DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
1.	The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

2.	Claims 1–20 are presented for examination in the non-provision application filed on 08/31/2020.

Drawings
3.	The drawings were received on 08/31/2020 (in the filings).  These drawings are acceptable.


Claim Interpretation Under 35 USC § 112
The following is a quotation of 35 U.S.C. 112(f):
(f) Element in Claim for a Combination. – An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof.

The following is a quotation of pre-AIA  35 U.S.C. 112, sixth paragraph:
An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof.

4.	The claims in this application are given their broadest reasonable interpretation using the plain meaning of the claim language in light of the specification as it would be understood by one of ordinary skill in the art.  The broadest reasonable interpretation of a claim element (also commonly referred to as a claim limitation) is limited by the description in the specification when 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is invoked. 

As explained in MPEP § 2181, subsection I, claim limitations that meet the following three-prong test will be interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph:
(A)	the claim limitation uses the term “means” or “step” or a term used as a substitute for “means” that is a generic placeholder (also called a nonce term or a non-structural term having no specific structural meaning) for performing the claimed function; 
(B)	the term “means” or “step” or the generic placeholder is modified by functional language, typically, but not always linked by the transition word “for” (e.g., “means for”) or another linking word or phrase, such as “configured to” or “so that”; and 
(C)	the term “means” or “step” or the generic placeholder is not modified by sufficient structure, material, or acts for performing the claimed function. 

Use of the word “means” (or “step”) in a claim with functional language creates a rebuttable presumption that the claim limitation is to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites sufficient structure, material, or acts to entirely perform the recited function. 
Absence of the word “means” (or “step”) in a claim creates a rebuttable presumption that the claim limitation is not to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is not interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites function without reciting sufficient structure, material or acts to entirely perform the recited function. 
Claim limitations in this application that use the word “means” (or “step”) are being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action. Conversely, claim limitations in this application that do not use the word “means” (or “step”) are not being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action.

5.	This application includes one or more claim limitations that do not use the word “means,” but are nonetheless being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, because the claim limitation(s) uses a generic placeholder that is coupled with functional language without reciting sufficient structure to perform the recited function and the generic placeholder is not preceded by a structural modifier. Such claim limitation(s) is/are:

a.   “a processing device,” recited in independent claim 16;

Because this/these claim limitation(s) is/are being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, it/they is/are being interpreted to cover the corresponding structure described in the specification as performing the claimed function, and equivalents thereof.
If applicant does not intend to have this/these limitation(s) interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, applicant may:  (1) amend the claim limitation(s) to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph (e.g., by reciting sufficient structure to perform the claimed function); or (2) present a sufficient showing that the claim limitation(s) recite(s) sufficient structure to perform the claimed function so as to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph.


Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.

The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


6.	Claim limitations:
a.   “a processing device,” recited in independent claim 16;

invoke 35 U.S.C. 112(f).

However, the written description fails to disclose the corresponding structure, material, or acts for performing the entire claimed function and to clearly link the structure, material, or acts to the function.  In this instance, and as filed, the disclosure is either devoid of any structure that performs the function in the claims, or (to the extent that a structure is sufficiently disclosed) that the structure described in the specification does not perform the entire function in the claim.

7.	Therefore, claims 16–18 are indefinite and rejected under 35 U.S.C. 112(b).

Applicant may:
(a)        Amend the claim so that the claim limitation will no longer be interpreted as a limitation under 35 U.S.C. 112(f); 
(b)        Amend the written description of the specification such that it expressly recites what structure, material, or acts perform the entire claimed function, without introducing any new matter (35 U.S.C. 132(a)); or 
(c)        Amend the written description of the specification such that it clearly links the structure, material, or acts disclosed therein to the function recited in the claim, without introducing any new matter (35 U.S.C. 132(a)).

If applicant is of the opinion that the written description of the specification already implicitly or inherently discloses the corresponding structure, material, or acts and clearly links them to the function so that one of ordinary skill in the art would recognize what structure, material, or acts perform the claimed function, applicant should clarify the record by either: 
(a)        Amending the written description of the specification such that it expressly recites the corresponding structure, material, or acts for performing the claimed function and clearly links or associates the structure, material, or acts to the claimed function, without introducing any new matter (35 U.S.C. 132(a)); or 
(b)        Stating on the record what the corresponding structure, material, or acts, which are implicitly or inherently set forth in the written description of the specification, perform the claimed function. For more information, see 37 CFR 1.75(d) and MPEP §§ 608.01(o) and 2181.


Examiner’s Remarks
8.	Examiner refers to and explicitly cites particular pages, sections, figures, paragraphs or columns and lines in the references as applied to Applicant’s claims to the extent practicable to streamline prosecution.
Although the cited portions of the references are representative of the best teachings in the art and are applied to meet the specific limitations of the claims, other uncited but related teachings of the references may be equally applicable as well.  It is respectfully requested that, in preparing responses to the rejections, the Applicant fully considers not only the cited portions of the references, but also the references in their entirety, as potentially teaching, suggesting or rendering obvious all or one or more aspects of the claimed invention.

Abbreviations
9.	Where appropriate, the following abbreviations will be used when referencing Applicant’s submissions and specific teachings of the reference(s):
i.	figure / figures:		Fig. / Figs.
ii.	column / columns:		Col. / Cols.
iii.	page / pages:			p. / pp.

References Cited
10.	(A)	Oh, US 2017/0031692 A1.
	(B)	Terasaki, US 2011/0154325 A1.


Notice re prior art available under both pre-AIA  and AIA 
11.	In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

A.
12.	Claims 1–4, 8–12, and 16–20 are rejected under 35 U.S.C. 103 as being unpatentable over (A) Oh in view of (B) Terasaki.

See “References Cited” section, above, for full citations of references.

13.	Regarding claim 1, (A) Oh teaches/suggests the invention substantially as claimed, including:
“A method comprising:
	identifying ... a security policy associated with a virtual machine, wherein the security policy specifies one or more validation rules”
(¶ 121: the security policy may be sent and applied to at least one of a plurality of guest operating systems (e.g., the first guest operating system 850 or the second guest operating system 860);
¶ 66: apply the security policy received through the device management module 231 to at least one of the host operating system 230 or the guest operating system 250 based on the security policy);

	“causing ... the security policy to be imported into a guest operating system of the virtual machine ...”
(¶ 66: apply the security policy received through the device management module 231 to at least one of the host operating system 230 or the guest operating system 250 based on the security policy;
¶ 83: apply the security policy associated with control of an input/output device, a storage device, or other hardware of the electronic device 220); and 

	“responsive to receiving, by the guest operating system, a first request to perform a system call, validating, by the guest operating system, the first request in accordance with the validation rules of the security policy”
(¶ 72: may provide the security policy to the guest operating system 250 to allow the guest operating system 250 to perform the DRM function and the file system encryption;
¶ 77: the guest management module 255 may map the security policy or a portion thereof to appropriate commands CMD or API calls of the guest operating system 250).


Oh teaches a “virtualization platform” (¶ 57: virtualization platform 237 may operate based on the hypervisor 236, and the guest operating system 250 may be installed thereon) and a type-1 hypervisor (¶ 40: The hypervisor may be installed between the kernel (hardware) and the operating system (Type-1)).

Thus, Oh at least suggests or renders obvious using “a hypervisor on a host machine” to identify the security policy and cause the security policy to be imported, in a type-1 hypervisor configuration.

Additionally, (B) Terasaki also teaches or suggests:
““a hypervisor on a host machine” to perform these functions.
(Fig. 1 and ¶¶ 30–33: hypervisor includes: ... a setting applying unit that ... applies the setting value indicated by the setting item information to the guest OS or application that is the setting target of the setting item;
¶ 101: setting notifying unit 322 performs a notifying operation according to an instruction from the setting information managing unit 333 of the host OS unit 330, to apply the correct value of the setting item ( the value according to the security policy) to the guest OS 341).


It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Terasaki with those of Oh to identify and apply Guest OS’s security policy/setting using a hosted hypervisor. The motivation or advantage to do so is to allow of the implementation of hosted guest/application’s security policy in a type-1 hypervisor/virtualization configuration.


14.	Regarding claim 2, Oh and Terasaki teach/suggest:
“responsive to successfully validating, by the guest operating system, the first request in accordance with the validation rules of the security policy, allowing the system call to proceed”
(Oh, ¶ 72: provide the security policy to the guest operating system 250 to allow the guest operating system 250 to perform the DRM function and the file system encryption;
¶ 77: map the security policy or a portion thereof to appropriate commands CMD or API calls of the guest operating system 250;
Terasaki, ¶ 87: the policy setting information may include the identifier for identifying the item of a security policy to be applied, and information (allowance, prohibition, or the like) about how the item is to be set).


15.	Regarding claim 3, Oh and Terasaki teach/suggest:
“wherein the validation rules of the security policy specify one or more of: one or more allowed system calls, one or more allowed files, one or more allowed network addresses, or one or more allowed host devices”
(Oh, ¶ 72: provide the security policy to the guest operating system 250 to allow the guest operating system 250 to perform the DRM function and the file system encryption;
¶ 77: map the security policy or a portion thereof to appropriate commands CMD or API calls of the guest operating system 250;
Terasaki, ¶ 87: the policy setting information may include the identifier for identifying the item of a security policy to be applied, and information (allowance, prohibition, or the like) about how the item is to be set).


16.	Regarding claim 4, Oh and Terasaki teach/suggest:
“wherein successfully validating, by the guest operating system, the first request in accordance with the validation rules of the security policy comprises:
determining, by the guest operating system, that the requested system call corresponds to at least one of the allowed system calls”
(Oh, ¶ 72: provide the security policy to the guest operating system 250 to allow the guest operating system 250 to perform the DRM function and the file system encryption;
¶ 77: map the security policy or a portion thereof to appropriate commands CMD or API calls of the guest operating system 250;
Terasaki, ¶ 87: the policy setting information may include the identifier for identifying the item of a security policy to be applied, and information (allowance, prohibition, or the like) about how the item is to be set).

17.	Regarding claim 8, Oh and Terasaki teach/suggest:
	“responsive to successfully validating, by the guest operating system, the first request to perform the system call, generating, by the guest operating system, a second request to perform the system call”
(Oh, ¶ 72: provide the security policy to the guest operating system 250 to allow the guest operating system 250 to perform the DRM function and the file system encryption;
¶ 77: map the security policy or a portion thereof to appropriate commands CMD or API calls of the guest operating system 250;
Terasaki, ¶ 87: the policy setting information may include the identifier for identifying the item of a security policy to be applied, and information (allowance, prohibition, or the like) about how the item is to be set); and

	“responsive to receiving, by the hypervisor, the second request to perform the system call, validating, by the hypervisor, the second request in accordance with the validation rules of the security policy”
(Oh, ¶ 83: host management module 235 may directly control the backend device driver 236a of the virtualization platform 237 to apply the security policy associated with control of an input/output device, a storage device, or other hardware of the electronic device 220).

18.	Regarding claim 9, Oh and Terasaki teach/suggest:
	“responsive to successfully validating, by the hypervisor, the second request, performing, by the hypervisor, the system call”
(Oh, ¶ 72: provide the security policy to the guest operating system 250 to allow the guest operating system 250 to perform the DRM function and the file system encryption;
¶ 77: map the security policy or a portion thereof to appropriate commands CMD or API calls of the guest operating system 250;
¶ 83: host management module 235 may directly control the backend device driver 236a of the virtualization platform 237 to apply the security policy associated with control of an input/output device, a storage device, or other hardware of the electronic device 220;
Terasaki, ¶ 87: the policy setting information may include the identifier for identifying the item of a security policy to be applied, and information (allowance, prohibition, or the like) about how the item is to be set); and

19.	Regarding claim 10, Oh and Terasaki teach/suggest:
“responsive to not successfully validating, by the guest operating system, the first request in accordance with the validation rules of the security policy, preventing, by the guest operating system, the system call from proceeding”
(Oh, ¶ 72: provide the security policy to the guest operating system 250 to allow the guest operating system 250 to perform the DRM function and the file system encryption;
¶ 73: if a policy in which the operation of the guest operating system 250 is restricted when a designated anti-virus software does not exist is received, the host management module 235 may provide the policy to the guest operating system 250;
¶ 77: map the security policy or a portion thereof to appropriate commands CMD or API calls of the guest operating system 250;
¶ 86: host management module 235 may limit hardware access of the guest operating system 250 such that the guest operating system 250 recognizes a designated device driver is removed or is disabled;
Terasaki, ¶ 87: the policy setting information may include the identifier for identifying the item of a security policy to be applied, and information (allowance, prohibition, or the like) about how the item is to be set).


20.	Regarding claim 11, Oh teaches/suggests:
“wherein preventing the system call from proceeding comprises one or more of: ... generating an error indication”
(¶ 86: host management module 235 may limit hardware access of the guest operating system 250 such that the guest operating system 250 recognizes a designated device driver is removed or is disabled;
¶¶ 105–106: user 290 may try to use the hardware resource 270 by using a first application... first application 281 may notify the user 290 that the hardware resource 270 is unavailable to use).

21.	Regarding claim 12, Oh and Terasaki teach/suggest:
“wherein the guest operating system comprises a guest operating system kernel, the method further comprising: providing, by the hypervisor, the guest operating system kernel to the virtual machine, wherein validating, by the guest operating system, the first request in accordance with the validation rules of the security policy is performed by the guest operating system kernel.”
(Oh, ¶ 58: guest operating system 250 may include a guest kernel 252;
(¶ 72: provide the security policy to the guest operating system 250 to allow the guest operating system 250 to perform the DRM function and the file system encryption;
¶ 77: map the security policy or a portion thereof to appropriate commands CMD or API calls of the guest operating system 250;
Terasaki, ¶ 87: the policy setting information may include the identifier for identifying the item of a security policy to be applied, and information (allowance, prohibition, or the like) about how the item is to be set).


22.	Regarding claims 16–18, they are the corresponding system claim reciting similar limitations of commensurate scope as the method of claims 1–3. Therefore, they are rejected on the same basis as claims 1–3 above, further including the following rationale:

Oh teaches/suggests: “a memory; and a processing device communicably coupled to the memory, the processing device to” (Fig. 9, processor and memory).

23.	Regarding claims 19–20, they are the corresponding computer program product claims reciting similar limitations of commensurate scope as the method of claims 1–2, respectively. Therefore, they are rejected on the same basis as claims 1–2 above.


Allowable Subject Matter
24.	Claims 5–7 and 13–15 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.


Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to BENJAMIN C WU whose telephone number is (571)270-5906.  The examiner can normally be reached on Monday through Friday, 8:30 A.M. to 5:00 P.M..

Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Meng-Ai An can be reached on (571)272-3756.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.

Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/BENJAMIN C WU/Primary Examiner, Art Unit 2195                                                                                                                                                                                                        
July 23, 2022