DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Specification

The lengthy specification has not been checked to the extent necessary to determine the presence of all possible minor errors. Applicant’s cooperation is requested in correcting any errors of which applicant may become aware in the specification.
Allowable Subject Matter


Claims 4 and 20 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims. Claim 5 is objected due to depending from claim 4. 
Claim Rejections - 35 USC § 103



The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claim 1, 12 and 18 is/are rejected under 35 U.S.C. 103 as being unpatentable over Girkar et al (US 7,464,113) in view of Maheshwari et al (US 2012/0266000) and Overby (US 2015/0089218).
Regarding claim 1, Girkar teaches the database system comprising: a transaction logger configured to write transaction log entries to a transaction log, each of the transaction log entries comprising  a transaction processed by the database system and counter value (figure 1, 111 – Log Writer & Col 5, lines 47-57, Col 6, lines 1-8: the primary database 110 creates a redo record that describes the change and invokes a log writer process 111. In response, the log writer process 111 synchronizes the transaction based on the number of outstanding transactions and the predetermined threshold value set by the database operator); a first secure counter configured to, the counter value comprising a representation of the number of transaction log entries which have been written to the transaction log for transactions which have been committed to the database (figure 2, 203-211 & Col 4, lines 2-7: If the counter is greater than the predetermined bound, then the log writer process blocks a commit of the transaction until the counter is less than the predetermined bound. On the other hand, if the counter is less than the predetermined bound, then the log writer process increments the counter and acknowledges the commit of the transaction); and a restoration module configured to restore the database system based, at least in part, on transaction log entries retrieved from the transaction log and a current value of the first secure counter (figure 1, 139 managed recovery process & Col 2, lines 50-65: Meanwhile, a primary archiver process 615 in the background inspects the primary redo logs 613 and saves the redo records in primary archive logs 617 for use in non-disaster recovery procedures. The log writer process 611 also transmits the redo records and transaction commits to the standby database 530) a second secure counter configured to maintain a representation of the number of transaction log entries which have been truncated by the log truncation module, wherein the restoration module is further configured to restore the database system based on counter values of the first secure counter and the second secure counter(Figure 2 and 3, 203, 303).
	Girkar does not explicitly teach a database system configured such that at least part of the database system is configured to be executed within a trusted execution environment, and stored outside of the trusted execution environment.
	Maheshwari teaches a database system configured such that at least part of the database system is configured to be executed within a trusted execution environment (Figure 1, 102-104, and paragraph 0024 - As shown in FIG. 1, the systems and methods of the present invention are operable to secure an untrusted storage medium 106 by leveraging a trusted processing environment 102 and a small amount of trusted storage 104) and stored outside of the trusted execution environment (Figure 3B, 310 – untrusted storage).
	Accordingly it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the teachings of Girkar to include a database system configured such that at least part of the database system is configured to be executed within a trusted execution environment, and stored outside of the trusted execution environment as taught by Maheshwari. It would be advantageous to make the combination so prevent unauthorized of tampering of the system and to keep the integrity of the stored data as taught by Maheshwari (paragraph 0005).
	Overby teaches generate the counter value stored outside of the trusted execution environment (Figure 2, 230 and 262, shows the trusted execution environment is separated from the counter 262).
	Accordingly it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the teachings of Girkar in view of Maheshwari to include generate the counter value stored outside of the trusted execution environment as taught by Overby. It would be advantageous to allow access to sensitive data while protecting the sensitive data from malicious use as taught by Overby (paragraph 0042).
Claim 12 is rejected using similar rationale seen in the rejection of claim 1 due to reciting similar limitation but directed towards a method.
Regarding claim 18, Girkar teaches computer-implemented method for restoring a database system, , the method comprising: receiving one or more transaction log entries retrieved from a transaction log stored, each of the one or more transaction log entries representing a transaction processed by the database system (figure 1, 111 – Log Writer & Col 5, lines 47-57, Col 6, lines 1-8: the primary database 110 creates a redo record that describes the change and invokes a log writer process 111. In response, the log writer process 111 synchronizes the transaction based on the number of outstanding transactions and the predetermined threshold value set by the database operator); and receiving a current value of a first secure count maintained by the database system, the first secure count representing the number of transaction log entries which have been written to the transaction log for transactions which have been committed to the database (figure 2, 203-211 & Col 4, lines 2-7: If the counter is greater than the predetermined bound, then the log writer process blocks a commit of the transaction until the counter is less than the predetermined bound. On the other hand, if the counter is less than the predetermined bound, then the log writer process increments the counter and acknowledges the commit of the transaction); verifying the integrity of the transaction log based, at least in part, on the current value of the first secure count by determining that a correct number of transaction log entries has been received (Figure 2, 203 and Figure 3, 303); and in response to verifying the integrity of the received transaction log entries, restoring the database using the received transaction log entries and the current value of the first secure count (figure 1, 139 managed recovery process & Col 2, lines 50-65: Meanwhile, a primary archiver process 615 in the background inspects the primary redo logs 613 and saves the redo records in primary archive logs 617 for use in non-disaster recovery procedures. The log writer process 611 also transmits the redo records and transaction commits to the standby database 530), restoring the database system based, at least in part, on the transaction log entry of the transaction log and counter values of the first secure counter and the second secure counter (Figure 2 and 3, 203, 303).
	Maheshwari teaches a database system configured such that at least part of the database system is configured to be executed within a trusted execution environment (Figure 1, 102-104, and paragraph 0024 - As shown in FIG. 1, the systems and methods of the present invention are operable to secure an untrusted storage medium 106 by leveraging a trusted processing environment 102 and a small amount of trusted storage 104) and stored outside of the trusted execution environment (Figure 3B, 310 – untrusted storage). 
	Accordingly it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the teachings of Girkar to include a database system configured such that at least part of the database system is configured to be executed within a trusted execution environment, and stored outside of the trusted execution environment as taught by Maheshwari. It would be advantageous to make the combination so prevent unauthorized of tampering of the system and to keep the integrity of the stored data as taught by Maheshwari (paragraph 0005).
Overby teaches the counter value stored outside of the trusted execution environment (Figure 2, 230 and 262, shows the trusted execution environment is separated from the counter 262).
	Accordingly it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the teachings of Girkar in view of Maheshwari to include the counter value stored outside of the trusted execution environment as taught by Overby. It would be advantageous to allow access to sensitive data while protecting the sensitive data from malicious use as taught by Overby (paragraph 0042).

Claim 2 is/are rejected under 35 U.S.C. 103 as being unpatentable over Girkar et al (US 7,464,113) in view of Maheshwari et al (US 2012/0266000) and Overby (US 2015/0089218) as applied to claim 1 above, and further in view of Koseki et al (US 6,732,124) and Volk et al (US 2015/0052108).
Regarding claim 2, Girkar in view of Maheshwari and Overby does not explicitly teach a log truncation module configured to truncate the transaction log by generating a snapshot representing the state of the database system at a particular point in time and truncating all transaction log entries for transactions occurring before that point in time; 
Koeseki teaches truncating all transaction log entries for transactions occurring before that point in time (Col 31 & 32, lines 60-67 and 1-9: The arguments may include such information as: the name of a file to be manipulated, how much the file should be truncated, what data should be appended to the file, and the like. That is, the operation log information shows what actions were intended by the transaction. In the event of an abnormal shutdown, the log replayer program would use this information to redo an unfinished transaction by directly manipulating the file system); and a second secure counter configured to maintain a representation of the number of transaction log entries which have been truncated by the log truncation module(Col 38, lines 54-60,The logging system resets the big-transaction-in-progress flag to indicate that no big transaction is under way, and increments the concurrent transaction counter) restore the database system based on a current value of the second secure counter (Col 38, lines 54-60,The logging system resets the big-transaction-in-progress flag to indicate that no big transaction is under way, and increments the concurrent transaction counter).
Volk teaches generating a snapshot representing the state of the database system at a particular point in time (figure 2, 201-205 – request creation of snapshot), wherein the restoration module is further configured to restore the database system based additionally on a latest snapshot of the database system (figure 2 and figure 11, 1102 – perform update of snapshot and/or data warehouse).
 Accordingly it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the teachings of Girkar in view of Maheshwari and Overby to include a log truncation module configured to truncate the transaction log by generating a snapshot representing the state of the database system at a particular point in time and truncating all transaction log entries for transactions occurring before that point in time; and a second secure counter configured to maintain a representation of the number of transaction log entries which have been truncated by the log truncation module, wherein the restoration module is further configured to restore the database system based additionally on a latest snapshot of the database system and a current value of the second secure counter as taught by Koeseki and Volk. It would be advantageous to make the combination to create a reference point in time that contains valid transactions so when the system has an error, it has a proper reference point to restore from as taught in the cited sections.


Claims 3, 13, and 19 is/are rejected under 35 U.S.C. 103 as being unpatentable over Girkar et al (US 7,464,113) in view of Maheshwari et al (US 2012/0266000), Overby (US 2015/0089218), Koseki et al (US 6,732,124) and Volk et al (US 2015/0052108) as applied to claim 2 above, and further in view of Haderele (US 5,581,750).
Regarding claim 3, Girkar in view of Maheshwari, Koeseki, and Volk teaches the restoration module is further configured to restore the database system based additionally on a latest snapshot as seen in the rejection of claim 2. 
Girkar in view of Maheshwari, Overby, Koeseki, and Volk does not teach a third secure counter configured to maintain a representation of the number of transaction log entries which have been written to the transaction log, wherein: each transaction log entry written to the transaction log by the transaction logger comprises a respective indication of the value of the third secure counter at the time that the transaction log entry was written; and the restoration module is further configured to restore the database system based on the respective values of the third secure counter indicated by each of the transaction log entries.
Haderele teaches a third secure counter configured to maintain a representation of the number of transaction log entries which have been written to the transaction log, wherein: each transaction log entry written to the transaction log by the transaction logger comprises a respective indication of the value of the third secure counter at the time that the transaction log entry was written (Figure 3, 60-76, DB1 Write-Claim counter); and the restoration module is further configured to restore the database system based on the respective values of the third secure counter indicated by each of the transaction log entries (Figure 7 126-134,and col 10-11, lines 55-65 and lines 1-8, A database close log record is written to indicate that the database is no longer in update mode 134 (for DBMS system restart use). Also, the database is indicated to be in R/O mode 136 (i.e., database checkpoint records will no longer be written for this database)).
Accordingly it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the teachings of Girkar in view of Maheshwari, Overby, Koeseki and Volk, to include a third secure counter configured to maintain a representation of the number of transaction log entries which have been written to the transaction log, wherein: each transaction log entry written to the transaction log by the transaction logger comprises a respective indication of the value of the third secure counter at the time that the transaction log entry was written; and the restoration module is further configured to restore the database system based on the respective values of the third secure counter indicated by each of the transaction log entries as taught by Haderele. It would be advantageous to make the combination to number the transactions so the system can easily organize the transactions as taught in the cited sections.
Claim 13 is rejected using similar rationale seen in the rejection of claim 3 due to reciting similar limitation but directed towards a method.
Regarding claim 19, Girkar in view of Maheshwari, Overby, Koeseki, and Volk teaches the restoration module is further configured to restore the database system based additionally on a latest snapshot as seen in the rejection of claim 2 and verifying the integrity of the transaction log entries further comprises determining that the values of the third secure count indicated in each of the received transaction log entries forms a complete sequence (Koeseki, col 17, lines 46-59 - A third distinctive feature of the present invention is that the logging system has a large counter to produce a long series of sequence numbers which are given to every log record at the end of a transaction); and restoring the database using the received transaction log entries comprises ignoring any transaction log entries which include an indication of the third secure count which is greater than the current value of the first secure counter and/or less than the current value of the second secure counter (Girkar – Figure 2 and 3, 203, 303)
Haderele teaches a third secure counter configured to maintain a representation of the number of transaction log entries which have been written to the transaction log, wherein: each transaction log entry written to the transaction log by the transaction logger comprises a respective indication of the value of the third secure counter at the time that the transaction log entry was written (Figure 3, 60-76, DB1 Write-Claim counter); and the restoration module is further configured to restore the database system based on the respective values of the third secure counter indicated by each of the transaction log entries (Figure 7 126-134,and col 10-11, lines 55-65 and lines 1-8, A database close log record is written to indicate that the database is no longer in update mode 134 (for DBMS system restart use). Also, the database is indicated to be in R/O mode 136 (i.e., database checkpoint records will no longer be written for this database)).
Accordingly it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the teachings of Girkar in view of Maheshwari, Overby, Koeseki and Volk, to include a third secure counter configured to maintain a representation of the number of transaction log entries which have been written to the transaction log, wherein: each transaction log entry written to the transaction log by the transaction logger comprises a respective indication of the value of the third secure counter at the time that the transaction log entry was written; and the restoration module is further configured to restore the database system based on the respective values of the third secure counter indicated by each of the transaction log entries as taught by Haderele. It would be advantageous to make the combination to number the transactions so the system can easily organize the transactions as taught in the cited sections.
Claims 8 and 14 is/are rejected under 35 U.S.C. 103 as being unpatentable over Girkar et al (US 7,464,113) in view of Maheshwari et al (US 2012/0266000) and Overby (US 2015/0089218) as applied to claim 1 above, and further in view of Arnautov et al (NPL Document U) and Baumann et al (NPL Document V).
Regarding claim 8, Girkar in view of Maheshwari and Overby does not explicitly teach a plurality of transaction processing threads, wherein each of the transaction log entries written to the transaction log comprise a respective indication of the transaction processing thread which processed the transactions represented by that transaction log entry, wherein each of the separate transaction processing threads is associated with a separate respective first, second and third secure counter and the restoration module is further configured to restore the database system based additionally on the indication of the transaction processing thread in each transaction log entry and the respective first, second and third secure counters for each transaction processing thread.
	Arnautov teaches a plurality of transaction processing threads, wherein each of the transaction log entries written to the transaction log comprise a respective indication of the transaction processing thread which processed the transactions represented by that transaction log entry (page 691, 2.3 Intel SGX, threading and page 693, 3.1 Architecture, “when an application thread issues a system call, SCONE checks if there is another application thread that it can wake and execute until the result of the system call is available”).
Baumann teaches wherein each of the separate transaction processing threads is associated with a separate respective first, second and third secure counter and the restoration module is further configured to restore the database system based additionally on the indication of the transaction processing thread in each transaction log entry and the respective first, second and third secure counters for each transaction processing thread (page 8:10 4.3 Shield Services – ”These operate as virtual CPUs supporting an arbitrary number of application threads inside the enclave. Besides multiplexing application threads across the virtual CPUs, the shield’s scheduler implements primitives for events, mutexes, and semaphores).
Accordingly it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the teachings of Girkar in view of Maheshwari and Overby to include a plurality of transaction processing threads, wherein each of the transaction log entries written to the transaction log comprise a respective indication of the transaction processing thread which processed the transactions represented by that transaction log entry, wherein each of the separate transaction processing threads is associated with a separate respective first, second and third secure counter and the restoration module is further configured to restore the database system based additionally on the indication of the transaction processing thread in each transaction log entry and the respective first, second and third secure counters for each transaction processing thread as taught by Arnautov and Baumann. It would be advantageous to make the combination so threads are used efficiently and not many thread transitions take place as taught in the cited sections.
Claim 14 is rejected using similar rationale seen in the rejection of 8 due to reciting similar limitations but directed to a method.

Claim 9 and 17 is/are rejected under 35 U.S.C. 103 as being unpatentable over Girkar et al (US 7,464,113) in view of Maheshwari et al (US 2012/0266000) and Overby (US 2015/0089218) as applied to claim 1 above, and further in view of Jacquin et al (US 2017/0302454).
Regarding claim 9, Girkar in view of Maheshwari and Overby does not explicitly teach wherein the database system is configured to encrypt each of the transaction log entries using a securely stored encryption key.
Jacquin teaches wherein the database system is configured to encrypt each of the transaction log entries using a securely stored encryption key (Figure 3, 310-320 and paragraph 0031 - electronic circuit in the memory fabric may obtain a transaction integrity key (TIK) and a transaction encryption key (TEK)).
Accordingly it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the teachings of Girkar in view of Maheshwari and Overby to include wherein the database system is configured to encrypt each of the transaction log entries using a securely stored encryption key as taught by Jacquin. It would be advantageous to make the combination to prevent unauthorized of tampering of the system and to keep the integrity of the stored data as taught in the cited sections.
	Claim 17 is rejected using similar rationale seen in the rejection of 9 due to reciting similar limitations but directed to a method.

Claims 6-7, 10-11, and 15-16 is/are rejected under 35 U.S.C. 103 as being unpatentable over Girkar et al (US 7,464,113) in view of Maheshwari et al (US 2012/0266000) and Overby (US 2015/0089218) as applied to claim 1 above, and further in view of Chhabra et al (US 2014/0157404).
Regarding claim 6, Girkar in view of Maheshwari and Overby does not teach wherein the first secure counter is a monotonic counter.
Chhabra teaches wherein the first secure counter is a monotonic counter. (Figure 2, 294 – virtual monotonic counter).
Accordingly it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the teachings of Girkar in view of Maheshwari and Overby to include wherein the secure counters are monotonic counters as taught by Chhabra. It would be advantageous to make the combination to protect the security of information as taught by Chhabra (paragraph 0014).
Regarding claim 7, Girkar in view of Maheshwari and Overby does not teach wherein the first secure counter is a monotonic counter.
Chhabra teaches wherein the first secure counter is a non-monotonic counter. (Figure 2, 294 – virtual monotonic counter).
Accordingly it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the teachings of Girkar in view of Maheshwari and Overby to include wherein the secure counters are non-monotonic counters as taught by Chhabra. It would be advantageous to make the combination to protect the security of information as taught by Chhabra (paragraph 0014).
Claim 15-16 are rejected using similar rationale seen in the rejection of claim 6-7 due to reciting similar limitations but directed to a method.
Regarding claim 10, Girkar in view of Maheshwari and Overby does not teach wherein the secure counters are monotonic counters.
Chhabra teaches wherein the secure counters are monotonic counters (Figure 2, 294 – virtual monotonic counter).
Accordingly it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the teachings of Girkar in view of Maheshwari and Overby to include wherein the secure counters are monotonic counters as taught by Chhabra. It would be advantageous to make the combination to protect the security of information as taught by Chhabra (paragraph 0014).
Regarding claim 11, Girkar in view of Maheshwari and Overby does not teach wherein the monotonic counters are provided by a distributed monotonic counter service, the distributed monotonic counter service comprising two or more replicated instances, the two or more replicated instances being distributed across more than one fault domain, wherein the distributed monotonic counter service is configured to determine a current value of each secure count using a consensus protocol between two or more or all of the replicated instances.
Chhabra teaches wherein the monotonic counters are provided by a distributed monotonic counter service, the distributed monotonic counter service comprising two or more replicated instances, the two or more replicated instances being distributed across more than one fault domain (Figure 2, and paragraph 0029 - In FIG. 2, service application 261 is shown in service secure enclave 260 and user application 271 is shown in user secure enclave 270), wherein the distributed monotonic counter service is configured to determine a current value of each secure count using a consensus protocol between two or more or all of the replicated instances (Figure 3 310-360 and paragraph 0042 - In box 354, virtual count field 283 may be initialized, e.g., to a predetermined initialization value, to the current count value of hardware monotonic counter 154, or to any other value. In box 356, the value of virtual count field 283 may be sent to user application 271 to initialize user count field 293 in user secure memory space 272).
Accordingly it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the teachings of Girkar in view of Maheshwari and Overby to include wherein the monotonic counters are provided by a distributed monotonic counter service, the distributed monotonic counter service comprising two or more replicated instances, the two or more replicated instances being distributed across more than one fault domain, wherein the distributed monotonic counter service is configured to determine a current value of each secure count using a consensus protocol between two or more or all of the replicated instances as taught by Chhabra. It would be advantageous to make the combination to protect the security of information as taught by Chhabra (paragraph 0014).

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SAMUEL SHARPLESS whose telephone number is (571)272-1521. The examiner can normally be reached M-F 7:30 AM- 3:30 PM (ET).
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, MARK FEATHERSTONE can be reached on (571)270-3750. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/S.C.S./Examiner, Art Unit 2166                                                                                                                                                                                                        
/MARK D FEATHERSTONE/Supervisory Patent Examiner, Art Unit 2166