Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .





Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  



Claims 1 – 15 are rejected under 35 U.S.C. 103 as being unpatentable over Blaich (US Pub. No. 2013/0139244 A1) in view of Clark (US Pub. No. 2001/0023449 A1) in view of Zhang (US Pub. No. 2009/0271844 A1).

Per claim 1, Blaich suggests a method for providing restricted access to (reads on deciding which applications should be allowed to send or receive data from the network, see Blaich para 0017) hardware component interfaces (HWCIs) of (reads on the at least implied internal network interface and external network interface exemplified by the arrows entering and leaving the firewall of Blaich Figure 2, Figure 4 and Figure 5) a network device (1) (reads on the computing device comprising a MAC aware firewall, see Blaich Figure 2, Figure 4, Figure 5, Figure 8, para 0047 and claim 1) by one or more software components (SWCs) of (reads on the exemplary Application A of the applications of the computing device that wants to send or receive data from the network via the appropriate network interface, see Blaich para 0017, 0037 and claim 1) said network device (1) (reads on the computing device comprising a MAC aware firewall, see Blaich Figure 2, Figure 4, Figure 5, Figure 8, para 0047 and claim 1), wherein an access to (reads on applications/processes are allowed to send or receive data from the network using the corresponding network interface after it is determined the application/process has been permitted access to the network interface by comparing the MAC label of the process to the MAC attributes in the rule set, see Blaich para 0017, 0037 and claim 1, 4 and 5) a hardware component interface (HWCI) (reads on the at least implied internal network interface and external network interface exemplified by the arrows entering and leaving the firewall of Blaich Figure 2, Figure 4 and Figure 5) requested by (reads on the application/process desires to send or receive data from the network, see Blaich para 

[0017] One aspect of the present invention is deciding which applications should be allowed to send or receive data from the network and how to enforce this policy in a MAC environment. The present invention enables firewalls to take advantage of the method of enforcement of MAC technologies to provide a tighter integration with the MAC, while indirectly enhancing the network control ability of the MAC. Exemplary implementations include the use of security labels or defined paths, leveraging off of MAC mechanisms used for different purposes. Referring to FIG. 3, MAC mechanisms employ a subject-object paradigm for accesses. If Application (App) A wants to write to a LogFile, the MAC checks the security policy to allow or deny the access. MAC is a type of access control on a computing device in which the system determines which subjects have access to what objects in order to perform an operation such as read, write, or execute. Subjects and objects are any and all objects on a file-system. MAC controls can constrain users that have limited privileges, but also users that have administrator privileges, unlike in a Discretionary Access Control (DAC). In the case of a MAC the system determines the policy that is followed, not the users. Examples of MACs include Security Enhanced Linux.RTM. (SELinux) and the Simplified Mandatory Access Control Kernel or SMACK. Discretionary Access Controls or DAC is similar to a MAC because subjects are requesting access to objects in order to perform specific operations. However, in a DAC environment users can change or modify the policy. 
[0037] Also shown in the bottom portion of the diagram FIG. 5 in use an application App A generates packets that are to be sent to a network interface. The firewall 515 inspects the packets and looks to match them against the rules it ahs to determine what action to perform on them. In this example App A has an extended attribute or security label set for itself of security.SMACK64EXEC equal to com.security.appa. In this example, a packet is allowed out of the system by the firewall 515 if it was generated by a process having the extended attribute security label that matches the security label in module 525. This means when App A is executing it is running as the subject with the label com.security.apps. Based on the previous labeling, a rule can be added to the firewall system, iptables in this case, that can include the traditional restrictions like ip address, port number, mac address, etc; but can also include the new security label matching module that will provide another matching parameter to the rule before it can be considered a full match for a packet. Thus, any packet that is created by a process with a SMACK64EXEC label, in this example, equal to com.samsung.appa will have an action performed on it. 

[0047] FIG. 8 illustrates an exemplary computing device 800 including a MAC aware firewall. The MAC aware firewall 815 is part of the Operating System layer. The computing device also includes a Kernel layer 840 and least one processor 850 and memory 860. While the firewall 815 may be installed on a computing device it will be understood that more generally firewall 815 may also be stored as computer program code on a non-transitory computer readable medium which when executed on a processor implemented the MAC aware firewall. The various aspects, features, embodiments or implementations of the invention described above can be used alone or in various combinations.

1.A computing device include a processor and a memory, comprising: a firewall, the firewall having a firewall rule set extended to include Mandatory Access Control (MAC) attributes; the firewall configured to examine the MAC attributes of a process running within the protection of the firewall that is generating or receiving packets and performing rule checking for the process based at least in part by comparing the MAC attributes of the process to the MAC attributes in the firewall rule set; wherein the firewall obtains MAC attribute information for the process based on local information not included within the contents of individual packets.
3. The computing device of claim 1, wherein the firewall obtains MAC attributes for a process directly or indirectly from the process via a network layer.
MAC attributes include at least one of a label and a path attribute of a process.
5. The computing device of claim 1, wherein the MAC attributes include security labels for SELinux or SMACK.




    PNG
    media_image1.png
    614
    901
    media_image1.png
    Greyscale





    PNG
    media_image2.png
    422
    918
    media_image2.png
    Greyscale



The prior art of record is silent on explicitly stating MAC security policy comprising access rights defined as access relations between software component 
Clark suggests 
a method for providing restricted access to (reads on using mandatory access control comparing the network endpoint attribute with the interface attribute in the table of network attributes to determine whether the software process can access the network interface card, see Clark para 0009 and 0022) hardware component interfaces (reads on the network interface, see Clark para 0022, 0027, 0060 and 0117) of a network device (see Clark Figure 2 blocks 10, 20 and 30) by one or more software components (reads on a combination of user process #1 and user process #2, see Clark Figure 2 blocks 11 and 12 and para 0009) of said network device (see Clark Figure 2 blocks 10, 20 and 30), wherein an access to (reads on software process having a network endpoint attribute consist of the compartment label associated with the process, where processes which send and receive data on the network interface must reside in the same MAC compartment as that of the network interface or the data transfer is aborted, see Clark para 0009, 0040 and 0060) a hardware component interface (reads on a network interface which is assigned a mandatory access control label, see Clark para 0022) requested by (reads on software process having a network endpoint attribute consist of the compartment label associated with the process, where processes which send and receive data on the network interface must reside in the same MAC compartment as that of the network interface or the data transfer is aborted, see Clark para 0009, 0040, 0060 and claim 1) a software component (reads on a combination of user process #1 and user process #2, see Clark Figure 2 blocks 11 and 12 and para 0009) is permitted on the basis of (reads on software process having a 

[0009] The invention provides a system and method for implementing a streams based network access control for a computer. The invention may be conceptualized as a streams based network access control system that includes a software process operating on a computer and having a network endpoint attribute. The software process is configured to communicate a packet through a streams-based network protocol stack to a network interface card that includes an interface attribute. A session filter module and a network filter module are in communication with the network protocol stack. A table of network attributes, associated with the session filter module and network filter module, compares the network endpoint attribute with the interface attribute in the table of network attributes to determine whether the software process can access the network interface card. 

[0022] Each network interface is assigned a mandatory access control (MAC) label. Processes which send and receive data on the network interface must reside in the same MAC compartment as that of the network interface or must possess sufficient privilege to override the network security policy decisions.

[0027] The attribute map table includes information about each network endpoint associated with a process, and each network interface. For each network endpoint, this information includes, but is not limited to, the protocol, the local port and address assigned to it, the address and port of the endpoints peer if a session is established, session flags for each endpoint and the security attributes for each endpoint. The session flags include, but are not limited to, a connected flag, a bound flag and an indicator flag. The indicator flag signifies if the session is a client, server or listen type. The endpoint security attributes include, but are not limited to, a sensitivity label, a netmultilevelserver privilege, an allownetaccess privilege, netrawaccess privilege, netsetid privilege, netprivsession privilege and a netprivador privilege. For each network interface, this information includes, but is not limited to, the interface name, the sensitivity label associated with the interface, and the hostile/nonhostile disposition flag of the interface.

[0040] The session filter module (SFM) 110 is responsible for assigning and maintaining attributes on network endpoints, as well as controlling access between endpoints during local-to-local communication. The attributes associated with a network endpoint consist of the compartment label associated with the process, as well as a representation of relevant privileges in effect, when the endpoint is created. When packets are sent between local endpoints, the receiving endpoint compares its attributes with its peer endpoint's attributes. A satisfactory attribute comparison allows the data to be delivered, whereas a failed comparison causes the data transfer to be aborted.

[0060] The network filter module (NLM) 170 is responsible for controlling access to the network interface(s) 47. The network interfaces 47 are labeled with a set of attributes when the interface is brought on-line. When data is sent or received on the network interface(s) 47, the attributes of the interface are compared with the attributes of the endpoint receiving or sending the data. If the attributes specify that the communication is not allowed, the data is either dropped or an error is returned.

[0114] The system and method for a streams based network access control system 100 can be implemented in hardware, software, firmware, or a combination thereof. In the preferred embodiment(s), the invention is implemented in software or firmware that is stored in a memory and that is executed by a suitable instruction execution system. If implemented in hardware, as in an alternative embodiment, the invention can be implemented with any or a combination of the following technologies, which are all well known in the art: a discrete logic circuit(s) having logic gates for implementing logic functions upon data signals, an application specific integrated circuit (ASIC) having appropriate combinational logic gates, a programmable gate array(s) (PGA), a field programmable gate array (FPGA), etc.

[0115] The streams based network access control system 100, which comprises an ordered listing of executable instructions for implementing logical functions, can be embodied in any computer-readable medium for use by or in connection with an instruction execution system, apparatus, or device, such as a computer-based system, processor-containing system, or other system that can fetch the instructions from the instruction execution system, apparatus, or device and execute the instructions. In the context of this document, a "computer-readable medium" can be any means that can contain, store, communicate, propagate, or transport the program for use by or in connection with the instruction execution system, apparatus, or device.
[0117] It will be apparent to those skilled in the art that many modifications and variations may be made to the preferred embodiments of the present invention, as set forth above, without departing substantially from the principles of the present invention. For example, although illustrated using only two processes, the streams based network access control system of the invention is capable of supporting many additional application programs and their corresponding processes, such as, for example but not limited to, a file transfer process, a mail server process, etc. Furthermore, it is contemplated that an application program may have more than one process running simultaneously. Further still, although illustrated using only two network interface cards, the network filter system of the invention is capable of supporting many additional network interface cards. All such modifications and variations are intended to be included herein within the scope of the present invention, as defined in the claims that follow.

1. A streams based network access control system, comprising: a software process operating on a computer, said software process including a network endpoint attribute and configured to communicate a packet through a streams based network protocol stack to a network interface card, said network interface card including an interface attribute; a session filter module communicating with said network protocol stack; a network filter module communicating with said network protocol stack; and a table of network attributes associated with said session filter module and said network filter module, wherein said session filter module and network filter module compare said network endpoint attribute with said interface attribute in said table of network attributes to determine whether said software process can access said network interface card.

2. The system of claim 1, wherein said table of network attributes further comprises: at least one network endpoint attribute; and at least one interface attribute.

3. The system of claim 1, wherein each of said at least one network endpoint attribute and said at least one interface attribute further comprise: a compartment label; and at least one privilege value.

since each individual element and its function are shown in the prior art, albeit shown in separate references, the difference between the claimed subject matter and the prior art rests not on any individual element or function but in the very combination itself- that is in the substitution of the network interface teachings of Clark which include the network interface having a compartment label that must be matched to the requesting process for the process to have access to the network interface for network interface of the primary reference. Thus, the simple substitution of one known element for another producing a predictable result renders the claim obvious. The motivation to combine the references applies to all claims under this heading.
Zhang suggests 
MAC security policy comprising (reads on allowing a particular type of subject to have a set of access permissions with respect with one or more other types of objects, see Zhang para 0085) access rights defined as access relations between (reads on a set of access permissions with respect with one or more other types of objects, see Zhang para 0085) software component security labels (reads on subjects/processes associated with labels of the form user:role:type, see Zhang para 0085) assigned to software component types (reads on subjects/processes associated with labels of the form user:role:type, see 
[0084] As noted above, the trusted access monitoring manager 302a (shown in FIG. 3A) can serve as a reference monitor in accordance with one embodiment of the invention. To further elaborate, FIG. 4 depicts a reference monitoring architecture compatible with the techniques of the invention as will be known to those skilled in the art. Those skilled in the art will readily appreciate that various access control or reference monitoring techniques can be utilized in accordance with the invention as no specific assumptions need to be made regarding the architecture of the access control or reference monitoring utilized to make or use the invention. Secure operating system (e.g., SELinux Operating System) can offer additional advantages. In particular, the invention is especially well suited for SELinux Operating System because of the Mandatory Access Control (MAC) mechanism that it can provide. As such, the reference monitoring mechanisms of SELinux Operating System is described in greater detail below.
[0085] SELinux can associate "labels" of the form "user:role:type" to all "subjects" (e.g., processes) and "objects" (e.g., files, directories, programs, sockets). This "labeling" can be referred to as a "security context". Within the security context, the "type" attribute can represent the type of an "subject" and/or an "object" (e.g., sshd_t and syslogd_t, as generally known in the art). Instead of directly associating a user with a type, SELinux can associate a user with a "role" and a "role" with a set of types. The "role" can effectively simplify the management of various users supported by the SELinux Operating System. This means that access control in SELinux can be primarily enforced via a "Type-Enforcement" policy model, as is generally known in the art. A typical policy rule in SELinux can, for example, allow a particular type of subject to have a set of access permissions (or permissions) with respect with one or more other types of objects. By way of example, access permissions can be defined according to: object classes (e.g., file: {read, write}, append, lock, and netif: {tcp send,tcp recv}). As a simple example, the following rules can define two types: "qtmail_t and qtaddressbook_t" within a mobile device (e.g., a cell phone):


Before the effective filing date of the invention it would have been obvious to one of ordinary skill in the art to modify MAC policy teachings of the prior art of record by 
Per claim 2, the prior art of record further suggests wherein the restricted access to a requested hardware component interface (HWCI) by a requesting software component (SWC) permitted by said MAC mechanism provides a non-reactive unidirectional dataflow (reads on the security policy determines which subjects have access to what objects in order to perform an operation such as the exemplary read, write, or execute, see Blaich para 0017. The Examiner asserts based on the exemplary read, write, or execute teaching of the prior art, any known in the art access operation would be obvious because it is within the realm of conventional computer science in order to meet the needs of the business).  
Per claim 3, the prior art of record further suggests wherein the access relations indicate access types of access to the hardware component interfaces (HWCI) by the software components (SWC) permitted according to the access rights of the MAC security policy (MAC-SP) (reads on the security policy determines which subjects have access to what objects in order to perform an operation such as the exemplary read, write, or execute, see Blaich para 0017).  
Per claim 4, the prior art of record further suggests wherein the access types of the access relations comprise a read only, RO, access type, a write only, WO, access type, a read and write, RW, access type, a client mode access type, and a server mode access type (reads on the security policy determines which subjects have access to what objects in order to perform an operation such as the exemplary read, write, or execute, see Blaich para 0017. The Examiner asserts based on the exemplary read, write, or execute teaching of the prior art, any known in the art access operation would be obvious because it is within the realm of conventional computer science in order to meet the needs of the business).  
Per claim 5, the prior art of record further suggests wherein the software components (SWC) comprise applications including control applications, real-time control applications, safety applications, device status applications, configuration applications and data validation applications (The Examiner construes this to be an obvious limitation of the prior art’s  combination of the Application/App/process/subjects of Blaich para 0017, 0037 and claim 1, see Clark Figure 2 blocks 11 and 12 and para 0009 and Zhang para 0085. The Examiner asserts the claims specific recitations of applications are reasonably scoped as the prior art’s disclosure of 
Per claim 6, the prior art of record further suggests wherein the hardware component interfaces (HWCI) comprise 10 interfaces, network interfaces, memory interfaces and configuration interfaces (The Examiner construes this to be an obvious limitation of the prior art’s combination of the network interfaces/objects of Blaich Figure 2, Figure 4 and Figure 5, see Clark para 0009, 0022 and Zhang para 0085. The Examiner asserts the claims specific recitations of interfaces are reasonably scoped as the prior art’s disclosure of network interfaces/objects because one of ordinary skill in the art would consider them all network interfaces/objects that were known in the art and within the realm of conventional computer science to implement any and all of them in order to meet the needs of the business).   
Per claim 7, the prior art of record further suggests wherein the hardware component interface (HWCI) types comprise a configuration type, a device intern type, a control network type, a real-time control type, a safety control type, and an open network type (The Examiner construes this to be an obvious limitation of the prior art’s disclosure of objects associated with labels of the form user:role:type, see Zhang para 0085, because the prior art explicitly teaches types and Applicant’s disclosure of the various types without defining those various types appears to be nothing more than exemplary known in the art recitations of known in the art types. The Examiner asserts one of ordinary skill in the art would consider them all object types that were known in the art and within the 
Per claim 8, the prior art of record further suggests wherein the software component, SWC, types comprise a control network domain, an open network domain, a domain intern domain, a control domain, a real-time control domain, a safety control domain, an external communication domain and a device intern cross domain (The Examiner construes this to be an obvious limitation of the prior art’s disclosure of subjects/processes associated with labels of the form user:role:type, see Zhang para 0085, because the prior art explicitly teaches types/domains and Applicant’s disclosure of the various types/domains without defining those various domains appears to be nothing more than exemplary known in the art recitations of known in the art domains. The Examiner asserts one of ordinary skill in the art would consider them all object domains that were known in the art and within the realm of conventional computer science to implement any and all of them in order to meet the needs of the business).  
Per claim 9, the prior art of record further suggests wherein the MAC security policy (MAC-SP) is stored in a file system of said network device (1) loaded during booting of the network device's operating system (OS) (see Blaich Figure 8, para 0017, para 0047 and Zhang para 0084).  
Per claim 10, the prior art of record further suggests wherein the MAC security policy (MAC-SP) is compiled into the operating system kernel (OSK) of the device's (1) operating system (OS) (see Blaich Figure 8, para 0017, para 0047 and Zhang para 0084).  
Per claim 11, the prior art of record further suggests wherein the operating system (OS) comprises a non-real time operating system or a real time operating system (see Blaich Figure 8, para 0017, para 0047 and Zhang para 0084).  
Claim 12 is analyzed with respect to claim 1. The prior art of record further suggests kernel (OSK) implemented in a processor of said network device (see Blaich para 0047).  
Per claim 13, the prior art of record further suggests wherein the hardware component interfaces (HWCI) of said network device comprise IO interfaces, network interfaces, memory interfaces and/or configuration interfaces (see Blaich Figure 8, Clark Figure 1 block 10 and Figure 2).  
Per claim 14, the prior art of record further suggests wherein the network interfaces of said network device (1) comprise at least one internal network interface to an internal control network and at least one external network interface to an external network (reads on NIC 47A interfaces to network 9 and NIC 47B interfaces to network 8, see Clark Figure 1).  
Per claim 15, the prior art of record further suggests wherein the network device (1) comprises a programmable logic controller, PLC, an IoT gateway or a control device (reads on can be implemented in any combination of hardware and software, see Clark para 0114).  

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Brian Shaw whose telephone number is ((571)270-5191.  The examiner can normally be reached on Mon-Thurs from 6:00 AM-3:30 PM.



                                                                                                                                                                                            
/BRIAN F SHAW/Primary Examiner, Art Unit 2496