HASH values as calculated for each watchpoint being examined (note paragraphs [0047]-[0048] of Wolf, hash results are stored to use as input into the next hash function; note paragraph [0145] of Ghose, accumulated hash value is stored into a single variable).

It would have been obvious to one of ordinary skill in the art at the time of the invention to combine the combination of Ghose and Iyer and the cumulative hash values of Wolf. It would have been obvious because a simple substitution of one known element (cumulative hash values for watchpoints of Wolf) for another (reset of hash value after each watchpoint of Ghose) would yield the predictable results of generating a cumulative hash value for each section of a firmware program module to compare against a stored value to validate the execution of program flow.


	For claim 43, the combination of Ghose, Iyer and Wolf teaches claim 42, wherein the first component is configured to: calculate cumulated HASH values of a sequence of instructions or states by linking a HASH value of a watchpoint under examination to HASH values of previous watchpoints according to the following formula:
	FT_HASHk = HASH[FT_HASHk-1|HASH(watchpoint WP#i)], wherein:
	FT_HASH is a cumulated HASH value,
	watchpoint WP#i is watchpoint under examination,

	k-1 is a previous clock period, and
	| is a union between HASH values, 
	calculate the cumulated HASH value by applying the HASH function at each step of the routines of the firmware or at each transition between states of the finite state machine (note Fig. 2 and paragraphs [0046]-[0048], hash from first checkpoint is combined with hash from code in current time period to create second checkpoint hash); and
	a register, wherein the register is configured to: store the cumulated HASH values corresponding to all already visited watchpoints of the firmware or finite state machine (note paragraphs [0047]-[0048] of Wolf, hash results are stored to use as input into the next hash function; note paragraph [0145] of Ghose, accumulated hash value is stored into a single variable).

It would have been obvious to one of ordinary skill in the art at the time of the invention to combine the combination of Ghose and Iyer and the cumulative hash values of Wolf. It would have been obvious because a simple substitution of one known element (cumulative hash values for watchpoints of Wolf) for another (reset of hash value after each watchpoint of Ghose) would yield the predictable results of generating a cumulative hash value for each section of a firmware program module to compare against a stored value to validate the execution of program flow.


39 is rejected under 35 U.S.C. 103 as being unpatentable over the combination of Ghose and Iyer as applied to claim 30 above, and further in view of Meyer et al. (U.S. Patent Application Publication 2010/0146624; hereafter “Meyer”).
	For claim 39, the combination of Ghose and Iyer differs from the claimed invention in that they fail to teach:
	wherein the first and second HASH values of a watchpoint are calculated by using a program counter value of the corresponding instruction for a firmware or a status for a finite state machine.

	Meyer teaches:
	wherein the first and second HASH values of a watchpoint are calculated by using a program counter value of the corresponding instruction for a firmware or a status for a finite state machine (note paragraph [0067], check value, i.e. hash value, is calculated using program counter).

It would have been obvious to one of ordinary skill in the art at the time of the invention to combine the combination of Ghose and Iyer and the hash value calculated using the program counter of Meyer. It would have been obvious because a simple substitution of one known element (hash value calculated using the program counter of Meyer) for another (hash value calculations of Ghose; note paragraphs [0123] and [0134]-[0137]) would yield the predictable results of generating a cumulative hash value for each section of a firmware program module including the program counter to compare against a stored value to validate the execution of program flow.


12.	Claim 41 is rejected under 35 U.S.C. 103 as being unpatentable over the combination of Ghose and Iyer as applied to claim 30 above, and further in view of Stall et al. (U.S. Patent Application Publication 2013/0332908; hereafter “Stall”).
	For claim 41, the combination of Ghose and Iyer differs from the claimed invention in that they fail to teach:
	wherein associating the significative instructions or states and the watchpoints is performed in a manual manner based on design choices during design of the firmware or finite state machine.

	Stall teaches:
	wherein associating the significative instructions or states and the watchpoints is performed in a manual manner based on design choices during design of the firmware or finite state machine (note paragraph [0037], step 304 user manually sets breakpoints).

It would have been obvious to one of ordinary skill in the art at the time of the invention to combine the combination of Ghose and Iyer and the manually set breakpoints of Stall. It would have been obvious because a simple substitution of one known element (manually set breakpoints of Stall) for another (automatic breakpoints of Ghose) would yield the predictable results of generating a cumulative hash value for .


Conclusion
13.	The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Wenn (U.S. Patent Application Publication 2017/0031750) teaches creating check values for each execution path (note paragraph [0032]) and then validating an executing path by comparing a current check value with those stored in a table (note paragraph [0036]).

Wang et al. (“ConFirm: Detecting Firmware Modifications in Embedded Systems using Hardware Performance Counters”) teaches detection of modification to firmware through computational path analysis using hardware performance counters (note Abstract and page 545 B. Hardware Performance Counters).

14.	Any inquiry concerning this communication or earlier communications from the examiner should be directed to DAVID J PEARSON whose telephone number is (571)272-0711. The examiner can normally be reached 6:00 - 5:30 pm; Monday through Thursday.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an 
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Taghi Arani can be reached on (571)272-3787. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/David J Pearson/Primary Examiner, Art Unit 2438