Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .


DETAILED ACTION

Response to Arguments
	 
Applicant’s arguments filed July 28, 2022 have been fully considered. After further consideration, the prior art of record still reads on Applicant’s claim language.

Applicant asserts the prior art of record does not suggest Applicant’s amended claim language.
In response, The Examiner respectfully disagrees because the prior art of record is relied upon to teach wherein the hardware component interfaces of (reads on the combination of a network interface 47A/47B/47C/47D which is assigned a mandatory access control label, see Clark para 0022, 0030, 0031 and Figure 1 blocks 47a-d and the at least implied internal network interface and external network interface exemplified by the arrows entering and leaving the firewall of Blaich Figure 2, Figure 4 and Figure 5) the network device (reads on the computing device comprising a MAC aware firewall, see Blaich Figure 2, Figure 4, Figure 5, Figure 8, para 0047 and claim 1) include at least one internal network interface to an internal control network (reads on the computing device uses a network interface card to connect to any communication network such as a LAN or WAN, see Clark para 0030 – 0031 and Figure 1) and at least one external network interface to an external network (reads on the computing device uses a network interface card to connect to any communication network such as a LAN or WAN, see Clark para 0030 – 0031 and Figure 1), wherein a first security label is assigned to the at least one internal network interface (reads on MAC sensitivity label information assigned to each network interface where a satisfactory label comparison allows the process to access the network interface card, see Clark para 0022, 0027, claim 1 and claim 2), a second security label is assigned to the at least one external network interface (reads on MAC sensitivity label information assigned to each network interface where a satisfactory label comparison allows the process to access the network interface card, see Clark para 0022, 0027, claim 1 and claim 2), and the first security label and the second security label are different (The Examiner construes this to be a necessary if not obvious limitation of the prior art’s teaching of each network interface being assigned its own label, see Clark par 0022. The Examiner asserts each having its own label at least obviates the need for distinct labels to be different if for no other reason they are distinct).


Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  



Claims 1 – 13 and 15 are rejected under 35 U.S.C. 103 as being unpatentable over Blaich (US Pub. No. 2013/0139244 A1) in view of Clark (US Pub. No. 2001/0023449 A1) in view of Zhang (US Pub. No. 2009/0271844 A1).

Per claim 1, Blaich suggests a method for providing restricted access to (reads on deciding which applications should be allowed to send or receive data from the network, see Blaich para 0017) hardware component interfaces (HWCIs) of (reads on the at least implied internal network interface and external network interface exemplified by the arrows entering and leaving the firewall of Blaich Figure 2, Figure 4 and Figure 5) a network device (1) (reads on the computing device comprising a MAC aware firewall, see Blaich Figure 2, Figure 4, Figure 5, Figure 8, para 0047 and claim 1) by one or more software components (SWCs) of (reads on the exemplary Application A of the applications of the computing device that wants to send or receive data from the network via the appropriate network interface, see Blaich para 0017, 0037 and claim 1) said network device (1) (reads on the computing device comprising a MAC aware firewall, see Blaich Figure 2, Figure 4, Figure 5, Figure 8, para 0047 and claim 1), wherein an access to (reads on applications/processes are allowed to send or receive data from the network using the corresponding network interface after it is determined the application/process has been permitted access to the network interface by comparing the MAC label of the process to the MAC attributes in the rule set, see Blaich para 0017, 0037 and claim 1, 4 and 5) a hardware component interface (HWCI) (reads on the at least implied internal network interface and external network interface exemplified by the arrows entering and leaving the firewall of Blaich Figure 2, Figure 4 and Figure 5) requested by (reads on the application/process desires to send or receive data from the network, see Blaich para 0017, 0037 and claim 1) a software component (SWC) (reads on the exemplary process/Application A of the applications of the computing device that wants to send or receive data from the network via the appropriate network interface, see Blaich para 0017, 0037 and claim 1) is permitted by (reads on is allowed to send or receive data from the network, see Blaich para 0017 and 0037) a mandatory access control, MAC, mechanism implemented as part of (reads on a MAC Aware Firewall that employs a subject-object paradigm for access, wherein the MAC checks the security policy to allow or deny the access, see Blaich Figure 8 block 815, para 0017, 0037 and claim 1) the network device's (1) (reads on the computing device comprising a MAC aware firewall, see Blaich Figure 2, Figure 4, Figure 5, Figure 8, para 0047 and claim 1) operating system (OS) (reads on the MAC Aware Firewall that is part of the OS of the computing device, see Blaich Figure 8 and para 0047) on the basis of a MAC security policy (MAC-SP) (reads on MAC mechanisms that employ security labels in a subject-object paradigm for accesses in which the system determines which subjects have access to what objects in order to perform an operation such as read, write or execute, see Blaich para 0017) characterized in the MAC security policy (MAC-SP) (reads on MAC mechanisms that employ security labels in a subject-object paradigm for accesses in which the system determines which subjects have access to what objects in order to perform an operation such as read, write or execute, see Blaich para 0017) comprising access rights (reads on determines which subjects have access to what objects in order to perform an operation such as read, write or execute, see Blaich para 0017) defined as access relations between (reads on a subject-object paradigm for access where the system determines which subjects have access to what objects in order to perform an operation such as read, write or execute, see Blaich para 0017) software component security labels (SWC-SL) (reads on exemplary App A has a MAC attribute/security label set for itself, see Blaich para 0037 and claims 1, 4 and 5) assigned to software component types (The Examiner construes this to be a necessary if not obvious limitation of the prior art of record’s teaching of MACs including SELinux because one of ordinary skill in the art would know type enforcement is implemented in SELinux causing both objects and subjects to be assigned type labels, see Blaich para 0017 and claim 5) and network interface (reads on using the MAC environment to enforce the MAC subject-object access paradigm between the application/process and the network interface, see Blaich para 0017 and 0037) assigned to hardware component interface types (The Examiner construes this to be a necessary if not obvious limitation of the prior art of record’s teaching of MACs including SELinux because one of ordinary skill in the art would know type enforcement is implemented in SELinux causing both objects and subjects to be assigned type labels, see Blaich para 0017 and claim 5). 

[0017] One aspect of the present invention is deciding which applications should be allowed to send or receive data from the network and how to enforce this policy in a MAC environment. The present invention enables firewalls to take advantage of the method of enforcement of MAC technologies to provide a tighter integration with the MAC, while indirectly enhancing the network control ability of the MAC. Exemplary implementations include the use of security labels or defined paths, leveraging off of MAC mechanisms used for different purposes. Referring to FIG. 3, MAC mechanisms employ a subject-object paradigm for accesses. If Application (App) A wants to write to a LogFile, the MAC checks the security policy to allow or deny the access. MAC is a type of access control on a computing device in which the system determines which subjects have access to what objects in order to perform an operation such as read, write, or execute. Subjects and objects are any and all objects on a file-system. MAC controls can constrain users that have limited privileges, but also users that have administrator privileges, unlike in a Discretionary Access Control (DAC). In the case of a MAC the system determines the policy that is followed, not the users. Examples of MACs include Security Enhanced Linux.RTM. (SELinux) and the Simplified Mandatory Access Control Kernel or SMACK. Discretionary Access Controls or DAC is similar to a MAC because subjects are requesting access to objects in order to perform specific operations. However, in a DAC environment users can change or modify the policy. 
[0037] Also shown in the bottom portion of the diagram FIG. 5 in use an application App A generates packets that are to be sent to a network interface. The firewall 515 inspects the packets and looks to match them against the rules it ahs to determine what action to perform on them. In this example App A has an extended attribute or security label set for itself of security.SMACK64EXEC equal to com.security.appa. In this example, a packet is allowed out of the system by the firewall 515 if it was generated by a process having the extended attribute security label that matches the security label in module 525. This means when App A is executing it is running as the subject with the label com.security.apps. Based on the previous labeling, a rule can be added to the firewall system, iptables in this case, that can include the traditional restrictions like ip address, port number, mac address, etc; but can also include the new security label matching module that will provide another matching parameter to the rule before it can be considered a full match for a packet. Thus, any packet that is created by a process with a SMACK64EXEC label, in this example, equal to com.samsung.appa will have an action performed on it. 

[0047] FIG. 8 illustrates an exemplary computing device 800 including a MAC aware firewall. The MAC aware firewall 815 is part of the Operating System layer. The computing device also includes a Kernel layer 840 and least one processor 850 and memory 860. While the firewall 815 may be installed on a computing device it will be understood that more generally firewall 815 may also be stored as computer program code on a non-transitory computer readable medium which when executed on a processor implemented the MAC aware firewall. The various aspects, features, embodiments or implementations of the invention described above can be used alone or in various combinations.

1.A computing device include a processor and a memory, comprising: a firewall, the firewall having a firewall rule set extended to include Mandatory Access Control (MAC) attributes; the firewall configured to examine the MAC attributes of a process running within the protection of the firewall that is generating or receiving packets and performing rule checking for the process based at least in part by comparing the MAC attributes of the process to the MAC attributes in the firewall rule set; wherein the firewall obtains MAC attribute information for the process based on local information not included within the contents of individual packets.
3. The computing device of claim 1, wherein the firewall obtains MAC attributes for a process directly or indirectly from the process via a network layer.
4. The computing device of claim 1, wherein the MAC attributes include at least one of a label and a path attribute of a process.
5. The computing device of claim 1, wherein the MAC attributes include security labels for SELinux or SMACK.




    PNG
    media_image1.png
    614
    901
    media_image1.png
    Greyscale





    PNG
    media_image2.png
    422
    918
    media_image2.png
    Greyscale



The prior art of record is silent on explicitly stating MAC security policy comprising access rights defined as access relations between software component security labels assigned to software component types and hardware component interface security labels assigned to hardware component interface types, wherein the hardware component interfaces of the network device include at least one internal network interface to an internal control network and at least one external network interface to an external network, wherein a first security label is assigned to the at least one internal network interface, a second security label is assigned to the at least one external network interface, and the first security label and the second security label are different.  
Clark suggests 
a method for providing restricted access to (reads on using mandatory access control comparing the network endpoint attribute with the interface attribute in the table of network attributes to determine whether the software process can access the network interface card, see Clark para 0009 and 0022) hardware component interfaces (reads on the network interface, see Clark para 0022, 0027, 0060 and 0117) of a network device (see Clark Figure 2 blocks 10, 20 and 30) by one or more software components (reads on a combination of user process #1 and user process #2, see Clark Figure 2 blocks 11 and 12 and para 0009) of the network device (see Clark Figure 2 blocks 10, 20 and 30), wherein an access to (reads on software process having a network endpoint attribute consist of the compartment label associated with the process, where processes which send and receive data on the network interface must reside in the same MAC compartment as that of the network interface or the data transfer is aborted, see Clark para 0009, 0040 and 0060) a hardware component interface (reads on a network interface which is assigned a mandatory access control label, see Clark para 0022) requested by (reads on software process having a network endpoint attribute consist of the compartment label associated with the process, where processes which send and receive data on the network interface must reside in the same MAC compartment as that of the network interface or the data transfer is aborted, see Clark para 0009, 0040, 0060 and claim 1) a software component (reads on a combination of user process #1 and user process #2, see Clark Figure 2 blocks 11 and 12 and para 0009) is permitted on the basis of (reads on software process having a network endpoint attribute consist of the compartment label associated with the process, where processes which send and receive data on the network interface must reside in the same MAC compartment as that of the network interface or the data transfer is aborted, see Clark para 0009, 0040, 0060 and claim 1) a MAC security policy comprising access rights defined as access relations between software component security labels and hardware component interface security labels (reads on the attribute map table includes MAC sensitivity label information about each network endpoint associated with a process and each network interface where a satisfactory label comparison allows the process to access the network interface card, see Clark para 0022, 0027, claim 1 and claim 2) wherein the hardware component interfaces of (reads on a network interface 47A/47B/47C/47D which is assigned a mandatory access control label, see Clark para 0022, 0030, 0031 and Figure 1 blocks 47a-d) the network device include at least one internal network interface to an internal control network (reads on the computing device uses a network interface card to connect to any communication network such as a LAN or WAN, see Clark para 0030 – 0031 and Figure 1) and at least one external network interface to an external network (reads on the computing device uses a network interface card to connect to any communication network such as a LAN or WAN, see Clark para 0030 – 0031 and Figure 1), wherein a first security label is assigned to the at least one internal network interface (reads on MAC sensitivity label information assigned to each network interface where a satisfactory label comparison allows the process to access the network interface card, see Clark para 0022, 0027, claim 1 and claim 2), a second security label is assigned to the at least one external network interface (reads on MAC sensitivity label information assigned to each network interface where a satisfactory label comparison allows the process to access the network interface card, see Clark para 0022, 0027, claim 1 and claim 2), and the first security label and the second security label are different (The Examiner construes this to be a necessary if not obvious limitation of the prior art’s teaching of each network interface being assigned its own label, see Clark par 0022. The Examiner asserts each having its own label at least obviates the need for distinct labels to be different if for no other reason they are distinct).  

[0009] The invention provides a system and method for implementing a streams based network access control for a computer. The invention may be conceptualized as a streams based network access control system that includes a software process operating on a computer and having a network endpoint attribute. The software process is configured to communicate a packet through a streams-based network protocol stack to a network interface card that includes an interface attribute. A session filter module and a network filter module are in communication with the network protocol stack. A table of network attributes, associated with the session filter module and network filter module, compares the network endpoint attribute with the interface attribute in the table of network attributes to determine whether the software process can access the network interface card. 

[0022] Each network interface is assigned a mandatory access control (MAC) label. Processes which send and receive data on the network interface must reside in the same MAC compartment as that of the network interface or must possess sufficient privilege to override the network security policy decisions.

[0027] The attribute map table includes information about each network endpoint associated with a process, and each network interface. For each network endpoint, this information includes, but is not limited to, the protocol, the local port and address assigned to it, the address and port of the endpoints peer if a session is established, session flags for each endpoint and the security attributes for each endpoint. The session flags include, but are not limited to, a connected flag, a bound flag and an indicator flag. The indicator flag signifies if the session is a client, server or listen type. The endpoint security attributes include, but are not limited to, a sensitivity label, a netmultilevelserver privilege, an allownetaccess privilege, netrawaccess privilege, netsetid privilege, netprivsession privilege and a netprivador privilege. For each network interface, this information includes, but is not limited to, the interface name, the sensitivity label associated with the interface, and the hostile/nonhostile disposition flag of the interface.

[0030] Turning now to the drawings, FIG. 1 is a block diagram illustrating a network environment 2 in which a computing device 10, 20 and 30 includes the streams based access control system 100 of the present invention. Network environment 2 includes a plurality of interconnected computing devices 10, 20 and 30, connected by a plurality of networks. As shown in FIG. 1, computing device 10 and computing device 20 are interconnected via network 8. Network 8 may be any communication network, such as a local area network (LAN) or a wide area network (WAN).

[0031] Computing device 10 and computing device 30 are interconnected via network 9, which may also be either a LAN or a WAN. Each computing device can be directly connected to at least one network. The computing device 10 uses a network interface card (NIC) 47A to connect to network 9 and an NIC 47B to connect to network 8. Similarly, the computing device 20 is connected to network 8 using a network interface card NIC 47C and the computing device 30 is connected to network 9 via a NIC 47D.

[0040] The session filter module (SFM) 110 is responsible for assigning and maintaining attributes on network endpoints, as well as controlling access between endpoints during local-to-local communication. The attributes associated with a network endpoint consist of the compartment label associated with the process, as well as a representation of relevant privileges in effect, when the endpoint is created. When packets are sent between local endpoints, the receiving endpoint compares its attributes with its peer endpoint's attributes. A satisfactory attribute comparison allows the data to be delivered, whereas a failed comparison causes the data transfer to be aborted.

[0060] The network filter module (NLM) 170 is responsible for controlling access to the network interface(s) 47. The network interfaces 47 are labeled with a set of attributes when the interface is brought on-line. When data is sent or received on the network interface(s) 47, the attributes of the interface are compared with the attributes of the endpoint receiving or sending the data. If the attributes specify that the communication is not allowed, the data is either dropped or an error is returned.

[0114] The system and method for a streams based network access control system 100 can be implemented in hardware, software, firmware, or a combination thereof. In the preferred embodiment(s), the invention is implemented in software or firmware that is stored in a memory and that is executed by a suitable instruction execution system. If implemented in hardware, as in an alternative embodiment, the invention can be implemented with any or a combination of the following technologies, which are all well known in the art: a discrete logic circuit(s) having logic gates for implementing logic functions upon data signals, an application specific integrated circuit (ASIC) having appropriate combinational logic gates, a programmable gate array(s) (PGA), a field programmable gate array (FPGA), etc.

[0115] The streams based network access control system 100, which comprises an ordered listing of executable instructions for implementing logical functions, can be embodied in any computer-readable medium for use by or in connection with an instruction execution system, apparatus, or device, such as a computer-based system, processor-containing system, or other system that can fetch the instructions from the instruction execution system, apparatus, or device and execute the instructions. In the context of this document, a "computer-readable medium" can be any means that can contain, store, communicate, propagate, or transport the program for use by or in connection with the instruction execution system, apparatus, or device.
[0117] It will be apparent to those skilled in the art that many modifications and variations may be made to the preferred embodiments of the present invention, as set forth above, without departing substantially from the principles of the present invention. For example, although illustrated using only two processes, the streams based network access control system of the invention is capable of supporting many additional application programs and their corresponding processes, such as, for example but not limited to, a file transfer process, a mail server process, etc. Furthermore, it is contemplated that an application program may have more than one process running simultaneously. Further still, although illustrated using only two network interface cards, the network filter system of the invention is capable of supporting many additional network interface cards. All such modifications and variations are intended to be included herein within the scope of the present invention, as defined in the claims that follow.

1. A streams based network access control system, comprising: a software process operating on a computer, said software process including a network endpoint attribute and configured to communicate a packet through a streams based network protocol stack to a network interface card, said network interface card including an interface attribute; a session filter module communicating with said network protocol stack; a network filter module communicating with said network protocol stack; and a table of network attributes associated with said session filter module and said network filter module, wherein said session filter module and network filter module compare said network endpoint attribute with said interface attribute in said table of network attributes to determine whether said software process can access said network interface card.

2. The system of claim 1, wherein said table of network attributes further comprises: at least one network endpoint attribute; and at least one interface attribute.

3. The system of claim 1, wherein each of said at least one network endpoint attribute and said at least one interface attribute further comprise: a compartment label; and at least one privilege value.



    PNG
    media_image3.png
    620
    846
    media_image3.png
    Greyscale



Before the effective filing date of the invention it would have been obvious to one of ordinary skill in the art to modify MAC policy teachings of the prior art of record by integrating the MAC policy network interface label teachings of Clark to realize the instant limitation. One or more of the underpinning rational(s), as discussed in KSR international Co, v, Teleflex inc,s etai,s 550 U,S. 398 (2007) U.S.P.Q.2d 1385, also see MPEP § 2141 {IN), are used to support this conclusion of obviousness. Accordingly, since each individual element and its function are shown in the prior art, albeit shown in separate references, the difference between the claimed subject matter and the prior art rests not on any individual element or function but in the very combination itself- that is in the substitution of the network interface teachings of Clark which include the network interface having a compartment label that must be matched to the requesting process for the process to have access to the network interface for network interface of the primary reference. Thus, the simple substitution of one known element for another producing a predictable result renders the claim obvious. The motivation to combine the references applies to all claims under this heading.
Zhang suggests 
MAC security policy comprising (reads on allowing a particular type of subject to have a set of access permissions with respect with one or more other types of objects, see Zhang para 0085) access rights defined as access relations between (reads on a set of access permissions with respect with one or more other types of objects, see Zhang para 0085) software component security labels (reads on subjects/processes associated with labels of the form user:role:type, see Zhang para 0085) assigned to software component types (reads on subjects/processes associated with labels of the form user:role:type, see Zhang para 0085) and hardware component interface security labels (reads on objects associated with labels of the form user:role:type, see Zhang para 0085) assigned to hardware component interface types (reads on a particular object being associated with a label of the form user:role:type).
[0084] As noted above, the trusted access monitoring manager 302a (shown in FIG. 3A) can serve as a reference monitor in accordance with one embodiment of the invention. To further elaborate, FIG. 4 depicts a reference monitoring architecture compatible with the techniques of the invention as will be known to those skilled in the art. Those skilled in the art will readily appreciate that various access control or reference monitoring techniques can be utilized in accordance with the invention as no specific assumptions need to be made regarding the architecture of the access control or reference monitoring utilized to make or use the invention. Secure operating system (e.g., SELinux Operating System) can offer additional advantages. In particular, the invention is especially well suited for SELinux Operating System because of the Mandatory Access Control (MAC) mechanism that it can provide. As such, the reference monitoring mechanisms of SELinux Operating System is described in greater detail below.
[0085] SELinux can associate "labels" of the form "user:role:type" to all "subjects" (e.g., processes) and "objects" (e.g., files, directories, programs, sockets). This "labeling" can be referred to as a "security context". Within the security context, the "type" attribute can represent the type of an "subject" and/or an "object" (e.g., sshd_t and syslogd_t, as generally known in the art). Instead of directly associating a user with a type, SELinux can associate a user with a "role" and a "role" with a set of types. The "role" can effectively simplify the management of various users supported by the SELinux Operating System. This means that access control in SELinux can be primarily enforced via a "Type-Enforcement" policy model, as is generally known in the art. A typical policy rule in SELinux can, for example, allow a particular type of subject to have a set of access permissions (or permissions) with respect with one or more other types of objects. By way of example, access permissions can be defined according to: object classes (e.g., file: {read, write}, append, lock, and netif: {tcp send,tcp recv}). As a simple example, the following rules can define two types: "qtmail_t and qtaddressbook_t" within a mobile device (e.g., a cell phone):


Before the effective filing date of the invention it would have been obvious to one of ordinary skill in the art to modify MAC policy teachings of the prior art of record by integrating the MAC policy teachings of Zhang to realize the instant limitation. One or more of the underpinning rational(s), as discussed in KSR international Co, v, Teleflex inc,s etai,s 550 U,S. 398 (2007) U.S.P.Q.2d 1385, also see MPEP § 2141 {IN), are used to support this conclusion of obviousness. Accordingly, one of ordinary skill in the art would have recognized that applying the known label and type technique of Zhang would have yielded predictable results and resulted in an improved system. It would have been recognized that applying the label and type technique of Zhang to the label teachings of Blaich would have yielded predictable results because the level of ordinary skill in the art demonstrated by the references applied shows the ability to incorporate such type and labeling features into similar systems. Further, applying the specific type identification to Blaich, would have been recognized by those of ordinary skill in the art as resulting in an improved system that would allow a variety of additional ways to specify access permissions. The motivation to combine the references applies to all claims under this heading.
Per claim 2, the prior art of record further suggests wherein the restricted access to a requested hardware component interface (HWCI) by a requesting software component (SWC) permitted by said MAC mechanism provides a non-reactive unidirectional dataflow (reads on the security policy determines which subjects have access to what objects in order to perform an operation such as the exemplary read, write, or execute, see Blaich para 0017. The Examiner asserts based on the exemplary read, write, or execute teaching of the prior art, any known in the art access operation would be obvious because it is within the realm of conventional computer science in order to meet the needs of the business).  
Per claim 3, the prior art of record further suggests wherein the access relations indicate access types of access to the hardware component interfaces (HWCI) by the software components (SWC) permitted according to the access rights of the MAC security policy (MAC-SP) (reads on the security policy determines which subjects have access to what objects in order to perform an operation such as the exemplary read, write, or execute, see Blaich para 0017).  
Per claim 4, the prior art of record further suggests wherein the access types of the access relations comprise a read only, RO, access type, a write only, WO, access type, a read and write, RW, access type, a client mode access type, and a server mode access type (reads on the security policy determines which subjects have access to what objects in order to perform an operation such as the exemplary read, write, or execute, see Blaich para 0017. The Examiner asserts based on the exemplary read, write, or execute teaching of the prior art, any known in the art access operation would be obvious because it is within the realm of conventional computer science in order to meet the needs of the business).  
Per claim 5, the prior art of record further suggests wherein the software components (SWC) comprise applications including control applications, real-time control applications, safety applications, device status applications, configuration applications and data validation applications (The Examiner construes this to be an obvious limitation of the prior art’s  combination of the Application/App/process/subjects of Blaich para 0017, 0037 and claim 1, see Clark Figure 2 blocks 11 and 12 and para 0009 and Zhang para 0085. The Examiner asserts the claims specific recitations of applications are reasonably scoped as the prior art’s disclosure of Application/App/process/subjects because one of ordinary skill in the art would consider them all applications that were known in the art and within the realm of conventional computer science to implement any and all of them in order to meet the needs of the business).  
Per claim 6, the prior art of record further suggests wherein the hardware component interfaces (HWCI) comprise 10 interfaces, network interfaces, memory interfaces and configuration interfaces (The Examiner construes this to be an obvious limitation of the prior art’s combination of the network interfaces/objects of Blaich Figure 2, Figure 4 and Figure 5, see Clark para 0009, 0022 and Zhang para 0085. The Examiner asserts the claims specific recitations of interfaces are reasonably scoped as the prior art’s disclosure of network interfaces/objects because one of ordinary skill in the art would consider them all network interfaces/objects that were known in the art and within the realm of conventional computer science to implement any and all of them in order to meet the needs of the business).   
Per claim 7, the prior art of record further suggests wherein the hardware component interface (HWCI) types comprise a configuration type, a device intern type, a control network type, a real-time control type, a safety control type, and an open network type (The Examiner construes this to be an obvious limitation of the prior art’s disclosure of objects associated with labels of the form user:role:type, see Zhang para 0085, because the prior art explicitly teaches types and Applicant’s disclosure of the various types without defining those various types appears to be nothing more than exemplary known in the art recitations of known in the art types. The Examiner asserts one of ordinary skill in the art would consider them all object types that were known in the art and within the realm of conventional computer science to implement any and all of them in order to meet the needs of the business).  
Per claim 8, the prior art of record further suggests wherein the software component, SWC, types comprise a control network domain, an open network domain, a domain intern domain, a control domain, a real-time control domain, a safety control domain, an external communication domain and a device intern cross domain (The Examiner construes this to be an obvious limitation of the prior art’s disclosure of subjects/processes associated with labels of the form user:role:type, see Zhang para 0085, because the prior art explicitly teaches types/domains and Applicant’s disclosure of the various types/domains without defining those various domains appears to be nothing more than exemplary known in the art recitations of known in the art domains. The Examiner asserts one of ordinary skill in the art would consider them all object domains that were known in the art and within the realm of conventional computer science to implement any and all of them in order to meet the needs of the business).  
Per claim 9, the prior art of record further suggests wherein the MAC security policy (MAC-SP) is stored in a file system of said network device (1) loaded during booting of the network device's operating system (OS) (see Blaich Figure 8, para 0017, para 0047 and Zhang para 0084).  
Per claim 10, the prior art of record further suggests wherein the MAC security policy (MAC-SP) is compiled into the operating system kernel (OSK) of the device's (1) operating system (OS) (see Blaich Figure 8, para 0017, para 0047 and Zhang para 0084).  
Per claim 11, the prior art of record further suggests wherein the operating system (OS) comprises a non-real time operating system or a real time operating system (see Blaich Figure 8, para 0017, para 0047 and Zhang para 0084).  
Claim 12 is analyzed with respect to claim 1. The prior art of record further suggests kernel (OSK) implemented in a processor of said network device (see Blaich para 0047).  
Per claim 13, the prior art of record further suggests wherein the hardware component interfaces (HWCI) of said network device comprise IO interfaces, network interfaces, memory interfaces and/or configuration interfaces (see Blaich Figure 8, Clark Figure 1 block 10 and Figure 2).  
Per claim 15, the prior art of record further suggests wherein the network device (1) comprises a programmable logic controller, PLC, an IoT gateway or a control device (reads on can be implemented in any combination of hardware and software, see Clark para 0114).  


Claims 16 – 17 are rejected under 35 U.S.C. 103 as being unpatentable over Blaich in view of Clark in view of Zhang in view of Hall (US Pub. No. 20100088739 A1).

Per claim 17, the prior art of record teaches the method of claim 1. The prior art of record does not explicitly state no software component is allowed access to both the first security label and the second security label.
Hall suggests 
no software component is allowed access to both the first security label and the second security label (reads on a method of hardware based access control where all processing contexts are labeled and the mandatory access control is performed by hardware mechanisms that avoid possible security holes that may be present in software because it is implemented completely within the hardware rather than relying on software, see Hall para 0006, 0034 – 0035 and 0064 – 0065).

[0006] In one illustrative embodiment, a method, in a data processing system, is provided for performing hardware based access control. The method comprises associating, in hardware of the data processing system, an instruction access policy label with an instruction to be processed by a processor of the data processing system. The method further comprises associating, in hardware of the data processing system, an operand access policy label with data in the data processing system. Moreover, the method comprises passing the instruction access policy label along with the instruction through one or more hardware functional units of the processor and passing the operand access policy label along with the data through the one or more hardware functional units of the processor. In addition, the method comprises utilizing one or more hardware implemented policy engines associated with the one or more hardware functional units of the processor to control access by the instruction to the data based on the instruction access policy label and the operand access policy label.

[0007] In another illustrative embodiment, a processor is provided that comprises one or more hardware functional units and one or more hardware implemented policy engines associated with the one or more hardware functional units. An instruction access policy label is associated, in hardware of the processor, with an instruction to be processed by the processor. An operand access policy label is associated, in hardware of the processor, with data processed by the processor. The instruction access policy label is passed along with the instruction through the one or more hardware functional units of the processor. The operand access policy label is passed along with the data through the one or more hardware functional units of the processor. The one or more hardware implemented policy engines operate to control access by the instruction to the data based on the instruction access policy label and the operand access policy label.

[0034] The illustrative embodiments provide hardware implemented mandatory access control functions and a corresponding security architecture that is less dependent on the correctness of the software. With the mechanisms of the illustrative embodiments, a computer processing architecture, such as may be used in the system of FIG. 1, is modified to include an extended mandatory access control matrix mechanism. Moreover, all data within the computer processing architecture is labeled with a small integer label, e.g., a label of 8 bits for each 64 bit data word (although these sizes may vary for different processor types used in the computer processing architecture). Similarly, all processing contexts are labeled. The extended mandatory access control matrix is stored in memory and provides the access control policy for controlling access to the labeled data as it moves through the computer processing architecture.

[0035] For each instruction, and for each set of context and input operand labels, the mandatory access control matrix contains access control and transition rules. The access control rules imply the read, write and execute permissions. Entries in the mandatory access control matrix may further include an extended rule which specifies output operand labels as well as transition rules for the operation which may include instructions to trap or to alter the label of the context, such as in support of low watermark integrity protection models.

[0064] Thus, the illustrative embodiments provide hardware mechanisms for performing access control. These hardware mechanisms avoid the possible security holes that may be present in traditional software based access control mechanisms. Thus, a more secure system is provided by implementing the access control completely within the hardware rather than relying on software once data/instructions are loaded into registers.

[0065] As noted above, it should be appreciated that the illustrative embodiments may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment containing both hardware and software elements. In one exemplary embodiment, the mechanisms of the illustrative embodiments are implemented in software or program code, which includes but is not limited to firmware, resident software, microcode, etc.


Before the effective filing date of the invention it would have been obvious to one of ordinary skill in the art to modify mandatory access control teachings of the prior art of record by integrating the mandatory access control teachings of Hall to realize the instant limitation. One or more of the underpinning rational(s), as discussed in KSR international Co, v, Teleflex inc,s etai,s 550 U,S. 398 (2007) U.S.P.Q.2d 1385, also see MPEP § 2141 {IN), are used to support this conclusion of obviousness. Accordingly, it would have been obvious to one of ordinary skill in the art to include in the mandatory access control system of the prior art of record the ability to implement that mandatory access control via a hardware only embodiment as taught by Hall since the claimed invention is merely a combination of old elements, and in the combination each element merely would have performed the same function as it did separately, one of ordinary skill in the art would have recognized the results of the combination were predictable. The motivation to combine the references applies to all claims under this heading.

Claim 16 is analyzed with respect to claim 17.




Conclusion
A new ground(s) of rejection is presented due to Applicant’s amendment.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action.

Contact
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Brian Shaw whose telephone number is ((571)270-5191.  The examiner can normally be reached on Mon-Thurs from 6:00 AM-3:30 PM.
If attempts to reach the examiner by telephone are unsuccessful, the examiner's Supervisor, Jorge Ortiz Criado can be reached on (571) 272-7624.  The fax phone number for the organization where this application or proceeding is assigned is 703-872-9306.  Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free).


                                                                                                                                                                                            
/BRIAN F SHAW/Primary Examiner, Art Unit 2496