DETAILED ACTION

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Information Disclosure Statement
The information disclosure statement filed 04/14/2022 complies with all requirements and has been considered. Note that 37 CFR 1.98(a)(2), which requires a legible copy of each cited foreign patent document, is met because the required documents were filed on 01/11/2022.

EXAMINER'S AMENDMENT
An examiner’s amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.

Authorization for this examiner’s amendment was given in an interview with Elizabeth Iglesias on 11 May 2022.

The application has been amended as follows: 
In the claims: 
In claim 20, line 1, add “non-transitory” before “computer-readable storage medium”.  

Allowable Subject Matter
Claims 1, 3-5, 8-9, 11-13, 16-17, and 19-27 are allowed.
The following is the listing of the closest prior art:
Hakewill (US 2012/0079164) teaches controlling guest virtual machine access to a context. (Note that a context reads on the recited “view” of claim 2.) Hakewill teaches guest physical addresses to (host) physical addresses. See Hakewill Abstract. Hakewill also teaches allowing kernel privileged code to execute (and by implication does not allow non-privileged code to execute) in a privileged context (e.g. the kernel). Hakewill does not clearly teach the combination of storing external code in one view and internal code in the other view of the host physical address range and for at least that reason fails to teach the combination of “determining, by a processor of a computer, a page table of a sample process based on a page directory base address of the sample process, wherein the sample process is generated after a monitored sample program runs, the page table of the sample process comprises a plurality of entries, the plurality of entries are in a one-to-one correspondence to a plurality of guest virtual addresses, each entry of the plurality of entries comprises first information, the respective first information of each entry indicates whether a guest virtual address corresponding to the respective entry has been assigned a guest physical address, and wherein, for each entry in which the first information of the respective entry indicates that the guest virtual address corresponding to the respective entry has been assigned the guest physical address, the respective entry further comprises second information, the second information indicating an access permission of the corresponding assigned guest physical address; determining, by the processor, a target entry from the page table of the sample process, wherein a value of first information of the target entry indicates that a guest virtual address corresponding to the target entry has been assigned a guest physical address, and an access permission indicated by second information of the target entry is execution allowed; determining, by the processor, a target guest physical address based on the target entry, wherein the target guest physical address is the guest physical address that has been assigned to the guest virtual address corresponding to the target entry; determining, by the processor, a target host physical address corresponding to the target guest physical address; and monitoring, by the processor, behavior of accessing a memory space indicated by the target host physical address, wherein the memory space is of a memory comprised in the computer . . . wherein monitoring behavior of accessing the memory space indicated by the target host physical address comprises: separately recording, by the processor, a mapping relationship between the target guest physical address and the target host physical address in a first view and a second view, wherein an access rule recorded in the first view for a memory space that is indicated by the host physical address and used to store external code is access forbidden, an access rule recorded in the first view for a memory space that is indicated by the host physical address and used to store internal code is access allowed, an access rule recorded in the second view for a memory space that is indicated by the host physical address and used to store external code is access allowed, and an access rule recorded in the second view for a memory space that is indicated by the host physical address and used to store internal code is access forbidden; determining, by the processor, whether target code stored in the memory space indicated by the target host physical address is external code or internal code; when the target code is external code, setting, by the processor, the access rule for the target host physical address in the first view to access forbidden, and setting the access rule for the target host physical address in the second view to access allowed; when the target code is internal code, setting, by the processor, the access rule for the target host physical address in the first view to access allowed, and setting the access rule for the target host physical address in the second view to access forbidden; receiving, by the processor, exception information sent by a memory controller, wherein the exception information is sent when an access rule for the target host physical address in a target view is access forbidden when the memory controller receives a memory access request for the target host physical address, the target view is a view used by the memory controller to control the access to the target host physical address, and the target view is one of the first view or the second view; and monitoring, by the processor based on the exception information, the sample process that generates the memory access request, and controlling the memory controller to switch the target view between the first view and the second view” as a whole.
Warkentin (US 10,002,084) teaches checking access privilege levels for different memory areas in a virtual machine using page table entries including access permissions in the page table entries. See Warkentin paragraph 20. Warkentin does not clearly discuss page tables mapping guest physical and host physical addresses so the reference cannot teach the access rule of claim 2 or render obvious the recited material of claims 1 and 2 of “determining, by a processor of a computer, a page table of a sample process based on a page directory base address of the sample process, wherein the sample process is generated after a monitored sample program runs, the page table of the sample process comprises a plurality of entries, the plurality of entries are in a one-to-one correspondence to a plurality of guest virtual addresses, each entry of the plurality of entries comprises first information, the respective first information of each entry indicates whether a guest virtual address corresponding to the respective entry has been assigned a guest physical address, and wherein, for each entry in which the first information of the respective entry indicates that the guest virtual address corresponding to the respective entry has been assigned the guest physical address, the respective entry further comprises second information, the second information indicating an access permission of the corresponding assigned guest physical address; determining, by the processor, a target entry from the page table of the sample process, wherein a value of first information of the target entry indicates that a guest virtual address corresponding to the target entry has been assigned a guest physical address, and an access permission indicated by second information of the target entry is execution allowed; determining, by the processor, a target guest physical address based on the target entry, wherein the target guest physical address is the guest physical address that has been assigned to the guest virtual address corresponding to the target entry; determining, by the processor, a target host physical address corresponding to the target guest physical address; and monitoring, by the processor, behavior of accessing a memory space indicated by the target host physical address, wherein the memory space is of a memory comprised in the computer . . . wherein monitoring behavior of accessing the memory space indicated by the target host physical address comprises: separately recording, by the processor, a mapping relationship between the target guest physical address and the target host physical address in a first view and a second view, wherein an access rule recorded in the first view for a memory space that is indicated by the host physical address and used to store external code is access forbidden, an access rule recorded in the first view for a memory space that is indicated by the host physical address and used to store internal code is access allowed, an access rule recorded in the second view for a memory space that is indicated by the host physical address and used to store external code is access allowed, and an access rule recorded in the second view for a memory space that is indicated by the host physical address and used to store internal code is access forbidden; determining, by the processor, whether target code stored in the memory space indicated by the target host physical address is external code or internal code; when the target code is external code, setting, by the processor, the access rule for the target host physical address in the first view to access forbidden, and setting the access rule for the target host physical address in the second view to access allowed; when the target code is internal code, setting, by the processor, the access rule for the target host physical address in the first view to access allowed, and setting the access rule for the target host physical address in the second view to access forbidden; receiving, by the processor, exception information sent by a memory controller, wherein the exception information is sent when an access rule for the target host physical address in a target view is access forbidden when the memory controller receives a memory access request for the target host physical address, the target view is a view used by the memory controller to control the access to the target host physical address, and the target view is one of the first view or the second view; and monitoring, by the processor based on the exception information, the sample process that generates the memory access request, and controlling the memory controller to switch the target view between the first view and the second view” as a whole.
Steinberg (US 10,447,728) teaches different permissions for different contexts in a system with mapping between guest physical and host physical mappings. Steinberg does not clearly state that the guest physical and host physical mapping entries indicate a rule that allows/forbids access by internal/external code and therefore cannot teach the recited “determining, by a processor of a computer, a page table of a sample process based on a page directory base address of the sample process, wherein the sample process is generated after a monitored sample program runs, the page table of the sample process comprises a plurality of entries, the plurality of entries are in a one-to-one correspondence to a plurality of guest virtual addresses, each entry of the plurality of entries comprises first information, the respective first information of each entry indicates whether a guest virtual address corresponding to the respective entry has been assigned a guest physical address, and wherein, for each entry in which the first information of the respective entry indicates that the guest virtual address corresponding to the respective entry has been assigned the guest physical address, the respective entry further comprises second information, the second information indicating an access permission of the corresponding assigned guest physical address; determining, by the processor, a target entry from the page table of the sample process, wherein a value of first information of the target entry indicates that a guest virtual address corresponding to the target entry has been assigned a guest physical address, and an access permission indicated by second information of the target entry is execution allowed; determining, by the processor, a target guest physical address based on the target entry, wherein the target guest physical address is the guest physical address that has been assigned to the guest virtual address corresponding to the target entry; determining, by the processor, a target host physical address corresponding to the target guest physical address; and monitoring, by the processor, behavior of accessing a memory space indicated by the target host physical address, wherein the memory space is of a memory comprised in the computer . . . wherein monitoring behavior of accessing the memory space indicated by the target host physical address comprises: separately recording, by the processor, a mapping relationship between the target guest physical address and the target host physical address in a first view and a second view, wherein an access rule recorded in the first view for a memory space that is indicated by the host physical address and used to store external code is access forbidden, an access rule recorded in the first view for a memory space that is indicated by the host physical address and used to store internal code is access allowed, an access rule recorded in the second view for a memory space that is indicated by the host physical address and used to store external code is access allowed, and an access rule recorded in the second view for a memory space that is indicated by the host physical address and used to store internal code is access forbidden; determining, by the processor, whether target code stored in the memory space indicated by the target host physical address is external code or internal code; when the target code is external code, setting, by the processor, the access rule for the target host physical address in the first view to access forbidden, and setting the access rule for the target host physical address in the second view to access allowed; when the target code is internal code, setting, by the processor, the access rule for the target host physical address in the first view to access allowed, and setting the access rule for the target host physical address in the second view to access forbidden; receiving, by the processor, exception information sent by a memory controller, wherein the exception information is sent when an access rule for the target host physical address in a target view is access forbidden when the memory controller receives a memory access request for the target host physical address, the target view is a view used by the memory controller to control the access to the target host physical address, and the target view is one of the first view or the second view; and monitoring, by the processor based on the exception information, the sample process that generates the memory access request, and controlling the memory controller to switch the target view between the first view and the second view” as a whole.

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to PAUL M KNIGHT whose telephone number is (571)272-8646.  The examiner can normally be reached on Monday - Friday 9-5.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Reginald Bragdon can be reached on 571 272 4204.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.


PAUL M. KNIGHT
Examiner
Art Unit 2139

/PAUL M KNIGHT/Examiner, Art Unit 2139