DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Claims 1-20 are presented for the examination.
 
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claim(s) 1, 2, 3, 7-9, 16-18 are rejected under 35 U.S.C. 103 as being unpatentable over ROTHMAN (US 20160246510 A1) in view of Motel (US 10176078 B1) and further in view of Callaghan (US 5737523 A).

As to claim 1, ROTHMAN teaches determining a return address of a caller of a software function within an access control component (now to FIG. 2, in some embodiments, the computing device 102 establishes an environment 200 during operation. The illustrative environment 200 includes a firmware environment 202 and an operating system 204, para[0025], ln 1-10/ The firmware environment 202 includes an NV store access module 206, a number of NV store policies 210, and a number of firmware driver(s)/application(s) 212. The NV store access module 206 is configured to provide controlled access services to the NV store 128, according to the NV store policies 210. As described below, the NV store access module 206 may reserve a portion of the NV store 128, preventing rogue drivers and/or applications from completely filling the NV store 128, para[0026], ln 1-15/ The call may be for access services or for other services related to the NV store 128. The call for services may be made during pre-boot by the firmware environment 202, or may be made at runtime by the operating system 204, drivers, or application software, para[0039], ln 6-20/ the computing device 102 may determine the identity of the caller by examining the system stack to determine a return address pointing to the memory location of the caller. For example, the computing device 102 may determine if the caller is a trusted firmware driver or application, the operating system 204, an application or driver of the operating system 204, or other entity based on the calling address, para[0038], ln 12-30),
the caller comprising a software component seeking access to a protected resource protected by the access control component (now to FIG. 2, in some embodiments, the computing device 102 establishes an environment 200 during operation. The illustrative environment 200 includes a firmware environment 202 and an operating system 204, para[0025], ln 1-10/ The firmware environment 202 includes an NV store access module 206, a number of NV store policies 210, and a number of firmware driver(s)/application(s) 212. The NV store access module 206 is configured to provide controlled access services to the NV store 128, according to the NV store policies 210. As described below, the NV store access module 206 may reserve a portion of the NV store 128, preventing rogue drivers and/or applications from completely filling the NV store 128, para[0026], ln 1-15).
ROTHMAN does not teach determining, from the return address, a filename of the caller. However, Motel teaches determining, from the return address, a filename of the caller (Retrieve the parameters of the message logging function, by examining the current stack frame, using the symbolic software debugging information from the software image (in a standard format such as ELF and DWARF) to find out the relative addresses of the parameters. Find out the caller of the message logging function, by examining the upper frame in the stack. The knowledge of the calling address (or return address) allows to make the relationship with the context of the message (source file and line), col 13, ln 63-67/ col 14, ln 3-10/ the file name and line number of the caller and these parameters may be present and directly retrieved in the stack, col 14, ln 35-40).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teaching of ROTHMAN with Motel to incorporate the feature of determining, from the return address, a filename of the caller because this enables the legitimacy of an API call to be determined with relatively high accuracy.
ROTHMAN and Motel do not teach allowing, responsive to determining that the filename is included in a set of filenames of components allowed to access the protected resource, the caller to access the protected resource. However, Callaghan teaches allowing, responsive to determining that the filename is included in a set of filenames of components allowed to access the protected resource, the caller to access the protected resource (the share table file 208 identifies NFS clients by hostnames rather than network source addresses, step 560 is required to enable searching the share table file 208. However, in embodiments where the share table file 208 identifies NFS clients by their network source addresses, step 560 would be unnecessary. In response to step 560, a step 562 receives the hostname associated with the NFS client 12. Then a step 564 searches the share table file 208 to determine the access status of the NFS client 12 for the given file system 30 using the hostname associated with the NFS client 12. As will be appreciated, when an access status is not found for the given file system 30, it merely indicates that the NFS client 12 has a status of no access. Once the access status for the NFS client 12 is determined, a step 566 returns the access status to the kernel 202, col 12, ln 15-60/ a client's access status to a given file system 30 can be either "no access", "ro" for read only access, or "rw" for read and write access, col 2, ln 10-15/ For example, an NFS server 200 may limit access to certain resources during peak use periods, allowing only a select group or a finite number of clients access during such times, col 12, ln 65-67 to col 13, ln 1-10).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teaching of ROTHMAN and Motel with Callaghan to incorporate the feature of allowing, responsive to determining that the filename is included in a set of filenames of components allowed to access the protected resource, the caller to access the protected resource because this allows computer systems to share files across a computer network.
As to claim 2, Callaghan teaches preventing, responsive to determining that the filename is not included in the set of filenames of components allowed to access the protected resource, the caller from accessing the protected resource (col 12, ln 45-50/ ln 50-60) for the same reason as to claim 1 above.
As to claim 3, ROTHMAN teaches the allowing is performed responsive to determining that a stored digital signature previously computed for the software component is valid (para[0027], ln 1-40).
As to claims 7-9, 16-18, they are rejected for the same reasons as to claims 1-3.
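
The caller check recited in claims 1 and 2 (return address, then filename, then allow-list) can be sketched as follows; this is an added illustration, not code from the application or from any cited reference. It assumes Linux and resolves the address through /proc/self/maps; the names addr_to_path, path_allowed and guarded_access and the allow-list paths are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Map a code address to the file backing it via /proc/self/maps (Linux only).
   Returns 0 and fills `out`, or -1 when no executable, file-backed mapping holds it. */
static int addr_to_path(const void *addr, char *out, size_t outlen)
{
    char line[4400], perms[8], path[4096];
    unsigned long lo, hi;
    int rc = -1;
    FILE *f = fopen("/proc/self/maps", "r");
    if (!f) return -1;
    while (fgets(line, sizeof line, f)) {
        path[0] = '\0';
        if (sscanf(line, "%lx-%lx %7s %*s %*s %*s %4095[^\n]",
                   &lo, &hi, perms, path) < 3) continue;
        if ((uintptr_t)addr < lo || (uintptr_t)addr >= hi) continue;
        if (perms[2] == 'x' && path[0] == '/')   /* anonymous or non-exec: fail closed */
            rc = snprintf(out, outlen, "%s", path) < (int)outlen ? 0 : -1;
        break;                                   /* an address lies in one mapping only */
    }
    fclose(f);
    return rc;
}
/* Exact full-path comparison; no basename or substring matching. */
static int path_allowed(const char *path, const char *const *allow, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (strcmp(path, allow[i]) == 0) return 1;
    return 0;
}
/* Hypothetical guarded entry point: 1 = allow, 0 = deny (unknown callers are denied). */
__attribute__((noinline)) int guarded_access(const char *const *allow, size_t n)
{
    char path[4096];
    void *ret = __builtin_extract_return_addr(__builtin_return_address(0));
    if (addr_to_path(ret, path, sizeof path) != 0) return 0;
    return path_allowed(path, allow, n);
}

int main(void)
{
    char self[4096];   /* path of the file that contains main(), i.e. the caller */
    const char *allow[2] = { "/opt/constructed/trusted.so", self };  /* constructed list */
    if (addr_to_path((const void *)(uintptr_t)main, self, sizeof self) != 0) return 1;
    printf("listed: %d  unlisted: %d\n", guarded_access(allow, 2), guarded_access(allow, 1));
    return 0;
}
```

A return address and a path identify which mapped file the call came from, not what that file contains, so the signature validation recited in claim 3 remains a separate check.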

Claims 4, 5, 6, 10-12, 19-20 are rejected under 35 U.S.C. 103 as being unpatentable over ROTHMAN (US 20160246510 A1) in view of Motel (US 10176078 B1) in view of Callaghan (US 5737523 A) and further in view of Tatsubori (US 20060059252 A1).

As to claim 4, ROTHMAN, Motel and Callaghan do not teach storing, responsive to the allowing, a first portion of data in the protected resource, the storing including tagging the first portion of data with a tag corresponding to the caller. However, Tatsubori teaches storing, responsive to the allowing, a first portion of data in the protected resource, the storing including tagging the first portion of data with a tag corresponding to the caller (execution result is read from a memory area with the appropriate object name and access authority set at step S36 and the object name, the access authority set, and the execution result are together registered in the storage section as a new cache entry at step S38, para[0108], ln 12-35/ begins at step S10 wherein an object call request is received from a user to identify the request object name. Then, the acquired request object name is stored in appropriate memory at step S12. At step S14, a user ID which has been sent in advance or supplied with the object call request is used as a key to look up a user-access authority table to acquire the access authority granted to the user, which is registered in the memory. At step S16, the acquired user's access authority and object name are used to read an entry of the object-access authority list from the memory for comparison. If the result of the comparison made at step S16 shows that the requested object can be executed under the user's access authority (yes), the process proceeds to step S18. At step S18, the object name is used as a search key to search for a cache entry stored in the storage section 34. If the cache entry is found at step S18 (yes), the access controller is notified at step S20 that the cache entry is found, para[0105] to para[0106], ln 1-30).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teaching of ROTHMAN, Motel and Callaghan with Tatsubori to incorporate the feature of storing, responsive to the allowing, a first portion of data in the protected resource, the storing including tagging the first portion of data with a tag corresponding to the caller because this provides a high degree of flexibility in access authority changes made by the user and Web service access authority changes made by Web service providers.
As to claim 5, Tatsubori teaches determining, responsive to the allowing, that a second portion of data in the protected resource is tagged with a second tag corresponding to the caller; and providing, responsive to the determining, the second portion of data to the caller (para[0018], ln 7-20/ para[0105] to para[0106], ln 1-30) for the same reason as to claim 4 above.
As to claim 6, Tatsubori teaches determining, responsive to the allowing, that a second portion of data in the protected resource is tagged with a second tag that does not correspond to the caller; and preventing, responsive to the determining, the second portion of data from being provided to the caller (para[0108], ln 1-15) for the same reason as to claim 4 above.
As to claims 10-12, 19-20, they are rejected for the same reasons as to claims 1-6.
As to claim 13, Tatsubori teaches the stored program instructions are stored in the at least one of the one or more storage media of a local data processing system, and wherein the stored program instructions are transferred over a network from a remote data processing system (para[0031], ln 1-15/ para[0006], ln 6-20) for the same reason as to claim 1 above.

Claims 14, 15 are rejected under 35 U.S.C. 103 as being unpatentable over ROTHMAN (US 20160246510 A1) in view of Motel (US 10176078 B1) in view of Callaghan (US 5737523 A) and further in view of Norwood (US 20150033112 A1).

As to claim 14, ROTHMAN, Motel and Callaghan do not teach the stored program instructions are stored in the at least one of the one or more storage media of a server data processing system, and wherein the stored program instructions are downloaded over a network to a remote data processing system for use in a computer readable storage device associated with the remote data processing system. However, Norwood teaches the stored program instructions are stored in the at least one of the one or more storage media of a server data processing system, and wherein the stored program instructions are downloaded over a network to a remote data processing system for use in a computer readable storage device associated with the remote data processing system (The products comprise computer code stored in memory on the system server, such as a remote cloud-based server, and/or accessible by or stored in whole or in part the within the memory of an end user's electronic computing device. The products may further comprise non-transitory computer readable medium containing computer executable instructions to carry out, by the processor, the methods when the instructions are run on an end user's electronic computing device or on a network, and wherein the instructions are downloadable from or stored on a system server. In one embodiment, for example, the computer program product is a mobile application on an end user's computing device (e.g. smartphone), wherein the product comprises non-transitory computer readable storage medium containing software instructions that, when executed by the device's processor, cause the device to perform acts included in one or more of the embodiments disclosed herein, para[0154]).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teaching of ROTHMAN, Motel and Callaghan with Tatsubori to incorporate the feature of storing, responsive to the allowing, a first portion of data in the protected resource, the storing including tagging the first portion of data with a tag corresponding to the caller because this provides a high degree of flexibility in access authority changes made by the user and Web service access authority changes made by Web service providers.
As to claim 15, Norwood teaches the computer program product is provided as a service in a cloud environment (para[0254]) for the same reason as to claim 14 above.
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to LeChi Truong whose telephone number is (571) 272-3767. The examiner can normally be reached on 10-8PM.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, SAM SOUGH can be reached on (571) 272-6799. The fax phone number for the organization where this application or proceeding is assigned is 703-872-9306.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free).
/LECHI TRUONG/Primary Examiner, Art Unit 2194