DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
This Office Action is in response to the application filed on 09/24/2020. Claims 1-20 are examined.

Specification
The disclosure is objected to because of the following informalities: Applicant correct paragraph [0036] to read “FIG. 2 includes” but failed to correct the language regarding FIG. 2 thought out the rest of the application.  
Appropriate correction is required.

Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.

Claim(s) 1-10, 16-21 is/are rejected under 35 U.S.C. 102(a)(1) as being Anticipated by Bear (U.S. 20190004972).

Regarding claim 1:
	Bear discloses: A method comprising ([0016] In the following description, methods, configurations, and related apparatuses are disclosed for the detection and mitigation of side-channel analysis (SCA) attacks that attempt to locate privileged pages in system memory): generating ([0080] generate phantom page table entries) for a code block of a process executing on a controller-based device one or more code block copies ([0036] Phantom Pages; [0053] Phantom pages 670 having the same pattern of page attributes as 680, due to being mapped to Traps 675 in physical memory whose attributes are identical to the valid kernel pages 680) defined in a virtual address space ([0036] Kernel virtual memory pages (e.g., space 420)) of the controller-based device ([0073] The machine (e.g., computer system) 1000), wherein the code block of the process is stored in a particular segment of a physical address space of the controller-based device ([0049] respective pages (pages 635) in the physical memory 610), with the code block configured to separately map to each of the one or more of the code block copies in the virtual address space ([0033] “Phantom Pages” mapped to the kernel region of each user process' virtual memory; [0034] Such computers employ “mapping” schemes that create for each active process a correspondence between that process' virtual memory, and portion of the (typically) much smaller physical memory actually present in the machines); and processing at least a portion of one of the one or more code block copies ([0060] The flowchart 700 continues with operations that detect access to one or more trap pages (operation 740, detecting the attempted access from event 735)) defined in the virtual address space when the corresponding code block of the process is to be processed ([0036] Phantom pages mapped into Trap Pages and “Trap Entry detectors”. The combined use of Trap pages and Trap Entry detectors is referred to as a “Trap+Trigger”; [0037] “Trap Pages” refers to physical memory page addresses (which may or may not have a corresponding physical memory into which some portion (e.g., all or almost all) of the “Phantom pages”) otherwise unused and unmapped Kernel virtual memory space pages—are mapped).
	
Regarding claim 2, 
	Bear discloses: The method of claim 1, wherein generating the one or more code block copies comprises 
Bear further discloses: generating for the code block of the process executing on a controller-based device a plurality of code variants defined in the virtual address space of the controller-based device ([0054] Some of these time variations stem from different properties of the accessed physical memory. For example, besides the well-known Executable (X), Not executable (NX), Read Only (R), or Read Write (RW) properties, memory addresses in ×86 architecture may be assigned (through Memory Type Range Registers (MTRRs), Page Attribute Tables (PATS) and similar arrangements) any one of six (6) memory types: Uncacheable=UC, Write-Combining=WC, Write-Through=WT, Write-Protect=WP, Write-Back=W and Reserved. [0055] With a “Kernel Misleading” technique, multiple Phantom Pages may be assigned different properties and types, in such a way the time response pattern obtained by an attacker hitting on these Phantom Pages will be similar (or identical, with the constraints of process noise etc.) to the attacker's reference patterns, thus creating “Phantom Kernels”. Since the number of the Phantoms Kernels may be large, the probability of the attacker using a Phantom location to construct his gadgets may be large, and thus the probability of foiling an attack is expected to be high), wherein the code block is configured to separately map to each of the plurality of the code variants in the virtual address space (([0033] “Phantom Pages” mapped to the kernel region of each user process' virtual memory; [0034] Such computers employ “mapping” schemes that create for each active process a correspondence between that process' virtual memory, and portion of the (typically) much smaller physical memory actually present in the machines); and wherein processing ([0080] detect access to the trap page, accessed via the phantom page table entries, to trigger a response to a potential attack) the at least the portion of one of the one or more code block copies comprises selecting for execution one of the plurality of code variants when the corresponding code block of the process is to be processed (([0036] Phantom pages mapped into Trap Pages and “Trap Entry detectors”. The combined use of Trap pages and Trap Entry detectors is referred to as a “Trap+Trigger”; [0037] “Trap Pages” refers to physical memory page addresses (which may or may not have a corresponding physical memory into which some portion (e.g., all or almost all) of the “Phantom pages”) otherwise unused and unmapped Kernel virtual memory space pages—are mapped)).

Regrading claim 3, 
Bear discloses: The method of claim 2, wherein selecting for execution one of the plurality of code variants comprises: 
Bear further discloses: randomly selecting for execution the one of the plurality of code variants ([0069] The loading and deployment of memory pages into memory may be performed with use of KASLR management functionality 942, such as used to randomize locations of kernel pages in the virtual memory address space); [0063] The generation and placement may include the insertion of one or multiple trap pages into physical memory, and the insertion of phantom page table entries in a page table map that maps to one or multiple of the trap pages in physical memory; [0053] FIG. 6B illustrates a side-channel analysis (SCA)-detectable Kernel pattern 685 and an example technique for creation of a large number of duplicate pages in a kernel virtual address space 650, with minimal expenditure of actual physical memory 660, as part of a “Kernel Misleading” implementation. Prior to Kernel Misleading implementation, system administrators look—manually or automatically for a number of such patterns likely to be used by attackers for precise location of Kernel gadgets, shown in the example as 680. As shown, Phantom pages 670 having the same pattern of page attributes as 680, due to being mapped to Traps 675 in physical memory whose attributes are identical to the valid kernel pages 680).

Regarding claim 4, 
Bear discloses: The method of claim 3, further comprising: 
Bear further discloses: updating a program counter of the controller-based device according to the randomly selected one of the plurality of code variants ([0060] The flowchart 700 continues with operations that detect access to one or more trap pages (operation 740, detecting the attempted access from event 735), and optionally detecting repeated access to the same or different trap pages (operation 750)).

Regarding claim 5, 
Bear discloses: The method of claim 4, wherein updating the program counter of the controller-based device comprises: 
Bear further discloses: determining a base virtual address corresponding to the code block of the process stored in the particular segment of a physical address space; determining a phantom index identifying the randomly selected one of the plurality of code variants; and computing a program counter value for the program counter according to the determined base virtual address corresponding to the code block stored in the particular segment of the physical address space and based on the determined phantom index ([0028] Privileged software is commonly implemented in a dedicated portion of the available virtual space customarily, 1 GB in 32-bit systems, several terabytes in 64-bit systems, in a “Kernel” region. Thus, privileged software sets up itself and stores the actual code and data in random virtual addresses, somewhere within this Kernel Region. As an illustration of this separated region, FIG. 4 depicts an example virtual memory partitioning into a Kernel virtual address space 420 and a User virtual address space 410, and associated mapping of pages from these spaces to physical memory 430) in the alternative ([0023] In the example technique 300, on context switching, the CPU loads hardware register CR3 with the base address of the first table (Page Map Level 4—PML4), and the nine (9) bits of the virtual address serve as an index into the table to produce the base address of the next level (Page Directory Pointer—PDP)).

Regarding claim 6, 
Bear discloses: The method of claim 2, wherein generating the plurality of code variants comprises: 
Bear further discloses: determining for each code variant a respective shift value representing a relative shift of the location of the program instructions in the respective code variant compared to original locations of the original instructions of the code block; and defining the plurality of code variants in the virtual address space, with the first instruction of each variant located in the virtual address space at a corresponding virtual address space location computed according to a respective virtual address space offset, and the respective determined shift value ([0023] In the example technique 300, on context switching, the CPU loads hardware register CR3 with the base address of the first table (Page Map Level 4—PML4), and the nine (9) bits of the virtual address serve as an index into the table to produce the base address of the next level (Page Directory Pointer—PDP). The process repeats with the next level, Page Directory (PD), and the next level, the Page Table (PT). Thus, each level table is 4K bytes (512 (2.sup.9) lines, each 8 bytes long) and the complete “page walk” specifies a 4 KB page in physical memory. The final, byte-level addressing within the 4 KB page is achieved through a twelve-bit offset).

Regarding claim 7, 
Bear discloses: The method of claim 6, further comprising processing the selected one of the plurality of variants, including: 
Bear further discloses: computing a return address for the one of the plurality of code variants in the virtual address space ([0022] FIG. 3 illustrates an example technique 300 for translation from a virtual memory address to a physical memory address via page tables. The current-design ×86 PMH (e.g., PIM 130) performs a “Page Walk”, building up the address of a page in physical memory by traversing Page Tables (e.g., as many as four or five tables and levels) located in Kernel memory space. [0023] In the example technique 300, on context switching, the CPU loads hardware register CR3 with the base address of the first table (Page Map Level 4—PML4), and the nine (9) bits of the virtual address serve as an index into the table to produce the base address of the next level (Page Directory Pointer—PDP). The process repeats with the next level, Page Directory (PD), and the next level, the Page Table (PT). Thus, each level table is 4K bytes (512 (2.sup.9) lines, each 8 bytes long) and the complete “page walk” specifies a 4 KB page in physical memory. The final, byte-level addressing within the 4 KB page is achieved through a twelve-bit offset. (It will be noted that this and other examples in the present application are provided in terms of 4 KB pages and four-level paging. Other page sizes and paging levels, depending on paging mode, are possible and usable with the techniques discussed herein)); storing one value derived from the return address in a software-implemented return address stack; and storing another value derived from the return address ([0018] In general, every time a piece of information—instructions, data, address resolution—is obtained, it is stored in an appropriate cache or a buffer) in a hardware-based structure that is immutable to external writes ([0093] In Example 14, the subject matter of Examples 11-13 includes, wherein attributes of the phantom page are established to indicate an executable, not executable, read-only, read-write, uncacheable, write-combining, write-through, write-protect, write-back, or reserved status of a mapped page).

Regarding claim 8, 
Bear discloses: The method of claim 7, 
Bear further discloses: wherein the return address comprises a lower address portion including the respective shift value, 6, and an upper address portion including a phantom index identifying the randomly selected one of the plurality of code variants; wherein storing the one value derived from the return address comprises storing the lower address portion of the return address in the software-implemented return address stack ([0040] Additionally, ×86 architecture typically includes a number of “Range Registers”. Each of these registers may include a pair of registers—“Base” and “Mask”—that specify certain property of a range of physical addresses defined by a logical operation between the register pair, and a combination of hardware and software facility (e.g., microcode) that performs certain actions whenever an address within that range is accessed); and wherein storing the other value derived from the return address comprises storing the upper address portion of the return address in a hardware-based secret domain stack (SDS) structure that is immutable to external writes ([0093] In Example 14, the subject matter of Examples 11-13 includes, wherein attributes of the phantom page are established to indicate an executable, not executable, read-only, read-write, uncacheable, write-combining, write-through, write-protect, write-back, or reserved status of a mapped page).
	
Regarding claim 9, 
Bear discloses: The method of claim 2, wherein generating the plurality of code variants comprises: 
Bear further discloses: including for each variant from the plurality of code variants one or more padding instructions at corresponding one or more virtual address space locations ([0061] For example, measures may be implemented within the computing system to alert and stop the potential SCA attack (operation 770). In still further examples, various features may be implemented to prevent further access of kernel memory pages); [0060] Attempted accesses to the trap pages—especially repeated ones—could indicate an attack, and trigger an appropriate response to detect or prevent unauthorized actions within the computing system.

Regarding claim 10,
Bear discloses: The method of claim 9, wherein including for the each variant the one or more padding instructions at the corresponding one or more virtual address space locations comprises: 
Bear further discloses: adding to the each variant of the plurality of code variants a TRAP instruction at a respective pre-determined one or more relative locations from the start of the each variant of the plurality of variants, wherein the TRAP instruction is configured, when executed, to trigger a security exception event ([0036] Phantom Pages. As discussed in the following paragraphs, “Phantom Pages” refers to page addresses in a large number of “unused”, and otherwise unmapped, Kernel virtual memory pages (e.g., space 420). They are rendered “Phantoms” through the process, described below, of mapping a large number of such pages from virtual memory to a small number—one or more—physical memory page address, referred below as “Trap pages”. In an example, a technique for detecting the use of SCA attacks is provided by a combination of two facilities: Phantom pages mapped into Trap Pages and “Trap Entry detectors”. The combined use of Trap pages and Trap Entry detectors is referred to as a “Trap+Trigger”).

Regarding claim 16,
Bear discloses: A computer system comprising: one or more memory devices ([0073] The machine (e.g., computer system) 1000) to implement a physical address space ([0049] respective pages (pages 635) in the physical memory 610) for the computing system; and a controller configured to generate ([0080] generate phantom page table entries) for a code block of a process executing on the computing system one or more code block copies defined in a virtual address space of the computing system ([0036] Phantom Pages; [0053] Phantom pages 670 having the same pattern of page attributes as 680, due to being mapped to Traps 675 in physical memory whose attributes are identical to the valid kernel pages 680), wherein the code block of the process is stored in a particular segment of the physical address space of the computing system ([0049] respective pages (pages 635) in the physical memory 610), with the code block configured to separately map to each of the one or more of the code block copies in the virtual address space ([0033] “Phantom Pages” mapped to the kernel region of each user process' virtual memory; [0034] Such computers employ “mapping” schemes that create for each active process a correspondence between that process' virtual memory, and portion of the (typically) much smaller physical memory actually present in the machines); and process at least a portion of one of the one or more code block copies ([0060] The flowchart 700 continues with operations that detect access to one or more trap pages (operation 740, detecting the attempted access from event 735)) defined in the virtual address space when the corresponding code block of the process is to be processed ([0036] Phantom pages mapped into Trap Pages and “Trap Entry detectors”. The combined use of Trap pages and Trap Entry detectors is referred to as a “Trap+Trigger”; [0037] “Trap Pages” refers to physical memory page addresses (which may or may not have a corresponding physical memory into which some portion (e.g., all or almost all) of the “Phantom pages”) otherwise unused and unmapped Kernel virtual memory space pages—are mapped).

Regarding claim 17, 
Bear discloses: The computing system of claim 16, 
Bear further discloses: wherein the controller configured to generate ([0080] generate phantom page table entries) the one or more code block copies is configured to generate for the code block of the process executing on the computing system a plurality of code variants defined in the virtual address space of the computing system ([0054] Some of these time variations stem from different properties of the accessed physical memory. For example, besides the well-known Executable (X), Not executable (NX), Read Only (R), or Read Write (RW) properties, memory addresses in ×86 architecture may be assigned (through Memory Type Range Registers (MTRRs), Page Attribute Tables (PATS) and similar arrangements) any one of six (6) memory types: Uncacheable=UC, Write-Combining=WC, Write-Through=WT, Write-Protect=WP, Write-Back=W and Reserved. [0055] With a “Kernel Misleading” technique, multiple Phantom Pages may be assigned different properties and types, in such a way the time response pattern obtained by an attacker hitting on these Phantom Pages will be similar (or identical, with the constraints of process noise etc.) to the attacker's reference patterns, thus creating “Phantom Kernels”. Since the number of the Phantoms Kernels may be large, the probability of the attacker using a Phantom location to construct his gadgets may be large, and thus the probability of foiling an attack is expected to be high), and to separately map to each of the plurality of the code variants in the virtual address space (([0033] “Phantom Pages” mapped to the kernel region of each user process' virtual memory; [0034] Such computers employ “mapping” schemes that create for each active process a correspondence between that process' virtual memory, and portion of the (typically) much smaller physical memory actually present in the machines); wherein the computing system further comprises a selector circuit to select for execution one of the plurality of code variants when the corresponding code block of the process is to be processed (([0036] Phantom pages mapped into Trap Pages and “Trap Entry detectors”. The combined use of Trap pages and Trap Entry detectors is referred to as a “Trap+Trigger”; [0037] “Trap Pages” refers to physical memory page addresses (which may or may not have a corresponding physical memory into which some portion (e.g., all or almost all) of the “Phantom pages”) otherwise unused and unmapped Kernel virtual memory space pages—are mapped)).

Regarding claim 18,
Bear discloses: The computing system of claim 17, wherein the selector circuit configured to select for execution one of the plurality of code variants is configured 
Bear further discloses: to randomly select for execution the one of the plurality of code variants ([0069] The loading and deployment of memory pages into memory may be performed with use of KASLR management functionality 942, such as used to randomize locations of kernel pages in the virtual memory address space); [0063] The generation and placement may include the insertion of one or multiple trap pages into physical memory, and the insertion of phantom page table entries in a page table map that maps to one or multiple of the trap pages in physical memory; [0053] FIG. 6B illustrates a side-channel analysis (SCA)-detectable Kernel pattern 685 and an example technique for creation of a large number of duplicate pages in a kernel virtual address space 650, with minimal expenditure of actual physical memory 660, as part of a “Kernel Misleading” implementation. Prior to Kernel Misleading implementation, system administrators look—manually or automatically for a number of such patterns likely to be used by attackers for precise location of Kernel gadgets, shown in the example as 680. As shown, Phantom pages 670 having the same pattern of page attributes as 680, due to being mapped to Traps 675 in physical memory whose attributes are identical to the valid kernel pages 680).

Regarding claim 19,
Bear discloses: The computing system of claim 18, further comprising a program counter, the controller is further configured to: 
Bear further discloses: update the program counter according to the randomly selected one of the plurality of code variants ([0060] The flowchart 700 continues with operations that detect access to one or more trap pages (operation 740, detecting the attempted access from event 735), and optionally detecting repeated access to the same or different trap pages (operation 750)). 

Regarding claim 20,
Bear discloses: The computing system of claim 17, wherein the controller configured to generate the plurality of code variants is configured to:
Bear further discloses: include for each variant from the plurality of code variants one or more padding instructions at corresponding one or more virtual address space locations ([0061] For example, measures may be implemented within the computing system to alert and stop the potential SCA attack (operation 770). In still further examples, various features may be implemented to prevent further access of kernel memory pages); [0060] Attempted accesses to the trap pages—especially repeated ones—could indicate an attack, and trigger an appropriate response to detect or prevent unauthorized actions within the computing system).

Regarding claim 21,
Bear discloses: Bear discloses: Non-transitory computer readable media comprising computer instructions executable on a processor-based device to generate ([0080] generate phantom page table entries) for a code block of a process executing on a processor-based device one or more code block copies defined in a virtual address space of the processor-based device ([0036] Phantom Pages; [0053] Phantom pages 670 having the same pattern of page attributes as 680, due to being mapped to Traps 675 in physical memory whose attributes are identical to the valid kernel pages 680), wherein the code block of the process is stored in a particular segment of the physical address space of the processor-based device ([0049] respective pages (pages 635) in the physical memory 610), with the code block configured to separately map to each of the one or more of the code block copies in the virtual address space ([0033] “Phantom Pages” mapped to the kernel region of each user process' virtual memory; [0034] Such computers employ “mapping” schemes that create for each active process a correspondence between that process' virtual memory, and portion of the (typically) much smaller physical memory actually present in the machines); and process at least a portion of one of the one or more code block copies ([0060] The flowchart 700 continues with operations that detect access to one or more trap pages (operation 740, detecting the attempted access from event 735)) defined in the virtual address space when the corresponding code block of the process is to be processed ([0036] Phantom pages mapped into Trap Pages and “Trap Entry detectors”. The combined use of Trap pages and Trap Entry detectors is referred to as a “Trap+Trigger”; [0037] “Trap Pages” refers to physical memory page addresses (which may or may not have a corresponding physical memory into which some portion (e.g., all or almost all) of the “Phantom pages”) otherwise unused and unmapped Kernel virtual memory space pages—are mapped).

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.

Claim 11 is/are rejected under 35 U.S.C. 103 as being unpatentable over Bear (U.S. 20190004972), in view of Muttik (U.S. 20180211046).

Regarding claim 11, 
Bear discloses: The method of claim 9, wherein including for the each variant the one or more instructions at the corresponding one or more virtual address space locations comprises: 
Bear further discloses: adding to the each variant of the plurality of code variants at a respective pre-determined one or more relative locations from the start of the each variant of the plurality of code variants in the virtual address space ([0036] Phantom Pages. As discussed in the following paragraphs, “Phantom Pages” refers to page addresses in a large number of “unused”, and otherwise unmapped, Kernel virtual memory pages (e.g., space 420). They are rendered “Phantoms” through the process, described below, of mapping a large number of such pages from virtual memory to a small number—one or more—physical memory page address, referred below as “Trap pages”. In an example, a technique for detecting the use of SCA attacks is provided by a combination of two facilities: Phantom pages mapped into Trap Pages and “Trap Entry detectors”. The combined use of Trap pages and Trap Entry detectors is referred to as a “Trap+Trigger”; [0060] Attempted accesses to the trap pages—especially repeated ones—could indicate an attack, and trigger an appropriate response to detect or prevent unauthorized actions within the computing system.

Bear does not disclose: a no-operation (NOP) instruction. However, in the same field of endeavor Muttik teaches: a no-operation (NOP) instruction ([0053] In at least one embodiment, when an ENDBRANCH instruction is removed, it may be replaced by a no-operation (NOP) instruction or something similar).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Muttik in the attack mitigation method of Bear by using a no-operation instruction. This would have been obvious because the person having ordinary skill in the art would have been motivated to replace an ENDBRANCH instruction with a NOP instruction (0053). A person of ordinary skill could have reasonably used a NOP instruction in Bear because a person of ordinary skill would have reasonably concluded the removal of the ENDBRANCH instruction can enable an exception to be generated so that the code flow can be observed based on the exception and that it may be replaced by a NOP instruction (0053).

Claim 12-13 is/are rejected under 35 U.S.C. 103 as being unpatentable over Bear (U.S. 20190004972), in view of Durham (U.S. 20200210070) and in further view of Muttik (U.S. 20180211046).

Regarding claim 12, 
Bear in view of Muttik discloses: The method of claim 11, 
Bear further discloses: wherein the plurality of code variants includes at least two code variants, and wherein the first of the at least two code variants includes a first of the at least two code variants, and wherein a second of the at least two code variants includes second of the at least two code variants ([0036] Phantom Pages. As discussed in the following paragraphs, “Phantom Pages” refers to page addresses in a large number of “unused”, and otherwise unmapped, Kernel virtual memory pages (e.g., space 420). They are rendered “Phantoms” through the process, described below, of mapping a large number of such pages from virtual memory to a small number—one or more—physical memory page address, referred below as “Trap pages”. In an example, a technique for detecting the use of SCA attacks is provided by a combination of two facilities: Phantom pages mapped into Trap Pages and “Trap Entry detectors”. The combined use of Trap pages and Trap Entry detectors is referred to as a “Trap+Trigger”).
Muttik teaches: a no-operation (NOP) instruction ([0053] In at least one embodiment, when an ENDBRANCH instruction is removed, it may be replaced by a no-operation (NOP) instruction or something similar).
A person of ordinary skill in the art before the effective filing date of the claimed invention would have had a similar motivation to combine as the motivation in claim 11.
The combined teaching of Bear and Muttik does not disclose, however, Durham discloses first instruction at the beginning of the; a second instruction at the end of the ([0062] And note that data may be aligned/shifted either to the beginning or end of the cacheline depending on whether one wishes to catch an underflow read or an overflow read error).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Durham in the attack mitigation method of Bear by storing instructions before/after the beginning/end of a address location. This would have been obvious because the person having ordinary skill in the art would have been motivated in order to detect out-of-bounds read/write (0062). A person of ordinary skill could have reasonably shifted data to the beginning or end in Bear because a person of ordinary skill would have reasonably concluded that data may be aligned/shifted either to the beginning or end of the cacheline depending on whether one wishes to catch an underflow read or an overflow read error (0062, Durham).

Regarding claim 13,
Bear in view of Muttik discloses: The method of claim 11, further comprising: 
Bear further discloses: storing the instruction in the physical address space locations for the corresponding code block at least at one of 
However, in the same field of endeavor Durham discloses: storing the instruction in the physical address space locations for the corresponding code block at least at one of ([0036] Phantom Pages. As discussed in the following paragraphs, “Phantom Pages” refers to page addresses in a large number of “unused”, and otherwise unmapped, Kernel virtual memory pages (e.g., space 420). They are rendered “Phantoms” through the process, described below, of mapping a large number of such pages from virtual memory to a small number—one or more—physical memory page address, referred below as “Trap pages”. In an example, a technique for detecting the use of SCA attacks is provided by a combination of two facilities: Phantom pages mapped into Trap Pages and “Trap Entry detectors”. The combined use of Trap pages and Trap Entry detectors is referred to as a “Trap+Trigger”): 
Muttik teaches: a no-operation (NOP) instruction ([0053] In at least one embodiment, when an ENDBRANCH instruction is removed, it may be replaced by a no-operation (NOP) instruction or something similar).
A person of ordinary skill in the art before the effective filing date of the claimed invention would have had a similar motivation to combine as the motivation in claim 11.
The combined teaching of Bear and Muttik does not disclose, however, Durham discloses: immediately before a physical starting address location of the code block, or immediately following a physical end address location of the code block ([0062] And note that data may be aligned/shifted either to the beginning or end of the cacheline depending on whether one wishes to catch an underflow read or an overflow read error).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Durham in the attack mitigation method of Bear by storing instructions before/after the beginning/end of a address location. This would have been obvious because the person having ordinary skill in the art would have been motivated in order to detect out-of-bounds read/write (0062). A person of ordinary skill could have reasonably shifted data to the beginning or end in Bear because a person of ordinary skill would have reasonably concluded that data may be aligned/shifted either to the beginning or end of the cacheline depending on whether one wishes to catch an underflow read or an overflow read error (0062, Durham).

Claim 14-15 is/are rejected under 35 U.S.C. 103 as being unpatentable over Bear (U.S. 20190004972), in view of Durham (U.S. 20200210070).

Regarding claim 14,
Bear discloses: The method of claim 2, wherein selecting one of the plurality of code variants comprises: 
Bear further discloses: accessing the code block from the physical address space based on a portion of a virtual address for one of the plurality of code of variants, the portion being indicative of the physical address space location, with portions of the virtual address, indicating the virtual address space locations for the one of the plurality of code variants ([0033] “Phantom Pages” mapped to the kernel region of each user process' virtual memory; [0034] Such computers employ “mapping” schemes that create for each active process a correspondence between that process' virtual memory, and portion of the (typically) much smaller physical memory actually present in the machines,
Bear does not disclose: being masked.
However, in the same field of endeavor Durham discloses: being masked ([0048] The virtual address 130 for the new data 128 may include the encryption tag 146 to provide security for the new data 128. The pointer security circuitry 126 may be configured to define where within the virtual address 130 the encryption tag 146 resides or is defined. For example, the pointer security circuitry 126 may define the encryption tag 146 as the three most significant bits in the virtual address 130. The encryption tag 146 may be defined as, for example, bits 59-62 (i.e., four bits) of bits 0-63 of the virtual address 130, assuming, as an example, that the length of the virtual address 130 is 64 bits. The encryption tag 146 may be a representation of a key ID 152 that is used to look up the encryption key 154 within a key table 156, by the encryption circuitry 122. The encryption tag 146 may also or alternatively be identified using other techniques, e.g., may be defined within one or more bits in the physical address 134. It may be copied or translated from the virtual address and into the physical address such that the key ID may be communicated to the memory encryption circuitry. Embodiments may provide for use of the key ID to contribute to defenses against speculative side channel analysis because if a wrong memory encryption tag is used the data will not be revealed (it will be decrypted into random bits), so speculation based on this random data does not reveal any secrets to the adversary on side-channel analysis; [0065] Returning to FIG. 1A, the processor 112 may be configured to encrypt and decrypt virtual/linear addresses (e.g., virtual address 130), any portion thereof, any other addresses (direct or indirect), and/or any portions thereof, also or instead of encrypting and decrypting new data 128, cached data 132, and/or stored data 138, using encryption circuitry 122 for example.).

Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Durham in the attack mitigation method of Bear by masking information. This would have been obvious because the person having ordinary skill in the art would have been motivated in order to protect against attacks (0035). A person of ordinary skill could have reasonably masked data as in Bear because a person of ordinary skill would have reasonably concluded to limit the effectiveness of adversarial efforts to infer information about secret data by attempting to use it speculatively, as a memory address or otherwise and/or to access memory locations outside of boundaries defined for validity, security, or other purposes (0035).

Regarding claim 15, 
Bear discloses: The method of claim 1, wherein processing at least a portion of one of the one or more code block copies comprises: 
Durhan discloses: encrypting one or more pointers resulting from indirect program execution branching decisions; and decrypting the one or more pointers in response to a call operation requiring content of the one or more pointers ([0065] Returning to FIG. 1A, the processor 112 may be configured to encrypt and decrypt virtual/linear addresses (e.g., virtual address 130), any portion thereof, any other addresses (direct or indirect), and/or any portions thereof, also or instead of encrypting and decrypting new data 128, cached data 132, and/or stored data 138, using encryption circuitry 122 for example; [0070] In an embodiment, secure memory access circuitry 600 includes address decoding circuitry 662, which may be invoked to verify the encoded metadata on memory read and write operations that utilize processor instructions such as MOV, where a general purpose register is used as a memory address to read a value from memory or to write a value to memory (e.g., load/store), as well as on other operations that involve the “use” of memory (such as control transfer instructions, e.g. CALL/JMP etc.) and/or any instruction that can take a memory operand. The indirect (e.g. encoded virtual/linear) memory address used for the memory access is first decoded and/or decrypted by the processor to get the correct virtual/linear memory address).
A person of ordinary skill in the art before the effective filing date of the claimed invention would have had a similar motivation to combine as the motivation in claim 14.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's
disclosure.
	Control-Flow Security by William Patrick Arthur, 2016, Teaches mapping physical pages to virtual addresses in order to protect against code-reuse attacks
Semeria 8/13/2019 (US 11144631), Teaches mapping separate regions of virtual memory to processes to protect against side channel attacks.
Dehon 12/12/1016 (US 10936713), Teaches mapping physical pages to virtual addresses in order to protect against code-reuse attacks.
Werner 1/23/2017 (US 20170213039), Teaches mapping physical pages to virtual addresses in order to protect against code-reuse attacks.

Any inquiry concerning this communication or earlier communications from the examiner
should be directed to THOMAS A CARNES whose telephone number is (571)272-4378. The examiner can
normally be reached Monday-Friday.
Examiner interviews are available via telephone, in-person, and video conferencing using a
USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use
the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor,
Shewaye Gelagay can be reached on (571) 272-4219. The fax phone number for the organization where
this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from
Patent Center. Unpublished application information in Patent Center is available to registered users. To
file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit
https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and
https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional
questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like
assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or
571-272-1000.
/T.A.C./
Examiner, Art Unit 2436

/SHEWAYE GELAGAY/Supervisory Patent Examiner, Art Unit 2436