DETAILED ACTION

1.	The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . 
 
 	2.	The Office action is in response to the patent application filed on November 26, 2019.  The application contains 20 claims.  Claims 1-20 are directed to a method, an apparatus, and a computer-readable storage media for selective runtime activation of anti-ROP defense.

Claim Objections
3.	Claims 1-20 objected to because of the following informalities: Claims include unnecessary line numbering: 5, 10, 15, 20, 25, 30.   

Claim Rejections - 35 USC § 103

4.	The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.

5.	Claims 1-20  are rejected under 35 U.S.C. 103 as being unpatentable over Ruan et al. (“Survey of return-oriented programming defense mechanisms”, published online 21 December, 2015 in Wiley Online Library), hereinafter “Ruan”, in view of Davi et al. (“ROPdefender: A detection Tool to defend Against Return-Oriented Programming Attacks”, ASIACCS ’11, March 22-24, 2011), hereinafter “Davi”.
Referring to claims 1, 13, 20:
	 	Ruan teaches:
                      A method comprising: 
           providing security information regarding a computer code to a dynamic  agent, wherein the security information comprises: one or more memory exposure vulnerabilities within the computer code and one or more control flow hijack vulnerabilities within the computer code (see Ruan, p1250, section ‘Dynamic approaches’ ‘however, some approaches are involved in pre-processing stage, where
the compiled binary is examined to identify potential gadgets that could be used during runtime for comparison.’); and
           executing the dynamic agent while the computer code is being executed (see Ruan, p1250, section ‘Dynamic approaches’ ‘These approaches perform checking dynamically by monitoring the control-flow integrity of the program. Some of the usual patterns observed and handled by dynamic approaches are checking for the source/destination of indirect control transfer instructions – “ret”, “jmp”, and “call”, saving and checking for matching “call/ret” addresses, checking for the frequency of “ret” instructions, and others.’; p1262, section 6.3.2. ‘runtime overhead’, ‘ROPDefender [i.e., where the ROPDefender’ corresponds to the dynamic agent]  and control flow monitoring’);
           wherein the dynamic agent is configured to monitor for exploitation of the 
one or more memory exposure vulnerabilities (see Ruan, p1258, section 5.3.5. ‘ROPguard’, 4th dot, ‘Check the stack frames: If the EBP (Base Pointer) register is used as the stack frame pointer, check if the EBP points to a location outside the stack region
and if it does it means a corruption and possible ROP exploitation.’), 
                      wherein the dynamic agent is configured to identify, during execution of the computer code, an exposed portion of the computer code that was exposed by the exploitation of the one or more memory exposure vulnerabilities (see Ruan, p1258, section 5.3.5. ‘ROPguard’, 4th dot, ‘Check the stack frames: If the EBP (Base Pointer) register is used as the stack frame pointer, check if the EBP points to a location outside the stack region and if it does it means a corruption and possible ROP exploitation.’), 
           wherein in response to the identification of the exposed portion of the 
computer code, the dynamic agent is configured to perform an anti-Return-Oriented Programming (ROP) defense (see Ruan, p1250, section ‘Randomization’, ‘(1) Address space layout randomization (ASLR)’, ‘(2) Instruction randomization’, section ‘Dynamic approaches’ ‘These approaches perform checking dynamically by monitoring the control-flow  integrity of the program.’).
	Ruan suggests the dynamic agent (see Ruan, p1262, section 6.3.2. ‘runtime overhead’, ‘ROPDefender [i.e., where the ROPDefender’ corresponds to the dynamic agent]  and control flow monitoring’). However, Ruan does not elaborate on it.
	Davi discloses and elaborates on the dynamic agent (see Davi, p44, fig. 4 ‘general architecture of ROPdefender’).
	It would have been obvious to one of the ordinary skill in the art, before the effective filing date of the claimed invention, to apply the teaching of Davi into the system of Ruan to implement a dynamic agent.  Ruan teaches "certain criteria that many recently proposed approaches concentrate on for detection of ROP.” (see Ruan, p1249, section 3. ‘defense strategies’, 1st para.)  Therefore, Davi’s teaching could enhance the teaching of Ruan,  because Davi teaches “We incorporate ROPdefender directly into the dynamic binary instrumentation (DBI) framework.” (see Davi, p44, section 3.4 ‘generation architecture’, 1st para.)
Referring to claim 2:
	 	Ruan and Davi further disclose:
 		wherein the anti-ROP defense comprises performing an on- the-fly randomization of at least a portion of the computer code (see Ruan, p1253, section 5.1.3 ‘Marlin’, ‘this technique randomizes every function block of the program.’).
Referring to claim 3:
	 	Ruan and Davi further disclose:
                      wherein the anti-ROP defense comprises randomizing locations of instructions within the exposed portion of the computer code (see Ruan, p1252, section 5.1.2 ‘Instruction location randomization’).
Referring to claim 4:
	 	Ruan and Davi further disclose:
           wherein the anti-ROP defense comprises modifying entry points of all control flow hijack vulnerabilities located within the exposed portion of the computer code (see Ruan, p1250, section ‘Randomization’, ‘(2) Instruction randomization – This approach primarily aims at randomizing a single or block of instruction(s), thereby affecting the attackers’ entry point itself.’).
Referring to claim 5:
	 	Ruan and Davi further disclose:
		identifying an address potentially injected to be utilized during exploitation of a control flow hijack vulnerability, wherein the address points to an instruction; and
modifying a location of the instruction pointed to by the address (see Ruan, p1257, section ‘5.3.4. ROPecker’, last para (on p1258). ‘In case that the adversary can form gadgets less or more than six, and insert [i.e., injected ] them in between regular gadgets,’).
Referring to claim 6:
	 	Ruan and Davi further disclose:
		wherein the dynamic agent is configured to record potential control flow values utilized by the one or more control-flow hijack vulnerabilities; and wherein the anti-ROP defense comprises overwriting a control flow value that is utilized by at least one control-flow hijack vulnerability (see Ruan, p1256, section 5.3.2. ‘Control-flow monitoring’ ‘(2) … to maintain the “ret” integrity, the authors proposed to maintain a shadow stack mechanism similar to the ROPdefender approach [7], in which after each “ret” instruction, the popped return address from the program stack is checked against the saved return address in the shadow stack.’; p1249, section 3. ‘defense strategies’ ‘storing values [i.e., recording ] into the register… restoring values [i.e., overwriting ] from the register’).
Referring to claims 7, 15:
	 	Ruan and Davi further disclose:
		wherein the anti-ROP defense is performed only with respect to control flow values of the exposed portion of the computer code (see Ruan, p1247, ‘abstract’, ‘An return-oriented programming … attempts to execute unintended instructions by overwriting the stack exploiting the buffer overflow vulnerability. … defense mechanisms have been proposed …dynamic methods that monitor the control-flow integrity during execution and randomization methods that aim at randomizing instruction locations.’).
Referring to claims 8, 16:
	 	Ruan and Davi further disclose:
		performing static analysis of the computer code to determine the one or more memory exposure vulnerabilities and the one or more control flow hijack vulnerabilities within the computer code (see Ruan, p1256, section 5.3.2. ‘control-flow monitoring’, last para. ‘static and dynamic analysis of the libraries’).
Referring to claim 9:
	 	Ruan and Davi further disclose:
		wherein the static analysis is performed offline prior to executing the computer code (see Ruan, p1257, section 5.3.4. ‘ROPecker’, ‘(1) Offline pre-processing: The application binary is analyzed for potential gadgets,’).
Referring to claims 10, 17:
	 	Ruan and Davi further disclose:
		wherein said executing the dynamic agent is performed during execution of the computer code, wherein the dynamic agent is executed separately from the computer code (see Davi, p44, fig. 4 ‘ROPdefender’).
Referring to claims 11, 18:
	 	Ruan and Davi further disclose
		wherein the dynamic agent is embedded into an executable of the computer code, whereby execution of the computer code also executes the dynamic agent (see Davi, p44, fig. 4 ‘ROPdefender’; p49, section 7. ‘taint tracking’ ‘ROPdefender can be incorporated [i.e., embedded ] into existing taint analysis systems’).
Referring to claims 12, 19:
	 	Ruan and Davi further disclose:
		determining one or more exploitation conditions for exploiting the one or more memory exposure vulnerabilities or the one or more control flow hijack vulnerabilities (see Ruan, p1252, section 5.1.2. ‘instruction location randomization’ ‘An ROP attack is typically carried out by populating addresses in the stack in which the attacker needs to be aware of the addresses of the instructions in advance.’); 
                       wherein the anti-ROP defense is performed in response to the one or more exploitation conditions being met (see Ruan, p1252, section 5.1.2. ‘instruction location randomization’, ‘Therefore, randomizing the addresses would prevent the attacker’s intended behavior.’).
Referring to claim 14:
	 	Ruan and Davi further disclose:
		wherein the anti-ROP defense comprises at least one of: 
                      performing an on-the-fly randomization of at least a portion of the computer code (see Ruan, p1253, section 5.1.3 ‘Marlin’, ‘this technique randomizes every function block of the program.’); 
                     randomizing locations of instructions within the exposed portion of the  computer code (see Ruan, p1252, section 5.1.2 ‘Instruction location randomization’); 
                      modifying entry points of all control flow hijack vulnerabilities located within the exposed portion of the computer code (see Ruan, p1250, section ‘Randomization’, ‘(2) Instruction randomization – This approach primarily aims at randomizing a single or block of instruction(s), thereby affecting the attackers’ entry point itself.’); 
                      modifying a location of an instruction pointed to by an address potentially injected to be utilized during exploitation of a control flow hijack vulnerability (see Ruan, p1257, section ‘5.3.4. ROPecker’, last para (on p1258). ‘In case that the adversary can form gadgets less or more than six, and insert [i.e., injected ] them in between regular gadgets,’); and
                      overwriting a control flow value that is utilized by at least one control-flow hijack vulnerability (see Ruan, p1256, section 5.3.2. ‘Control-flow monitoring’ ‘(2) … to maintain the “ret” integrity, the authors proposed to maintain a shadow stack mechanism similar to the ROPdefender approach [7], in which after each “ret” instruction, the popped return address from the program stack is checked against the saved return address in the shadow stack.’; p1249, section 3. ‘defense strategies’ ‘storing values [i.e., recording ] into the register… restoring values [i.e., overwriting ] from the register’). 
 
Conclusion

6.	The prior art made of record and not relied upon is considered pertinent to applicant’s disclosure.
(a)	Sethumadhavan; Lakshminarasimhan et al.( US 20220019657 A1) disclose control flow protection based on phantom addressing;
(b)	DAVIDOVICH; Yitzhack et al. (US 20210397705 A1) disclose return-oriented programming protection;
(c)	FRY; SHANE PAULSEN et al. (US 20210200857 A1) disclose systems and methods for defeating stack-based cyber attacks by randomizing stack frame size;
(d)	Peles; Or et al. (US 20200371945 A1) disclose Dynamic Identification of Stack Frames;
(e)	Franz; Michael et al. (US 9250937 B1) disclose Code randomization for just-in-time compilers;
(f)	Pizlo; Filip J. et al. (US 8972952 B2) disclose Tracer based runtime optimization for dynamic programming languages;
(g)	Grover; Vinod K. et al. (US 7707566 B2) disclose Software development infrastructure. 

 	7.       Any inquiry concerning this communication or earlier communications from the examiner should be directed to Peiliang Pan whose telephone number is (571) 272-5987.  The examiner can normally be reached on Monday-Friday 8:00 am - 5:00 pm EST.
          If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Saleh Najjar can be reached on (571) 272-4006.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
           Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/PEILIANG PAN/Examiner, Art Unit 2492                                                                                                                                                                                                        
/SALEH NAJJAR/Supervisory Patent Examiner, Art Unit 2492