DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application is being examined under the pre-AIA first to invent provisions.

         This office action is a response to an application filed 02/19/2021 as a Divisional Application to 15/954/341, now US Patent 11003777, with priority date 04/16/2018.  In this application Claims 1-9 and 14-23 were cancelled.  Claims 10-13 and 24-42 are pending and ready for examination.  

Information Disclosure Statement
The information disclosure statements (IDS) submitted on 02/19/2021 and 05/12/2022 are in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statements are being considered by the examiner.


Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.


Claims 10, 24, 28, 32-33, and 37 are rejected under 35 U.S.C. 102(a)(2) as being anticipated by Clifton; Nick, US 20190311129 A1, October 10, 2019, hereafter referred to as Clifton.

As to claim 10, Clifton teaches a computer program product for detecting potentially malicious code accessing data from a storage – Clifton [0093] non-transitory machine-readable medium is also configured to track a movement from at least one of a register and a stack, record the movement and an instruction of the set of instructions associated with the movement, and report a potential vulnerability. Here, the claimed ‘computer program product’ is taught by Clifton as ‘non-transitory machine-readable medium’ which is a product embedding detection code.  The claimed ‘potentially malicious code’ is taught by Clifton as ‘potential vulnerability’ since the vulnerability is noticing data movement. The claimed ‘storage’ is taught by Clifton as ‘medium’), the computer program product comprising a computer readable storage medium having computer readable program code embodied therein that when executed by a processor performs operations – Clifton [0093] … a non-transitory machine-readable medium storing code, which when executed by a processor, is configured to execute a first simulation of a set of instructions, track at least one of a register value and a stack value while executing the first simulation of the set of instructions.  Here, the claimed ‘computer readable storage medium’ is taught by Clifton as ‘machine-readable medium’.  The claimed ‘having program code’ is taught by Clifton as ‘storing code’ which positively places the code on the medium.  The claimed ‘performs operations’ is taught by Clifton as ‘execute a first simulation’ because to perform a simulation is the computer program product executing an operation), the operations comprising:
executing, by the processor, application code – Clifton [0017] … the scanner executes a simulation of a set of instructions and tracks register value(s) and/or stack value(s) while executing the simulation.  Here, the claimed ‘processor’ is taught by Clifton as ‘the scanner’ which is the computer program product whereas the claimed ‘application code’ is taught by Clifton as ‘simulation’ whereas the application code is being executed by the scanner);
speculatively executing, by the processor, conditional branches of the application code in advance of a location at which the application code is being executed – Clifton [0017] …. Once the vulnerabilities are identified, speculation denial instructions may be placed at the appropriate conditional branches to prevent any exploitable changes.  Here, the claimed ‘speculatively executing’ is taught by Clifton as ‘speculation denial instructions’ as issuing speculation denial instructions occurs when the scanner is speculatively executing code.  The claimed ‘in advance of a location’ is taught by Clifton as ‘simulation follows each leg’ since the speculative execution predicts code response before code is executed and tracks and records address of the branch) wherein a result of one of the speculatively executed conditional branches is maintained depending on a condition used to determine which of the conditional branches to traverse [0021] … By eliminating speculative execution for the portions of code that result in a security breach and allowing a processor to speculatively execute for the remaining portions of code, the scanner advantageously improves security without eliminating all of the benefits of speculative execution.  Here, the claimed ‘condition’ is taught by Clifton as ‘security breach’ which triggers decisions by the scanner.  The claimed ‘result’ is taught by Clifton as ‘remaining portions’ because the remaining branch is also result of the speculative execution that is okay.  The claimed ‘maintained’ is taught by Clifton as ‘and allowing’ because the speculative execution of the other branch is maintained and allowed to continue executing),
detecting potentially malicious activity – Clifton [0056] a potential vulnerability in the set of instructions is determined the scanner 160 may determine a potential vulnerability such as a specific instruction that triggers speculation or a data movement instruction that loads values from restricted memory into cache, which can ultimately be exploited and uncovered by an attacker or adversary.  Here, the claimed ‘detecting’ is taught by Clifton as ‘vulnerability is determined’ whereas the claimed ‘malicious activity’ is taught by Clifton as ‘data movement’); and
in response to detecting the potentially malicious activity, disabling the speculatively executing of the application code – Clifton [0057] Then, the potential vulnerability is eliminated with a load fence positioned at a conditional branch associated with the potential vulnerability (block 508). a speculative denial instruction or memory barrier, such as a load fence, may be positioned at the conditional branch associated with the potential vulnerability … memory barriers may be used such that no instructions after the barrier, for example a CSDB barrier, can be speculatively executed using the results of any data value predictions or other predicted values that have not already been resolved.  Here, the claimed ‘in response to detecting’ is taught by Clifton as ‘Then’ because the scanner transitions from discovery to protection.  The claimed ‘disabling the speculatively executing’ is taught by Clifton as ‘no instructions after the barrier,’ because after the barrier is in place speculative execution of the code is not allowed.  The claimed ‘application code’ is taught by Clifton as ‘data value’ because the data value is a variable of application code). 

As to claim 24, Clifton teaches a system (Clifton Figure 1 System 100) for detecting potentially malicious code accessing data from a storage (Clifton Figure 1 Host Memory 186 storage media), comprising:
a processor – Clifton [0018] Figure 1 Scanner 160; and
 a computer readable storage medium having computer readable program – Clifton [0018] …The computing system 100 may include an operating system (e.g., host OS 186), when executed by a processor performs operations – Clifton [0093] … a non-transitory machine-readable medium storing code, which when executed by a processor, is configured to execute a first simulation of a set of instructions, track at least one of a register value and a stack value while executing the first simulation of the set of instructions.  Here, the claimed ‘computer readable storage medium’ is taught by Clifton as ‘machine-readable medium’.  The claimed ‘having program code’ is taught by Clifton as ‘storing code’ which positively places the code on the medium.  The claimed ‘performs operations’ is taught by Clifton as ‘execute a first simulation’ because to perform a simulation is the computer program product executing an operation), the operations comprising:
executing, by the processor, application code – Clifton [0017] … the scanner executes a simulation of a set of instructions and tracks register value(s) and/or stack value(s) while executing the simulation.  Here, the claimed ‘processor’ is taught by Clifton as ‘the scanner’ which is the computer program product whereas the claimed ‘application code’ is taught by Clifton as ‘simulation’ whereas the application code is being executed by the scanner);
speculatively executing, by the processor, conditional branches of the application code in advance of a location at which the application code is being executed – Clifton [0017] …. Once the vulnerabilities are identified, speculation denial instructions may be placed at the appropriate conditional branches to prevent any exploitable changes.  Here, the claimed ‘speculatively executing’ is taught by Clifton as ‘speculation denial instructions’ as issuing speculation denial instructions occurs when the scanner is speculatively executing code.  The claimed ‘in advance of a location’ is taught by Clifton as ‘simulation follows each leg’ since the speculative execution tracks and records address of the branch) wherein a result of one of the speculatively executed conditional branches is maintained depending on a condition used to determine which of the conditional branches to traverse [0021] … By eliminating speculative execution for the portions of code that result in a security breach and allowing a processor to speculatively execute for the remaining portions of code, the scanner advantageously improves security without eliminating all of the benefits of speculative execution.  Here, the claimed ‘condition’ is taught by Clifton as ‘security breach’ which triggers decisions by the scanner.  The claimed ‘result’ is taught by Clifton as ‘remaining portions’ because the remaining branch is also result of the speculative execution that is okay.  The claimed ‘maintained’ is taught by Clifton as ‘and allowing’ because the speculative execution of the other branch is maintained and allowed to continue executing),
detecting potentially malicious activity – Clifton [0056] a potential vulnerability in the set of instructions is determined the scanner 160 may determine a potential vulnerability such as a specific instruction that triggers speculation or a data movement instruction that loads values from restricted memory into cache, which can ultimately be exploited and uncovered by an attacker or adversary.  Here, the claimed ‘detecting’ is taught by Clifton as ‘vulnerability is determined’ whereas the claimed ‘malicious activity’ is taught by Clifton as ‘data movement’); and
in response to detecting the potentially malicious activity, disabling the speculatively executing of the application code – Clifton [0057] Then, the potential vulnerability is eliminated with a load fence positioned at a conditional branch associated with the potential vulnerability (block 508). a speculative denial instruction or memory barrier, such as a load fence, may be positioned at the conditional branch associated with the potential vulnerability … memory barriers may be used such that no instructions after the barrier, for example a CSDB barrier, can be speculatively executed using the results of any data value predictions or other predicted values that have not already been resolved.  Here, the claimed ‘in response to detecting’ is taught by Clifton as ‘Then’ because the scanner transitions from discovery to protection.  The claimed ‘disabling the speculatively executing’ is taught by Clifton as ‘no instructions after the barrier,’ because after the barrier is in place speculative execution of the code is not allowed.  The claimed ‘application code’ is taught by Clifton as ‘data value’ because the data value is a variable of application code). 

As to claim 28, Clifton teaches a computer implemented method – Clifton [0011] FIG. 5 illustrates a flowchart of an example process for detecting a vulnerability in code for detecting potentially malicious code accessing data from a storage – Clifton [0005] the data movement instruction involves a data movement in cache memory, and the potential vulnerability is detected by the scanner.  Here, the claimed ‘computer program product’ is taught by Clifton as ‘the scanner’ which is a processor that detects the claimed ‘potentially malicious code’ as taught by Clifton as ‘potential vulnerability’ since the vulnerability is noticing data movement out of a register. The claimed ‘storage’ is taught by Clifton as ‘cache memory’), the computer program product comprising a computer readable storage medium having computer readable program code embodied therein that when executed by a processor performs operations – Clifton [0093] … a non-transitory machine-readable medium storing code, which when executed by a processor, is configured to execute a first simulation of a set of instructions, track at least one of a register value and a stack value while executing the first simulation of the set of instructions.  Here, the claimed ‘computer readable storage medium’ is taught by Clifton as ‘machine-readable medium’.  The claimed ‘having program code’ is taught by Clifton as ‘storing code’ which positively places the code on the medium.  The claimed ‘performs operations’ is taught by Clifton as ‘execute a first simulation’ because to perform a simulation is the computer program product executing an operation), the operations comprising:
executing, by the processor, application code – Clifton [0017] … the scanner executes a simulation of a set of instructions and tracks register value(s) and/or stack value(s) while executing the simulation.  Here, the claimed ‘processor’ is taught by Clifton as ‘the scanner’ which is the computer program product whereas the claimed ‘application code’ is taught by Clifton as ‘simulation’ whereas the application code is being executed by the scanner);
speculatively executing, by the processor, conditional branches of the application code in advance of a location at which the application code is being executed – Clifton [0017] …. Once the vulnerabilities are identified, speculation denial instructions may be placed at the appropriate conditional branches to prevent any exploitable changes.  Here, the claimed ‘speculatively executing’ is taught by Clifton as ‘speculation denial instructions’ as issuing speculation denial instructions occurs when the scanner is speculatively executing code.  The claimed ‘in advance of a location’ is taught by Clifton as ‘simulation follows each leg’ since the speculative execution tracks and records address of the branch) wherein a result of one of the speculatively executed conditional branches is maintained depending on a condition used to determine which of the conditional branches to traverse [0021] … By eliminating speculative execution for the portions of code that result in a security breach and allowing a processor to speculatively execute for the remaining portions of code, the scanner advantageously improves security without eliminating all of the benefits of speculative execution.  Here, the claimed ‘condition’ is taught by Clifton as ‘security breach’ which triggers decisions by the scanner.  The claimed ‘result’ is taught by Clifton as ‘remaining portions’ because the remaining branch is also result of the speculative execution that is okay.  The claimed ‘maintained’ is taught by Clifton as ‘and allowing’ because the speculative execution of the other branch is maintained and allowed to continue executing),
detecting potentially malicious activity – Clifton [0056] a potential vulnerability in the set of instructions is determined the scanner 160 may determine a potential vulnerability such as a specific instruction that triggers speculation or a data movement instruction that loads values from restricted memory into cache, which can ultimately be exploited and uncovered by an attacker or adversary.  Here, the claimed ‘detecting’ is taught by Clifton as ‘vulnerability is determined’ whereas the claimed ‘malicious activity’ is taught by Clifton as ‘data movement’); and
in response to detecting the potentially malicious activity, disabling the speculatively executing of the application code – Clifton [0057] Then, the potential vulnerability is eliminated with a load fence positioned at a conditional branch associated with the potential vulnerability (block 508). a speculative denial instruction or memory barrier, such as a load fence, may be positioned at the conditional branch associated with the potential vulnerability … memory barriers may be used such that no instructions after the barrier, for example a CSDB barrier, can be speculatively executed using the results of any data value predictions or other predicted values that have not already been resolved.  Here, the claimed ‘in response to detecting’ is taught by Clifton as ‘Then’ because the scanner transitions from discovery to protection.  The claimed ‘disabling the speculatively executing’ is taught by Clifton as ‘no instructions after the barrier,’ because after the barrier is in place speculative execution of the code is not allowed.  The claimed ‘application code’ is taught by Clifton as ‘data value’ because the data value is a variable of application code). 

As to claim 32, the combination of Clifton and Kapoor teaches the computer program product of claim 10, wherein parameters and information from the speculatively executed conditional branches are available to an application process when the application processes reaches a point in the application code that was speculatively executed – Clifton [0015] … a processor may execute instructions along both legs of a speculative branch (e.g., a “true” branch and a “false” branch) before determining whether the “if statement” associated with the speculative branch is actually true or false. Once the processor knows whether the “if statement” is true or false, the processor has a head start on each leg of the speculative branch, which speeds up processing overall.  Here, the claimed ‘parameters and information’ is taught by Clifton as a “true” branch and a “false” branch, which are the values needed to traverse the branches.  The claimed ‘reaches a point’ is taught by Clifton as ‘once the processor knows’).

As to claim 33, Clifton teaches the computer program product of claim 10, wherein the operations further comprise:
injecting trap code into a path of the conditional branches to speculatively execute wherein the trap code when executed allocates trap addresses or trap data for access by a malicious program – Clifton [0058] … once vulnerabilities are located, the scanner 160 may automatically place speculation denial instructions at the appropriate spots in the program code. By positioning speculation denial instructions at vulnerable code sections while allowing a processor to speculatively execute other portions of code, security is improved while maintaining the performance benefits of speculative execution.  Here, the claimed ‘injecting’ is taught by Clifton as ‘automatically place’ whereas the claimed ‘trap code’ in this instance is taught by Clifton as ‘speculation denial instructions’ because the instructions ‘halt’ or capture the activity.  The claimed ‘conditional branch’ is taught by Clifton as ‘vulnerabilities’ because the conditional branch is automatically associated with potential vulnerabilities taught at Clifton [0057]).

As to claim 37, Clifton teaches the system of claim 24, wherein the operations further comprise:
injecting trap code into a path of the conditional branches to speculatively execute wherein the trap code when executed allocates trap addresses or trap data for access by a malicious program – Clifton [0058] … once vulnerabilities are located, the scanner 160 may automatically place speculation denial instructions at the appropriate spots in the program code. By positioning speculation denial instructions at vulnerable code sections while allowing a processor to speculatively execute other portions of code, security is improved while maintaining the performance benefits of speculative execution.  Here, the claimed ‘injecting’ is taught by Clifton as ‘automatically place’ whereas the claimed ‘trap code’ in this instance is taught by Clifton as ‘speculation denial instructions’ because the instructions ‘halt’ or capture the activity.  The claimed ‘conditional branch’ is taught by Clifton as ‘vulnerabilities’ because the conditional branch is automatically associated with potential vulnerabilities taught at Clifton [0057]).
 
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.


Claims 11-12, 25, 27, and 29-30 are rejected under 35 U.S.C. 103 as being unpatentable over Clifton; Nick, US 20190311129 A1, October 10, 2019, hereafter referred to as Clifton in view of Kapoor; Aditya et al, US 20130312098 A1, November 21, 2013 hereafter referred to as Kapoor.

As to claim 11, Clifton teaches the computer program product of claim 10.  CLIFTON DOES NOT TEACH wherein the operations further comprise:
executing trap code in response to processing a specified type of command in application code to allocate a trap address range used to detect potentially malicious code, and 
executing the specified type of command in the application code, wherein the detecting the potentially malicious activity comprises detecting that an application has accessed the trap address range HOWEVER IN AN ANALOGOUS ART THAT IS DIRECTED TO THE PARTICULAR PROBLEM TO BE SOLVED KAPOOR TEACHES wherein the operations further comprise:
executing trap code in response to processing a specified type of command in application code – Kapoor [0184 and 0040] since at ‘184… microcode security agent 708 may be configured to monitor the execution of "JMP" or similar branching instructions which would move the operation of processor 304 into the middle of sensitive data or code.  In such a case, microcode security agent 708 may be configured to trap the execution of "JMP" instructions in combination with the sensitive memory ranges. Microcode security agent 708 may be configured to analyze from where the "JMP" instruction originated.  Here, the claimed ‘executing trap code’ is taught by Kapoor as ‘configured to trap’ because the configuring uses code that identifies the at least JMP instruction where jumping involves both an origin and destination address range.  The claimed ‘in response’ is taught by Kapoor as ‘by monitoring’ which detects the jump instruction and responds.  The claimed ‘specified type of command’ is taught by Kapoor as "JMP" whereby a jump command indicates potential data movement out of protected spaces to allocate a trap address range used to detect potentially malicious code since at ’60 … SVMM 216 may be configured to initialize the allocated memory after protection of the memory is established to eliminate the opportunity for malware to add malicious code between the time when the memory is allocated by in-O/S security agent 218 and the protection is established by SVMM 216.  Here, the claimed ‘allocate trap address range’ is taught by Kapoor as ‘initialize the allocated memory’ whereas the claimed ‘malicious code’ is taught by Kapoor as ‘malware’); and
executing the specified type of command in the application code, wherein the detecting the potentially malicious activity comprises detecting that an application has accessed the trap address range – Kapoor [0122] … firmware security agent 516 may be configured to access security rules 518 to determine whether a triggered event is malicious or not… security rules 518 may contain instructions for firmware security agent 516 to process the triggered event. Firmware security agent 516 may be configured to use such instructions to determine whether to allow or deny the request, or to take another corrective action. Here, the claimed ‘executing the specified type of command’ is taught by Kapoor as ‘process the triggered event’ because a specific command in the request will be processed by the security agent for analysis whereas the claimed ‘potentially malicious activity’ is taught by Kapoor as ‘event is malicious or not’.  The claimed ‘detecting’ is taught by Kapoor as ‘triggered’. It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify Clifton’s speculative execution engine to use trap codes as a redirection trigger.  Clifton uses addresses to relocate possible threats but does not include trap codes.  Kapoor’s trap codes enable Clifton’s scanner to inject and route potential code to a secure space, thereby improving Clifton’s computer security).
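The following is an added illustrative example; it is not part of this Office action and is not code from the Clifton or Kapoor applications or from the present application. It models, in Python, the behaviour the mappings for claims 10 and 11 rely on: a scanner that follows both legs of each conditional branch and flags a branch after which a load's address depends on a register the branch has not yet resolved (the scanning of Clifton [0017] and [0056]), a speculation-denial marker positioned at the flagged branch so that it is resolved before anything after it runs (the load fence of Clifton [0057]), and a trap address range allocated just past a bounds-checked table whose access is reported as potentially malicious activity and disables further speculative execution (the trap range of claim 11 and Kapoor [0184]). The instruction set, the address ranges, the program and the memory contents are all constructed for the example and correspond to nothing in either reference.

```python
# Constructed toy model: a tiny instruction set, a processor that runs both legs
# of a conditional branch transiently, a scanner that finds branches worth
# fencing, and a trap address range whose access is reported as malicious.

TABLE, TABLE_SIZE = 0x100, 16                  # constructed: a 16-entry table
TRAP_RANGE = range(TABLE + TABLE_SIZE, 0x200)  # trap addresses allocated just past it
RESTRICTED = range(0x1000, 0x2000)             # memory the program must never read
WINDOW = 4                                     # instructions followed past a branch

# Constructed program: a bounds-checked table read with the index in r0.
# ("bge", r, imm, target) branches to target when regs[r] >= imm.
PROGRAM = [
    ("bge", "r0", TABLE_SIZE, 4),  # 0: index out of range -> skip the read
    ("load", "r1", "r0", TABLE),   # 1: r1 = mem[TABLE + r0]
    ("load", "r2", "r1", 0x300),   # 2: r2 = mem[0x300 + r1] (address depends on r1)
    ("jmp", 5),                    # 3
    ("set", "r1", 0),              # 4: out-of-range path
    ("halt",),                     # 5
]


def step(program, pc, regs, mem):
    """Execute one instruction; return (next pc or None at halt, address loaded or None)."""
    ins = program[pc]
    if ins[0] == "set":
        regs[ins[1]] = ins[2]
        return pc + 1, None
    if ins[0] == "load":
        addr = regs[ins[2]] + ins[3]
        regs[ins[1]] = mem.get(addr, 0)
        return pc + 1, addr
    if ins[0] == "bge":
        return (ins[3] if regs[ins[1]] >= ins[2] else pc + 1), None
    if ins[0] == "jmp":
        return ins[1], None
    return None, None


def scan(program):
    """Scanner: follow both legs of every conditional branch and flag the branch
    when, within WINDOW instructions, a load's address depends on the register
    the branch compared (or on a value loaded through that register)."""
    vulnerable = set()
    for pc, ins in enumerate(program):
        if ins[0] != "bge":
            continue
        for leg in (pc + 1, ins[3]):
            unresolved, p = {ins[1]}, leg
            for _ in range(WINDOW):
                if p is None or p >= len(program):
                    break
                nxt = program[p]
                if nxt[0] == "set":
                    unresolved.discard(nxt[1])        # overwritten with a constant
                if nxt[0] == "load" and nxt[2] in unresolved:
                    vulnerable.add(pc)
                    unresolved.add(nxt[1])            # the loaded value is unresolved too
                if nxt[0] in ("halt", "bge"):
                    break
                p = nxt[1] if nxt[0] == "jmp" else p + 1
    return vulnerable


def run(program, regs, mem, fenced=frozenset()):
    """Processor model.  An unfenced conditional branch lets both legs run
    transiently for WINDOW instructions, and every address those legs load is
    appended to the cache trace (the side channel).  A branch in `fenced` carries
    a speculation-denial instruction and is resolved before anything after it
    executes.  Any access into TRAP_RANGE is reported and disables speculation."""
    regs, pc = dict(regs), 0
    cache, detections, speculating = [], [], True

    def observe(at, addr):
        nonlocal speculating
        cache.append(addr)
        if addr in TRAP_RANGE:
            detections.append((at, addr))
            speculating = False

    while pc is not None:
        ins = program[pc]
        if ins[0] == "bge" and speculating and pc not in fenced:
            for leg in (pc + 1, ins[3]):
                r, p = dict(regs), leg                # transient copy of the registers
                for _ in range(WINDOW):
                    if p is None or not speculating:
                        break
                    p, addr = step(program, p, r, mem)
                    if addr is not None:
                        observe(pc, addr)
        at = pc
        pc, addr = step(program, pc, regs, mem)       # architectural execution
        if addr is not None:
            observe(at, addr)
    return {"cache": cache, "detections": detections, "regs": regs}
```

Running scan(PROGRAM) yields {0}. Running run(PROGRAM, {"r0": 0xF00}, {0x1000: 0x42}) without a fence places the restricted address 0x1000 and the dependent address 0x342 in the cache trace even though r1 is architecturally never written with the secret; passing fenced=scan(PROGRAM) leaves the trace empty. Running with r0 equal to TABLE_SIZE reaches the trap range on the first over-read, records the detection at branch 0 and leaves the second leg unexecuted.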

As to claim 12, the combination of Clifton and Kapoor teaches the computer program product of claim 11, wherein the trap code is executed in a conditional branch of the speculatively executed conditional branches by the processor when speculatively executing the conditional branches - Kapoor [0184] microcode security agent 708 may be configured to monitor the execution of "JMP" or similar branching instructions which would move the operation of processor 304 into the middle of sensitive data or code. In such a case, microcode security agent 708 may be “configured to trap” instructions in combination with the sensitive memory ranges.  Here, the claimed ‘trap code is executed’ is taught by Kapoor as ‘configured to trap’ and the claimed ‘conditional branch’ is taught by Kapoor as ‘branching instructions’ because branching instructions at least point to the address and triggering code.  The considerations for combining Clifton with Kapoor’s trap codes in claim 11 apply here in claim 12).

As to claim 25, Clifton teaches the system of claim 24. CLIFTON DOES NOT TEACH  wherein the operations further comprise:
executing trap code in response to processing a specified type of command in application code to allocate a trap address range used to detect potentially malicious code, and 
executing the specified type of command in the application code, wherein the detecting the potentially malicious activity comprises detecting that an application has accessed the trap address range HOWEVER IN AN ANALOGOUS ART THAT IS DIRECTED TO THE PARTICULAR PROBLEM TO BE SOLVED KAPOOR TEACHES wherein the operations further comprise:
executing trap code in response to processing a specified type of command in application code – Kapoor [0184 and 0040] since at ‘184… microcode security agent 708 may be configured to monitor the execution of "JMP" or similar branching instructions which would move the operation of processor 304 into the middle of sensitive data or code.  In such a case, microcode security agent 708 may be configured to trap the execution of "JMP" instructions in combination with the sensitive memory ranges. Microcode security agent 708 may be configured to analyze from where the "JMP" instruction originated.  Here, the claimed ‘executing trap code’ is taught by Kapoor as ‘configured to trap’ because the configuring uses code that identifies the at least JMP instruction where jumping involves both an origin and destination address range.  The claimed ‘in response’ is taught by Kapoor as ‘by monitoring’ which detects the jump instruction and responds.  The claimed ‘specified type of command’ is taught by Kapoor as "JMP" whereby a jump command indicates potential data movement out of protected spaces to allocate a trap address range used to detect potentially malicious code since at ’60 … SVMM 216 may be configured to initialize the allocated memory after protection of the memory is established to eliminate the opportunity for malware to add malicious code between the time when the memory is allocated by in-O/S security agent 218 and the protection is established by SVMM 216.  Here, the claimed ‘allocate trap address range’ is taught by Kapoor as ‘initialize the allocated memory’ whereas the claimed ‘malicious code’ is taught by Kapoor as ‘malware’); and
executing the specified type of command in the application code, wherein the detecting the potentially malicious activity comprises detecting that an application has accessed the trap address range – Kapoor [0122] … firmware security agent 516 may be configured to access security rules 518 to determine whether a triggered event is malicious or not… security rules 518 may contain instructions for firmware security agent 516 to process the triggered event. Firmware security agent 516 may be configured to use such instructions to determine whether to allow or deny the request, or to take another corrective action. Here, the claimed ‘executing the specified type of command’ is taught by Kapoor as ‘process the triggered event’ because a specific command in the request will be processed by the security agent for analysis whereas the claimed ‘potentially malicious activity’ is taught by Kapoor as ‘event is malicious or not’.  The claimed ‘detecting’ is taught by Kapoor as ‘triggered’. It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify Clifton’s scanner with Kapoor’s use of trap code.  Clifton does not include the use of trap codes as triggering mechanisms in his speculative execution in detecting malicious activity and code such as malware.  Kapoor provides trap codes to identify potential malicious code such as malware.  Since malware can operate and reside at the same level as security software, particularly in the operating system kernel, and thus compromise both the operating system and the integrity of the security software itself, Kapoor combined with Clifton improves security for speculative execution).

As to claim 27, the combination of Clifton and Kapoor teaches the computer program product of claim 11, wherein the trap code is executed in a conditional branch of the speculatively executed conditional branches by the processor when speculatively executing the conditional branches - Kapoor [0184] microcode security agent 708 may be configured to monitor the execution of "JMP" or similar branching instructions which would move the operation of processor 304 into the middle of sensitive data or code. In such a case, microcode security agent 708 may be “configured to trap” instructions in combination with the sensitive memory ranges.  Here, the claimed ‘trap code is executed’ is taught by Kapoor as ‘configured to trap’ and the claimed ‘conditional branch’ is taught by Kapoor as ‘branching instructions’ because branching instructions at least point to the address and triggering code.  The considerations for combining Clifton with Kapoor’s trap codes in claim 25 apply here in claim 27).

As to claim 29, Clifton teaches the method of claim 28. CLIFTON DOES NOT TEACH
further comprising:
executing trap code in response to processing a specified type of command in application code to allocate a trap address range used to detect potentially malicious code, and 
executing the specified type of command in the application code, wherein the detecting the potentially malicious activity comprises detecting that an application has accessed the trap address range HOWEVER IN AN ANALOGOUS ART THAT IS DIRECTED TO THE PARTICULAR PROBLEM TO BE SOLVED KAPOOR TEACHES wherein the operations further comprise:
executing trap code in response to processing a specified type of command in application code – Kapoor [0184 and 0040] since at ‘184 … microcode security agent 708 may be configured to monitor the execution of "JMP" or similar branching instructions which would move the operation of processor 304 into the middle of sensitive data or code.  In such a case, microcode security agent 708 may be configured to trap the execution of "JMP" instructions in combination with the sensitive memory ranges. Microcode security agent 708 may be configured to analyze from where the "JMP" instruction originated.  Here, the claimed ‘executing trap code’ is taught by Kapoor as ‘configured to trap’ because the configuring uses code that identifies at least the JMP instruction, where jumping involves both an origin and a destination address range.  The claimed ‘in response’ is taught by Kapoor as ‘by monitoring’, which detects the jump instruction and responds.  The claimed ‘specified type of command’ is taught by Kapoor as "JMP", whereby a jump command indicates potential data movement out of protected spaces); to allocate a trap address range used to detect potentially malicious code – since at ’60 … SVMM 216 may be configured to initialize the allocated memory after protection of the memory is established to eliminate the opportunity for malware to add malicious code between the time when the memory is allocated by in-O/S security agent 218 and the protection is established by SVMM 216.  Here, the claimed ‘allocate a trap address range’ is taught by Kapoor as ‘initialize the allocated memory’, whereas the claimed ‘malicious code’ is taught by Kapoor as ‘malware’); and
executing the specified type of command in the application code, wherein the detecting the potentially malicious activity comprises detecting that an application has accessed the trap address range – Kapoor [0122] … firmware security agent 516 may be configured to access security rules 518 to determine whether a triggered event is malicious or not… security rules 518 may contain instructions for firmware security agent 516 to process the triggered event. Firmware security agent 516 may be configured to use such instructions to determine whether to allow or deny the request, or to take another corrective action. Here, the claimed ‘executing the specified type of command’ is taught by Kapoor as ‘process the triggered event’ because a specific command in the request will be processed by the security agent for analysis, whereas the claimed ‘potentially malicious activity’ is taught by Kapoor as ‘event is malicious or not’.  The claimed ‘detecting’ is taught by Kapoor as ‘triggered’. It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify Clifton’s scanner with Kapoor’s use of trap address ranges.  Clifton does not include the use of trap address ranges as triggering mechanisms in his speculative execution.  Kapoor provides trap address ranges to identify potentially malicious code such as malware.  The trap address ranges isolate malicious code, thereby increasing computer security).

As to claim 30, the combination of Clifton and Kapoor teaches the method of claim 29, wherein the trap code is executed in a conditional branch of the speculatively executed conditional branches by the processor when speculatively executing the conditional branches - Kapoor [0184] microcode security agent 708 may be configured to monitor the execution of "JMP" or similar branching instructions which would move the operation of processor 304 into the middle of sensitive data or code. In such a case, microcode security agent 708 may be “configured to trap” instructions in combination with the sensitive memory ranges.  Here, the claimed ‘trap code is executed’ is taught by Kapoor as ‘configured to trap’ and the claimed ‘conditional branch’ is taught by Kapoor as ‘branching instructions’ because branching instructions at least point to the address and triggering code. The considerations for combining Clifton with Kapoor’s trap codes in claim 25 apply here in claim 30). 

Claim 13 is rejected under 35 U.S.C. 103 as being unpatentable over Clifton and Kapoor, in view of Gupta; Satya V, (US 20200372129 A1), November 26, 2020 hereafter referred to as Gupta.

As to claim 13, the combination of Clifton and Kapoor teaches the computer program product of claim 11.  THE COMBINATION OF CLIFTON AND KAPOOR DOES NOT TEACH wherein the operations further comprise:
 detecting an absence of potentially malicious activity for a time period after disabling the speculatively executing the application code
restarting the speculatively executing of the application code in response to detecting the absence of potentially malicious activity HOWEVER IN AN ANALOGOUS ART THAT IS DIRECTED TO THE SAME FIELD OF ENDEAVOR GUPTA TEACHES wherein the operations further comprise:
 detecting an absence of potentially malicious activity for a time period after disabling the speculatively executing the application code – Gupta [0074] The method 192 inserts 509 instructions to monitor the data cache of the speculative execution engine. Using the monitoring instructions, the method 192 applies a read time stamp technique to check the actions of the potential attacker process. … The method 192 maintains 511 a count of such reads of a cache line by the identified process. If the count exceeds a threshold, the method 192 takes 512 a protective action, such as terminates the attacker process, moves the attacker process to a quarantine area.  Here, the claimed ‘detecting’ is taught by Gupta as ‘exceeds a threshold’ which is the trigger for the detecting during monitoring of the cache reads.  The claimed ‘absence’ is taught by Gupta as ‘identified process’ which has not reached a threshold and therefore indicates the absence of malicious activity.   The claimed ‘potentially malicious activity’ is taught by Gupta as ‘potential attacker process’ whereas the claimed ‘time period’ is taught by Gupta as ‘read time stamp’ whereby the stamp indicates the time period); and
 restarting the speculatively executing of the application code in response to detecting the absence of potentially malicious activity – Gupta [0074] … restores a valid copy of the process file, load one or more patches to remedy the process file, and report the process as malicious to the user.  Here, the claimed ‘restarting’ is taught by Gupta as ‘restore copy of process file’ which allows the speculative execution for subsequent potential activity to continue).

Claims 26, 31, 34-36, 38-42 are rejected under 35 U.S.C. 103 as being unpatentable over Clifton, in view of Gupta; Satya V, (US 20200372129 A1), November 26, 2020 hereafter referred to as Gupta.
As to claim 26, Clifton teaches the system of claim 24. CLIFTON DOES NOT TEACH wherein the operations further comprise:
 detecting an absence of potentially malicious activity for a time period after disabling the speculatively executing the application code
restarting the speculatively executing of the application code in response to detecting the absence of potentially malicious activity HOWEVER IN AN ANALOGOUS ART THAT IS DIRECTED TO THE SAME FIELD OF ENDEAVOR GUPTA TEACHES wherein the operations further comprise:
 detecting an absence of potentially malicious activity for a time period after disabling the speculatively executing the application code – Gupta [0074] The method 192 inserts 509 instructions to monitor the data cache of the speculative execution engine. Using the monitoring instructions, the method 192 applies a read time stamp technique to check the actions of the potential attacker process. … The method 192 maintains 511 a count of such reads of a cache line by the identified process. If the count exceeds a threshold, the method 192 takes 512 a protective action, such as terminates the attacker process, moves the attacker process to a quarantine area.  Here, the claimed ‘detecting’ is taught by Gupta as ‘exceeds a threshold’ which is the trigger for the detecting during monitoring of the cache reads.  The claimed ‘absence’ is taught by Gupta as ‘identified process’ which has not reached a threshold and therefore indicates the absence of malicious activity.   The claimed ‘potentially malicious activity’ is taught by Gupta as ‘potential attacker process’ whereas the claimed ‘time period’ is taught by Gupta as ‘read time stamp’ whereby the stamp indicates the time period); and
 restarting the speculatively executing of the application code in response to detecting the absence of potentially malicious activity – Gupta [0074] … restores a valid copy of the process file, load one or more patches to remedy the process file, and report the process as malicious to the user.  Here, the claimed ‘restarting’ is taught by Gupta as ‘restore copy of process file’ which allows the speculative execution for subsequent potential activity to continue.  It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify Clifton’s scanner with Gupta’s timer establishing a window for starting and stopping speculative execution.  Clifton is silent on implementing a time period for detecting the absence of malicious code.  Gupta provides such a feature, thereby providing an additional filter for Clifton’s scanner in certifying the absence of malicious code.  Certifying the absence of malicious code can enhance processing by downstream providers if Clifton certifies the build at the earliest possible stage of execution).

As to claim 31, Clifton teaches the method of claim 28.  CLIFTON DOES NOT TEACH wherein the operations further comprise:
 detecting an absence of potentially malicious activity for a time period after disabling the speculatively executing the application code
restarting the speculatively executing of the application code in response to detecting the absence of potentially malicious activity HOWEVER IN AN ANALOGOUS ART THAT IS DIRECTED TO THE SAME FIELD OF ENDEAVOR GUPTA TEACHES wherein the operations further comprise:
 detecting an absence of potentially malicious activity for a time period after disabling the speculatively executing the application code – Gupta [0074] The method 192 inserts 509 instructions to monitor the data cache of the speculative execution engine. Using the monitoring instructions, the method 192 applies a read time stamp technique to check the actions of the potential attacker process. … The method 192 maintains 511 a count of such reads of a cache line by the identified process. If the count exceeds a threshold, the method 192 takes 512 a protective action, such as terminates the attacker process, moves the attacker process to a quarantine area.  Here, the claimed ‘detecting’ is taught by Gupta as ‘exceeds a threshold’ which is the trigger for the detecting during monitoring of the cache reads.  The claimed ‘absence’ is taught by Gupta as ‘identified process’ which has not reached a threshold and therefore indicates the absence of malicious activity.   The claimed ‘potentially malicious activity’ is taught by Gupta as ‘potential attacker process’ whereas the claimed ‘time period’ is taught by Gupta as ‘read time stamp’ whereby the stamp indicates the time period); and
 restarting the speculatively executing of the application code in response to detecting the absence of potentially malicious activity – Gupta [0074] … restores a valid copy of the process file, load one or more patches to remedy the process file, and report the process as malicious to the user.  Here, the claimed ‘restarting’ is taught by Gupta as ‘restore copy of process file’ which allows the speculative execution for subsequent potential activity to continue.  The considerations for modifying Clifton’s scanner with Gupta’s timer in claim 26 apply here in claim 31).

As to claim 34, Clifton teaches the computer program product of claim 10. CLIFTON DOES NOT TEACH   
determining whether a processed command in one of the speculatively executed conditional branches comprises a system call, and
executing trap code to allocate a trap address range mapping to an invalid physical location in response to determining that the processed command comprises a system call, HOWEVER IN AN ANALOGOUS ART THAT IS DIRECTED TO THE SAME FIELD OF ENDEAVOR GUPTA TEACHES
determining whether a processed command in one of the speculatively executed conditional branches comprises a system call - Gupta [0087] Through the monitoring instructions, the method 193 changes 523 the indirect branch instructions (JMP instructions) to direct branch instructions (CALL instructions).  Here, the claimed ‘determining’ is taught by Gupta as ‘through the monitoring instructions’ which is how the scanner determines whereas the claimed ‘processed command’ is taught by Gupta as ‘JMP instructions’ because the operations were commanded to an indirect branch but is now being redirected to a direct branching operation whereas the claimed ‘system call’ is taught by Gupta at least as ‘direct branch instructions’); and
executing trap code to allocate a trap address range mapping to an invalid physical location in response to determining that the processed command comprises a system call – Gupta [0128] the method 195 dynamically insert 543 a RSB stuffing sequence (e.g., address of a benign delay gadget/instruction) into the RSB (e.g., in the application code) to mitigate the return stack buffer from becoming empty.  Here, the claimed ‘trap code’ is taught by Gupta as ‘RSB stuffing sequence’ because it is fake, having benign instructions, whereas the claimed ‘physical location’ is taught by Gupta as ‘e.g., address of a … gadget’.  It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify Clifton’s scanner to identify and map system calls to a trapped address range.  Clifton does not provide trap address ranges.  Gupta’s trap address ranges can capture Clifton’s system calls, thereby increasing the efficiency of debugging code, which improves security).

As to claim 35, the combination of Clifton and Gupta teaches the computer program product of claim 34, wherein during the speculatively executing the application code, performing:
 executing the processed command after executing the trap code to continue the speculatively executing the application code – Gupta [0129] Using the monitoring instructions, the method 195 further monitors 544 if the RSB becomes empty (and the application will be resorting to the Indirect Branch Predictor).  Here, the claimed ‘processed command’ is taught by Gupta as ‘Indirect Branch’ where an indirect branch is the next command after the buffer becomes empty.  The claimed ‘after executing’ is taught by Gupta as ‘further monitors’ since at method step 543 code injection was performed.  It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify Clifton’s scanner logic to continue speculative execution of the application code by executing the processed command after executing the trap code.  Clifton does not explicitly teach the use of trap codes in his speculative execution, but Gupta provides trap codes and the logic to continue speculative execution, which makes for increased efficiency in data protection).

As to claim 36, Clifton teaches the system of claim 24.  CLIFTON DOES NOT TEACH wherein parameters and information from the speculatively executed conditional branches are available to an application process when the application processes reaches a point in the application code that was speculatively executed, HOWEVER IN AN ANALOGOUS ART THAT IS DIRECTED TO THE SAME FIELD OF ENDEAVOR GUPTA TEACHES wherein parameters and information from the speculatively executed conditional branches are available to an application process when the application processes reaches a point in the application code that was speculatively executed - Gupta [0128] The method 195 inserts monitoring instructions between the application space and CPU 541. Using the monitoring instructions, as the application executes, the method 195 identifies 542 a condition indicative of the vulnerability of the return stack buffer being attacked by an attacker process.  Here, the claimed ‘parameters and information’ is taught by Gupta as ‘monitoring instructions’ whereas the claimed ‘conditional branches’ is taught by Gupta as ‘return stack buffer’ as each buffer is associated or branched to memory.  The claimed ‘point’ is taught by Gupta as ‘indicative of the vulnerability’ as the objective of execution is to look ahead for malicious code.  It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify Clifton to consult metadata at the time of the conditional branch.  Clifton does not include branch or execution point decision support but Gupta provides the ability to consult metadata at the branch or other execution point in the path thereby allowing Clifton to consult up to date information thereby increasing operational security).

As to claim 38, Clifton teaches the system of claim 24.  CLIFTON DOES NOT TEACH wherein during the speculatively executing the application code, performing:
determining whether a processed command in one of the conditional branches comprises a system call;
            executing trap code to allocate a trap address range mapping to an invalid physical location in response to determining that the processed command comprises a system call HOWEVER IN AN ANALOGOUS ART THAT IS DIRECTED TO THE SAME FIELD OF ENDEAVOR GUPTA TEACHES
wherein during the speculatively executing the application code, performing:
determining whether a processed command in one of the conditional branches comprises a system call - Gupta [0087] Through the monitoring instructions, the method 193 changes 523 the indirect branch instructions (JMP instructions) to direct branch instructions (CALL instructions).  Here, the claimed ‘processed command’ is taught by Gupta as ‘indirect branch instruction’ because the operations were commanded to an indirect branch but is now being redirected to a direct branching operation whereas the claimed ‘system call’ is taught by Gupta at least as ‘JMP’); and
executing trap code to allocate a trap address range mapping to an invalid physical location in response to determining that the processed command comprises a system call – Gupta [0128] the method 195 dynamically insert 543 a RSB stuffing sequence (e.g., address of a benign delay gadget/instruction) into the RSB (e.g., in the application code) to mitigate the return stack buffer from becoming empty.  Here, the claimed ‘trap code’ is taught by Gupta as ‘RSB stuffing sequence’ because it is fake, having benign instructions, whereas the claimed ‘physical location’ is taught by Gupta as ‘e.g., address of a … gadget’.  The considerations for combining Clifton with Gupta in claim 36 apply here in claim 38).

As to claim 39, the combination of Clifton and Gupta teaches the system of claim 38, wherein during the speculatively executing the application code, performing:
executing the processed command after executing the trap code to continue the speculatively executing the application code – Gupta [0129] Using the monitoring instructions, the method 195 further monitors 544 if the RSB becomes empty (and the application will be resorting to the Indirect Branch Predictor).  Here, the claimed ‘after executing’ is taught by Gupta as ‘further monitors’ since at method step 543 code injection was performed. The considerations for combining Clifton with Gupta in claim 35 apply here in claim 39).

As to claim 40, Clifton teaches the method of claim 28.  CLIFTON DOES NOT TEACH further comprising:
injecting trap code into a path of the conditional branches to speculatively execute 
wherein the trap code when executed allocates trap addresses or trap data for access by a malicious program HOWEVER IN AN ANALOGOUS ART GUPTA TEACHES 
further comprising:
injecting trap code into a path of the conditional branches to speculatively execute – Gupta [0120] … In response, through the monitoring instructions, the method 195 dynamically insert 543 a RSB stuffing sequence (e.g., address of a benign delay gadget/instruction) into the RSB (e.g., in the application code) to mitigate the return stack buffer from becoming empty), wherein the trap code when executed allocates trap addresses or trap data for access by a malicious program – Gupta [0121] If the return stack buffer becomes empty, the method 195 takes 545 a protective action, such as terminates the attacker process, moves the attacker process to a quarantine area, restores a valid copy of the process file, load one or more patches to remedy the process file, and report the process as malicious to the user. The considerations for combining Clifton with Gupta in claim 26 apply here in claim 40).

As to claim 41, Clifton teaches the method of claim 28.  CLIFTON DOES NOT TEACH wherein during the speculatively executing the application code, further performing:
determining whether a processed command in one of the speculatively executed conditional branches comprises a system call
executing trap code to allocate a trap address range mapping to an invalid physical location in response to determining that the processed command comprises a system call, HOWEVER IN AN ANALOGOUS ART GUPTA TEACHES 
 wherein during the speculatively executing the application code, further performing:
determining whether a processed command in one of the speculatively executed conditional branches comprises a system call - Gupta [0087] Through the monitoring instructions, the method 193 changes 523 the indirect branch instructions (JMP instructions) to direct branch instructions (CALL instructions).  Here, the claimed ‘processed command’ is taught by Gupta as ‘indirect branch instruction’ because the operations were commanded to an indirect branch but is now being redirected to a direct branching operation whereas the claimed ‘system call’ is taught by Gupta at least as ‘JMP’); and
executing trap code to allocate a trap address range mapping to an invalid physical location in response to determining that the processed command comprises a system call – Gupta [0128] the method 195 dynamically insert 543 a RSB stuffing sequence (e.g., address of a benign delay gadget/instruction) into the RSB (e.g., in the application code) to mitigate the return stack buffer from becoming empty.  Here, the claimed ‘trap code’ is taught by Gupta as ‘RSB stuffing sequence’ because it is fake, having benign instructions, whereas the claimed ‘physical location’ is taught by Gupta as ‘e.g., address of a … gadget’. The considerations for combining Clifton with Gupta in claim 36 apply here in claim 41).
 
As to claim 42, the combination of Clifton and Gupta teaches the method of claim 41, wherein during the speculatively executing the application code, further performing: 
executing the processed command after executing the trap code to continue the speculatively executing the application code – Gupta [0129] Using the monitoring instructions, the method 195 further monitors 544 if the RSB becomes empty (and the application will be resorting to the Indirect Branch Predictor).  Here, the claimed ‘after executing’ is taught by Gupta as ‘further monitors’ since at method step 543 code injection was performed. The considerations for combining Clifton with Gupta in claim 26 apply here in claim 42).
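For readers following the claim mappings above, the following Python is an added illustration of how the claimed elements fit together as a mechanism; it is not text from this office action and not code from Clifton, Kapoor or Gupta. It models a monitor that speculatively executes both arms of each conditional branch a few instructions ahead (claims 28, 30), runs trap code when a speculative path reaches a system call so that a trap address range mapped to no valid physical location is allocated (claims 34, 38, 41), reports any access into that range as potentially malicious and disables speculation (claim 29), then restarts speculation after a quiet period with no further alerts (claims 13, 26, 31). The instruction format, the addresses, the window depth and the quiet period are assumptions chosen for the example.

```python
"""Toy model of trap-range detection around speculatively executed branches.

Added illustration only. Instruction tuples, addresses, WINDOW and QUIET_TICKS
are assumptions for the example and do not come from the references.
"""
from dataclasses import dataclass, field

TRAP_BASE = 0xDEAD0000   # assumed start of the region trap code hands out
TRAP_SIZE = 0x1000       # assumed size of each allocated trap range
WINDOW = 4               # assumed speculation depth per branch arm
QUIET_TICKS = 3          # assumed alert-free ticks before speculation restarts


@dataclass
class Monitor:
    trap_ranges: list = field(default_factory=list)   # (lo, hi) pairs
    alerts: list = field(default_factory=list)        # (pc, addr, speculative)
    speculation_enabled: bool = True
    quiet: int = 0
    restarts: int = 0
    next_trap: int = TRAP_BASE

    def trap_code(self) -> tuple:
        """Allocate a trap address range; no legitimate data lives there."""
        rng = (self.next_trap, self.next_trap + TRAP_SIZE)
        self.trap_ranges.append(rng)
        self.next_trap += TRAP_SIZE
        return rng

    def translate(self, addr: int):
        """Address lookup: trap ranges map to an invalid physical location."""
        if any(lo <= addr < hi for lo, hi in self.trap_ranges):
            return None
        return addr   # identity mapping is enough for the toy

    def access(self, pc: int, addr: int, speculative: bool) -> bool:
        """Memory access hook; a hit on a trap range is potentially malicious."""
        if self.translate(addr) is None:
            self.alerts.append((pc, addr, speculative))
            self.speculation_enabled = False   # disable speculative executing
            self.quiet = 0
            return True
        return False

    def speculate(self, program: list, start: int) -> None:
        """Run up to WINDOW instructions from `start` without committing them."""
        pc = start
        for _ in range(WINDOW):
            if pc >= len(program) or not self.speculation_enabled:
                return
            op = program[pc]
            if op[0] == "syscall":
                self.trap_code()            # system call seen ahead: lay the trap
            elif op[0] in ("load", "store"):
                self.access(pc, op[1], speculative=True)
            elif op[0] == "branch":
                return                      # nested speculation is out of scope
            pc += 1

    def run(self, program: list, taken: dict) -> dict:
        """Architectural execution; `taken` holds each branch's resolved outcome."""
        pc = 0
        while pc < len(program):
            op = program[pc]
            if op[0] == "branch":
                if self.speculation_enabled:
                    self.speculate(program, pc + 1)    # not-taken arm
                    self.speculate(program, op[1])     # taken arm
                pc = op[1] if taken[pc] else pc + 1
                continue
            before = len(self.alerts)
            if op[0] in ("load", "store"):
                self.access(pc, op[1], speculative=False)
            # The real syscall runs here without re-laying the trap: the trap
            # code already ran when speculation saw the call coming.
            if not self.speculation_enabled:
                if len(self.alerts) == before:
                    self.quiet += 1         # an alert-free tick
                if self.quiet >= QUIET_TICKS:
                    self.speculation_enabled = True    # restart speculating
                    self.restarts += 1
            pc += 1
        return {"alerts": list(self.alerts), "trap_ranges": list(self.trap_ranges),
                "restarts": self.restarts,
                "speculation_enabled": self.speculation_enabled}


# Constructed sample program: one branch, a syscall on the fall-through arm,
# and a probe that lands inside the range the trap code allocates.
PROGRAM = [
    ("branch", 4),               # 0: arms start at 1 (not taken) and 4 (taken)
    ("syscall", "open"),         # 1: trap code runs when speculation sees this
    ("load", 0x2000),            # 2: ordinary access, no alert
    ("nop",),                    # 3
    ("load", TRAP_BASE + 0x10),  # 4: probe into the trap range -> alert
    ("nop",), ("nop",), ("nop",), ("nop",),   # 5-8: quiet ticks
    ("store", 0x3000),           # 9: ordinary access after restart
]
TAKEN = {0: False}


def demo() -> dict:
    return Monitor().run(PROGRAM, TAKEN)


if __name__ == "__main__":
    print(demo())
```

Running it, the speculative look-ahead catches the probe at instruction 4 before the program reaches it architecturally, speculation is disabled, and after three alert-free ticks it is re-enabled; the same probe then fires a second, architectural alert, which is the behaviour the mapped claims describe for detection, disabling and restart.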

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to WILLIAM B. JONES whose telephone number is (571) 272-9637.  The examiner can normally be reached on Mon - Fri., 7:00 a.m. to 3:00 p.m.  If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Ashok Patel can be reached on 571-272-3972.  The fax phone number for the organization where this application or proceeding is assigned is 571-272-3900.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
 /WILLIAM B JONES/Examiner, Art Unit 2491, 07/30/2022