Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

This action is in response to an amendment filed 3/15/22.
Claims 1-2 and 4-20 are pending.

Response to Arguments
Applicant's arguments filed 8/29/22 have been fully considered but they are not persuasive.

First none of the cited references, alone or in combination, teach or suggest "creating a set of flow definitions from the control flow graph to specify a plurality of propagation rules." The cited paragraph [0082] of Kim makes it clear that Kim's system "reads the assembly code structured for each user function in units of instructions, and determines a correspondence to a variable type inferable assembly instruction (OPCODE) pattern or an instruction pattern that calls a variable type inferable standard library function ... with reference to the instruction pattern DB 224 [or] the standard library function pattern DB 226." (Emphasis added.). Referencing a DB 224 or a standard library function pattern to find a variable type in an OPCODE is not the same as "specify a plurality of propagation rules" [that are used to execute a backward type propagation of the control flow graph to determine a first type of the first function from a subsequent use of the first function as an argument passed. (pg. 8, last par.)

As discussed in more detail below, the limitation in question does not clearly define an intended scope of the claim and lacks support in the specification and thus a detailed examination of the limitation is not possible. Regardless, it is noted that, e.g., Kim’s “standard library function patterns” provide the ability to infer types and thus appear to correspond to the recited “propagation rules”. While applicant’s “propagation rules” may (or may not) be generated differently than Kim’s “standard library function patterns” the claim does not adequately recite such details. Accordingly, at least in view of the current claim language, this argument is unpersuasive.

Second, none of the cited references, alone or in combination, teach or suggest "executing a backward type propagation of the control flow graph, based on the plurality of propagation rules to determine a first type of the first function from a subsequent use of the first function as an argument passed to a library function." Kim does not perform backward propagation to determine a first type of the first function from a subsequent use of the first function as an argument passed to a library function. Rather, Kim "infer[s] the type of the variable based on at least one of an instruction using the variable as an operand and a standard library function using the variable as a parameter;" (see, e.g., FIG. 2, paragraphs [0043] and [0044], and claim 4), where "inferring the type of the variable comprises: determining a plurality of variable type candidates based on a plurality of instructions associated with the variable; and determining the type of the variable based on the plurality of variable type candidates" (see, e.g., FIG. 2, paragraphs [0043] and [0044], and claim 5). (2nd full par. on pg. 9)

Kim discloses inferring a type of a variable of a function based on its subsequent use as a parameter of a standard library function (e.g. “infer[s] the type of the variable based on … a standard library function using the variable as a parameter”, par. [0105] “determines each variable type … for each user function”). Adams discloses inferring at least a first type of a function (e.g. par. [0031] “signatures inferred from their use”). Accordingly, as indicated in the rejection, it would have been obvious to infer a function type based on its subsequent use in a standard library function.

Third, none of the cited references, alone or in combination, teach or suggest "backward propagating the first type, to determine a first portion of the signature of the first function, from the subsequent use of the first function as an argument passed to the library function." As explained above, Kim does not "determine a first portion of the signature of the first function, from the subsequent use of the first function as an argument passed to the library function." Likewise, Adams infers signatures from their use, with no mention subsequent use of the first function as an argument passed to the library function. (Cited paragraph [0026]). There is no teaching or suggestion in Adams about backward propagating the first type, to determine a first type of the first function from a subsequent use of the first function as an argument passed to a library function. (1st full par. on pg. 10)

The examiner respectfully disagrees. As discussed above Kim discloses determining a type of a function’s variable based on a subsequent use as an argument passed to the library function. However, Kim does not explicitly disclose determining a “signature” of that function based on its subsequent use. However, as discussed in more detail below, Adams discloses inferring a functions “signature” from its subsequent use (see e.g. par. [0031] “signatures inferred from their use”). Accordingly, it would have been obvious to determine a functions signature based on its subsequent use for the reasons discussed below in the rejection.

Claim Rejections - 35 USC § 112
The following is a quotation of the first paragraph of 35 U.S.C. 112(a):
(a) IN GENERAL.—The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor or joint inventor of carrying out the invention.

The following is a quotation of the first paragraph of pre-AIA  35 U.S.C. 112:
The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor of carrying out his invention.

Claims 1-2 and 4-20 are rejected under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA ), first paragraph, as failing to comply with the written description requirement. The claim(s) contains subject matter which was not described in the specification in such a way as to reasonably convey to one skilled in the relevant art that the inventor or a joint inventor, or for applications subject to pre-AIA  35 U.S.C. 112, the inventor(s), at the time the application was filed, had possession of the claimed invention.
Claim 1 recites: “creating a set of flow definitions from [a] control flow graph to specify a plurality of propagation rules”. The only reference to flow definitions is found at par. [0031] of the specification which reads in relevant part:
… To perform the flow-sensitive points-to analysis, a set of flow definitions is created (before the analysis begins); these flow definitions specify propagation rules, usable by an automated analysis tool, that describe dataflow and pointer constraints for each machine code instruction. For example, "mov rax, rbx" on an x86_64 processor describes a propagation from the points-to set that rbx points to, to the points-to set that rax points to, and the flow definition for this instruction may capture this points-to propagation characteristic of the instruction. As another example, the flow definition for the instruction "mov rax, qword [rbx]" may specify that the points-to set of each value that rbx points to flows to the rax register. The result of the flow-sensitive points-to analysis is a points-to set for each register and memory location referenced in the program.

This passage makes no reference to a control flow graph, much less creating a flow definition from one. Instead this appears to disclose generating the “flow definition” from an “instruction” (e.g. “mov rax rbx”) and doing so “before the analysis begins”. 
Claim 1 further recites “generating a control flow graph … using the set of flow definitions”. As noted above, the specification does not disclose any use of “flow definitions” involving a “control flow graph”, and thus does not disclose generating a control flow graph using flow definitions. Further, at par. [0028] the applicant appears to disclose that the control flow graph is generated by a disassembler rather than a flow definition (i.e. “The output of the disassembler may include a control flow graph).
Claim 1 further recites “a subsequent use of the first function as an argument passed to a library function”. The specification does not appear to disclose passing a “function” as an argument to a “library function”. The closest disclosure appears to be found at e.g. par. [0033] of the specification which describes inferring a type of a “variable” passed as an argument to a library function but not a function per se. 
Accordingly, the specification does not contain disclosure sufficient to establish possession at the time of filing. 
Claims 2 and 4-17 depend from claim 1 and are rejected accordingly.
Claim 18 recites language similar to that of claim 1 and is thus similarly rejected.
Claims 19-20 depend from claim 18 and are rejected accordingly.

Claims 1-2 and 4-20 are rejected under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA ), first paragraph, as failing to comply with the enablement requirement.  The claim(s) contains subject matter which was not described in the specification in such a way as to enable one skilled in the art to which it pertains, or with which it is most nearly connected, to make and/or use the invention. 
Claim 1 recites: “creating a set of flow definitions from [a] control flow graph to specify a plurality of propagation rules”. As indicated above the specification does not appear to include any disclosure of generating flow definitions “from [a] control flow graph” instead apparently deriving them based on an instruction prior to performing the analysis. Further, it is not immediately clear that those of ordinary skill in the art would have been able to derive flow definitions from a control flow graph. In other words, based on par. [0031] it appears that the “flow definitions” are derived based on prior knowledge of the functionality associated with various instructions and not a flow of control through a program. 
Claim 1 further recites “generating a control flow graph … using the set of flow definitions”. As noted above, the specification does not disclose any use of “flow definitions” involving a “control flow graph”, and thus does not disclose generating a control flow graph using flow definitions. More specifically, the “flow definitions” are disclosed as “specify[ing] propagation rules” which define how/if a type of one variable can be inferred based on its use in a particular instruction. Those of ordinary skill in the art would not understand how such information could be used to generate a control flow graph (which describes flow through an entire program).
Accordingly, the specification does not contain sufficient disclosure to enable those of skill in the art to make and or use the invention as claimed. 
Claims 2 and 4-17 depend from claim 1 and are rejected accordingly.
Claim 18 recites language similar to that of claim 1 and is thus similarly rejected.
Claims 19-20 depend from claim 18 and are rejected accordingly.

The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claims 1-2, and 4-20 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA  35 U.S.C. 112, the applicant), regards as the invention.

Claim 1 recites: 
… creating a set of flow definitions from the control flow graph to specify a plurality of propagation rules;
generating a control flow graph including one or more basic blocks connected by edges, using the set of flow definitions; …

Initially it is noted that the first recitation of “the control flow graph” lacks antecedent basis, and the second (“a control flow graph”) makes it unclear how many control flow graphs are claimed (e.g. here is “a” CFG intended to describe “the” CFG or another). But more importantly, it is not clear what is intended by using “flow definitions” created from “the control flow graph” to “generat[e] a control flow graph”. More specifically, as disclosed in par. [0031] of the specification the flow definitions only define type propagation and thus would not be suitable to generate control flow graph. Further the circular nature of these limitations (i.e. creating flow definitions from the CFG and then generating the CFG from the flow definitions) makes it even less clear what is being claimed. 
Claims 2 and 4-17 depend from claim 1 and are rejected accordingly.
Claim 18 recites language similar to that of claim 1 and is thus similarly rejected.
Claims 19-20 depend from claim 18 and are rejected accordingly.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over US 2021/0132924 to Kim et al. (Kim) in view of US 2009/0031291 to Adams (Adams).

Claims 1 and 18: Kim discloses a method, performed by one or more processors, for function summarization in an object code to determine malicious portions or vulnerabilities in the object code (par. [0038] “to remove vulnerabilities”), the method comprising: 
disassembling the object code by a disassembler software tool (par. [0041] “assembly code … calculated by disassembling the target binary 10”);
identifying, from the object code, a basic function having a known signature called by a first function from the object code, the first function to be summarized having a signature (par. [0082] “for each user function … that calls a variable type inferable standard library function”, note that all functions have a signature); 
creating a set of flow definitions from the control flow graph to specify a plurality of propagation rules (e.g. par. [0082] “the instruction pattern DB 224 … the standard library function pattern DB 226”);
executing a backward type propagation of disassembled code, based on the plurality of propagation rules to determine a first type of the first function from a subsequent use of the first function as an argument passed to a library function, the first type being a type of an argument of the basic function or a type of a return value of the basic function (par. [0083] “a variable type known to have the parameter of the standard library function may be inferred as a type of a variable corresponding to the variable estimation pattern”, par. [0097] “a parameter type pattern of the standard library function”, par. [0105] “determines each variable type … for each user function”); 
backward propagating the first type, to determine a first portion of the first function, from the subsequent use of the first function as an argument passed to the library function (par. [0105] “determines each variable type … for each user function”);
determining a summary of the first function, based on the portion of the signature of the first function (par. [0105] “determines each variable type … for each user function”); and
executing a static analysis on the summary of the first function to determine malicious portions or vulnerabilities in the object code (par. [0038] “to remove vulnerabilities … information on the types and sizes of the variables may be used in … generating various types of patch code”).

Kim does not explicitly teach:
disassembling the object code; and
generating a control flow graph including one or more basic blocks connected by edges, using the set of flow definitions;

li teaches: 
dissembling object code (par. [0043] “a disassembler”); and
generating a control flow graph including one or more basic block connected by edges (par. [0043] “A node of a control flow graph may represent a block of instructions and an edge of a control flow graph may represent control flow between blocks of instructions. A control flow graph may be produced using a disassembler”).

It would have been obvious at the time of filing to disassemble the object code to generate a control flow graph (Li par. [0043] “A control flow graph may be produced using a disassembler”, Kim par. [0041] “disassembling the target binary 10”). Those of ordinary skill in the art would have been motivated to do so as a known means of representing object code for analysis which would have produced only the expected results. 

Kim and Li do not explicitly teach determining a first portion of the signature of the first function.

Adams teaches determining a first portion of a signature of a function (par. [0031] “performing type inference … signatures inferred from their use”, also see e.g. par. [0088]-[0090]).

It would have been obvious at the time of filing to determine a first portion of the signature of the first function (Adams par. [0031] “performing type inference … signatures inferred from their use”, Kim par. [0082] “for each user function”). Those of ordinary skill in the art would have been motivated to do so as a known means of type inference which would have produced only the expected results. 

Claims 2 and 19: Kim and Adams teach claims 1 and 18, wherein the propagating of the first type comprises propagating the first type based on object code (Kim par. [0010] “identifying a type of a variable within a binary”).

Claim 4: Kim and Adams teach claim 1, comprising determining the entire signature of the first function, the determining of the entire signature of the first function comprising the propagating of the first type, to determine the first portion of the signature of the first function (Adams par. [0032] “performing type inference … signatures inferred from their use”).

Claims 5 and 20: Kim and Adams teach the method of claims 4 and 19, further comprising determining, based on the entire signature of the first function, a summary of the first function (Adams par. [0032] “determining from the characteristics of the use of undeclared names, what kind of names they are (method, class, interface, property, etc.)”), 
wherein the determining of the summary comprises looking up the entire signature in a summarization database (e.g. Kim par. [0097] “the standard library function pattern DB 226”).

Claim 6: Kim and Adams teach the method of claim 1, wherein the basic function is a library function (Kim par. [0083] “standard library function”).

Claim 7: Kim and Adams teach the method of claim 1, wherein the first type is a type of an argument of the basic function (Kim par. [0083] “the parameter of the standard library function”).

Claim 8: Kim and Adams teach the method of claim 7, further comprising: 
determining a second type, the second type being a type of a return variable of the basic function (Kim par. [0098] “a type of a return value of a function”); and 
propagating the second type, to determine a second portion of the signature of the first function (Kim par. [0105] “determines each variable type … for each user function”).

Claim 9: Kim and Adams teach the method of claim 8, wherein: 
the propagating of the first type comprises propagating the first type backward (Kim par. [0098] “The type of data used as the … parameter … may be inferred”), and 
the first portion of the signature comprises a type of an argument of the first function (Kim par. [0098] “The type of data used as the return value … may be inferred”).

Claim 10: Kim and Adams teach the method of claim 8, wherein: 
the propagating of the second type comprises propagating the second type forward (Kim par. [0098] “The type of data used as the return value … may be inferred”), and
the second portion of the signature comprises a type of a return value of the first function (Kim par. [0105] “determines each variable type … for each user function”, Adams par. [0031] “signatures inferred from their use”).

Claim 11: Kim and Adams teach the method of claim 10, wherein: 
the propagating of the first type further comprises propagating the first type forward (Kim par. [0098] “The type of data used as the return value … may be inferred”), and 
the first portion of the signature further comprises a type of a return value of the first function (Kim par. [0105] “determines each variable type … for each user function”, Adams par. [0031] “signatures inferred from their use”).

Claim 12: Kim and Adams teach the method of claim 11, wherein: 
the propagating of the second type further comprises propagating the first type backward (Kim par. [0098] “The type of data used as the … parameter … may be inferred”), and 
the second portion of the signature further comprises a type of an argument of the first function (Kim par. [0105] “determines each variable type … for each user function”, Adams par. [0031] “signatures inferred from their use”).

Claim 13: Kim and Adams teach the method of claim 11, wherein the combination of the first portion of the signature and the second portion of the signature is the entire signature (Kim par. [0105] “determines each variable type … for each user function”, note that what constitutes the signature would depend on the structure of the code, and it would have been obvious to those of ordinary skill in the art that at least in some cases the signature would be formed from the first and second portions).

Claim 14: Kim and Adams teach the method of claim 1, wherein the first portion of the signature is the entire signature (Kim par. [0105] “determines each variable type … for each user function”, note that what constitutes the signature would depend on the structure of the code, and it would have been obvious to those of ordinary skill in the art that at least in some cases the signature would be formed from the first portion).

Claim 15: Kim and Adams teach the method of claim 1, further comprising: 
identifying the first function as a function called by a second function (Kim par. [0107] “determines whether each instruction corresponds to a variable type inferable instruction or function, and generates the variable type inference information 16 therefrom”; par. [0103] “Each information inferred may be stored as the variable type inference information 16”, this describes types inferred for the first function used to infer further types, at least obviously, including calls in a second function); 
determining a second type, the second type being a type of an argument of the first function or a type of a return value of the first function (Kim par. [0083] “a variable type known to have the parameter of the standard library function may be inferred as a type of a variable corresponding to the variable estimation pattern”, par. [0098] “a type of a return value of a function, the number and type of parameters”); and 
propagating the second type, to determine a first portion of the signature of the second function (Kim par. [0105] “determines each variable type … for each user function”).

Claim 16: Kim and Adams teach the method of claim 15, further comprising determining, based on the portion of the signature of the second function, a summary of the second function (Adams par. [0031] “performing type inference … signatures inferred from their use”).

Claim 17: Kim and Adams teach the method of claim 15, comprising determining the entire signature of the second function, the determining of the entire signature of the second function comprising the propagating of the second type, to determine the first portion of the signature of the second function (Kim par. [0105] “determines each variable type … for each user function”, Adams par. [0031] “performing type inference … signatures inferred from their use”).

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to JASON D MITCHELL whose telephone number is (571)272-3728. The examiner can normally be reached Monday through Thursday 7:00am - 4:30pm and alternate Fridays 7:00am 3:30pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Lewis Bullock can be reached on (571)272-3759. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/JASON D MITCHELL/Primary Examiner, Art Unit 2199