Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

DETAILED ACTION

Status of Claims
Claims 1-30 are subject to examination.  

Claim Limitation Interpreted under 35 U.S.C. 112(f) or 
pre-AIA  35 USC § 112, Sixth Paragraph

Claims 9, 16, limitation “an arithmetic unit” contains generic placeholder “unit” preceded by a structural modifier.  
Claims 10, 17, limitation “a detector unit” contains generic placeholder “unit” preceded by a structural modifier.  



Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.


Claim(s) 1, 2, 9, 16, 22, 24, 29, 30 is/are rejected under 35 U.S.C. 103 as being unpatentable over Chen et al., 2009/0282477 in view of David et al., 2018/0247045 and Koga, Toyota Jidosha Kabushiki Kaisa., 2017/0261947 and “Official Notice”.
Referring to claim(s) 1, 22, Chen discloses a program generation method comprising: a non-transitory physical computer-readable medium comprising instructions being executed by a computer, the instructions including a computer-implemented method for generating a program, the method including:
extracting a control flow that represents a call-return relationship between functions as well as extracting the functions themselves from a program code (control flow achieved without unsafe instructions after removal of functions, call-return instructions from the code, para 59-65, restrict control transfer instructions, not allowing return, far call, far jump instructions, etc., to remove risk and make the software secure, para 59-65),

    PNG
    media_image1.png
    715
    462
    media_image1.png
    Greyscale

determining the extracted functions (determine the return address(es) from a stack location, para 59-65); and

    PNG
    media_image2.png
    581
    506
    media_image2.png
    Greyscale

inserting a check instruction into the program code, to properly perform the control flow based on each of the extracted functions (inserting a sequence of instructions in the code that use a register-specified destination instead and hence is not vulnerable to a race condition based on determine the return address(es) from a stack location, para 59-65).
[0059] In one embodiment of the present invention, the validator helps to achieve code, control-flow, and data integrity for an x86 native code module in part by ensuring that a set of "unsafe" instructions from the x86 ISA (instruction set architecture) are not included in a native code module.  For instance, the validator may disallow the use of the following instructions and/or features in a native code module: [0060] the syscall (system call) and int (interrupt) instructions, which attempt to directly invoke the operating system; [0061] all instructions that modify x86 segment state (including LDS, far calls, etc), because these instructions interfere with the memory segments that are used to enforce data integrity (see the segmented memory description below); [0062] the rdtsc (read time stamp counter) and rdmsr (read from model specific register) instructions, as well as other hardware performance instructions and/or features which may be used by a native code module to mount side-channel attacks (e.g., by covertly leaking sensitive information); [0063] various complex addressing modes that complicate the verification of 
Chen does not specifically mention about, which is well-known in the art, which David discloses, a predetermined importance of a user safety, the predetermined importance of the user safety corresponding to each of the functions (para 41-43, 7, 35), modifying (updates/version(s) of software, para 36) a program code (software/security policy for defining processes and contexts, the software being different for different ECUs, para 41) writing the modified program code to an electronic control unit (ECU) (updated software/security policy is loaded on the ECU/Iot device, 110, figure 1A), modified code executable by the ECU (adding of processes, scripts, etc. embedded in ECUs, para 42, adding of updated security layers, policies/software to ECUs para 43),

    PNG
    media_image3.png
    527
    719
    media_image3.png
    Greyscale



    PNG
    media_image4.png
    418
    514
    media_image4.png
    Greyscale

Therefore, it would have been obvious to one of ordinary skill in the art at the time of the effective filing date of the claimed invention to modify the invention disclosed by Chen to implement these limitations and also one of ordinary skill in the art would have been motivated to do so because it could provide 
Chen and David do not disclose which Koga-Toyota discloses the determination that the importance of the extracted function exceeds an importance threshold (usage of ECU with surpassing degree/frequency/level for a situation in the vehicle, para 109). 


    PNG
    media_image5.png
    674
    962
    media_image5.png
    Greyscale


    PNG
    media_image6.png
    684
    1002
    media_image6.png
    Greyscale

    PNG
    media_image7.png
    690
    971
    media_image7.png
    Greyscale


Chen, Koga-Toyota and David do not specifically mention “before”. However, one of ordinary skilled in the art would readily know that when the program code is modified after writing to the ECU would also be modified before the program code is written to the ECU. One of ordinary skilled in the art would also readily know that it is harder to modify the program code after it is written to the ECU as compared to modifying the program code before it is written to the ECU. “Official Notice” is taken that before writing modified program code to the ECU / modifying a program code before writing the modified code to the ECU is well-known and expected in the art. 
For example, please see,
KR 101600460 B1, pages 1-9
KR 101600460 B1, discloses, before writing modified program code to ECU (software including modified code/program is first updated and then it is written to the ECU).

When the server provides automotive manufacturers (10) for the upgrade of the software sends the binary files for the upgrade using the Secure FOTA (Firmware Over-TheAir) protocol to a personal digital assistant (20). The software upgrade is a software (or firmware) for the vehicle, allows for software upgrades offered only if you have to be upgraded by comparing the version of the software that will version currently stored in the vehicle. Software transfer of automotive companies server 10 for an upgrade is transmitted together with the code for generating the verification to verify the change of the binary file from the vehicle electronic control device 40 according to the authentication method used for authentication, software upgrades. The verification code is generated by using the conventional chain hash (hash chain) algorithm. For example, you need to check whether the ECU software update service updates in the ECU of the vehicle with the vehicle manufacturer. Model of the vehicle includes the identification number and the vehicle number, social security number, etc. of the owner of the vehicle in the vehicle registration number or the vehicle manufacturer. Further, a unique ID code in the ECU. Vehicle and is connected to the smart devices (personal digital assistant), and checks the vehicle specific code and the ID code for user authentication ECU) (last paragraph of page 4- second paragraph of page 5),
Binary software update is stored in the memory (RAM), it is determined if the binary code is safe to
proceed with the update to the ECU. Upgrading the control unit 41 reads the binary file from the
memory, and reprogrammed into FlashROM. And upgrade the control unit 41 compares the program
reads from the memory and re-extracted verification code and the initial hash values to a check for
changes in the binary file, first paragraph, page 6.

WO 0002106 A1, ADACHI NORIYASU, 
(code is first modified for a vehicle ECU and then it is written to the ECU, Page 7, fourth paragraph, first paragraph page 10)

CN 110582430 A, NAGASHIMA et al., (code is modified for ECU of a vehicle and then only the updated code it is written to the ECU, page 12, para 5-7



Referring to claim(s) 2, Chen also discloses a check instruction that checks whether the program code is executable based on the extracted control flow (data integrity, checking program executions based on the flow, para 109).

Referring to claim(s) 9, Chen discloses an electronic control unit comprising: a memory, an arithmetic unit configured to perform a program that has a check instruction inserted into a program code (inserting a sequence of instructions in the code that use a register-specified destination instead and hence is not vulnerable to a race condition based on determine the return address(es) from a stack location, para 59-65) based on functions (determine the return address(es) from a stack location, para 59-65) for properly performing a control flow that represents a call-return relationship of the function written in the program code (control flow achieved without unsafe instructions after removal of functions, call-return instructions from the code, para 59-65, restrict control transfer instructions, not allowing return, far call, far jump instructions, etc., to remove risk and make the software secure, para 59-65.

Chen does not specifically mention about, which is well-known in the art, which David discloses, a predetermined importance of a user safety corresponding to the function (para 41-43, 7, 35), as modified (updates/version(s) of software, para 36) program code executable by the electronic control unit (software/security policy for defining processes and contexts, the software being different for different ECUs, para 41) writing the modified program code to an electronic control unit (ECU) (updated software/security policy is loaded on the ECU/Iot device, 110, figure 1A), modified code executable by the ECU (adding of processes, scripts, etc. embedded in ECUs, para 42, adding of updated security layers, policies/software to ECUs para 43).


    PNG
    media_image3.png
    527
    719
    media_image3.png
    Greyscale



    PNG
    media_image4.png
    418
    514
    media_image4.png
    Greyscale

Therefore, it would have been obvious to one of ordinary skill in the art at the time of the effective filing date of the claimed invention to modify the invention disclosed by Chen to implement these limitations and also one of ordinary skill in the art would have been motivated to do so because it could provide 
Chen and David do not disclose which Koga-Toyota discloses the determination that the importance of the extracted function exceeds an importance threshold (usage of ECU with surpassing degree/frequency/level for a situation in the vehicle, para 109). 


    PNG
    media_image5.png
    674
    962
    media_image5.png
    Greyscale


    PNG
    media_image6.png
    684
    1002
    media_image6.png
    Greyscale

    PNG
    media_image7.png
    690
    971
    media_image7.png
    Greyscale


Therefore, it would have been obvious to one of ordinary skill in the art at the time of the effective filing date of the claimed invention to modify the invention disclosed by Chen to implement these limitations and also one of ordinary skill in the art would have been motivated to do so because it could provide utilizing of determining of an importance of a function to exceed a threshold. Based on the number of times / use of the function, a level/frequency/degree selection of the function would enable updating situation related to the function in a device such as a vehicle. Stored history of the usage including information related to functions would enable knowing which functions are more important versus less important. Necessary functions would be utilized for updating the program, Koga-Toyota para 109. 
Chen, Koga-Toyota and David do not disclose “before”. However, one of ordinary skilled in the art would readily know that when the program code is modified after writing to the ECU would also be modified before the program code is written to the ECU. One of ordinary skilled in the art would also readily know that it is harder to modify the program code after it is written to the ECU as compared to modifying the program code before it is written to the ECU. “Official Notice” is taken that before writing modified program code to the ECU / modifying a program code before writing the modified code to the ECU is well-known and expected in the art. 
For example, please see,
KR 101600460 B1, pages 1-9
KR 101600460 B1, discloses, before writing modified program code to ECU (software including modified code/program is first updated and then it is written to the ECU).

When the server provides automotive manufacturers (10) for the upgrade of the software sends the binary files for the upgrade using the Secure FOTA (Firmware Over-TheAir) protocol to a personal digital assistant (20). The software upgrade is a software (or firmware) for the vehicle, allows for software version currently stored in the vehicle. Software transfer of automotive companies server 10 for an upgrade is transmitted together with the code for generating the verification to verify the change of the binary file from the vehicle electronic control device 40 according to the authentication method used for authentication, software upgrades. The verification code is generated by using the conventional chain hash (hash chain) algorithm. For example, you need to check whether the ECU software update service updates in the ECU of the vehicle with the vehicle manufacturer. Model of the vehicle includes the identification number and the vehicle number, social security number, etc. of the owner of the vehicle in the vehicle registration number or the vehicle manufacturer. Further, a unique ID code in the ECU. Vehicle and is connected to the smart devices (personal digital assistant), and checks the vehicle specific code and the ID code for user authentication ECU) (last paragraph of page 4- second paragraph of page 5),
Binary software update is stored in the memory (RAM), it is determined if the binary code is safe to
proceed with the update to the ECU. Upgrading the control unit 41 reads the binary file from the
memory, and reprogrammed into FlashROM. And upgrade the control unit 41 compares the program
reads from the memory and re-extracted verification code and the initial hash values to a check for
changes in the binary file, first paragraph, page 6.

WO 0002106 A1, ADACHI NORIYASU, 
(code is first modified for a vehicle ECU and then it is written to the ECU, Page 7, fourth paragraph, first paragraph page 10)

CN 110582430 A, NAGASHIMA et al., (code is modified for ECU of a vehicle and then only the updated code it is written to the ECU, page 12, para 5-7

Therefore, it would have been obvious to one of ordinary skill in the art at the time of the effective filing date of the claimed invention to modify the invention disclosed by Chen to implement these limitations and also one of ordinary skill in the art would have been motivated to do so because it could provide usage of well-known modifying a program code, either before and/or after, the modified program code is written to the ECU. The modification of the program code would enable updating the code for improved functionality and/or selection of necessary functionality. One of ordinary skilled in the art would also readily know that millions of vehicles around the world include ECU and the updates to the software/program code of the ECU are also provided for the vehicles prior to writing the program code to the ECU to update the recalls of the vehicles and/or better security features. 

Referring to claim(s) 16, Chen discloses an arithmetic unit configured to perform a program that has a check instruction inserted in a program code based on functions for properly performing a control flow that represents a call-return relationship of the functions written in the program code (control flow achieved without unsafe instructions after removal of functions, call-return instructions from the code, para 59-65, restrict control transfer instructions, not allowing return, far call, far jump instructions, etc., to remove risk and make the software secure, para 59-65), wherein the instruction inserted in the program code is selectively performed based on the functions (determine the return address(es) from a stack location, para 59-65); and an instruction selector configured to select, at execution time, the instruction to be performed based on the functions (inserting a sequence of instructions in the code that use a register-specified destination instead and hence is not vulnerable to a race condition based on determine the return address(es) from a stack location, para 59-65).
[0059] In one embodiment of the present invention, the validator helps to achieve code, control-flow, and data integrity for an x86 native code module in part by ensuring that a set of "unsafe" instructions from the x86 ISA (instruction set architecture) are not included in a native code module.  For instance, the validator may disallow the 
Chen does not specifically mention about, which is well-known in the art, which David discloses, a predetermined importance of a user safety corresponding to the functions (para 41-43, 7, 35), as modified (updates/version(s) of software, para 36) program code executable by the electronic control unit (software/security policy for defining processes and contexts, the software being different for different ECUs, para 41) writing the modified program code to an electronic control unit (ECU) (updated software/security policy is loaded on the ECU/Iot device, 110, figure 1A), modified code executable by the ECU (adding of processes, scripts, etc. embedded in ECUs, para 42, adding of updated security layers, policies/software to ECUs para 43).

    PNG
    media_image3.png
    527
    719
    media_image3.png
    Greyscale



    PNG
    media_image4.png
    418
    514
    media_image4.png
    Greyscale

Therefore, it would have been obvious to one of ordinary skill in the art at the time of the effective filing date of the claimed invention to modify the invention disclosed by Chen to implement these limitations and also one of ordinary skill in the art would have been motivated to do so because it could provide 
Chen and David do not disclose which Koga-Toyota discloses the determination that the importance of the extracted function exceeds an importance threshold (usage of ECU with surpassing degree/frequency/level for a situation in the vehicle, para 109). 
    PNG
    media_image5.png
    674
    962
    media_image5.png
    Greyscale


    PNG
    media_image6.png
    684
    1002
    media_image6.png
    Greyscale

    PNG
    media_image7.png
    690
    971
    media_image7.png
    Greyscale


Therefore, it would have been obvious to one of ordinary skill in the art at the time of the effective filing date of the claimed invention to modify the invention disclosed by Chen to implement these limitations and also one of ordinary skill in the art would have been motivated to do so because it could provide utilizing of determining of an importance of a function to exceed a threshold. Based on the number of times / use of the function, a level/frequency/degree selection of the function would enable updating situation related to the function in a device such as a vehicle. Stored history of the usage including information related to functions would enable knowing which functions are more important versus less important. Necessary functions would be utilized for updating the program, Koga-Toyota para 109. 
Chen, Koga-Toyota and David do not disclose “before”. However, one of ordinary skilled in the art would readily know that when the program code is modified after writing to the ECU would also be modified before the program code is written to the ECU. One of ordinary skilled in the art would also readily know that it is harder to modify the program code after it is written to the ECU as compared to modifying the program code before it is written to the ECU. “Official Notice” is taken that before writing modified program code to the ECU / modifying a program code before writing the modified code to the ECU is well-known and expected in the art. 
For example, please see,
KR 101600460 B1, pages 1-9
KR 101600460 B1, discloses, before writing modified program code to ECU (software including modified code/program is first updated and then it is written to the ECU).

When the server provides automotive manufacturers (10) for the upgrade of the software sends the binary files for the upgrade using the Secure FOTA (Firmware Over-TheAir) protocol to a personal digital assistant (20). The software upgrade is a software (or firmware) for the vehicle, allows for software version currently stored in the vehicle. Software transfer of automotive companies server 10 for an upgrade is transmitted together with the code for generating the verification to verify the change of the binary file from the vehicle electronic control device 40 according to the authentication method used for authentication, software upgrades. The verification code is generated by using the conventional chain hash (hash chain) algorithm. For example, you need to check whether the ECU software update service updates in the ECU of the vehicle with the vehicle manufacturer. Model of the vehicle includes the identification number and the vehicle number, social security number, etc. of the owner of the vehicle in the vehicle registration number or the vehicle manufacturer. Further, a unique ID code in the ECU. Vehicle and is connected to the smart devices (personal digital assistant), and checks the vehicle specific code and the ID code for user authentication ECU) (last paragraph of page 4- second paragraph of page 5),
Binary software update is stored in the memory (RAM), it is determined if the binary code is safe to
proceed with the update to the ECU. Upgrading the control unit 41 reads the binary file from the
memory, and reprogrammed into FlashROM. And upgrade the control unit 41 compares the program
reads from the memory and re-extracted verification code and the initial hash values to a check for
changes in the binary file, first paragraph, page 6.

WO 0002106 A1, ADACHI NORIYASU, 
(code is first modified for a vehicle ECU and then it is written to the ECU, Page 7, fourth paragraph, first paragraph page 10)

CN 110582430 A, NAGASHIMA et al., (code is modified for ECU of a vehicle and then only the updated code it is written to the ECU, page 12, para 5-7

Therefore, it would have been obvious to one of ordinary skill in the art at the time of the effective filing date of the claimed invention to modify the invention disclosed by Chen to implement these limitations and also one of ordinary skill in the art would have been motivated to do so because it could provide usage of well-known modifying a program code, either before and/or after, the modified program code is written to the ECU. The modification of the program code would enable updating the code for improved functionality and/or selection of necessary functionality. One of ordinary skilled in the art would also readily know that millions of vehicles around the world include ECU and the updates to the software/program code of the ECU are also provided for the vehicles prior to writing the program code to the ECU to update the recalls of the vehicles and/or better security features. 

Referring to claim(s) 24, Chen also discloses checking whether the control flow is properly performable based on a check instruction in the instructions (data integrity, checking program executions based on the flow, para 109).

Referring to claim(s) 29, David also discloses writing the modified program code into an ECU disposed in a vehicle (para 41).

Referring to claim(s) 30, David also discloses writing the modified program code into an ECU disposed in a vehicle (para 41); and executing, by the ECU, the modified program code written in the ECU (para 29, 41-43).

Claim(s) 3, 4, 11, 12, 18, 19, 25, 26, is/are rejected under 35 U.S.C. 103 as being unpatentable over Chen in view of Koga-Toyota, David, “Official Notice” and Black et al., 2013/0283245.
Referring to claim(s) 3, 11, 18, 25, Chen, Koga-Toyota and David do not disclose which Black discloses, the program code includes a caller function (para 68) and, a callee function that is called by the caller function and returns control to the caller function (para 68), and the instruction includes a return instruction that (i) stores a return address from the callee function to the caller function in a secure region ( para 68, 69) and (ii) performs a return process to return from the callee function to the caller function based on the stored return address ( para 68, 69, along with enforcing control flow integrity (CFI), para 65). 

    PNG
    media_image8.png
    580
    740
    media_image8.png
    Greyscale

Therefore, it would have been obvious to one of ordinary skill in the art at the time of the effective filing date of the claimed invention to modify the invention disclosed by Chen to implement these limitations and also one of ordinary skill in the art would have been motivated to do so because it could provide usage of well-known a caller function and a callee function. The usage of secure data region would be utilized to store addresses for enforcing control flow integrity, Black, para 68, 69.  

Referring to claims 4, 12, 19, 26, Chen also discloses the return instruction performs the return process that returns to the return address stored in the secure region (usage of secure data region 424, para 75).

Claim(s) 5, 13, 20, 27, is/are rejected under 35 U.S.C. 103 as being unpatentable over Chen in view of David, Black, Koga-Toyota, “Official Notice” and Basak et al., 20180341767.
Referring to claim(s) 5, 13, 20, 27, Chen discloses the secure region (usage of secure data region 424, para 75). Chen, Bradt, Black, Koga-Toyota do not disclose which Basak discloses, the return instruction compares a first return address and a second return address, the first return address stored in storage and the second return address stored in a stack region (para 120) when the caller function calls the callee function for returning from the callee function to the caller function (para 146), and performs the return process to return to the first return address or the second return address (para 117) upon determining a match between the first return address and the second return address (para 119). 

    PNG
    media_image9.png
    705
    558
    media_image9.png
    Greyscale

Therefore, it would have been obvious to one of ordinary skill in the art at the time of the effective filing date of the claimed invention to modify the invention disclosed by Chen to implement these limitations and also one of ordinary skill in the art would have been motivated to do so because it could provide usage of well-known caller functions and callee functions. The usage of secure data region and stack region would be utilized to store necessary addresses for enforcing necessary return of address based on storage, Black, para 68, 69.  

Claim(s) 6, 14, is/are rejected under 35 U.S.C. 103 as being unpatentable over Chen in view of David, Koga-Toyota, “Official Notice” and Puzovic 9753731.
Referring to claim(s) 6, 14, Chen also discloses extracted functions para 59-65. Chen, Koga-Toyota, Bradt, do not disclose which Puzovic discloses, the predetermined importance the user safety corresponding to each of the functions is determined based on frequency of use of the functions, (frequency of functions usage, col., 4, lines 15-25). 
    PNG
    media_image10.png
    720
    503
    media_image10.png
    Greyscale


    PNG
    media_image11.png
    601
    736
    media_image11.png
    Greyscale

Therefore, it would have been obvious to one of ordinary skill in the art at the time of the effective filing date of the claimed invention to modify the invention disclosed by Chen to implement these limitations and also one of ordinary skill in the art would have been motivated to do so because it could provide usage of well-known tracking usage of functions. The functions that are used more would be considered as important functions as compared to lesser usage of functions. The functions that are used frequently would be used for program generation, Puzovic, col., 4, lines 15-25.  

Claim(s) 7, 15, is/are rejected under 35 U.S.C. 103 as being unpatentable over Chen in view of David, Koga-Toyota, “Official Notice”, Maiwand et al., 2017/0352215.
Referring to claim(s) 7, 15, Chen also discloses extracted functions para 59-65. Chen, Koga-Toyota, Bradt, do not disclose which Maiwand discloses, the program code is written in an electronic control unit disposed in a vehicle (vehicle’s ECU, para 49), and the predetermined importance of the user safety corresponding to each of the functions (controls/vehicle control file/vehicle controls, para 109) is determined according to a safety of a vehicle user (controls on a vehicle to enhance the safety of the vehicle for child, versus employees, etc., para 109)s when the functions are relevant to the safety of the vehicle user (controls on a vehicle to enhance the safety of the vehicle for child/employees, etc., para 109). 

    PNG
    media_image12.png
    708
    555
    media_image12.png
    Greyscale

.
  
Claim(s) 8, 23, is/are rejected under 35 U.S.C. 103 as being unpatentable over Chen in view of David, Koga-Toyota, “Official Notice”, Chafi et al., 2014/0082597.
Referring to claim(s) 8, 23, Chen also discloses extracted functions para 59-65. Chen, Bradt, do not disclose which Chafi discloses, the instruction is configured to be selectively performable based on the predetermined importance of the user safety corresponding to each of the user safety corresponding to the functions (based on frequency of functions used with control flow collection of code is selected for implementation, para 38). 

    PNG
    media_image13.png
    573
    826
    media_image13.png
    Greyscale

.

Claim(s) 10, 17, is/are rejected under 35 U.S.C. 103 as being unpatentable over Chen in view of David, Koga-Toyota, “Official Notice” and Lipton et al., 2017/0249460.
Referring to claim(s) 10, 17, Chen and David do not disclose which Lipton discloses, the instruction includes a check instruction that checks whether the program code is executable based on the control flow (verifying code using control flow, para 7, 125), and a detector unit configured to detect an abnormality of the control flow by monitoring an output of the check instruction (monitoring and detecting abnormality of the control flow, para 7, 125); and a processor configured to perform a predetermined process based on a detection result of the processor (preforming of a process based on the abnormality, para 7, 125). 

    PNG
    media_image14.png
    294
    463
    media_image14.png
    Greyscale

.  

Claim(s) 21, is/are rejected under 35 U.S.C. 103 as being unpatentable over Chen in view of David, Maiwand, “Official Notice”, Koga-Toyota and Sakai 2018/0037160.
Referring to claim(s) 21, Chen, Bradt, do not disclose which Maiwand discloses, the program code is written in an electronic control unit disposed in a vehicle (vehicle’s ECU, para 49), and the an operation state detector configured to receive an operation state of the vehicle (controls/vehicle control file/vehicle controls, para 109, controls on a vehicle to enhance the safety of the vehicle for child, versus employees, etc., para 109, controls on a vehicle to enhance the safety of the vehicle for child/employees, etc., para 109). 

    PNG
    media_image15.png
    767
    576
    media_image15.png
    Greyscale

Therefore, it would have been obvious to one of ordinary skill in the art at the time of the effective filing date of the claimed invention to modify the invention disclosed by Chen to implement these limitations and also one of ordinary skill in the art would have been motivated to do so because it could provide usage of well-known ECU of vehicle. The functions would be utilized for performing controls for the vehicle. The controls on the vehicle would enhance safety of people in the vehicle, Maiwand, para 109. 
.

Claim(s) 31 is/are rejected under 35 U.S.C. 103 as being unpatentable over Chen in view of Koga-Toyota, David, “Official Notice” and JP 6270965 B1, page 4.
Referring to claim(s) 31, please refer to claim 1 rejections, writing the modified program code into an electronic control unit that is installed in a vehicle (code is modified for ECU of a vehicle and then only the updated code it is written to the ECU, including official notice). David discloses changing the predetermined importance of the check instruction in the modified program code in the electronic control unit (para 41-43, 7, 35). Chen, Koga-Toyota and David do not disclose which JP 6270965 B1 discloses, according to an operation state of the vehicle, abstract, para 6-9, page 4. Therefore, it would have been obvious to one of ordinary skill in the art at the time of the effective filing date of the claimed invention to modify the invention disclosed by Chen to implement these limitations and also one of ordinary skill in the art would have been motivated to do so because it could provide usage of well-known operation state of the vehicle for update/replacement of a function in the ECU. When the vehicle .    

Claim(s) 32 is/are rejected under 35 U.S.C. 103 as being unpatentable over Chen in view of Koga-Toyota, David, “Official Notice” and JP 6270965 B1, page 4.
Referring to claim(s) 32, please refer to claim 1 rejections, the program code is written to the electronic control unit installed in a vehicle (code is modified for ECU of a vehicle and then only the updated code it is written to the ECU, including official notice). David discloses the electronic control unit further includes: an importance changer configured to change the importance of the function written in the program code (para 41-43, 7, 35). Chen, Koga-Toyota and David do not disclose which JP 6270965 B1 discloses, an operation state detector configured to receive an operation state of the vehicle; and according to the detected operation state. Therefore, it would have been obvious to one of ordinary skill in the art at the time of the effective filing date of the claimed invention to modify the invention disclosed by Chen to implement these limitations and also one of ordinary skill in the art would have been motivated to do so because it could provide usage of well-known usage of operation state of the vehicle for update/replacement of a function in the ECU. When the detected/received vehicle operation state is such that it is safe to update/replace the function/software/program code; the software of the ECU would be updated for updated functionality.  When the vehicle operation state is such that it is unsafe to update/replace the function/software/program code; the software of the ECU would not be updated for safety, para 6-9, page 4.    


Response to Arguments
Applicant's arguments filed 12/30/21, pages 13-24 have been fully considered but they are not persuasive.  Therefore, rejection of claims 1-27, 29-32 is maintained. 
Regarding applicant’s concern for the amended limitations, the rejections are updated accordingly. Please refer to above updated rejections.
Chen discloses a program generation method comprising: a non-transitory physical computer-readable medium comprising instructions being executed by a computer, the instructions including a computer-implemented method for generating a program, the method including:
extracting a control flow that represents a call-return relationship between functions as well as extracting the functions themselves from a program code (control flow achieved without unsafe instructions after removal of functions, call-return instructions from the code, para 59-65, restrict control transfer instructions, not allowing return, far call, far jump instructions, etc., to remove risk and make the software secure, para 59-65),

    PNG
    media_image1.png
    715
    462
    media_image1.png
    Greyscale

determining the extracted functions (determine the return address(es) from a stack location, para 59-65); and

    PNG
    media_image2.png
    581
    506
    media_image2.png
    Greyscale

inserting a check instruction into the program code, to properly perform the control flow based on each of the extracted functions (inserting a sequence of instructions in the code that use a register-specified destination instead and hence is not vulnerable to a race condition based on determine the return address(es) from a stack location, para 59-65).
[0059] In one embodiment of the present invention, the validator helps to achieve code, control-flow, and data integrity for an x86 native code module in part by ensuring that a set of "unsafe" instructions from the x86 ISA (instruction set architecture) are not included in a native code module.  For instance, the validator may disallow the use of the following instructions and/or features in a native code module: [0060] the syscall (system call) and int (interrupt) instructions, which attempt to directly invoke the operating system; [0061] all instructions that modify x86 segment state (including LDS, far calls, etc), because these instructions interfere with the memory segments that are used to enforce data integrity (see the segmented memory description below); [0062] the rdtsc (read time stamp counter) and rdmsr (read from model specific register) instructions, as well as other hardware performance instructions and/or features which may be used by a native code module to mount side-channel attacks (e.g., by covertly leaking sensitive information); [0063] various complex addressing modes that complicate the verification of 
Chen does not specifically mention about, which is well-known in the art, which David discloses, a predetermined importance of a user safety, the predetermined importance of the user safety corresponding to each of the functions (para 41-43, 7, 35), modifying (updates/version(s) of software, para 36) a program code (software/security policy for defining processes and contexts, the software being different for different ECUs, para 41) writing the modified program code to an electronic control unit (ECU) (updated software/security policy is loaded on the ECU/Iot device, 110, figure 1A), modified code executable by the ECU (adding of processes, scripts, etc. embedded in ECUs, para 42, adding of updated security layers, policies/software to ECUs para 43),

    PNG
    media_image3.png
    527
    719
    media_image3.png
    Greyscale



    PNG
    media_image4.png
    418
    514
    media_image4.png
    Greyscale

Therefore, it would have been obvious to one of ordinary skill in the art at the time of the effective filing date of the claimed invention to modify the invention disclosed by Chen to implement these limitations and also one of ordinary skill in the art would have been motivated to do so because it could provide 
Chen and David do not disclose which Koga-Toyota discloses the determination that the importance of the extracted function exceeds an importance threshold (usage of ECU with surpassing degree/frequency/level for a situation in the vehicle, para 109). 


    PNG
    media_image5.png
    674
    962
    media_image5.png
    Greyscale


    PNG
    media_image6.png
    684
    1002
    media_image6.png
    Greyscale

    PNG
    media_image7.png
    690
    971
    media_image7.png
    Greyscale


Chen, Koga-Toyota and David do not specifically mention “before”. However, one of ordinary skilled in the art would readily know that when the program code is modified after writing to the ECU would also be modified before the program code is written to the ECU. One of ordinary skilled in the art would also readily know that it is harder to modify the program code after it is written to the ECU as compared to modifying the program code before it is written to the ECU. “Official Notice” is taken that before writing modified program code to the ECU / modifying a program code before writing the modified code to the ECU is well-known and expected in the art. 
For example, please see,
KR 101600460 B1, pages 1-9
KR 101600460 B1, discloses, before writing modified program code to ECU (software including modified code/program is first updated and then it is written to the ECU).

When the server provides automotive manufacturers (10) for the upgrade of the software sends the binary files for the upgrade using the Secure FOTA (Firmware Over-TheAir) protocol to a personal digital assistant (20). The software upgrade is a software (or firmware) for the vehicle, allows for software upgrades offered only if you have to be upgraded by comparing the version of the software that will version currently stored in the vehicle. Software transfer of automotive companies server 10 for an upgrade is transmitted together with the code for generating the verification to verify the change of the binary file from the vehicle electronic control device 40 according to the authentication method used for authentication, software upgrades. The verification code is generated by using the conventional chain hash (hash chain) algorithm. For example, you need to check whether the ECU software update service updates in the ECU of the vehicle with the vehicle manufacturer. Model of the vehicle includes the identification number and the vehicle number, social security number, etc. of the owner of the vehicle in the vehicle registration number or the vehicle manufacturer. Further, a unique ID code in the ECU. Vehicle and is connected to the smart devices (personal digital assistant), and checks the vehicle specific code and the ID code for user authentication ECU) (last paragraph of page 4- second paragraph of page 5),
Binary software update is stored in the memory (RAM), it is determined if the binary code is safe to
proceed with the update to the ECU. Upgrading the control unit 41 reads the binary file from the
memory, and reprogrammed into FlashROM. And upgrade the control unit 41 compares the program
reads from the memory and re-extracted verification code and the initial hash values to a check for
changes in the binary file, first paragraph, page 6.

WO 0002106 A1, ADACHI NORIYASU, 
(code is first modified for a vehicle ECU and then it is written to the ECU, Page 7, fourth paragraph, first paragraph page 10)

CN 110582430 A, NAGASHIMA et al., (code is modified for ECU of a vehicle and then only the updated code it is written to the ECU, page 12, para 5-7






PERTINENT PRIOR ARTS:
Mori et al., 2014/0372995, Denso Corporation discloses a program generator comprising: a processor; a non-transitory computer-readable memory storing instructions that, when executed, cause the following to be performed: extract callable functions and control flows from a program (para 145, 64).

DOCUMENT-IDENTIFIER:    US 20170212746 A1 
 TITLE:                  UPDATING A CONTROLLER UNIT IN A VEHICLE 
[0014] In accordance with some implementations of the present disclosure, techniques or mechanisms are provided to allow for machine-readable instructions of ECUs provided by multiple different vendors to be conveniently downloaded to vehicles using wireless communications, such as over a cellular network, a WI-FI network, or other type of wireless network.  In this manner, the machine-readable instructions of ECUs of a vehicle can be updated as long as the vehicle is wirelessly connected over a specified wireless network (or any of various different wireless networks).  For example, the updates can be performed while the vehicle is in operation, or alternatively, while the vehicle is idle or turned off.  [0035] In addition, the update management engine 118 can receive information regarding a status relating to the updating of machine-readable instructions on at least one ECU in the vehicle 110.  The status that is indicated by the received information can be a success status (to indicate that the machine-readable instructions of at least one ECU has been successfully updated), a failure status (to indicate that the update of machine-readable instructions on an ECU has failed), a partial failure status (to indicate that the update of machine-readable instructions has partially failed), a rollback status (to indicate that an update of machine-readable instructions of an ECU has started, but for some reason the machine-readable instructions of the ECU has been rolled back to a prior version), and a retry status (to indicate that a previous attempt at performing an update of machine-readable instructions of an ECU has been made, and due to a failure, another update of the machine-readable instructions of the ECU is being retried).  In further examples, the status can indicate the progress through an update lifecycle, such as "download started," "download complete," "install started," "install complete," "rebooting," and so forth. 

DOCUMENT-IDENTIFIER:    US 20150128123 A1 
TITLE:                  System and Method for Preparing Vehicle for Remote Reflash Event
[0052] FIG. 3 is a flow chart summarizing an example process executed by a telematics unit of a vehicle for preparing for and undergoing a remote reflash event.  At step 300, the telematics unit receives a notification of a pending reflash event and instructions for preparing for the pending reflash event.  The notification of the pending reflash event may include information pertaining to the time at which the reflash event is scheduled or the location at which the reflash event is scheduled.  Furthermore, the notification may include information pertaining to actions that will be executed during the reflash event.  For example, the notification may indicate identities of one or more software versions that will be updated or one or more ECUs running software that will be updated.  The instructions received at step 300 direct the vehicle 102 to take measures to prepare for the remote reflash event such that the rehashing can be successfully accomplished white leaving the vehicle in a fully operational state.  For example, the instructions may direct a charging module of the vehicle to charge a vehicle battery to a stored energy level that is higher than the default stored energy level in order to enable the vehicle to undergo a remote reflash event and to retain sufficient battery charge to achieve satisfactory vehicle operation.  For example, the instructions may direct the charging module of the vehicle 102 to charge the battery to a level equal to ninety percent of the maximum charge capacity when a remote reflash event is pending while the default stored energy level is eighty percent of the maximum charge capacity.

Conclusion
This application was filed on 6/25/2018. The first non-final office action wad dated 5/28/2020. Applicant has made numerous amendments to the claims since 6/25/2018. Applicant is reminded that any further amendments that are similar to claim 28 would only be examined. Please see below:
35 U.S.C. 101 reads as follows: 
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.

Since, one patent is for one invention, any further amendments to existing claims that would make the other claims, restrict-able subject matter that would not fall under claim 28; would not be part of the claim 28 invention that is already allowed.

Applicant chose to amend claim 28 with several limitations over prior rejections even though the claim 28 contained “before” limitation. Hence, applicant is suggested to cancel claims other than 
Applicant is reminded for compact prosecution rather extended prosecution. For example, Applicant merely relies on “before” limitation for independent claims except claim 28 that is amended as following:

    PNG
    media_image16.png
    729
    658
    media_image16.png
    Greyscale

Even though the claim 28 is allowed, the allowance of the claim subject matter of the claim 28 would be extended because:
Applicant merely relies on “before” limitation regarding modifying a code for the ECU for the claimed subject to be novel over the rejections of final office action dated 7/16/21.
well-known and expected in the art. 
For example, please see,
KR 101600460 B1, pages 1-9
KR 101600460 B1, discloses, before writing modified program code to ECU (software including modified code/program is first updated and then it is written to the ECU).

When the server provides automotive manufacturers (10) for the upgrade of the software sends the binary files for the upgrade using the Secure FOTA (Firmware Over-TheAir) protocol to a personal digital assistant (20). The software upgrade is a software (or firmware) for the vehicle, allows for software upgrades offered only if you have to be upgraded by comparing the version of the software that will provide the version currently stored in the vehicle. Software transfer of automotive companies server 10 for an upgrade is transmitted together with the code for generating the verification to verify the change of the binary file from the vehicle electronic control device 40 according to the authentication method used for authentication, software upgrades. The verification code is generated by using the conventional chain hash (hash chain) algorithm. For example, you need to check whether the ECU software update service updates in the ECU of the vehicle with the vehicle manufacturer. Model of the vehicle includes the identification number and the vehicle number, social security number, etc. of the owner of the vehicle in the vehicle registration number or the vehicle manufacturer. Further, a unique ID code in the ECU. Vehicle and is connected to the smart devices (personal digital assistant), and checks the vehicle specific code and the ID code for user authentication ECU) (last paragraph of page 4- second paragraph of page 5),
Binary software update is stored in the memory (RAM), it is determined if the binary code is safe to

memory, and reprogrammed into FlashROM. And upgrade the control unit 41 compares the program
reads from the memory and re-extracted verification code and the initial hash values to a check for
changes in the binary file, first paragraph, page 6.

WO 0002106 A1, ADACHI NORIYASU, 
(code is first modified for a vehicle ECU and then it is written to the ECU, Page 7, fourth paragraph, first paragraph page 10)

CN 110582430 A, NAGASHIMA et al., (code is modified for ECU of a vehicle and then only the updated code it is written to the ECU, page 12, para 5-7.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to HARESH PATEL whose telephone number is (571)272-3973.  The examiner can normally be reached on M-F 9-5:30.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jorge L. Ortiz-Criado, can be reached at (571) 272-7624. The fax phone number for the organization where this application or proceeding is assigned is (571) 273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-

/HARESH N PATEL/Primary Examiner, Art Unit 2493