DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

This office action is a response to an application filed 06/28/2021. This application claims Foreign Priority to application CN202010599864.5, filed 06/28/2020, wherein claims 1 – 20 are pending and ready for examination.
Specification
The disclosure is objected to because of the following informalities: The instant specification at [0008] discloses language found in claim 1:

[0008] changing preset bits of all legal target addresses of a current indirect branch instruction in a control flow of a program to be protected to be same; and [0009] rewriting preset bits of a current target address of the current indirect branch instruction to be same as the preset bits of the legal target addresses, so that the program to be protected terminates when the current target address is tampered with. 
The Examiner finds the [0008] disclosure does not provide a basis of comparing since no target address is claimed.  It is only until the [0009] disclosure that a comparison is possible.  The instant claims also reflect this construction.  The specification renders this passage as being indefinite even if [0009] provides the other entity because [0008] stands as a complete limitation separated by semicolon.  Appropriate correction is required.

Claim Objections
Claims 1-4, 8-10, and 15-17 are objected to because of the following informalities:  The claims include the phrase “changing preset bits of all legal target addresses of a current indirect branch instruction in a control flow of a program to be protected to be same.  Appropriate correction is required.

Drawings
The drawings are objected to because Figure 4 is a method where the same claim construction “changing preset bits of all legal target addresses of a current indirect branch instruction in a control flow of a program to be protected to be same” is found.  Corrected drawing sheets in compliance with 37 CFR 1.121(d) are required in reply to the Office action to avoid abandonment of the application. Any amended replacement drawing sheet should include all of the figures appearing on the immediate prior version of the sheet, even if only one figure is being amended. The figure or figure number of an amended drawing should not be labeled as “amended.” If a drawing figure is to be canceled, the appropriate figure must be removed from the replacement sheet, and where necessary, the remaining figures must be renumbered and appropriate changes made to the brief description of the several views of the drawings for consistency. Additional replacement sheets may be necessary to show the renumbering of the remaining figures. Each drawing sheet submitted after the filing date of an application must be labeled in the top margin as either “Replacement Sheet” or “New Sheet” pursuant to 37 CFR 1.121(d). If the changes are not accepted by the examiner, the applicant will be notified and informed of any required corrective action in the next Office action. The objection to the drawings will not be held in abeyance.


Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.


Claims 1 -4, 7-11, and 14-18 are rejected under 35 U.S.C. 103 as being unpatentable over Erlingsson; Ulfar et al, US  20080184016 A1 , July 31, 2008 hereafter referred to as Erlingsson in view of Bruening, Derek L. et al,  US 20050010804 A1, January 13, 2005 hereafter referred to as Bruening.

          As to claim 1, Erlingsson teaches a method for control-flow integrity protection - Erlingsson [0034] FIG. 2 is a flow diagram of an example compile-time method for CFI, comprising:
             changing preset bits of all legal target addresses of a current indirect branch instruction in a control flow of a program to be protected to be same ... – Erlingsson [0034] Each target of an indirect branch is statically annotated with a label embedded within the binary code, at step 220.  Here, the claimed ‘changing’ is taught by Erlingsson as ‘annotated’ whereas the claimed ‘preset bits’ is taught by Erlingsson as ‘label embedded’ which is the address already set in the program binary.  The claimed ‘all legal target addresses’ is taught by Erlingsson as ‘each target’ because every target address is annotated. The claimed ‘current ...  instruction’ is taught by Erlingsson as ‘statically’ since the change is performed when the code is not running whereas the claimed ‘a program’ is taught by Erlingsson as ‘the binary code’); and
           rewriting preset bits of a current target address of the current indirect branch instruction to be same as the preset bits of the legal target addresses – Erlingsson [0024] The software version of CFI enforcement is achieved by subjecting executables to the following two transformations: (a) inserting identifying binary "labels" at each branch destination, and (b) preceding each branch with an inline code fragment which checks that the branch destination contains the correct expected label. These code transformations can be performed either by a binary rewriter or by a compiler.  Here, the claimed ‘rewriting’ is taught by Erlingsson as ‘binary rewriter’ whereas the claimed ‘to be same’ is taught by Erlingsson as ‘CFI enforcement’ since the function of CFI is to ensure the target address in the code branches to the legal address), so that the program to be protected terminates when the current target address is tampered with - Erlingsson [0035] The processor processes each indirect branch and its destination separately ...A branch is processed, and then at some point, shown with respect to an example in FIG. 3, at step 230, a check is performed to establish whether the destination code contains the expected label. If the correct label is not present, the processor triggers an exception ... triggering an exception may involve invoking an architecture-defined mechanism for hardware faults, or traps.  Here, the claimed ‘program ... terminates’ is suggested by Erlingsson as ‘triggers an exception’ since Figure 3 only other option teaches that the indirect branch is valid.  ERLINGSSON DOES NOT EXPLICTLY TEACH that the program to be protected terminates when the current target address is tampered with HOWEVER IN AN ART THAT IS ANALAGOUS TO THE SAME FIELD OF ENDEAVOR BRUENING TEACHES that the program to be protected terminates when the current target address is tampered with - Bruening [0210] Here the system begins at (414) with a given instruction address. This is the entry for external control transfers. Then it determines if the given instruction address refers to code that might have been tampered with. This is determined by seeing if the code is contained within a page in the ROPL (440). If not, it stops with a Code Origins security policy violation (416). As described above, this ensures that the system only executes code that has been unmodified since loading. Here, the claimed ‘program’ is taught by Bruening as ‘the code’ because external code is okay unless it has been tampered with.  The claimed ‘terminates’ is taught by Bruening as ‘it stops’ which terminates the program based on a security violation.  The claimed ‘current target address’ is taught by Bruening as ‘ROPL’ since the list is a read only list containing the current data as reference.  The claimed ‘tampered’ is taught by Bruening as ‘tampered with’ alluding to whether the code has been modified. It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to incorporate tamper detection capability provided by Bruening in Erlingsson’ s processing unit 102.  Erlingsson teaches fault exception but not based on a security violation such as tampering.  Bruening tamper detection capability improves Erlingsson control program flow protection and operational security. 

           As to claim 2, the combination of Erlingsson and Bruening teaches the method for control-flow integrity protection according to claim 1, wherein the rewriting preset bits of a current target address of the current indirect branch instruction to be same as the preset bits of the legal target addresses, so that the program to be protected terminates when the current target address is tampered with, specifically comprises:
           rewriting the preset bits of the current target address to be same as a label of the current indirect branch instruction, so that a current indirect branch cannot jump to the legal target addresses when the current target address is tampered with – Erlingsson [0024] The software version of CFI enforcement is achieved by subjecting executables to the following two transformations: (a) inserting identifying binary "labels" at each branch destination, and (b) preceding each branch with an inline code fragment which checks that the branch destination contains the correct expected label. These code transformations can be performed either by a binary rewriter or by a compiler.  Here, the claimed ‘rewriting’ is taught by Erlingsson as ‘transformations’ since the two processes a and b rewrite bits that are preset.  The claimed ‘preset bits’ here is taught by Erlingsson as ‘branch destination’ which is the preset address label for the branch);
           wherein the label is preset bits of a legal target address of the current indirect branch instruction - Erlingsson [0035] ... If the correct label is present, then the indirect branch is valid, at step 250. In this way, indirect branches cannot target anywhere but the places that contain the correct embedded labels.  Here, the clamed ‘legal target address’ is taught by Erlingsson as ‘correct label’ since the correct label is the intended destination address.  The claimed ‘preset’ in this case is taught by Erlingsson as ‘present’ which makes the bits have already been defined) and the program to be protected terminates - Bruening [0210] Here the system begins at (414) with a given instruction address. This is the entry for external control transfers. Then it determines if the given instruction address refers to code that might have been tampered with. This is determined by seeing if the code is contained within a page in the ROPL (440). If not, it stops with a Code Origins security policy violation (416). Here, the claimed ‘program’ is taught by Bruening as ‘the code’ because external code is okay unless it has been tampered with.  The claimed ‘terminates’ is taught by Bruening as ‘it stops’ which terminates the program based on a security violation.  The rationale to consider Bruening in claim 1 applies here in claim 2.

           As to claim 3, the combination of Erlingsson and Bruening teaches the method for control-flow integrity protection according to claim 2, wherein the rewriting the preset bits of the current target address to be same as a label of the current indirect branch instruction specifically comprises:
           performing an operation of instrumenting code at the current indirect branch instruction - Erlingsson [0025] ... For example, consider how an x86 indirect branch jmp ecx is instrumented using an example software version of CFI, as described with respect to the example software instrumentation shown in FIG. 1.  Here, the claimed ‘performing and operation’ is taught by Erlingsson as ‘software instrumentation’ whereas the claimed ‘instruction’ is taught by Erlingsson as ‘jmp ecx’ since it instruments the operation to the current branch);
          wherein the code is used to rewrite the preset bits of the current target address to be same as the label - Erlingsson [0026] Features of an example software implementation of CFI guards include (1) the labels must not have byte encodings that are part of other program instructions; (2) the CFI guard code cannot contain the label bytes, unless the guard code is considered a valid destination in the CFG 93) the guard code may overwrite other registers and flags (if these registers are live, they have to be properly saved and restored by the guard code. Here, the claimed ‘code’ is taught by Erlingsson as ‘guard code’ whereas the claimed ‘rewrite’ is taught by Erlingsson as ‘overwrite’.  The claimed ‘preset bits’ is taught by Erlingsson as ‘label bytes’).

            As to claim 4, the combination of Erlingsson and Bruening teaches the method for control-flow integrity protection according to claim 2, wherein the changing preset bits of all legal target addresses of a current indirect branch instruction in a control flow of a program to be protected to be same, specifically comprises:
          performing a null instruction filling operation on all the legal target addresses respectively, so that the preset bits of all the legal target addresses increase until equal to the label of the current indirect branch instruction – Erlingsson [0043] The cfilabel instruction is the destination of the checked branch instructions. cfilabel contains an immediate label value; for the Alpha ISA it is a 16-bit immediate. For other ISAs, such as x86, more bits could be used. The effect of the instruction is to compare the immediate with the contents of the cfi_register, and to reset the cfi_register if its immediate label is equal to the contents of the cfi_register.  Here, the claimed ‘performing a null operation’ is taught by Erlingsson as ‘reset the cfi_register’ because the instruction seeks to compare current and target addresses.  The claimed ‘legal target addresses’ is taught by Erlingsson as ‘checked branch instruction’ since these instructions have been verified.  The claimed ‘bits ... increase’ is taught by Erlingsson as ‘more bits could be used’ which is the bit stuffing to equalize the addresses to the current address.  The claimed ‘until equal’ is taught by Erlingsson as ‘label is equal’.  The claimed ‘current indirect branch instruction’ is taught by Erlingsson as ‘cfilabel instruction’).

              As to claim 7, the combination of Erlingsson and Bruening teaches the method for control-flow integrity protection according to claim 1, wherein before rearranging all legal target addresses of indirect branch instructions in the control flow of the program to be protected  – Erlingsson [0021]  Control-flow integrity means that the execution of a program dynamically follows only certain paths, in accordance with a static policy that comprises a control-flow graph (CFG) of the machine code of the program. CFI can prevent attacks which, by exploiting buffer overflows and other vulnerabilities, attempt to control program behavior. Here, the claimed ‘before rearranging’ is taught by Erlingsson as ‘static policy’ since the rules govern procedures performed on code prior to being ran), the method further comprises:
            performing static analysis on the program to be protected to obtain the control flow of the program to be protected – Erlingsson [0021] ... Statically (i.e., before the program is run), the complete set of legal branch targets is established (i.e., the set of legal CFG edges is fixed, including those for indirect branches such as computed jumps).  Here, the claimed ‘performing analysis’ is taught by Erlingsson as ‘Statically’ as opposed to real time analysis.  The claimed ‘program’ is taught by Erlingsson as ‘the program’ whereas the claimed ‘control flow’ is taught by Erlingsson as ‘CFG’ since the control flow graph depict the program statically).

         As to claim 8, Erlingsson teaches an apparatus for control-flow integrity protection – Erlingsson [0018] Fig. 10), comprising: a memory and a processor, wherein the memory stores a computer program which, when executed by the processor – Erlingsson [0059] ... In its most basic configuration, computing device 100 typically includes at least one processing unit 102 and memory 104.  Here, the claimed ‘a processor’ is taught by Erlingsson as ‘one processing unit 102’ whereas the claimed ‘memory’ is taught by Erlingsson as ‘memory 104’, causes the processor to:
           change preset bits of all legal target addresses of a current indirect branch instruction in a control flow of a program to be protected to be same ... – [0034] Each target of an indirect branch is statically annotated with a label embedded within the binary code, at step 220.  Here, the claimed ‘change’ is taught by Erlingsson as ‘annotated’ whereas the claimed ‘preset bits’ is taught by Erlingsson as ‘label embedded’ which is the address already set in the program binary.  The claimed ‘all legal target addresses’ is taught by Erlingsson as ‘each target’ because every target address is annotated. The claimed ‘current ...  instruction’ is taught by Erlingsson as ‘statically’ since the change is performed when the code is not running whereas the claimed ‘a program’ is taught by Erlingsson as ‘the binary code’); and
              rewrite preset bits of a current target address of the current indirect branch instruction to be same as the preset bits of the legal target addresses – Erlingsson [0024] The software version of CFI enforcement is achieved by subjecting executables to the following two transformations: (a) inserting identifying binary "labels" at each branch destination, and (b) preceding each branch with an inline code fragment which checks that the branch destination contains the correct expected label. These code transformations can be performed either by a binary rewriter or by a compiler.  Here, the claimed ‘rewrite’ is taught by Erlingsson as ‘binary rewriter’ whereas the claimed ‘to be same’ is taught by Erlingsson as ‘CFI enforcement’ since the function of CFI is to ensure the target address in the code branches to the legal address), so that the program to be protected terminates when the current target address is tampered with - Erlingsson [0035] The processor processes each indirect branch and its destination separately ...A branch is processed, and then at some point, shown with respect to an example in FIG. 3, at step 230, a check is performed to establish whether the destination code contains the expected label. If the correct label is not present, the processor triggers an exception ... triggering an exception may involve invoking an architecture-defined mechanism for hardware faults, or traps.  Here, the claimed ‘program ... terminates’ is suggested by Erlingsson as ‘triggers an exception’ since Figure 3 only other option teaches that the indirect branch is valid.  ERLINGSSON DOES NOT EXPLICTLY TEACH that the program to be protected terminates when the current target address is tampered with HOWEVER IN AN ART THAT IS ANALAGOUS TO THE SAME FIELD OF ENDEAVOR BRUENING TEACHES that the program to be protected terminates when the current target address is tampered with - Bruening [0210] Here the system begins at (414) with a given instruction address. This is the entry for external control transfers. Then it determines if the given instruction address refers to code that might have been tampered with. This is determined by seeing if the code is contained within a page in the ROPL (440). If not, it stops with a Code Origins security policy violation (416). As described above, this ensures that the system only executes code that has been unmodified since loading. Here, the claimed ‘program’ is taught by Bruening as ‘the code’ because external code is okay unless it has been tampered with.  The claimed ‘terminates’ is taught by Bruening as ‘it stops’ which terminates the program based on a security violation.  The claimed ‘current target address’ is taught by Bruening as ‘ROPL’ since the list is a read only list containing the current data as reference.  The claimed ‘tampered’ is taught by Bruening as ‘tampered with’ alluding to whether the code has been modified. It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to incorporate tamper detection capability provided by Bruening in Erlingsson’ s processing unit 102.  Erlingsson teaches fault exception but not based on a security violation such as tampering.  Bruening tamper detection capability improves Erlingsson control program flow protection and operational security). 

               As to claim 9, the combination of Erlingsson and Bruening teaches the apparatus according to claim 8, wherein the computer program further causes the processor to:
            rewrite the preset bits of the current target address to be same as a label of the current indirect branch instruction, so that a current indirect branch cannot jump to the legal target addresses when the current target address is tampered with, and the program to be protected terminates – Erlingsson [0024] The software version of CFI enforcement is achieved by subjecting executables to the following two transformations: (a) inserting identifying binary "labels" at each branch destination, and (b) preceding each branch with an inline code fragment which checks that the branch destination contains the correct expected label. These code transformations can be performed either by a binary rewriter or by a compiler.  Here, the claimed ‘rewriting’ is taught by Erlingsson as ‘transformations’ since the two processes a and b rewrite bits that are preset.  The claimed ‘preset bits’ here is taught by Erlingsson as ‘branch destination’ which is the preset address label for the branch), 
           wherein the label is preset bits of a legal target address of the current indirect branch instruction - Erlingsson [0035] ... If the correct label is present, then the indirect branch is valid, at step 250. In this way, indirect branches cannot target anywhere but the places that contain the correct embedded labels.  Here, the clamed ‘legal target address’ is taught by Erlingsson as ‘correct label’ since the correct label is the intended destination address.  The claimed ‘preset’ in this case is taught by Erlingsson as ‘present’ which makes the bits have already been defined) and the program to be protected terminates - Bruening [0210] Here the system begins at (414) with a given instruction address. This is the entry for external control transfers. Then it determines if the given instruction address refers to code that might have been tampered with. This is determined by seeing if the code is contained within a page in the ROPL (440). If not, it stops with a Code Origins security policy violation (416). As described above, this ensures that the system only executes code that has been unmodified since loading. Here, the claimed ‘program’ is taught by Bruening as ‘the code’ because external code is okay unless it has been tampered with.  The claimed ‘terminates’ is taught by Bruening as ‘it stops’ which terminates the program based on a security violation.  The claimed ‘current target address’ is taught by Bruening as ‘ROPL’ since the list is a read only list containing the current data as reference.  The claimed ‘tampered’ is taught by Bruening as ‘tampered with’ alluding to whether the code has been modified. It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to incorporate tamper detection capability provided by Bruening in Erlingsson’ s processing unit 102.  Erlingsson teaches fault exception but not based on a security violation such as tampering.  Bruening tamper detection capability improves Erlingsson control program flow protection and operational security). .

         As to claim 10, the combination of Erlingsson and Bruening teaches the apparatus according to claim 9, wherein the computer program further causes the processor to:
        perform an operation of instrumenting code at the current indirect branch instruction - Erlingsson [0025] ... For example, consider how an x86 indirect branch jmp ecx is instrumented using an example software version of CFI, as described with respect to the example software instrumentation shown in FIG. 1.  Here, the claimed ‘performing and operation’ is taught by Erlingsson as ‘software instrumentation’ whereas the claimed ‘instruction’ is taught by Erlingsson as ‘jmp ecx’ since it instruments the operation to the current branch); wherein the code is used to rewrite the preset bits of the current target address to be same as the label - Erlingsson [0026] Features of an example software implementation of CFI guards include (1) the labels must not have byte encodings that are part of other program instructions; (2) the CFI guard code cannot contain the label bytes, unless the guard code is considered a valid destination in the CFG 93) the guard code may overwrite other registers and flags (if these registers are live, they have to be properly saved and restored by the guard code. Here, the claimed ‘code’ is taught by Erlingsson as ‘guard code’ whereas the claimed ‘rewrite’ is taught by Erlingsson as ‘overwrite’.  The claimed ‘preset bits’ is taught by Erlingsson as ‘label bytes’).

             As to claim 11, the combination of Erlingsson and Bruening teaches the apparatus according to claim 9, wherein the computer program further causes the processor to:
          perform a null instruction filling operation on all the legal target addresses respectively, so that the preset bits of all the legal target addresses increase until equal to the label of the current indirect branch instruction – Erlingsson [0043] The cfilabel instruction is the destination of the checked branch instructions. cfilabel contains an immediate label value; for the Alpha ISA it is a 16-bit immediate. For other ISAs, such as x86, more bits could be used. The effect of the instruction is to compare the immediate with the contents of the cfi_register, and to reset the cfi_register if its immediate label is equal to the contents of the cfi_register.  Here, the claimed ‘performing a null operation’ is taught by Erlingsson as ‘reset the cfi_register’ because the instruction seeks to compare current and target addresses.  The claimed ‘legal target addresses’ is taught by Erlingsson as ‘checked branch instruction’ since these instructions have been verified.  The claimed ‘bits ... increase’ is taught by Erlingsson as ‘more bits could be used’ which is the bit stuffing to equalize the addresses to the current address.  The claimed ‘until equal’ is taught by Erlingsson as ‘label is equal’.  The claimed ‘current indirect branch instruction’ is taught by Erlingsson as ‘cfilabel instruction’).

          As to claim 14, the combination of Erlingsson and Bruening teaches the apparatus according to claim 8, wherein the computer program further causes the processor to:
perform static analysis on the program to be protected to obtain the control flow of the program to be protected before rearranging all legal target addresses of indirect branch instructions in the control flow of the program to be protected – Erlingsson [0021] ... Statically (i.e., before the program is run), the complete set of legal branch targets is established (i.e., the set of legal CFG edges is fixed, including those for indirect branches such as computed jumps).  Here, the claimed ‘performing analysis’ is taught by Erlingsson as ‘Statically’ as opposed to real time analysis.  The claimed ‘program’ is taught by Erlingsson as ‘the program’ whereas the claimed ‘control flow’ is taught by Erlingsson as ‘CFG’ since the control flow graph depict the program statically).

             As to claim 15, Erlingsson teaches a ‘non-transitory computer-readable storage medium’ on which a computer program is stored - Erlingsson [0059] ... Memory 104, removable storage 108 and non-removable storage 110 are all examples of computer storage media. Computer storage media includes, but is not limited to, RAM, ROM, EEPROM, wherein the computer program, when executed by a processor, causes the processor to:
          change preset bits of all legal target addresses of a current indirect branch instruction in a control flow of a program to be protected to be same – Erlingsson [0034] Each target of an indirect branch is statically annotated with a label embedded within the binary code, at step 220.  Here, the claimed ‘change’ is taught by Erlingsson as ‘annotated’ whereas the claimed ‘preset bits’ is taught by Erlingsson as ‘label embedded’ which is the address already set in the program binary.  The claimed ‘all legal target addresses’ is taught by Erlingsson as ‘each target’ because every target address is annotated. The claimed ‘current ...  instruction’ is taught by Erlingsson as ‘statically’ since the change is performed when the code is not running whereas the claimed ‘a program’ is taught by Erlingsson as ‘the binary code’); and

rewrite preset bits of a current target address of the current indirect branch instruction to be same as the preset bits of the legal target addresses – Erlingsson [0024] The software version of CFI enforcement is achieved by subjecting executables to the following two transformations: (a) inserting identifying binary "labels" at each branch destination, and (b) preceding each branch with an inline code fragment which checks that the branch destination contains the correct expected label. These code transformations can be performed either by a binary rewriter or by a compiler.  Here, the claimed ‘rewrite’ is taught by Erlingsson as ‘binary rewriter’ whereas the claimed ‘to be same’ is taught by Erlingsson as ‘CFI enforcement’ since the function of CFI is to ensure the target address in the code branches to the legal address),, so that the program to be protected terminates when the current target address is tampered with - Erlingsson [0035] The processor processes each indirect branch and its destination separately ...A branch is processed, and then at some point, shown with respect to an example in FIG. 3, at step 230, a check is performed to establish whether the destination code contains the expected label. If the correct label is not present, the processor triggers an exception ... triggering an exception may involve invoking an architecture-defined mechanism for hardware faults, or traps.  Here, the claimed ‘program ... terminates’ is suggested by Erlingsson as ‘triggers an exception’ since Figure 3 only other option teaches that the indirect branch is valid.  ERLINGSSON DOES NOT EXPLICTLY TEACH that the program to be protected terminates when the current target address is tampered with HOWEVER IN AN ART THAT IS ANALAGOUS TO THE SAME FIELD OF ENDEAVOR BRUENING TEACHES that the program to be protected terminates when the current target address is tampered with - Bruening [0210] Here the system begins at (414) with a given instruction address. This is the entry for external control transfers. Then it determines if the given instruction address refers to code that might have been tampered with. This is determined by seeing if the code is contained within a page in the ROPL (440). If not, it stops with a Code Origins security policy violation (416). As described above, this ensures that the system only executes code that has been unmodified since loading. Here, the claimed ‘program’ is taught by Bruening as ‘the code’ because external code is okay unless it has been tampered with.  The claimed ‘terminates’ is taught by Bruening as ‘it stops’ which terminates the program based on a security violation.  The claimed ‘current target address’ is taught by Bruening as ‘ROPL’ since the list is a read only list containing the current data as reference.  The claimed ‘tampered’ is taught by Bruening as ‘tampered with’ alluding to whether the code has been modified. It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to incorporate tamper detection capability provided by Bruening in Erlingsson’ s processing unit 102.  Erlingsson teaches fault exception but not based on a security violation such as tampering.  Bruening tamper detection capability improves Erlingsson control program flow protection and operational security). 

              As to claim 16, the combination of Erlingsson and Bruening teaches the non-transitory computer-readable storage medium according to claim 15, wherein the computer program further causes the processor to:
            rewrite the preset bits of the current target address to be same as a label of the current indirect branch instruction, so that a current indirect branch cannot jump to the legal target addresses when the current target address is tampered with, and the program to be protected terminates – Erlingsson [0024] The software version of CFI enforcement is achieved by subjecting executables to the following two transformations: (a) inserting identifying binary "labels" at each branch destination, and (b) preceding each branch with an inline code fragment which checks that the branch destination contains the correct expected label. These code transformations can be performed either by a binary rewriter or by a compiler.  Here, the claimed ‘rewrite’ is taught by Erlingsson as ‘transformations’ since the two processes a and b rewrite bits that are preset.  The claimed ‘preset bits’ here is taught by Erlingsson as ‘branch destination’ which is the preset address label for the branch), wherein the label is preset bits of a legal target address of the current indirect branch instruction - Erlingsson [0035] ... If the correct label is present, then the indirect branch is valid, at step 250. In this way, indirect branches cannot target anywhere but the places that contain the correct embedded labels.  Here, the clamed ‘legal target address’ is taught by Erlingsson as ‘correct label’ since the correct label is the intended destination address.  The claimed ‘preset’ in this case is taught by Erlingsson as ‘present’ which makes the bits have already been defined).

           As to claim 17, the combination of Erlingsson and Bruening teaches the non-transitory computer-readable storage medium according to claim 16, wherein the computer program further causes the processor to:
          perform an operation of instrumenting code at the current indirect branch instruction- Erlingsson [0025] ... For example, consider how an x86 indirect branch jmp ecx is instrumented using an example software version of CFI, as described with respect to the example software instrumentation shown in FIG. 1.  Here, the claimed ‘performing and operation’ is taught by Erlingsson as ‘software instrumentation’ whereas the claimed ‘instruction’ is taught by Erlingsson as ‘jmp ecx’ since it instruments the operation to the current branch); wherein the code is used to rewrite the preset bits of the current target address to be same as the label - Erlingsson [0026] Features of an example software implementation of CFI guards include (1) the labels must not have byte encodings that are part of other program instructions; (2) the CFI guard code cannot contain the label bytes, unless the guard code is considered a valid destination in the CFG 93) the guard code may overwrite other registers and flags (if these registers are live, they have to be properly saved and restored by the guard code. Here, the claimed ‘code’ is taught by Erlingsson as ‘guard code’ whereas the claimed ‘rewrite’ is taught by Erlingsson as ‘overwrite’.  The claimed ‘preset bits’ is taught by Erlingsson as ‘label bytes’).

             As to claim 18, the combination of Erlingsson and Bruening teaches the non-transitory computer-readable storage medium according to claim 16, wherein the computer program further causes the processor to:
            perform a null instruction filling operation on all the legal target addresses respectively, so that the preset bits of all the legal target addresses increase until equal to the label of the current indirect branch instruction – Erlingsson [0043] The cfilabel instruction is the destination of the checked branch instructions. cfilabel contains an immediate label value; for the Alpha ISA it is a 16-bit immediate. For other ISAs, such as x86, more bits could be used. The effect of the instruction is to compare the immediate with the contents of the cfi_register, and to reset the cfi_register if its immediate label is equal to the contents of the cfi_register.  Here, the claimed ‘performing a null operation’ is taught by Erlingsson as ‘reset the cfi_register’ because the instruction seeks to compare current and target addresses.  The claimed ‘legal target addresses’ is taught by Erlingsson as ‘checked branch instruction’ since these instructions have been verified.  The claimed ‘bits ... increase’ is taught by Erlingsson as ‘more bits could be used’ which is the bit stuffing to equalize the addresses to the current address.  The claimed ‘until equal’ is taught by Erlingsson as ‘label is equal’.  The claimed ‘current indirect branch instruction’ is taught by Erlingsson as ‘cfilabel instruction’).

Claims 6, 13, and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Erlingsson, in view of Bruening, and in further view of Wilkerson; Daniel Shawcross et al, US 20170126738 A1, May 04, 2017, hereafter referred to as Wilkerson.

             As to claim 6, the combination of Erlingsson and Bruening teaches the method for control-flow integrity protection according to claim 1.  THE COMBINATION OF ERLINGSSON AND BRUENING DO NOT TEACH wherein the preset bits of the legal target addresses are low bytes of the legal target addresses, and the preset bits of the current target address are low bytes of the current target address HOWEVER IN AN ANALOGOUS ART THAT IS DIRECTED TO THE SAME FIELD OF ENDEAVOR WILKERSON TEACHES wherein the preset bits of the legal target addresses are low bytes of the legal target addresses, and the preset bits of the current target address are low bytes of the current target address – Wilkerson [0112 The Native Client project addresses some of the same software problems as Hard Object does, such as the problem of constraining dynamic control flow transfer. They constrain dynamic control transfer by requiring software to mask off the low bits of the target address of a dynamic control transfer so that the transfer can only target an address that is a multiple of, say, 32. They then ensure that instructions on such locations are executable only if a given location is a legitimate target of a dynamic control transfer.  Here, the claimed ‘legal and current addresses’ is taught by Wilkerson as ‘dynamic control transfer’ since the program constrains the program flow from the current to the target address.  The claimed ‘low bits’ is taught by Wilkerson as ‘the low bits’ which constrain the flow of the program.  It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the control flow guard capability created by Wilkerson to the combination of Erlingsson and Bruening.  The combination of Erlingsson and Bruening is silent on whether the legal and target addresses are defined by low bits.  Wilkerson uses the low bits as guards or boundaries for control flow.  The combination of Erlingsson and Bruening is silent on use of low bits.  Incorporating low bit designations for address specificity especially for pointers at the register stack would improve overall computer security of the combination of 
Erlingsson and Bruening). 

               As to claim 13, the combination of Erlingsson and Bruening teaches the apparatus according to claim 8. THE COMBINATION OF ERLINGSSON AND BRUENING DO NOT TEACH wherein the preset bits of the legal target addresses are low bytes of the legal target addresses, and the preset bits of the current target address are low bytes of the current target address HOWEVER IN AN ANALOGOUS ART THAT IS DIRECTED TO THE SAME FIELD OF ENDEAVOR WILKERSON TEACHES wherein the preset bits of the legal target addresses are low bytes of the legal target addresses, and the preset bits of the current target address are low bytes of the current target address – Wilkerson [0112 The Native Client project addresses some of the same software problems as Hard Object does, such as the problem of constraining dynamic control flow transfer. They constrain dynamic control transfer by requiring software to mask off the low bits of the target address of a dynamic control transfer so that the transfer can only target an address that is a multiple of, say, 32. They then ensure that instructions on such locations are executable only if a given location is a legitimate target of a dynamic control transfer.  Here, the claimed ‘legal and current addresses’ is taught by Wilkerson as ‘dynamic control transfer’ since the program constrains the program flow from the current to the target address.  The claimed ‘low bits’ is taught by Wilkerson as ‘the low bits’ which constrain the flow of the program.  It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the control flow guard capability created by Wilkerson to the combination of Erlingsson and Bruening.  The combination of Erlingsson and Bruening is silent on whether the legal and target addresses are defined by low bits.  Wilkerson uses the low bits as guards or boundaries for control flow.  The combination of Erlingsson and Bruening is silent on use of low bits.  Incorporating low bit designations for address specificity especially for pointers at the register stack would improve overall computer security of the combination of 
Erlingsson and Bruening).

                As to claim 20, the combination of Erlingsson and Bruening teaches the method for control-flow integrity protection according to claim 15.  THE COMBINATION OF ERLINGSSON AND BRUENING DO NOT TEACH wherein the preset bits of the legal target addresses are low bytes of the legal target addresses, and the preset bits of the current target address are low bytes of the current target address HOWEVER IN AN ANALOGOUS ART THAT IS DIRECTED TO THE SAME FIELD OF ENDEAVOR WILKERSON TEACHES wherein the preset bits of the legal target addresses are low bytes of the legal target addresses, and the preset bits of the current target address are low bytes of the current target address – Wilkerson [0112 The Native Client project addresses some of the same software problems as Hard Object does, such as the problem of constraining dynamic control flow transfer. They constrain dynamic control transfer by requiring software to mask off the low bits of the target address of a dynamic control transfer so that the transfer can only target an address that is a multiple of, say, 32. They then ensure that instructions on such locations are executable only if a given location is a legitimate target of a dynamic control transfer.  Here, the claimed ‘legal and current addresses’ is taught by Wilkerson as ‘dynamic control transfer’ since the program constrains the program flow from the current to the target address.  The claimed ‘low bits’ is taught by Wilkerson as ‘the low bits’ which constrain the flow of the program.  It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the control flow guard capability created by Wilkerson to the combination of Erlingsson and Bruening.  The combination of Erlingsson and Bruening is silent on whether the legal and target addresses are defined by low bits.  Wilkerson uses the low bits as guards or boundaries for control flow.  The combination of Erlingsson and Bruening is silent on use of low bits.  Incorporating low bit designations for address specificity especially for pointers at the register stack would improve overall computer security of the combination of 
Erlingsson and Bruening).        

Allowable Subject Matter
Claims 5, 12, and 19 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.  The Examiner finds the feature whereby the label of the current indirect branch instruction is preset at random.  Prior art search to include a broad yet reasonable interpretation does not find this feature “within the context” of the prevailing claims.

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to WILLIAM B. JONES whose telephone number is (571) 272-9637.  The examiner can normally be reached on Mon - Fri., 7:00 a.m. to 3:00 p.m.  If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Ashok Patel can be reached on 571-272-3972.  The fax phone number for the organization where this application or proceeding is assigned is 571-272-3900.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
 /WILLIAM B JONES/Examiner, Art Unit 249111/1/2022