DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA  as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to 
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA /25, or PTO/AIA /26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.
Claims 1 and 11 are provisionally rejected on the ground of nonstatutory double patenting as being unpatentable over at least claims 1 and 5-6 of copending Application No. 16/938,930 (reference application). Although the claims at issue are not identical, they are not patentably distinct from each other because the claims of the the copending application are considered to anticipate those of the instant application. For instance, refer to the mapping of exemplary claim 1 below. Claim 11 is substantially similar to claim 1, and is therefore likewise rejected.
Instant Application
16/938,930
1. A method of allowing a guest operating system to control and manage computer resources, the method comprising: 

receiving, by a host operating system. a call from a guest operating system to control and manage computer resources; 


creating, by the host operating system, a secure sandbox executing on the host operating system; and 




creating, by the host operating system, a secure tunnel between the secure sandbox and the guest operating system, the secure tunnel having loopback networking;








wherein the secure sandbox is controlled and managed by the guest operating system but executing on the host operating system.


receiving, by a host operating system, a request to invoke a native process as a called procedure form a guest operating system;

loading the native process executable into a secure sandbox running on the host operating system; and 




5. The method of claim 1, wherein receiving includes receiving through a secure tunnel between the host operating system and the guest operating system.
6. The method of claim 5, wherein the secure tunnel is an encrypted communication path
between the guest operating system and the host operating system.
7. The method of claim 6, wherein the secure tunnel has loopback networking.between the guest operating system and the host operating system.

(1. cont.) transforming, data from the native process into a representation appropriate for the called the procedure in the host operating environment.



This is a provisional nonstatutory double patenting rejection because the patentably indistinct claims have not in fact been patented.

Claims 1 and 11 are provisionally rejected on the ground of nonstatutory double patenting as being unpatentable over at least claims 1-4 of copending Application No. 16/938,933 (reference application). Although the claims at issue are not identical, they are not patentably distinct from each other because the claims of the the copending application are considered to anticipate those of the instant application. For instance, refer to the mapping of exemplary claim 1 below. Claim 11 is substantially similar to claim 1, and is therefore likewise rejected.
Instant Application
16/938,933


receiving, by a host operating system. a call from a guest operating system to control and manage computer resources; 


creating, by the host operating system, a secure sandbox executing on the host operating system; and 


creating, by the host operating system, a secure tunnel between the secure sandbox and the guest operating system, the secure tunnel having loopback networking;









wherein the secure sandbox is controlled and managed by the guest operating system but executing on the host operating system.
1. A method of creating 4 guest-native executable, the method comprising:

receiving, by a host operating system, a call from a guest operating system to construct an executable from a guest-native source;

creating an ecosystem for the guest-native source in a Secure sandbox running on a host operating system;


2. The method of claim 1, wherein receiving includes receiving via a secure tunnel to create
an encrypted communication path between the guest operating system and the host
operating system,
3. The method of claim 2, wherein the secure tunnel includes loop back networking.
4. The method of claim 3, wherein receiving the guest-native source includes receiving the
guest-native source through the loop back networking of the secure tunnel.

(1. cont.) receiving the guest-native source; and
executing the guest-native source in the ecosystem on the host operating system.


This is a provisional nonstatutory double patenting rejection because the patentably indistinct claims have not in fact been patented.

Claims 1 and 11 are provisionally rejected on the ground of nonstatutory double patenting as being unpatentable over at least claims 1-3 and 5-6 of copending Application No. 16/938,931 (reference application). Although the claims at issue are not identical, they are not 
Instant Application
16/938,931
1. A method of allowing a guest operating system to control and manage computer resources, the method comprising: 

receiving, by a host operating system. a call from a guest operating system to control and manage computer resources; 


creating, by the host operating system, a secure sandbox executing on the host operating system; and 






creating, by the host operating system, a secure tunnel between the secure sandbox and the guest operating system, the secure tunnel having loopback networking;






wherein the secure sandbox is controlled and managed by the guest operating system but executing on the host operating system.
1. (Original) A method of compiling and executing a new program in a secure sandbox, the method comprising: 

receiving, by a host operating system, a request from a guest operating system to invoke an execution environment in a secure sandbox on a host operating system; and 

2. (Original) The method of claim 1, further comprising receiving, by a host operating system, a source code file from the guest operating system.
3. (Original) The method of claim 2, further comprising compiling by the host operating system the source code file into an executable file in the execution environment in the secure sandbox.

5. (Original) The method of claim 1, wherein receiving includes receiving, by a host operating system, via a secure tunnel a request from a guest operating system to invoke an execution environment in a secure sandbox on a host operating system.
6. (Original) The method of claim 5, wherein the secure tunnel is an encrypted communication path between the guest operating system and the host operating system and includes loop back networking.

(1. Cont.) executing the execution environment in the secure sandbox; whereby, a user can use the execution environment in the secure sand box from a guest operating system to 


This is a provisional nonstatutory double patenting rejection because the patentably indistinct claims have not in fact been patented.

Claim Objections
Claims 10 and 20 are objected to because of the following informalities:  the recite “such that all services running on the guest operating system having the same credentials,” which is believed to be a typographical error (i.e., “having” rather than “have”).  Appropriate correction is required.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-2, 4-12, and 14-20 is/are rejected under 35 U.S.C. 103 as being unpatentable over Ganesh (US 2020/0012511 A1) in view of Acharya (US 20180203681 A1).

A method of allowing a guest operating system to control and manage computer resources, the method comprising: 
receiving, by a host operating system (i.e., Host OS in Ganesh), a call from a guest operating system (i.e., Guest OS in Ganesh) to control and manage computer resources; 
Refer to at least [0076], [0087], and [0092] of Ganesh with respect to Guest OS calls and the Host OS. 
creating, by the host operating system, a secure sandbox executing on the host operating system; and 
Refer to at least [0054] and [0067]-[0069] of Ganesh with respect to creating a secure sandbox for the Guest OS by the Host OS via using a namespace container. 
creating, by the host operating system, a secure tunnel between the secure sandbox and the guest operating system; 
Refer to at least [0058], [0085], and [0091]-[0092] of Ganesh with respect to a secure channel between the Host OS and the Guest OS. 
wherein the secure sandbox is controlled and managed by the guest operating system but executing on the host operating system.
Refer to at least FIG. 5, [0089], [0090], and [0092] of Ganesh with respect to Guest OS applications operable via the sandbox to access Host OS resources. 
Ganesh discloses a secure channel, but does not specify: the secure tunnel having loopback networking. However, Ganesh in view of Acharya discloses: the secure tunnel having loopback networking. 
Refer to at least [0087] of Acharya, wherein a “communicative link may be established between the host operating system 521 and guest operating system(s) of the virtual machine 525, using a loopback interface or a static IP on a subnet.”

Therefore it would have been obvious to one of ordinary skill in the art before the filing date of Applicant’s invention to modify the teachings of Ganesh to further include the secure channel having loopback networking for at least the purpose of increased availability and/or flexibility achieved from utilizing a loopback interface.

Regarding claim 2, Ganesh-Acharya discloses: The method of claim 1, wherein creating a secure tunnel includes creating a secure tunnel to create an encrypted communication path between the guest operating system and the host operating system.
Refer to at least [0058], and [0153] of Ganesh with respect to encrypted communications via the secure channel. 

Regarding claim 4, Ganesh-Acharya discloses: The method of claim 1, wherein creating a secure sandbox includes creating a secure sandbox having a defined maximum size and a specific placement in memory of the host operating system.
Refer to at least [0061] and [0066] of Acharya with respect to virtual machine configurations specifying memory placement, as well as a maximum size limit. 
Refer to at least [0053], [0056], and [0078] of Ganesh with respect to restricting the Guest OS / Sandbox from access to Host OS resources. 
All of the claimed elements were known in the prior art and one skilled in the art could have combined the elements as claimed by known methods with no change in their respective functions, and the combination would have yielded predictable results to one of ordinary skill in the art at the time (i.e., a sandbox restricted to specific memory, and having a constrained size determined by the host system’s resources).

Regarding claim 5, Ganesh-Acharya discloses: The method of claim 1, wherein creating a secure sandbox includes connecting the secure sandbox to a storage through the guest operating system.
Refer to at least [0082] of Ganesh, wherein “processes operating in a guest OS container (for example, guest OS container 410 in FIG. 4) share device resources (for example, processor time and memory space) with processes running under the host OS.”

Regarding claim 6, Ganesh-Acharya discloses: The method of claim 5, wherein creating a secure sandbox includes preventing the secure sandbox from accessing local or virtualized storage in the host operating system.
Refer to at least [0053], [0056], and [0078] of Ganesh with respect to restricting the Guest OS / Sandbox from access to Host OS resources. 

Regarding claim 7, Ganesh-Acharya discloses: The method of claim 1, wherein creating a secure sandbox includes connecting the secure sandbox to networking through specific ports in the host operating system but preventing general access to networking in the host operating system.
Refer to at least [0153] of Ganesh concerning “implementing granular control over processes in a guest OS container's use of resources (for example, CPU, network or power resources) shared by a host OS and a guest OS container ”

Regarding claim 8, Ganesh-Acharya discloses: The method of claim 1, further comprising receiving a request by a user operating on the guest operating system and having user credentials to invoke a process in the secure sandbox.
Refer to at least [0069] of Ganesh with respect to user and process IDs respective to the Guest OS.

Regarding claim 9, Ganesh-Acharya discloses: The method of claim 8, further comprising searching a pool of credentials for the user credentials in the host operating system.
Refer to at least [0069] of Ganesh with respect to a user ID namespace for the container. 

Regarding claim 10, Ganesh-Acharya discloses: The method of claim 9, further comprising associating the user credentials with the process such that all services running on the guest operating system having the same credentials as the host operating system.
Refer to at least [0069]-[0070] of Ganesh with respect to process ID and user ID mapping together under the user ID namespace, as well as to making use of the Guest OS container namespace IDs via the Host OS.

Regarding independent claim 11, it is substantially similar to independent claim 1 above, and is therefore likewise rejected for substantially the same reasons (i.e., the citations and the obviousness rationale).

Regarding claims 12 and 14-20, they are substantially similar to claims 2 and 4-10 above, and are therefore likewise rejected.

Claims 3 and 13 is/are rejected under 35 U.S.C. 103 as being unpatentable over Ganesh-Acharya as applied to claims 1-2, 4-12, and 14-20 above, and further in view of Teglas (US 20200389326 A1).

wherein creating a secure tunnel includes creating a self-signed certificate and storing the certificate in the loopback networking. However, Ganesh-Acharya in view of Teglas discloses: wherein creating a secure tunnel includes creating a self-signed certificate and storing the certificate in the loopback networking.
Refer to at least the abstract and [0012] of Teglas with respect to a self-signed certificate, secure connection, and loopback networking. 
The teachings of Ganesh-Acharya and Teglas concern a secure channel and loopback networking, and are considered to be combinable as such. 
Therefore it would have been obvious to one of ordinary skill in the art before the filing date of Applicant’s invention to modify the teachings of Ganesh to further include a self-signed certificate associated with the secure channel because the substitution of one known element for another would have yielded predictable results to one of ordinary skill in the art at the time (i.e., substituting which particular implementation is used for the secure channel; in this case, TLS).

Regarding claim 13, it is substantially similar to claim 3 above, and is therefore likewise rejected.

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to VADIM SAVENKOV whose telephone number is (571)270-5751. The examiner can normally be reached 12PM-8PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffrey L Nickerson can be reached on (469) 295-9235. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.



/Jeffrey Nickerson/Supervisory Patent Examiner, Art Unit 2432                                                                                                                                                                                                        

/V.S/Examiner, Art Unit 2432