Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 6/29/2022 has been entered.

Response to Amendment
This is in response to the amendments filed on 6/29/2022 Claim 1 has been amended. Claims 1-19 are currently pending and have been considered below. 

Response to Arguments
Applicant’s arguments with respect to claim(s) 1 have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claim(s) 1-5 and 7-19 is/are rejected under 35 U.S.C. 103 as being unpatentable over “LeMay” (US 2016/0283714) in view of “Yamada” (US 2017/0185791).

Regarding Claim 1:
LeMay teaches:
A method of detecting an exploit of a vulnerability of a computing device (¶0019, “… control flow exploit detection and mitigation”; ¶0031, “… the computing device may execute a method 300 for control flow exploit mitigation”), the method comprising: 
receiving an execution flow of at least one process running in a first physical processor of the computing device (¶0019, “… the computing device 100 executes software with RTIT support enabled and the processor 120 automatically outputs trace data indicate of control flow of the software”), wherein the execution flow is received from a performance monitoring unit (PMU) of the first physical processor (¶0027, “The processor trace module 204 is configured to generate trace data indicative of control flow”); 
receiving memory pages from a memory of the computing device (¶0019, “An exploit detector periodically analyzes the trace data to identify potential control flow exploits”; ¶0021, “The trace data, in combination with the in-memory image of the executed application…”); 
…
reconstructing the execution flow of the process on the another … processor based on the execution flow received from the PMU and the memory pages (¶0021, “The trace data, in combination with the in-memory image of the executed application, may then be used to reconstruct the control flow executed by the processor 120”: ¶0028, “The exploit detector module 208 is configured to analyze the trace data to identify a suspected control flow exploit …”); 
running at least one exploit detection algorithm on the reconstructed execution flow of the process in order to identify an exploit attempt (¶0019, “An exploit detector periodically analyzes the trace data to identify potential control flow exploits … the exploit detector may apply one or more heuristic checks to the trace data to identify suspicious behavior”); and 
issuing an alert (¶0030, “The security response module 216 may be configured to … notify the user of the suspected exploit”).
LeMay does not disclose:
continuously checking, by another physical processor which is physically separate from the first processor, the execution flow of the first processor; 
reconstructing the execution flow of the process on the another physical processor based on the execution flow received from the PMU and the memory pages; 
Yamada teaches:
continuously checking, by another physical processor (Fig. 1, element 106) which is physically separate from the first processor (¶0012, “… the BT circuitry may be to determine at least one section of the native code for BT generation, the execution flow of the first processor (Fig. 1, element 106 and 102 are physically separate; ¶0013, “In performing API monitoring the BT circuitry may be able to inspect at least one program call made by the at last one thread when an exception is generated by the at least one thread executing the at least one jump instruction”); 
reconstructing the execution flow of the process on the another physical processor based on the execution flow received from the PMU and the memory pages (¶0034, “Alternatively, the code sections themselves may be modified to add an intercept jump after the header and/or to modify some or all of the body section of the code section to include at least one trap instruction”; i.e., reconstructing the execution flow by adding a trap instruction); 
	Before the effective filing date of the claimed invention, it would have been obvious to one with ordinary skill in the art to modify LeMay’s system for control flow exploit mitigation by enhancing LeMay’s platform to utilize a separate, physical processor to provide monitoring of an execution flow and reconstruction of the execution flow as required, as taught by Yamada, in order to provide dedicated monitoring to a dynamic system for detecting exploits.
	The motivation is to ensure that monitoring services are provided to a system that is actively searching for exploit code processes in order to reduce the likelihood that the exploit code can bypass detection mechanisms. 

Regarding Claim 2:
The method of claim 1, LeMay in view of Yamada further comprising interrupting the process running on the first physical processor of the computing device when an exploit is detected (LeMay, ¶0030, “The security response module 216 is to handle the suspected control … terminate the process/thread 202…”).

Regarding Claim 3:
The method of claim 1, LeMay in view of Yamada further comprising maintain map of addresses in memory of the first physical processor (LeMay, ¶0021, “The RTIT support 112 may log data packets relating to … target addresses of indirect branch instructions, target addresses of mispredicted return instructions … The trace data, in combination with the in-memory image of the executed application, may be used to reconstruct the control flow … For example, RTIT support 112 may log the return addresses associated with call instructions as they are executed”).

Regarding Claim 4:
The method of claim 1, LeMay in view of Yamada further comprising mapping a structured exception handler (SEH) of the operating system of the first physical processor (LeMay, ¶0029, “The mispredicted return handler 210 may be embodied as any function … The mispredicted return handler 210 may encode data in the trace data area 206 using a handler key 212 … the handler key 212 may be stored as an immediate value in a memory page marked execute-only using extended page tables (EPT) support of the processor 120”; i.e., the mispredicted return handler 210 may be embodied as any function, and given that the claim does not further specify what the “mapping” is associated with, then the examiner maintains that said “mapping” is disclosed by the embodied as any function teaching of LeMay).

Regarding Claim 5:
The method of claim 4, LeMay in view of Yamada further comprising adding a memory address of the SEH (LeMay, ¶0029, “The mispredicted return handler 210 may be embodied as any function … The mispredicted return handler 210 may encode data in the trace data area 206 using a handler key 212 … the handler key 212 may be stored as an immediate value in a memory page marked execute-only using extended page tables (EPT) support of the processor 120”).

Regarding Claim 7:
The method of claim 1, LeMay in view of Yamada further comprising mapping at least one of memory allocation addresses and memory deallocation addresses (LeMay, ¶0021, “The RTIT support 112 may log data packets relating to … target addresses of indirect branch instructions, target addresses of mispredicted return instructions … The trace data, in combination with the in-memory image of the executed application, may be used to reconstruct the control flow … For example, RTIT support 112 may log the return addresses associated with call instructions as they are executed”).

Regarding Claim 8:
The method of claim 7, LeMay in view of Yamada further comprising checking if at least one of memory allocation function and memory deallocation function is called (LeMay, ¶0055, “In block 612, the computing device 100 determines whether a mispredicted return instruction has been executed … when a call instruction is executed, a return address … is pushed onto the system stack. When a return address is executed, a return address is popped off the stack and the processor 120 jumps to that return address. For a computing device 100 performing conservative call/return consistency checks”).

Regarding Claim 9:
The method of claim 7, LeMay in view of Yamada further comprising increasing at least one of allocation counter and deallocation counter (LeMay, ¶0063, “Referring back to block 716, if the encoded MAC values match the method 700 advances to block 720 … The computing device 100 may push return addresses corresponding to recorded call instructions onto the shadow stack, pop return addresses corresponding to predicted return instructions, push or pop stack base pointers …”; i.e., pushing and popping addresses to and from a stack discloses “allocating” and “deallocating” a counter).

Regarding Claim 10:
The method of claim 7, LeMay in view of Yamada further comprising checking if difference of allocation counter and deallocation counter is greater than a predefined value (LeMay, ¶0045, “The computing device may determine … the distance between the addresses of the return instructions … the computing device 100 determines whether the distance between the addresses is greater than a threshold distance”).

Regarding Claim 11:
The method of claim 1, LeMay in view of Yamada further comprising receiving at least one instruction (LeMay, ¶0021, “… call instructions as they are executed”).

Regarding Claim 12:
The method of claim 1, LeMay in view of Yamada further comprising maintaining a shadow stack (LeMay, ¶0002, “Certain ROP exploits may be prevented by maintaining a “shadow stack”…”; ¶0063, “Referring back to block 716, if the encoded MAC values match the method 700 advances to block 720 … The computing device 100 may push return addresses corresponding to recorded call instructions onto the shadow stack …”).

Regarding Claim 13:
The method of claim 12, LeMay in view of Yamada further comprising checking if a call instruction in the execution flow has been executed (LeMay, ¶0048, “The method 500 begins in block 502, in which the computing device 100 determines whether a call instruction is being executed by the process/thread 202”).

Regarding Claim 14:
The method of claim 12, LeMay in view of Yamada further comprising pushing expected return address to the shadow stack (LeMay, ¶0063, “Referring back to block 716, if the encoded MAC values match the method 700 advances to block 720 … The computing device 100 may push return addresses corresponding to recorded call instructions onto the shadow stack …”).

Regarding Claim 15:
The method of claim 12, LeMay in view of Yamada further comprising checking if a return instruction has been executed (LeMay, ¶0051, “In block 512, the computing device 100 determines whether a return address is being executed by the process/thread 202”).

Regarding Claim 16:
The method of claim 12, LeMay in view of Yamada further comprising checking if target address is different from top address on shadow stack (LeMay, ¶0035, “… the computing device 100 may construct and/or maintain a shadow stack in the shadow stack area 214 based on the trace data and identify suspected ROP exploits by comparing he active system stack to the shadow stack”).

Regarding Claim 17:
The method of claim 12, LeMay in view of Yamada further comprising popping an address from the stack (LeMay, ¶0063, “Referring back to block 716, if the encoded MAC values match the method 700 advances to block 720 … The computing device 100 may push return addresses corresponding to recorded call instructions onto the shadow stack, pop return addresses corresponding to predicted return instructions, push or pop stack base pointers …”).

Regarding Claim 18:
The method of claim 1, LeMay in view of Yamada further comprising: 
maintaining a database of legal addresses to transfer control indirectly to (LeMay, ¶0021, “The RTIT support 112 may log data packets relating to … target addresses of indirect branch instructions, target addresses of mispredicted return instructions … The trace data, in combination with the in-memory image of the executed application, may be used to reconstruct the control flow … For example, RTIT support 112 may log the return addresses associated with call instructions as they are executed”); and 
receiving instructions for indirect branch from the reconstructed execution flow (LeMay, ¶0050, “An indirect call determines the destination addressed based on the contents of a register or memory location”).

Regarding Claim 19:
The method of claim 18, LeMay in view of Yamada further comprising checking if the received instruction corresponds to the database of legal addresses to transfer control indirectly to (LeMay, ¶0087, “… wherein to analyze the trace data to identify the suspected control flow exploit comprises to identify a first target instruction pointer packet in the trace data, wherein the first target instruction pointer packet is associated with a destination address; determine whether the destination address is a predefined legitimate branch target …”).

Claim(s) 6 is/are rejected under 35 U.S.C. 103 as being unpatentable over “LeMay” (US 2016/0283714) in view of “Yamada” (US 2017/0185791) in further view of “Mann” (US 8707433).

Regarding Claim 6:
LeMay in view of Yamada teaches:
The method of claim 4, …
LeMay in view of Yamada does not disclose:
… further comprising checking if the structured exception handler (SEH) is registered.
Mann teaches:
… further comprising checking if the structured exception handler (SEH) is registered (Col. 1, lines 21-35, “One known exploit of this type involves an attacker over writing the Structured Exception Handling (SEH) record on the stack … When an exception occurs, the exception handler pointed to by the first record is called. If the exception handler can process the exception that occurred, it does so and then returns”; Col. 2, lines 23-26, “Another SEH validation method involves checking the memory attributes of the exception handler’s address. If the handler is not in an executable section of memory … it is flagged as an exploit”; i.e., checking if the SEH is registered by determining whether the memory attributes of the SEH’s address are in an executable section of memory).
	Before the effective filing date of the claimed invention, it would have been obvious to one with ordinary skill in the art to modify LeMay in view of Yamada’s system for control flow exploit mitigation by enhancing LeMay in view of Yamada’s platform to further check the memory attributes of an exception handler, as taught by Mann, in order to detect fake exception handlers.
	The motivation is to protect a system that employs exception handlers by checking that the exception handler is not fraudulent, thus preventing the system from being exposed to buffer overflow attacks.

Contact Information
Any inquiry concerning this communication or earlier communications from the examiner should be directed to DANIEL B POTRATZ whose telephone number is (571)270-5329.  The examiner can normally be reached on M-F 10 A.M. - 6 P.M. CST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.  
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Ashok Patel can be reached on 571-272-3972.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.




/DANIEL B POTRATZ/Primary Examiner, Art Unit 2491