DETAILED ACTION
This office action is in response to the correspondence filed on 09/29/2020. This application is a continuation or CIP of various applications that have provisional applications with earliest filing date of 05/15/2014. Claims 5-6, 20, 25-26, 30-43, and 60 are pending and are examined.

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . 

Priority
Applicant's claim for the benefit of a prior-filed application under 35 U.S.C. 119(e) or under 35 U.S.C. 120, 121, 365(c), or 386(c) is acknowledged. 


Information Disclosure Statement
The information disclosure statement (IDS) was submitted on 07/27/2021 and 02/25/2022. The submission is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.
The information disclosure statement filed 07/27/2021 fails to comply with 37 CFR 1.98(a)(2), which requires a legible copy of each cited foreign patent document; each non-patent literature publication or that portion which caused it to be listed; and all other information or that portion which caused it to be listed.  It has been placed in the application file, but the information referred to therein has not been considered. Please see strikethrough items of NPL listing of 8-9, 12-13, and 15.

Claim Objections
Claim 5 is objected to because of the following informalities:
Claim 5, “in time and/or space from eact1 other” should read “in time and/or space from [[eact1-]]each other”.
Claim 25, “CPU” should be spelled out before acronym is used the first time in a claim set even if it is a commonly known term.
Claim 42, “CPU/ABI” should be spelled out before acronym is used the first time in a claim set.
Appropriate correction is required.


Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA  as explained in MPEP § 2159.  See MPEP §§ 706.02(l)(1) - 706.02(l)(3) for applications not subject to examination under the first inventor to file provisions of the AIA . A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b). 
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA /25, or PTO/AIA /26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.

Claim 5, and/or claims 6, 25, 31-33, 41-42, 60 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-70 of U.S. Patent No. US 10671727 B2 (instant claim 5), over claims 1-20 of U.S. Patent No. US 9940174 B2 (instant claims 5, 25, 32-33, and 42), over claims 1-20 of U.S. Patent No. US 10051008 B2 (instant claims 5, 32-33, and 42), over claims 1-41 of U.S. Patent No. US 10095538 B2 (instant claims 5, 25, 31-33), over claims 1-28 of U.S. Patent No. US 10789105 B2 (instant claims 5 and 60), over claims 1-27 of U.S. Patent No. US 9607151 B2 (instant claim 5), over claims 1-29 of U.S. Patent No. US 8745745 B2 (instant claims 5-6, 32, and 41), over claims 1-19 of U.S. Patent No. US 9218489 B2 (instant claim 5), over claims 31-60 of U.S. Patent No. US 9390267 B2 (instant claims 5-6), over claims 19-25 of U.S. Patent No. US 9213840 B2 (instant claim 5), and over claims 5-25 of U.S. Patent No. US 9203855 B2 (instant claims 5-6). Although the claims at issue are not identical, they are not patentably distinct from each other because the claims in the instant application are anticipated by the patented claims. The claims in the instant application are essentially the same while broader in scope than the ones in the issued patents. The instant application has the basic elements of separation kernel hypervisor and isolated domains in time and/or space while the issued patents have the same basic elements and additional features as seen in the examples below comparing claim 5 of the instant application and various claims of the issued patents. Please note this might not be an exhaustive list due to the large numbers of related patents.

Instant Application
U.S. Patent No. 11316876 B2
5. (original) A method for processing information securely, the method comprising:
partitioning hardware platform resources via a separation kernel hypervisor into a plurality of guest operating system virtual machine protection domains each including a virtual machine; and
isolating and/or securing the domains in time and/or space from each other.
1. A method of processing information involving a separation kernel hypervisor, the method comprising:
partitioning hardware platform resources via a separation kernel hypervisor into a plurality of guest operating system virtual machine protection domains;
isolating the domains in time and space from each other;
hosting the plurality of guest operating system virtual machine protection domains by the separation kernel hypervisor;
providing a dedicated virtualization assistance layer (VAL) including a virtual representation of the hardware platform in each of the guest operating system virtual machine protection domains such that the dedicated VAL security processing is not performed in the separation kernel hypervisor;
hosting at least one suspect code defense mechanism that executes within the virtual hardware platform in each of the plurality of guest operating system virtual machine protection domains via the separation kernel hypervisor;
triggering entry into the separation kernel hypervisor upon execution of code involving a Master Boot Record (MBR) access attempt in a suspect guest operating system;
transitioning execution of the access attempt from the separation kernel hypervisor to the dedicated virtualization assistance layer in a manner isolated from the suspect guest operating system;
transitioning execution of the access attempt from the dedicated virtualization assistance layer to a suspect code defense mechanism;
analyzing by the suspect code defense mechanism behavior of the suspect guest operating system and determining a policy decision;
passing the policy decision and transitioning execution of the access attempt from the suspect code defense mechanism to the dedicated virtualization assistance layer; and
passing the policy decision and transitioning execution of the access attempt from the dedicated virtualization assistance layer to the separation kernel hypervisor, wherein the separation kernel hypervisor performs enforcement or executes an action based on the policy decision.


Instant Application
U.S. Patent No. 9940174 B2
5. (original) A method for processing information securely, the method comprising:
partitioning hardware platform resources via a separation kernel hypervisor into a plurality of guest operating system virtual machine protection domains each including a virtual machine; and
isolating and/or securing the domains in time and/or space from each other.
1. A method for processing information securely, the method comprising:
partitioning hardware platform resources via a separation kernel hypervisor into a plurality of guest operating system virtual machine protection domains each including a virtual machine;
providing a virtualization assistance layer (VAL) in each of the protection domains;
isolating and/or securing the domains in time and/or space from each other;
hosting a map mechanism to unmap specified pages on demand from another guest;
processing an unmapped page exception taken by the virtual machine;
mapping the previously unmapped page;
sending a notification of memory access and associated context information to a requesting guest, wherein the virtual machine comprises a virtual motherboard including a virtual CPU and memory;
allowing the virtual machine to execute a single instruction;
returning control to the VAL;
mapping the page as inaccessible again; and
returning control to the virtual machine.


Instant Application
U.S. Patent No. 10051008 B2
5. (original) A method for processing information securely, the method comprising:
partitioning hardware platform resources via a separation kernel hypervisor into a plurality of guest operating system virtual machine protection domains each including a virtual machine; and
isolating and/or securing the domains in time and/or space from each other.
1. A method for processing information securely, the method comprising:
partitioning hardware platform resources via a separation kernel hypervisor into a plurality of guest operating system virtual machine protection domains each including a virtual machine;
isolating and/or securing the domains in time and/or space from each other;
providing a virtualization assistance layer (VAL) including a virtual representation of the hardware platform in each of the guest operating system virtual machine protection domains such that the VAL is not directly accessible by an authorized guest;
performing processing associated with at least one detection mechanism, each which may be different from each other, that executes within one or more of the plurality of guest operating system virtual machine protection domains via the separation kernel hypervisor;
implementing at least one routine and/or component to prohibit the guest operating system virtual machine protection domains from tampering with, corrupting, and/or bypassing the detection mechanism;
executing the detection mechanism while preventing interference corruption, tampering, and/or bypassing by the plurality of guest operating system virtual machine protection domains;
providing a list of memory locations of an authorized guest to another guest;
associating each of a plurality of physical memory locations with a respective specification of execution context information upon access to the each of the plurality of physical memory locations; and
providing the execution context information to the another guest.


Instant Application
U.S. Patent No. 10095538 B2
5. (original) A method for processing information securely, the method comprising:
partitioning hardware platform resources via a separation kernel hypervisor into a plurality of guest operating system virtual machine protection domains each including a virtual machine; and
isolating and/or securing the domains in time and/or space from each other.
1. A method for processing information securely, the method comprising:
partitioning hardware platform resources via a separation kernel hypervisor into a plurality of guest operating system virtual machine protection domains;
isolating the domains in time and space from each other;
providing a list of memory locations of an authorized guest to another guest;
providing a message of the authorized guest to the another guest;
providing a virtualization assistance layer (VAL) including a virtual representation of the hardware platform in each of the guest operating system virtual machine protection domains such that the VAL is not directly accessible by the authorized guest;
hosting a mechanism to unmap specified pages on demand from another guest;
processing an unmapped page exception taken by the virtual machine;
mapping the previously unmapped page;
sending a notification of memory access and associated context information to a requesting guest, wherein the virtual machine comprises a virtual motherboard including a virtual CPU and memory by the VAL;
allowing the virtual machine to execute a single instruction;
returning control to the VAL;
mapping the page as inaccessible again; and
returning control to the virtual machine.


Instant Application
U.S. Patent No. 10789105 B2
5. (original) A method for processing information securely, the method comprising:
partitioning hardware platform resources via a separation kernel hypervisor into a plurality of guest operating system virtual machine protection domains each including a virtual machine; and
isolating and/or securing the domains in time and/or space from each other.
1. A method for processing information securely, the method comprising:
partitioning hardware platform resources via a separation kernel hypervisor into a plurality of guest operating system virtual machine protection domains each including a virtual machine; and
isolating the domains in time and/or space from each other;
hosting a mechanism to unmap specified pages on demand from another guest;
processing an unmapped page exception taken by the virtual machine;
mapping an unmapped page previously processed by the virtual machine;
sending a notification of memory access and associated context information to a requesting guest, wherein the virtual machine comprises a virtual motherboard including a virtual CPU and memory by a virtualized assistance layer (VAL);
allowing the virtual machine to execute a single instruction;
returning control to the VAL;
mapping the unmapped page as inaccessible again; and
returning control to the virtual machine.


Instant Application
U.S. Patent No. 9607151 B2
5. (original) A method for processing information securely, the method comprising:
partitioning hardware platform resources via a separation kernel hypervisor into a plurality of guest operating system virtual machine protection domains each including a virtual machine; and
isolating and/or securing the domains in time and/or space from each other.
1. A method of processing information involving a separation kernel hypervisor, the method comprising:
partitioning hardware platform resources via a separation kernel hypervisor into a plurality of guest operating system virtual machine protection domains; isolating the domains in time and space from each other;
hosting the plurality of quest operating system virtual machine protection domains by the separation kernel hypervisor;
providing a dedicated virtualization assistance layer (VAL) including a virtual representation of the hardware platform in each of the quest operating system virtual machine protection domains such that the dedicated VAL security processing is not performed in the separation kernel hypervisor;
hosting at least one malicious code defense mechanism that executes within the virtual hardware platform in each of the plurality of quest operating system virtual machine protection domains via the separation kernel hypervisor;
triggering entry into the separation kernel hypervisor upon execution of code involving an I/O port access attempt in a suspect guest operating system;
transitioning execution of the access attempt from the separation kernel hypervisor to the virtualization assistance layer in a manner isolated from the suspect guest operating system;
transitioning execution of the access attempt from the virtualization assistance layer to a malicious code defense mechanism;
analyzing by the malicious code defense mechanism behavior of the suspect guest operating system and determining a policy decision;
passing the policy decision and transitioning execution of the access attempt from the malicious code defense mechanism to the virtualization assistance layer; and
passing the policy decision and transitioning execution of the access attempt from the virtualization assistance layer to the separation kernel hypervisor, wherein the separation kernel hypervisor performs enforcement or executes an action based on the policy decision.


Instant Application
U.S. Patent No. 8745745 B2
5. (original) A method for processing information securely, the method comprising:
partitioning hardware platform resources via a separation kernel hypervisor into a plurality of guest operating system virtual machine protection domains each including a virtual machine; and
isolating and/or securing the domains in time and/or space from each other.
1. A method for processing information securely, the method comprising: partitioning hardware platform resources via a separation kernel hypervisor into a plurality of guest operating system virtual machine protection domains;
isolating the domains in time and space from each other;
hosting the plurality of guest operating system virtual machine protection domains by the separation kernel hypervisor;
providing a dedicated virtualization assistance layer (VAL) including a virtual representation of the hardware platform in each of the guest operating system virtual machine protection domains such that the dedicated VAL security processing is not performed in the separation kernel hypervisor;
hosting at least one rootkit defense mechanism that executes within the virtual hardware platform in each of the plurality of guest operating system virtual machine protection domains via the separation kernel hypervisor;
upon detection of suspect behavior, securely transition execution to the rootkit defense mechanism within the VAL in a manner isolated from the guest operating system;
securely determining, via the rootkit defense mechanism, a policy decision regarding the suspect behavior; and
transitioning execution back to the separation kernel hypervisor to continue processing regarding enforcement of or taking action in connection with the policy decision.


Instant Application
U.S. Patent No. 9218489 B2
5. (original) A method for processing information securely, the method comprising:
partitioning hardware platform resources via a separation kernel hypervisor into a plurality of guest operating system virtual machine protection domains each including a virtual machine; and
isolating and/or securing the domains in time and/or space from each other.
1. A method for processing information securely, the method comprising:
partitioning hardware platform resources via a separation kernel hypervisor into a plurality of guest operating system virtual machine protection domains; and
isolating the domains in time and/or space from each other; hosting the plurality of quest operating system virtual machine protection domains by the separation kernel hypervisor;
providing a dedicated virtualization assistance layer (VAL) including a virtual representation of the hardware platform in each of the quest operating system virtual machine protection domains such that the dedicated VAL security processing is not performed in the separation kernel hypervisor;
hosting at least one malicious code defense mechanism that executes within the virtual hardware platform in each of the plurality of quest operating system virtual machine protection domains via the separation kernel hypervisor:
upon detection of a disk sector access attempt, securely transition execution to the malicious code defense mechanism within the VAL in a manner isolated from the quest operating system;
securely determining, via the malicious code defense mechanism, a policy decision regarding the disk sector access attempt: and
transitioning execution back to the separation kernel hypervisor to continue processing regarding enforcement of or taking action in connection with the policy decision.


Instant Application
U.S. Patent No. 9390267 B2
5. (original) A method for processing information securely, the method comprising:
partitioning hardware platform resources via a separation kernel hypervisor into a plurality of guest operating system virtual machine protection domains each including a virtual machine; and
isolating and/or securing the domains in time and/or space from each other.
31. A method for processing information securely, the method comprising:
partitioning hardware platform resources via a separation kernel hypervisor into a plurality of guest operating system virtual machine protection domains;
isolating the domains in time and space from each other;
providing a list of memory locations of an authorized guest to another guest;
providing a message of the authorized guest to the another guest;
providing a virtualization assistance layer (VAL) including a virtual representation of the hardware platform in each of the guest operating system virtual machine protection domains such that the VAL is not directly accessible by the authorized guest, wherein the virtual representation of the hardware platform is a virtual machine comprising a virtual motherboard including a virtual CPU and memory by the VAL;
hosting a mechanism to unmap specified pages on demand from the another guest;
processing an unmapped page exception taken by the virtual machine;
pausing an execution of the virtual machine;
injecting a page-not-found exception into the virtual machine; and
sending a notification of memory access and associated context information to a requesting guest.


Instant Application
U.S. Patent No. 9213840 B2
5. (original) A method for processing information securely, the method comprising:
partitioning hardware platform resources via a separation kernel hypervisor into a plurality of guest operating system virtual machine protection domains each including a virtual machine; and
isolating and/or securing the domains in time and/or space from each other.
19. A method for processing information securely, the method comprising:
partitioning hardware platform resources via a separation kernel hypervisor into a plurality of guest operating system virtual machine protection domains;
isolating the domains in time and space from each other;
providing a list of specified interfaces or memory locations of an authorized guest to another guest;
associating each of a plurality of physical memory locations with a respective specification of execution context information upon access to the each of the plurality of physical memory locations;
providing a message of the specification to the another guest; and
providing a virtualization assistance layer (VAL) including a virtual representation of the hardware platform in each of the guest operating system virtual machine protection domains such that the VAL is not directly accessible by the authorized guest.
20. The method of claim 19 wherein the virtual representation of the hardware platform is a virtual machine comprising a virtual motherboard including a virtual CPU and memory by the VAL.
21. The method of claim 20 further comprising;
hosting a mechanism to copy the contents of the physical memory address into a private memory location;
hosting a mechanism to overwrite the address with an instruction that will trap into the separation kernel hypervisor;
processing exceptions due to execution attempts of the overwritten address by the associated virtual machine;
hosting another mechanism to determine whether the physical memory locations are accessed;
pausing or resuming execution of the virtual machine;
replacing the over written instruction with the stored copy;
allowing the virtual machine to execute the original instruction;
trapping back into the virtualization assistance layer;
overwriting the original instruction with the trapping instruction; and
sending a notification of the interface or memory access and the specification to a requesting guest.
22. The method of claim 19 further comprising:
hosting a mechanism to map physical memory pages as non-executable;
processing exceptions to non-executable page execution attempts by the associated virtual machine;
hosting another mechanism to determine whether the physical memory locations are accessed;
pausing or resuming execution of the virtual machine; and
sending a notification of memory access and the specification to a requesting guest.
23. The method of claim 19 further comprising one or more of:
providing execution context associated with access to one of the specified interfaces or memory locations to the another guest.
24. The method of claim 19, further comprising:
implementing a mechanism wherein execution context associated with access to one of the specified interfaces or memory locations is configured to be sent to at least one other guest.
25. The method of claim 19 further comprising one or both of:
implementing a VAL such that the VAL is configured to send a notification regarding access to one of the specified interfaces or memory locations and context information associated with the one of the specified interfaces or memory locations to a requesting guest; and
implementing the VAL such that the VAL implements a mechanism to receive context information regarding access to one of the specified interfaces or memory locations from a requesting guest.


Instant Application
U.S. Patent No. 9203855 B2
5. (original) A method for processing information securely, the method comprising:
partitioning hardware platform resources via a separation kernel hypervisor into a plurality of guest operating system virtual machine protection domains each including a virtual machine; and
isolating and/or securing the domains in time and/or space from each other.
5. A method for processing information securely, the method comprising:
partitioning hardware platform resources via a separation kernel hypervisor into a plurality of guest operating system virtual machine protection domains each including a virtual machine; and
isolating and/or securing the domains in time and/or space from each other;
hosting or processing at least one detection mechanism, each which may be different from each other, that executes within one or more of the plurality of quest operating system virtual machine protection domains via the separation kernel hypervisor;
implementing at least one routine and/or component to prohibit the quest operating system virtual machine protection domains from tampering with, corrupting, and/or bypassing the detection mechanism; and/or
executing the detection mechanism while preventing interference, bypassing, corrupting, and/or tampering associated with the plurality of guest operating system virtual machine protection domains;
providing a list of memory locations of an authorized quest to another quest;
associating each of a plurality of physical memory locations with a respective specification of execution context information upon access to the each of the plurality of physical memory locations; and
providing the execution context information to the another quest.



Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.

Claims 26, and 30-43 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor, or for pre-AIA  the applicant regards as the invention. 
Regarding claims 26, it recites that it is dependent upon the method of independent claim 5, yet it refers to ‘the mapping/remapping/unmapping’ which is only recited in dependent claim 25 not independent claim 5. There is insufficient antecedent basis for this limitation in the claim.
Regarding claim 30, it recites that it is dependent upon the method of independent claim 5, but the limitation of “returning control to the VAL” has no context from independent claim 5. Dependent claim 25 already has the same limitation so it is also not narrowing down the dependent claim if it should be dependent on claim 25 instead.
Regarding claims 31, 35-41, and 43, they recite that it is dependent upon the method of independent claim 5, yet it refers to ‘the mechanism” which is not recited before. It’s likely referring to dependent claim 6, but “detection” is deleted from “detection mechanism” also and does not correspond to “the mechanism” referred to here. There is insufficient antecedent basis for this limitation in the claim.
Regarding claim 32, it recites “the loss of security” which is not recited before. It should probably read “a loss of security”. There is insufficient antecedent basis for this limitation in the claim.
Regarding claims 33 and 34, they recite “the virtual hardware platform” which is not recited before. It should likely be defined first in independent claim 5 or dependent claim 33. There is insufficient antecedent basis for this limitation in the claim.
Regarding claims 36 and 39-40, they recite “the guest operating system” which is not recited before. It should likely be defined first in independent claim 5. Only “guest operating system virtual machine protection domains” was defined previously in independent claim 5. There is insufficient antecedent basis for this limitation in the claim.
Regarding claims 42 and 43, they recite “the virtualization assistance layer” which is not recited before. It should probably read “a virtualization assistance layer”. Only “a virtualized assistance layer” was defined previously in dependent claim 25 which is not in the dependency path. There is insufficient antecedent basis for this limitation in the claim.
Regarding claim 32, it recites “the corresponding guest operating system” which is not recited before. It should probably read “a corresponding guest operating system”. There is insufficient antecedent basis for this limitation in the claim.
Appropriate correction is required.
Examiner suggests applicant to review the claim set thoroughly for accuracy.


Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale or otherwise available to the public before the effective filing date of the claimed invention.


(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.
f
Claims 5, 32, and 41 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Day et al. (US Pub No. “Hardware Virtualization puts a new spin on secure System” per IDS submitted on 02/25/2022, referred to as Day).
	Regarding claim 5, Day anticipates,
	5. (original) A method for processing information securely, the method comprising:
partitioning hardware platform resources via a separation kernel hypervisor into a plurality of guest operating system virtual machine protection domains each including a virtual machine; and (See Day, page 3; leveraging Multicore Processors; Software virtualization can be used across single-core processors, but when running larger desktop operating system that are used to having full control of a processor, multicore parts that often also have hardware virtualization support are the best way to maintain near-native performance of all of the secure domains. See also fig 1; separation kernel technology) 
isolating and/or securing the domains in time and/or space from eac[h] other. (See Day, page 1-2; separation kernel technology and fig 1: the separate kernel a technology that provides an underlying real-time platform with multiple secure domains housing software applications that cannot interfere with each other)


	Regarding claim 32, Day anticipates,
32. (previously presented) The method of claim 5, wherein:
the plurality of guest operating system virtual machine protection domains includes corresponding guest operating systems; and (See Day, Page 3, Section: Leveraging Multicore Processors; Software virtualization can be used across single-core processors, but when running larger desktop operating system that are used to having full control of a processor, multicore parts that often also have hardware virtualization support are the best way to maintain near-native performance of all of the secure domains. Also, See Fig. 1 and Page 1, Section: Separation-Kernel technology)
wherein isolating the loss of security in one of the guest operating system virtual machine protection domains to the one lost security domain such that security is not broken in all the domains. (See Day, Page 2-3; the desktop functionality and connection to the outside world can be hosted in another domain, using a more traditional desktop OS like windows or Linux. Any cyber-attacks will be contained to this domain and cannot spread to the critical functions or hamper the performance of the real-time domain.)


	Regarding claim 41, Day anticipates,
41. (currently amended) The method of claim 5, further comprising:
enforcing policy for activities monitored by the mechanism within the guest operating system virtual machine protection domain. Day, page 1-2; separation kernel technology and fig 1: the separation kernel is a technology developed for use in secure military systems that provides an underlying realtime platform with multiple secure domains. This security virtualization system provides security and trust by containing the operating systems and applications from one another and enforcing strict security policies with any desired communication between the domains.)



Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 31, 34, and 38 are rejected under 35 U.S.C. 103 as being unpatentable over Day in view of Freericks et al. (US Pub No. 2009/0288167 A1, referred to as Freericks).
Regarding claim 31, Day discloses,
31. (currently amended) The method of claim 5, further comprising one or more of:
Day does not explicitly disclose, however Freericks teaches,
implementing at least one routine and/or component to prohibit the guest operating systems from tampering with, corrupting, and/or bypassing the mechanism; and executing the mechanism while preventing interference and/or bypass, corruption, and/or tampering by the plurality of guest operating systems. (Freericks et al. discloses a virtualization environment security module enhances the security of the virtualization environment and the guest operating system 118 and 120. The virtualization environment security module enhances security by communicating security information between itself and the guest operating system security module 122 and 124 (See Paragraph 0047. Also, see paragraphs 0044 and 0063). As well, Freericks et al. discloses the virtualization environment security module may alert other guest operating system... or terminate the guest OS executing the malware (See Paragraph 0047). Also, Freericks et al. discloses a virtualization environment is protected against tampering by securely monitoring events with a system monitor toolkit (See Paragraph 0010).) 
It would have been obvious to one ordinary skill in the art before the effective filing date of the claimed invention to implement the teachings of Freericks into the teachings of Day with a motivation to protect a virtualization environment against malware by providing a guest operating system security module in the guest operating system (Freericks abstract).


Regarding claim 34, Day discloses,
34. (currently amended) The method of claim 5, further comprising:
Day does not explicitly disclose, however Freericks teaches,
detecting in each of the domains their own malicious code as a function of the isolated domains; (Freericks discloses guest operating system security modules 122 and 124 employ methods to identify malware executing in the guest operating system 118 and 120. See Paragraph 0047) or wherein viewing the virtual hardware platform within each domain as separate hardware by a guest such that bypass is prevented. 
It would have been obvious to one ordinary skill in the art before the effective filing date of the claimed invention to implement the teachings of Freericks into the teachings of Day with a motivation to protect a virtualization environment against malware by providing a guest operating system security module in the guest operating system (Freericks abstract).


Regarding claim 38, Day discloses,
38. (currently amended) The method of claim 5, further comprising:
Day does not explicitly disclose, however Freericks teaches,
executing the mechanism while preventing interference, corruption, tampering and/or bypassing by the plurality of guest operating system virtual machine protection domains. (Freericks et al. discloses a virtualization environment security module enhances the security of the virtualization environment and the guest operating system 118 and 120. The virtualization environment security module enhances security by communicating security information between itself and the guest operating system security module 122 and 124 (See Paragraph 0047. Also, see paragraphs 0044 and 0063). As well, Freericks et al. discloses the virtualization environment security module may alert other guest operating system... or terminate the guest OS executing the malware (See Paragraph 0047). Also, Freericks et al. discloses a virtualization environment is protected against tampering by securely monitoring events with a system monitor toolkit (See Paragraph 0010).) 
It would have been obvious to one ordinary skill in the art before the effective filing date of the claimed invention to implement the teachings of Freericks into the teachings of Day with a motivation to protect a virtualization environment against malware by providing a guest operating system security module in the guest operating system (Freericks abstract).


Claim 33 is rejected under 35 U.S.C. 103 as being unpatentable over Day in view of McGee et al. (US Pub No. 2009/0254990 A1, referred to as McGee).
Regarding claim 33, Day discloses,
33. (currently amended) The method of claim 5, further comprising:
Day does not explicitly disclose, however McGee teaches,
moving virtualization processing to the virtual hardware platforms within each guest operating system protection domain so that substantially all analysis and security testing is performed within each guest operating system protection domain such that the separation kernel hypervisor is of reduced size and/or complexity. (McGee: [0105], [0112]; packet inspection and filtering is provided by the inspection engine 408 under control of the security agent 406, both of which reside in the pre-configured VM 306-2. In this case, the security-VM 304 configures the associated networking driver 318-2 in a fast-path mode, that is to pass all packet traffic with minimum filtering. By using the fast-path driver 324, higher efficiency may be obtained while the security-VM 304 is still in control and is able to intervene in the event that the pre-configured VM 306-2 is mis-behaving (inspection engine and security agent in the VM so separation kernel hypervisor is less complicated).)
It would have been obvious to one ordinary skill in the art before the effective filing date of the claimed invention to implement the teachings of McGee into the teachings of Day with a motivation to provide intrusion-detection and intrusion-prevention for the virtual machines (VMs) in a virtual server by using inspection engine and security agent reside in the VM (McGee abstract).


Claim 42 is rejected under 35 U.S.C. 103 as being unpatentable over Day in view of Zheng et al. (US Pub No. 2009/0158432 A1, referred to as Zheng).
Regarding claim 42, Day discloses,
42. (currently amended) The method of claim 5, 
Day does not explicitly disclose, however Zheng teaches,
wherein the virtualization assistance layer virtualizes portions of the hardware platform resources including a virtual CPU/ABI, a virtual chipset ABI, a set of virtual devices, a set of physical devices, and firmware exported to the corresponding guest operating system. (Zheng: [0035]; virtualization layer 514 comprises a layer of executable code in the virtualized computer system 500 for managing guest VMs 502a-c and for providing an interface between guest VMs 502a-c and one or more physical resources of the host platform 504 as described above with reference to FIGS. 1A and 1B.)
It would have been obvious to one ordinary skill in the art before the effective filing date of the claimed invention to implement the teachings of Zheng into the teachings of Day with a motivation to allow virtualization process of the platform by using a virtualization layer (Zheng abstract and [0035]).


Claim 60 is rejected under 35 U.S.C. 103 as being unpatentable over Day in view of Osiseket al. (US Patent No. 5,555,385, referred to as Osiseket).
Regarding claim 60, Day discloses,
60. (new) A method for processing information securely, the method comprising:
partitioning hardware platform resources via a separation kernel hypervisor into a plurality of guest operating system virtual machine protection domains; (See Day, page 3; leveraging Multicore Processors; Software virtualization can be used across single-core processors, but when running larger desktop operating system that are used to having full control of a processor, multicore parts that often also have hardware virtualization support are the best way to maintain near-native performance of all of the secure domains. See also fig 1; separation kernel technology)
isolating the domains in time and/or space from each other; (See Day, page 1-2; separation kernel technology and fig 1: the separate kernel a technology that provides an underlying real-time platform with multiple secure domains housing software applications that cannot interfere with each other)
Day does not explicitly disclose, however Osiseket teaches,
sharing a list of memory locations of an authorized guest to another guest; and (Osiseket: P.22; Summary of the Invention; a virtual machine computer system which permits more than one guest/virtual machine to share a single address space (memory locations)  and each control access by its applications to the shared address space. The computer system comprises a host operating system for creating first (authorized guest) and second (another guest) virtual machine guests.) 
hosting a mechanism to control access to specified locations and/or pages from the another guest. (Osiseket: P.22; Summary of the Invention; the first guest responds to a request from a first application executing in the first guest to allocate an address space, by determining at least in part a storage region for the address space. The first guest also responds to a request from the first application to grant shared access by a second application executing in the second guest to the address space, by notifying the host operating system that the second guest or the second application is authorized to access the address space (a mechanism to control access).) 
It would have been obvious to one ordinary skill in the art before the effective filing date of the claimed invention to implement the teachings of Osiseket into the teachings of Day with a motivation to provide an address space allocation process within a virtual machine environment which permits more than one guest/virtual machine to share a single address space and each central access by its applications to the shared address space by using a request mechanism between two guests (Osiseket: Coln. 2, l. 66 - Coln. 3, l. 3).


Allowable Subject Matter
Claims 6-7, 20, 25-26, 35-37, 39-40, and 43 contains allowable subject matter but remain rejected under Obvious Double Patenting (ODP) rejection and/or 112 rejections. It is also objected to as being dependent upon rejected base claims, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims; and the stated rejection(s) are resolved.
The following is an examiner’s statement of reasons for allowance: 
Although prior arts Day, Freericks, McGee, Zheng and Osiseket above disclose all the limitations of the prior claims (see rejections above), none of the prior arts of record alone or in combination discloses providing a list of memory locations of an authorized guest to another guest; and associating each of a plurality of physical memory locations with a respective specification of execution context information upon access to the each of the plurality of physical memory locations; hosting a mechanism to unmap specified pages on demand from another guest; processing an unmapped page exception taken by the virtual machine; mapping an unmapped page previously processed by the virtual machine; passing control and mapping the unmapped page as inaccessible again as described in the claims. 
At the effective filing date of the application, the above limitations would not have been obvious over the prior arts of record. 


Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 
Alladi; Mahadeva et al.	US-PGPUB	US 20120084381 A1	guest operating system is authorized to execute to the virtual machine via the shared region of memory
Tuch; Harvey et al.	US-PGPUB	US 20130185720 A1	hypervisor map and unmap the file at one or more locations in the guest process address space

Any inquiry concerning this communication or earlier communications from the examiner should be directed to KA SHAN CHOY whose telephone number is (571) 272-1569.  The examiner can normally be reached on MON - FRI: 9AM-5:30PM EST Alternate Fridays.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Joseph Hirl can be reached on (571) 272-3685.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/KA SHAN CHOY/Examiner, Art Unit 2435 

/JOSEPH P HIRL/Supervisory Patent Examiner, Art Unit 2435