Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
DETAILED ACTION
Claims 1-9, 11, 13-15, 17 and 19-20 are pending.
Claims 1-9, 11, 13-15, 17 and 19-20 are allowed.
Claims 10, 12, 16 and 18 are cancelled.
Examiner’s Amendment
An examiner’s amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.
Authorization for this examiner’s amendment was given in a telephone interview with Matt Nicholson on April 25, 2022.

Please amend claims 1, 9-12,  15-18 as follows: 

(Currently Amended)	A computing device, comprising: 
a plurality of hardware resources including a set of one or more hardware processors, memory, and storage devices, wherein the storage devices include instructions that when executed by the set of hardware processors, cause the computing device to operate a virtualized system, the virtualized system including: 
a set of one or more virtual machines (VMs) that execute one or more guest operating systems; 
a formally verified microkernel running in a most privileged level to abstract hardware resources of the computing device, wherein the formally verified microkernel controls access to the hardware resources using explicit authorization; and 
a plurality of formally verified hyper-processes including: 
a set of one or more virtual machine monitors (VMMs) corresponding to the set of one or more VMs respectively, wherein a particular VMM manages interactions between the corresponding VM and physical resources of the computing device; 
a set of one or more active security policy enforcers corresponding to the set of one or more VMMs respectively, wherein each active security policy enforcer uses virtual machine introspection (VMI) for introspection of at least some of the hardware resources including one or more hardware processors, wherein each active security policy enforcer enforces a plurality of policies based at least in part on the introspection; and  
a virtual switch coupled with each of the VMMs, wherein the virtual switch is not directly coupled with any of the set of VMs, wherein a virtual network policy enforcer enforces a set of one or more network policies at the virtual switch that affect communication of the one or more guest operating systems. 


9.   (Currently Amended)	A method in a computing device, comprising:
executing a formally verified microkernel in a most privileged level to abstract hardware resources of the computing device, wherein the formally verified microkernel controls access to the hardware resources using explicit authorization; 
executing a plurality of virtual machine monitors (VMMs), wherein each of the plurality of VMMs runs as a user-level application in a different address space on top of the formally verified microkernel, wherein each of the plurality of VMMs support execution of a different guest operating system running in a different virtual machine (VM), [[and]] wherein a particular VMM manages interactions between a corresponding VM and hardware resources of the computing device, and wherein the plurality of VMMs are formally verified; 
for each of the plurality of VMMs, continuously monitoring at least a portion of the hardware resources of the computing device including performing virtual machine introspection (VMI) on at least the portion of the hardware resources of the computing device outside of the guest operating system running in the virtual machine corresponding to that VMM;
determining, from the continuously monitoring, a violation of a policy through one of the guest operating systems running in one of the VMs; and  
responsive to the determination of the violation of policy, taking one or more remedial steps, wherein taking the one or more remedial steps includes causing a virtual network policy enforcer to enforce a network policy at a virtual switch executing in the computing device that affects communication of that guest operating system, wherein the virtual network policy enforcer is formally verified.

10. (Cancelled)

11. (Currently Amended)	The method of claim [[10]]9, wherein the virtual switch is coupled with the set of one or more virtual machine monitors and is not directly coupled with any VM. 


12. (Cancelled)

15. (Currently Amended)	A non-transitory machine-readable storage medium that provides instructions that, if executed by a processor of a computing device, will cause said processor to carry out the following operations:
executing a formally verified microkernel in a most privileged level to abstract hardware resources of the computing device, wherein the formally verified microkernel controls access to the hardware resources using explicit authorization; 
executing a plurality of virtual machine monitors (VMMs), wherein each of the plurality of VMMs runs as a user-level application in a different address space on top of the formally verified microkernel, wherein each of the plurality of VMMs support execution of a different guest operating system running in a different virtual machine (VM), [[and]] wherein a particular VMM manages interactions between a corresponding VM and hardware resources of the computing device, and wherein the plurality of VMMs are formally verified; 
for each of the plurality of VMMs, continuously monitoring at least a portion of the hardware resources of the computing device including performing virtual machine introspection (VMI) on at least the portion of the hardware resources of the computing device outside of the guest operating system running in the virtual machine corresponding to that VMM;
determining, from the continuously monitoring, a violation of a policy through one of the guest operating systems running in one of the VMs; and
responsive to the determination of the violation of policy, taking one or more remedial steps, wherein taking the one or more remedial steps includes causing a virtual network policy enforcer to enforce a network policy at a virtual switch executing in the computing device that affects communication of that guest operating system, wherein the virtual network policy enforcer is formally verified.


16.	(Cancelled)

17. (Currently Amended)	The non-transitory machine-readable storage medium of claim [[16]]15, wherein the virtual switch executing in the computing device is coupled with the set of one or more virtual machine monitors and is not directly coupled with any VM. 

18.	(Cancelled)

Reasons for Allowance
The following is an examiner’s statement of reasons for allowance:
As per independent claims 1, 9 and 15, the primary reason for allowance is the inclusion of  “a formally verified microkernel running in a most privileged level to abstract hardware resources of the computing device, wherein the formally verified microkernel controls access to the hardware resources using explicit authorization …network policy enforcer to enforce a network policy at a virtual switch executing in the computing device that affects communication of that guest operating system, wherein the virtual network policy enforcer is formally verified” in conjunction with the rest of the limitations of the claims.
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MEHRAN KAMRAN whose telephone number is (571)272-3401. The examiner can normally be reached on 9-5.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor Emerson Puente, can be reached on (571)272-3652.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/MEHRAN KAMRAN/
 Primary Examiner, Art Unit 2196