DETAILED ACTION

Notice of Pre-AIA or AIA Status

1.	The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Information Disclosure Statement

2.	The information disclosure statement (IDS) submitted on 12/17/2021 was filed. The submission is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.

Claim Rejections - 35 USC § 103

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.


3.	Claims 21-22, 27-28, and 33-34 are rejected under 35 U.S.C. 103 as being unpatentable over Pub. No. US 2016/0149950 A1 to Ashley et al. (hereafter referenced as Ashley) in view of Patent No. US 9,160,756 to Pieczul et al. (hereafter referenced as Pieczul).
Regarding claim 21, Ashley discloses “an apparatus comprising: one or more processors; and a memory coupled to the one or more processors” (computer 10 interconnected to security devices 20 & 30, Ashley [Fig. 1]), “the one or more processors to: configure, during execution of a user-mode code in a native processor mode” (computer readable program instructions may be provided to a processor of a general-purpose computer, Ashley [par. 0070]).
Ashley does not explicitly disclose “a sandbox state for a first sandbox domain; and invoke a first processor instruction to set the sandbox state for the first sandbox domain in response to configuration of the sandbox state.”
However, Pieczul in an analogous art discloses “a sandbox state for a first sandbox domain” (302 domain sandboxes; see also Pieczul [Col. 6/lines 27-33]); “and invoke a first processor instruction to set the sandbox state for the first sandbox domain in response to configuration of the sandbox state” (a block diagram of a set of components providing a system for automated decomposition of a web page into domain sandboxes, Pieczul [Fig. 3]; see also Pieczul [Col. 3/lines 13-16]).
Therefore, it would have been obvious to one of ordinary skill in the art at the time the invention was filed to modify Ashley’s security sandboxing process with Pieczul’s method for decomposing a web application into one or more domain sandboxes, which ensures that the contents of each sandbox are protected from attacks. One of ordinary skill in the art would have been motivated to combine because Ashley discloses a sandbox technique within a computer system, Pieczul teaches a security sandboxing process for decomposing a web application into one or more domain sandboxes, and both are from the same field of endeavor.
Regarding claim 22 in view of claim 21, the references combined disclose “wherein the one or more processors are further to: store a return address in the memory in response to the invocation of the first processor instruction” (Pieczul [Fig. 8] illustrates the page elements that are stored in the sandboxed content data store); “load an execution state from the memory in response to the invocation of the first processor instruction” (processor unit 204 serves to execute instructions for software that may be loaded into memory 206, Pieczul [Col. 4/lines 36-37]); “and jump to an entry point within the first sandbox domain in response to the invocation of the first processor instruction” (instructions may be loaded into memory 206 for execution by processor unit 204; the processes of the different embodiments may be performed by processor unit 204 using computer implemented instructions, which may be located in a memory such as memory 206, Pieczul [Col. 5/lines 7-12]).
Regarding claim 27, Ashley discloses “a method comprising: configuring, by a computing device during execution of a user-mode code in a native processor mode of one or more processors of the computing device” (computer readable program instructions may be provided to a processor of a general-purpose computer, Ashley [par. 0070]).


Ashley does not explicitly disclose “a sandbox state for a first sandbox domain; and invoking, by the computing device, a first processor instruction to set the sandbox state for the first sandbox domain in response to configuration of the sandbox state.”
However, Pieczul in an analogous art discloses “a sandbox state for a first sandbox domain” (302 domain sandboxes; see also Pieczul [Col. 6/lines 27-33]); “and invoking, by the computing device, a first processor instruction to set the sandbox state for the first sandbox domain in response to configuration of the sandbox state” (a block diagram of a set of components providing a system for automated decomposition of a web page into domain sandboxes, Pieczul [Fig. 3]; see also Pieczul [Col. 3/lines 13-16]).
Therefore, it would have been obvious to one of ordinary skill in the art at the time the invention was filed to modify Ashley’s security sandboxing process with Pieczul’s method for decomposing a web application into one or more domain sandboxes, which ensures that the contents of each sandbox are protected from attacks. One of ordinary skill in the art would have been motivated to combine because Ashley discloses a sandbox technique within a computer system, Pieczul teaches a security sandboxing process for decomposing a web application into one or more domain sandboxes, and both are from the same field of endeavor.
Regarding claim 28 in view of claim 27, the references combined disclose “further comprising: storing a return address in a memory of the computing device in response to the invocation of the first processor instruction” (Pieczul [Fig. 8] illustrates the page elements that are stored in the sandboxed content data store); “loading an execution state from the memory in response to the invocation of the first processor instruction” (processor unit 204 serves to execute instructions for software that may be loaded into memory 206, Pieczul [Col. 4/lines 36-37]); “and jumping to an entry point within the first sandbox domain in response to the invocation of the first processor instruction” (instructions may be loaded into memory 206 for execution by processor unit 204; the processes of the different embodiments may be performed by processor unit 204 using computer implemented instructions, which may be located in a memory such as memory 206, Pieczul [Col. 5/lines 7-12]).
Regarding claim 33, Ashley discloses “at least one computer-readable medium having stored thereon instructions which, when executed, cause a computing device to facilitate operations comprising: configuring, during execution of a user-mode code in a native processor mode of one or more processors of the computing device” (computer 10 interconnected to security devices 20 & 30, Ashley [Fig. 1], in which computer readable program instructions may be provided to a processor of a general-purpose computer, Ashley [par. 0070]).
Ashley does not explicitly disclose “a sandbox state for a first sandbox domain; and invoking a first processor instruction to set the sandbox state for the first sandbox domain in response to configuration of the sandbox state.”
However, Pieczul in an analogous art discloses “a sandbox state for a first sandbox domain” (302 domain sandboxes; see also Pieczul [Col. 6/lines 27-33]); “and invoking a first processor instruction to set the sandbox state for the first sandbox domain in response to configuration of the sandbox state” (a block diagram of a set of components providing a system for automated decomposition of a web page into domain sandboxes, Pieczul [Fig. 3]; see also Pieczul [Col. 3/lines 13-16]).
Therefore, it would have been obvious to one of ordinary skill in the art at the time the invention was filed to modify Ashley’s security sandboxing process with Pieczul’s method for decomposing a web application into one or more domain sandboxes, which ensures that the contents of each sandbox are protected from attacks. One of ordinary skill in the art would have been motivated to combine because Ashley discloses a sandbox technique within a computer system, Pieczul teaches a security sandboxing process for decomposing a web application into one or more domain sandboxes, and both are from the same field of endeavor.
Regarding claim 34 in view of claim 33, the references combined disclose “wherein the operations further comprise: storing a return address in a memory of the computing device in response to the invocation of the first processor instruction” (Pieczul [Fig. 8] illustrates the page elements that are stored in the sandboxed content data store); “loading an execution state from the memory in response to the invocation of the first processor instruction” (processor unit 204 serves to execute instructions for software that may be loaded into memory 206, Pieczul [Col. 4/lines 36-37]); “and jumping to an entry point within the first sandbox domain in response to the invocation of the first processor instruction” (instructions may be loaded into memory 206 for execution by processor unit 204; the processes of the different embodiments may be performed by processor unit 204 using computer implemented instructions, which may be located in a memory such as memory 206, Pieczul [Col. 5/lines 7-12]).
4.	Claims 23-26, 29-32, and 35-38 are rejected under 35 U.S.C. 103 as being unpatentable over Pub. No. US 2016/0149950 A1 to Ashley et al. (hereafter referenced as Ashley) in view of Patent No. US 9,160,756 to Pieczul et al. (hereafter referenced as Pieczul), and in further view of Patent No. US 11,055,401 B2 to Zhang et al. (hereafter referenced as Zhang).
Regarding claim 23 in view of claim 22, neither Ashley nor Pieczul explicitly discloses “wherein to load the execution state comprises to: load a stack pointer from the memory to a stack pointer register of the one or more processors; and load the entry point from the memory to an instruction pointer register of the one or more processors.”
However, Zhang in an analogous art discloses “wherein to load the execution state comprises to: load a stack pointer from the memory to a stack pointer register of the one or more processors” (set stack pointer, Zhang [Fig. 3a/item 308]); “and load the entry point from the memory to an instruction pointer register of the one or more processors” (set entry point, Zhang [Fig. 3a/item 310]).
Therefore, it would have been obvious to one of ordinary skill in the art at the time the invention was filed to modify Ashley’s dynamic sandbox security system and Pieczul’s method for decomposing a web application into one or more domain sandboxes with Zhang’s technique for code execution with processor sandbox support in order to provide additional security. One of ordinary skill would have been motivated to combine because Ashley teaches a sandbox security system, Pieczul discloses a domain sandbox system which ensures the content of each sandbox is protected, Zhang teaches a code execution process with native domain sandbox support, and all are from the same field of endeavor.

Regarding claim 24 in view of claim 21, the references combined disclose “wherein the one or more processors are further to: execute the code in a sandbox processor mode to exit the first sandbox domain; and execute the code included in a native domain of a first virtual address space in a non-privileged, sandbox processor mode” (Pieczul [Fig. 3] illustrates the high-level components of a system 300 that implements automated processing of a web application 302 into domain sandboxes).
Regarding claim 25 in view of claim 24, the references combined disclose “wherein the one or more processors are further to: generate an exception during execution of the code included in the first sandbox domain in the non-privileged sandbox processor mode” (trusted domain manager 206 may execute in a non-privileged operating mode, in which the trusted domain manager 206 is further configured to invoke a sandbox allocate instruction while in the native processor mode to add one or more memory pages to a corresponding sandbox domain 202, and may be configured to invoke a sandbox free instruction while in the native processor mode to remove one or more memory pages from a corresponding sandbox domain 202, Zhang [Col. 4/lines 41-59]); “execute a kernel exception handler in a privileged processor mode in response to generation of the exception and invoke a non-privileged exception handler in the non-privileged, native processor mode in response to execution of the kernel exception handler” (the state control block 224 may be located in the normal domain 208 or in kernel space, Zhang [Col. 5/lines 30-35]); “and read a sandbox status register of the one or more processors in response to execution of the non-privileged exception handler and (ii) determine whether the exception originated in the non-privileged, sandbox processor mode in response to reading of the sandbox status register” (Zhang [Fig. 4] illustrates native domain exception handler 210 reading the sandbox status MSR, Zhang [Col. 10/line 22]).
Regarding claim 26 in view of claim 25, the references combined disclose “wherein the one or more processors are further to invoke, during execution of the non-privileged exception handler in the native processor mode, a second processor instruction to enter the non-privileged sandbox processor mode” (trusted domain manager 206 may execute in a non-privileged operating mode, in which the trusted domain manager 206 is further configured to invoke a sandbox allocate instruction while in the native processor mode to add one or more memory pages to a corresponding sandbox domain 202, and may be configured to invoke a sandbox free instruction while in the native processor mode to remove one or more memory pages from a corresponding sandbox domain 202, Zhang [Col. 4/lines 41-59]).
Regarding claim 29 in view of claim 28, neither Ashley nor Pieczul explicitly discloses “wherein loading the execution state comprises: loading a stack pointer from the memory to a stack pointer register of the one or more processors; and loading the entry point from the memory to an instruction pointer register of the one or more processors.”

However, Zhang in an analogous art discloses “wherein loading the execution state comprises: loading a stack pointer from the memory to a stack pointer register of the one or more processors” (set stack pointer, Zhang [Fig. 3a/item 308]); “and loading the entry point from the memory to an instruction pointer register of the one or more processors” (set entry point, Zhang [Fig. 3a/item 310]).
Therefore, it would have been obvious to one of ordinary skill in the art at the time the invention was filed to modify Ashley’s dynamic sandbox security system and Pieczul’s method for decomposing a web application into one or more domain sandboxes with Zhang’s technique for code execution with processor sandbox support in order to provide additional security. One of ordinary skill would have been motivated to combine because Ashley teaches a sandbox security system, Pieczul discloses a domain sandbox system which ensures the content of each sandbox is protected, Zhang teaches a code execution process with native domain sandbox support, and all are from the same field of endeavor.
Regarding claim 30 in view of claim 27, neither Ashley nor Pieczul explicitly discloses “further comprising: executing the code in a sandbox processor mode to exit the first sandbox domain; and executing the code included in a native domain of a first virtual address space in a non-privileged, sandbox processor mode.”
However, Zhang in an analogous art discloses “further comprising: executing the code in a sandbox processor mode to exit the first sandbox domain; and executing the code included in a native domain of a first virtual address space in a non-privileged, sandbox processor mode” (Pieczul [Fig. 3] illustrates the high-level components of a system 300 that implements automated processing of a web application 302 into domain sandboxes).
Therefore, it would have been obvious to one of ordinary skill in the art at the time the invention was filed to modify Ashley’s dynamic sandbox security system and Pieczul’s method for decomposing a web application into one or more domain sandboxes with Zhang’s technique for code execution with processor sandbox support in order to provide additional security. One of ordinary skill would have been motivated to combine because Ashley teaches a sandbox security system, Pieczul discloses a domain sandbox system which ensures the content of each sandbox is protected, Zhang teaches a code execution process with native domain sandbox support, and all are from the same field of endeavor.
Regarding claim 31 in view of claim 30, the references combined disclose “further comprising: generating an exception during execution of the code included in the first sandbox domain in the non-privileged, sandbox processor mode” (trusted domain manager 206 may execute in a non-privileged operating mode, in which the trusted domain manager 206 is further configured to invoke a sandbox allocate instruction while in the native processor mode to add one or more memory pages to a corresponding sandbox domain 202, and may be configured to invoke a sandbox free instruction while in the native processor mode to remove one or more memory pages from a corresponding sandbox domain 202, Zhang [Col. 4/lines 41-59]); “executing a kernel exception handler in a privileged processor mode in response to generation of the exception and invoking a non-privileged exception handler in the non-privileged, native processor mode in response to execution of the kernel exception handler” (the state control block 224 may be located in the normal domain 208 or in kernel space, Zhang [Col. 5/lines 30-35]); “and reading a sandbox status register of the one or more processors in response to execution of the non-privileged exception handler and (ii) determining whether the exception originated in the non-privileged, sandbox processor mode in response to reading of the sandbox status register” (Zhang [Fig. 4] illustrates native domain exception handler 210 reading the sandbox status MSR, Zhang [Col. 10/line 22]).
Regarding claim 32 in view of claim 31, the references combined disclose “further comprising invoking, during execution of the non-privileged exception handler in the native processor mode, a second processor instruction to enter the non-privileged sandbox processor mode” (trusted domain manager 206 may execute in a non-privileged operating mode, in which the trusted domain manager 206 is further configured to invoke a sandbox allocate instruction while in the native processor mode to add one or more memory pages to a corresponding sandbox domain 202, and may be configured to invoke a sandbox free instruction while in the native processor mode to remove one or more memory pages from a corresponding sandbox domain 202, Zhang [Col. 4/lines 41-59]).



Regarding claim 35 in view of claim 34, neither Ashley nor Pieczul explicitly discloses “wherein loading the execution state comprises: loading a stack pointer from the memory to a stack pointer register of the one or more processors; and loading the entry point from the memory to an instruction pointer register of the one or more processors.”
However, Zhang in an analogous art discloses “wherein loading the execution state comprises: loading a stack pointer from the memory to a stack pointer register of the one or more processors” (set stack pointer, Zhang [Fig. 3a/item 308]); “and loading the entry point from the memory to an instruction pointer register of the one or more processors” (set entry point, Zhang [Fig. 3a/item 310]).
Therefore, it would have been obvious to one of ordinary skill in the art at the time the invention was filed to modify Ashley’s dynamic sandbox security system and Pieczul’s method for decomposing a web application into one or more domain sandboxes with Zhang’s technique for code execution with processor sandbox support in order to provide additional security. One of ordinary skill would have been motivated to combine because Ashley teaches a sandbox security system, Pieczul discloses a domain sandbox system which ensures the content of each sandbox is protected, Zhang teaches a code execution process with native domain sandbox support, and all are from the same field of endeavor.
Regarding claim 36 in view of claim 33, neither Ashley nor Pieczul explicitly discloses “wherein the operations further comprise: executing the code in a sandbox processor mode to exit the first sandbox domain; and executing the code included in a native domain of a first virtual address space in a non-privileged, sandbox processor mode.”
However, Zhang in an analogous art discloses “wherein the operations further comprise: executing the code in a sandbox processor mode to exit the first sandbox domain; and executing the code included in a native domain of a first virtual address space in a non-privileged, sandbox processor mode” (Pieczul [Fig. 3] illustrates the high-level components of a system 300 that implements automated processing of a web application 302 into domain sandboxes).
Therefore, it would have been obvious to one of ordinary skill in the art at the time the invention was filed to modify Ashley’s dynamic sandbox security system and Pieczul’s method for decomposing a web application into one or more domain sandboxes with Zhang’s technique for code execution with processor sandbox support in order to provide additional security. One of ordinary skill would have been motivated to combine because Ashley teaches a sandbox security system, Pieczul discloses a domain sandbox system which ensures the content of each sandbox is protected, Zhang teaches a code execution process with native domain sandbox support, and all are from the same field of endeavor.
Regarding claim 37 in view of claim 36, the references combined disclose “wherein the operations further comprise: generating an exception during execution of the code included in the first sandbox domain in the non-privileged, sandbox processor mode” (trusted domain manager 206 may execute in a non-privileged operating mode, in which the trusted domain manager 206 is further configured to invoke a sandbox allocate instruction while in the native processor mode to add one or more memory pages to a corresponding sandbox domain 202, and may be configured to invoke a sandbox free instruction while in the native processor mode to remove one or more memory pages from a corresponding sandbox domain 202, Zhang [Col. 4/lines 41-59]); “executing a kernel exception handler in a privileged processor mode in response to generation of the exception and (ii) invoking a non-privileged exception handler in the non-privileged, native processor mode in response to execution of the kernel exception handler” (the state control block 224 may be located in the normal domain 208 or in kernel space, Zhang [Col. 5/lines 30-35]); “and reading a sandbox status register of the one or more processors in response to execution of the non-privileged exception handler and (ii) determining whether the exception originated in the non-privileged, sandbox processor mode in response to reading of the sandbox status register” (Zhang [Fig. 4] illustrates native domain exception handler 210 reading the sandbox status MSR, Zhang [Col. 10/line 22]).
Regarding claim 38 in view of claim 37, the references combined disclose “wherein the operations further comprise invoking, during execution of the non-privileged exception handler in the native processor mode, a second processor instruction to enter the non-privileged sandbox processor mode” (trusted domain manager 206 may execute in a non-privileged operating mode, in which the trusted domain manager 206 is further configured to invoke a sandbox allocate instruction while in the native processor mode to add one or more memory pages to a corresponding sandbox domain 202, and may be configured to invoke a sandbox free instruction while in the native processor mode to remove one or more memory pages from a corresponding sandbox domain 202, Zhang [Col. 4/lines 41-59]).
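For reference, the following is an added software model of the mechanism the rejected claims recite: a sandbox-enter instruction that stores a return address, loads the stack pointer and entry point from a state block and jumps into the domain (claims 21-23), an exit back to the native domain (claim 24), and an exception path in which a privileged kernel handler records the originating mode in a sandbox status register and a non-privileged native-domain handler reads that register to decide whether the fault came from sandbox mode (claim 25). It is constructed for illustration only and is not code from the application under examination or from Ashley, Pieczul or Zhang; the structure names, the status-register bit layout, the address range check and the EXC_* outcome codes are all assumptions of this model.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical model of a processor sandbox domain. Constructed for
 * illustration; not code from the application or the cited references. */

typedef enum { MODE_NATIVE = 0, MODE_SANDBOX = 1 } proc_mode_t;

/* Outcome reported by the non-privileged exception handler (assumed codes). */
enum { EXC_NONE = 0, EXC_NATIVE_FAULT = 1, EXC_SANDBOX_TERMINATED = 2 };

/* Sandbox state configured by user-mode code while in native mode. */
typedef struct {
    uint64_t stack_pointer;   /* loaded into the stack pointer register on entry */
    uint64_t entry_point;     /* loaded into the instruction pointer register on entry */
    uint64_t return_address;  /* stored to memory by the enter instruction */
    uint64_t lo, hi;          /* address range [lo, hi) owned by the domain (assumed) */
} sandbox_state_t;

typedef struct {
    uint64_t sp, ip;
    proc_mode_t mode;
    uint32_t sandbox_status;  /* status register: bit 0 = last exception came from sandbox mode */
    sandbox_state_t *active;  /* domain currently executing; NULL in the native domain */
} cpu_t;

/* Model of the "first processor instruction": store the return address,
 * load the execution state (SP and IP) and jump to the domain's entry point. */
void sandbox_enter(cpu_t *cpu, sandbox_state_t *sb, uint64_t return_address) {
    sb->return_address = return_address;
    cpu->sp = sb->stack_pointer;
    cpu->ip = sb->entry_point;
    cpu->active = sb;
    cpu->mode = MODE_SANDBOX;
}

/* Model of the exit path: leave the domain and resume native code at the saved return address. */
void sandbox_exit(cpu_t *cpu) {
    if (cpu->active == NULL) return;
    cpu->ip = cpu->active->return_address;
    cpu->active = NULL;
    cpu->mode = MODE_NATIVE;
}

/* Non-privileged handler in the native domain: reads the sandbox status
 * register to determine whether the exception originated in sandbox mode. */
int native_exception_handler(cpu_t *cpu, uint64_t fault_ip) {
    bool from_sandbox = (cpu->sandbox_status & 1u) != 0;
    if (from_sandbox) {
        /* Fault inside the domain: tear the domain down rather than resume it. */
        printf("sandbox fault at 0x%llx, domain terminated\n", (unsigned long long)fault_ip);
        cpu->active = NULL;
        return EXC_SANDBOX_TERMINATED;
    }
    printf("native fault at 0x%llx\n", (unsigned long long)fault_ip);
    return EXC_NATIVE_FAULT;
}

/* Kernel handler in privileged mode: latches the originating mode into the
 * status register, then invokes the non-privileged handler in native mode. */
int kernel_exception_handler(cpu_t *cpu, uint64_t fault_ip) {
    cpu->sandbox_status = (cpu->mode == MODE_SANDBOX) ? 1u : 0u;
    cpu->mode = MODE_NATIVE;
    return native_exception_handler(cpu, fault_ip);
}

/* A memory access by the running code. In sandbox mode an access outside the
 * domain's range raises an exception; EXC_NONE means the access was permitted. */
int sandbox_access(cpu_t *cpu, uint64_t addr) {
    if (cpu->mode != MODE_SANDBOX || cpu->active == NULL)
        return EXC_NONE;  /* native code is not range-restricted in this model */
    if (addr >= cpu->active->lo && addr < cpu->active->hi)
        return EXC_NONE;
    return kernel_exception_handler(cpu, cpu->ip);
}

int main(void) {
    cpu_t cpu = {0};
    sandbox_state_t sb = { .stack_pointer = 0x7000, .entry_point = 0x1000,
                           .return_address = 0, .lo = 0x1000, .hi = 0x2000 };
    sandbox_enter(&cpu, &sb, 0x4242);
    sandbox_access(&cpu, 0x3000);   /* out-of-domain access: handled as a sandbox fault */
    sandbox_enter(&cpu, &sb, 0x4242);
    sandbox_exit(&cpu);             /* clean exit resumes native code at 0x4242 */
    return 0;
}
```

The point the model makes is the one the exception-handling claims turn on: the non-privileged handler never trusts the faulting code's own account of where it ran; it decides from a register that only the privileged kernel handler wrote, so a fault raised inside the domain cannot be mistaken for a native-domain fault.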

Conclusion

Any inquiry concerning this communication or earlier communications from the examiner should be directed to MICHAEL D ANDERSON whose telephone number is (571)270-5159. The examiner can normally be reached Mon-Fri 9am-6pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffrey Pwu can be reached on (571) 272-6798. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/MICHAEL D ANDERSON/           Examiner, Art Unit 2433                  

/JEFFREY C PWU/           Supervisory Patent Examiner, Art Unit 2433