DETAILED ACTION
1.	Claims 1-14 are pending in this examination.
Notice of Pre-AIA  or AIA  Status
2.	The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . 
3.	In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
Double Patenting
4.1.	The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees.  A nonstatutory double patenting rejection is appropriate where the claims at issue are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); and In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on a nonstatutory double patenting ground provided the reference application or patent either is shown to be commonly owned with this application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b).
The USPTO internet Web site contains terminal disclaimer forms which may be used.  Please visit http://www.uspto.gov/forms/.  The filing date of the application will determine what form should be used.  A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission.  For more information about eTerminal Disclaimers, refer to http://www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp

4.2. 	Claims 1-14 are rejected on the ground of nonstatutory obviousness-type double patenting as being unpatentable over claims 1-13, 17-18 of US Patent No. 11010477.
Although the conflicting claims are not identical, they are not patentably distinct from each other because claims 1-13 are anticipated by claims 1-13, 17-18 of the US Patent No. 11010477.

Instant application No. 
Claims: 1-13
US Patent No. 11010477
Claims: 1-13, 17-18
1. A hardware monitor arranged to detect illegal firmware instructions in a firmware binary image based on a hardware design for an electronic device configured to execute the firmware binary image, detect illegal firmware instructions in the firmware binary image, and stop execution of the firmware binary image upon detection of an illegal firmware instruction, the hardware monitor comprising: monitor and detection logic configured to: 

detect that an instantiation of the hardware design has stopped execution of the firmware; and detect that the instantiation of the hardware design implements a decode of an illegal firmware instruction; and 
assertion evaluation logic configured to determine whether the firmware binary image comprises an illegal firmware instruction by evaluating one or more formal assertions that assert a formal property that states that if a stop of firmware execution has been detected, that decode of an illegal firmware instruction has, or has not, been detected.







2. The hardware monitor of claim 1, wherein the monitor and detection logic comprises one or more decode illegal instruction registers and decode illegal instruction detection logic configured to detect that the instantiation of the hardware design has decoded an illegal firmware instruction based on one or more control and/or data signals of the hardware design, and in response to detecting the instantiation of the hardware design has decoded an illegal firmware instruction, set at least one of the one or more decode illegal instruction registers.
3. The hardware monitor of claim 2, wherein the one or more decode illegal instruction registers comprise one decode illegal instruction register corresponding to each of a plurality of illegal firmware instructions, and the decode illegal instruction detection logic is configured to, in response to detecting that the instantiation of the hardware design has decoded one of the plurality of illegal firmware instructions, setting the corresponding decode illegal instruction register.
4. The hardware monitor of claim 2, wherein the decode illegal instruction detection logic is configured to detect that the instantiation of the hardware design has decoded an illegal firmware instruction by comparing an opcode of the decoded instruction to an opcode of the illegal firmware instruction.
5. The hardware monitor of claim 1, wherein the monitor and detection logic comprises one or more firmware execution registers and firmware execution detection logic configured to detect that the instantiation of the hardware design has stopped execution of the firmware based on one or more control and/or data signals of the hardware design, and in response to detecting that the instantiation of the hardware design has stopped execution of the firmware to set one or more of the one or more firmware execution registers.

6. The hardware monitor of claim 5, wherein the firmware execution detection logic is configured to detect that the instantiation of the hardware design has stopped execution of the firmware when the instantiation of the hardware design is in a particular state.
7. The hardware monitor of claim 6, wherein the particular state is an IDLE state.
8. The hardware monitor of claim 1, wherein the one or more formal assertions comprises at least one seen assertion that asserts a formal property that states that if a stop of firmware execution has been detected that decode of an illegal firmware instruction has been detected, and at least one not seen assertion that asserts a formal property that states that if a stop of firmware execution has been detected that decode of an illegal firmware instruction has not been detected.
9. The hardware monitor of claim 1, wherein the assertion evaluation logic is further configured to determine whether the instantiation of the hardware design responds as expected to an illegal firmware instruction in the firmware binary image by evaluating one or more recovery assertions that state that if decode of an illegal firmware instruction has been detected that the instantiation of the hardware design goes into a particular state.
10. The hardware monitor of claim 1, wherein the assertion evaluation logic is further configured to determine whether the instantiation of the hardware design responds as expected to an illegal firmware instruction in the firmware binary image by evaluating one or more mutually exclusive assertions that state that if decode of a particular illegal firmware instruction of a plurality of illegal firmware instructions has been detected that decode of any other of the plurality of illegal firmware instructions is not detected.
11. The hardware monitor of claim 1, wherein the assertion evaluation logic is configured to, in response to determining that at least one of the one or more formal assertions is evaluated to be false, output a signal indicating that the at least one assertion was evaluated to be false.
12. The hardware monitor of claim 1, wherein when the hardware design is processed in an integrated circuit manufacturing system, the hardware design configures the integrated circuit manufacturing system to manufacture the electronic device.
13. The hardware monitor of claim 1, wherein the hardware monitor is embodied in an integrated circuit definition dataset, which when processed in an integrated circuit manufacturing system, configures the integrated circuit manufacturing system to manufacture the hardware monitor.

Claims 1, 
1. A method of detecting illegal firmware instructions in a firmware binary image, the method comprising: (a) receiving the firmware binary image; (b) receiving a hardware design for an electronic device configured to execute the firmware binary image, detect illegal firmware instructions in the firmware binary image, and stop execution of the firmware binary image upon detection of an illegal firmware instruction; (c) loading the firmware binary image into the hardware design; (d) receiving a hardware monitor comprising: monitor and detection logic configured to:
detect that an instantiation of the hardware design has stopped execution of the firmware binary image; and detect that the instantiation of the hardware design implements a decode of an illegal firmware instruction; and 
assertion evaluation logic configured to determine whether the firmware binary image comprises an illegal firmware instruction by evaluating one or more formal assertions that assert a formal property that states that if a stop of firmware binary image execution has been detected, that decode of an illegal firmware instruction has, or has not, been detected; 
(e) binding the hardware monitor to the hardware design loaded with the firmware binary image; (f) formally verifying, using a formal verification tool, the one or more formal assertions are true for the hardware design loaded with the firmware binary image; and (g) outputting one or more signals indicating whether or not each of the one or more formal assertions was successfully verified to identify whether the firmware binary image comprises an illegal firmware instruction.
2. The method of claim 1, wherein the monitor and detection logic comprises one or more decode illegal instruction registers and decode illegal instruction detection logic configured to detect that the instantiation of the hardware design has decoded an illegal firmware instruction based on one or more control and/or data signals of the hardware design, and in response to detecting the instantiation of the hardware design has decoded an illegal firmware instruction, set at least one of the one or more decode illegal instruction registers.
3. The method of claim 2, wherein the one or more decode illegal instruction registers comprise one decode illegal instruction register corresponding to each of a plurality of illegal firmware instructions, and the decode illegal instruction detection logic is configured to, in response to detecting that the instantiation of the hardware design has decoded one of the plurality of illegal firmware instructions, setting the corresponding decode illegal instruction register.
4. The method of claim 2, wherein the decode illegal instruction detection logic is configured to detect that the instantiation of the hardware design has decoded an illegal firmware instruction by comparing an opcode of the decoded instruction to an opcode of the illegal firmware instruction.
5. The method of claim 1, wherein the monitor and detection logic comprises one or more firmware execution registers and firmware execution detection logic configured to detect that the instantiation of the hardware design has stopped execution of the firmware binary image based on one or more control and/or data signals of the hardware design, and in response to detecting that the instantiation of the hardware design has stopped execution of the firmware binary image to set one or more of the one or more firmware execution registers.
6. The method of claim 5, wherein the firmware execution detection logic is configured to detect that the instantiation of the hardware design has stopped execution of the firmware binary image when the instantiation of the hardware design is in a particular state.
7. The method of claim 6, wherein the particular state is an IDLE state.
8. The method of claim 1, wherein the one or more formal assertions comprises at least one seen assertion that asserts a formal property that states that if a stop of firmware binary image execution has been detected that decode of an illegal firmware instruction has been detected, and at least one not seen assertion that asserts a formal property that states that if a stop of firmware binary image execution has been detected that decode of an illegal firmware instruction has not been detected.
9. The method of claim 1, wherein the assertion evaluation logic is further configured to determine whether the instantiation of the hardware design responds as expected to an illegal firmware instruction in the firmware binary image by evaluating one or more recovery assertions that state that if decode of an illegal firmware instruction has been detected that the instantiation of the hardware design goes into a particular state.
10. The method of claim 1, wherein the assertion evaluation logic is further configured to determine whether the instantiation of the hardware design responds as expected to an illegal firmware instruction in the firmware binary image by evaluating one or more mutually exclusive assertions that state that if decode of a particular illegal firmware instruction of a plurality of illegal firmware instructions has been detected that decode of any other of the plurality of illegal firmware instructions is not detected.
11. The method of claim 1, wherein the assertion evaluation logic is configured to, in response to determining that at least one of the one or more formal assertions is evaluated to be false, output a signal indicating that the at least one assertion was evaluated to be false.
12. The method of claim 1, wherein when the hardware design is processed in an integrated circuit manufacturing system, the hardware design configures the integrated circuit manufacturing system to manufacture the electronic device.
13. The method of claim 1, wherein the hardware monitor is embodied in an integrated circuit definition dataset, which when processed in an integrated circuit manufacturing system, configures the integrated circuit manufacturing system to manufacture the hardware monitor.

Claims 17-18



This is a nonstatutory obviousness-type double patenting rejection 

Claim Rejections - 35 USC § 103
5.1.	The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.




5.2.	Claims 1-14 are rejected under 35 U.S.C. 103 as being unpatentable over US Patent No. 9317636 issue to Petras et al (“Petras”) in view of US Patent Application No. 20110029961 to Muth et al (“Muth”) and further in view of “Malicious Firmware Detection with Hardware Performance Counters” by Wang et al., (“Wang”) (IDS).
 	As per claim 1, Petras discloses a hardware monitor arranged to detect (illegal) firmware instructions in a firmware binary image based on a hardware design for an electronic device configured to execute the firmware binary image, detect (illegal) firmware instructions in the firmware binary image, and stop execution of the firmware binary image upon detection of an illegal firmware instruction, the hardware monitor comprising: 
monitor and detection logic configured to: detect that an instantiation of the hardware design has stopped execution of the firmware; and detect that the instantiation of the hardware design implements a decode of an (illegal) firmware instruction (5:1-5, 2:25-30).
Petras does not explicitly disclose however in the same field of endeavor, Muth discloses assertion evaluation logic configured to determine whether the firmware binary image comprises an (illegal) firmware instruction by evaluating one or more formal assertions that assert a formal property that states that if a stop of firmware execution has been detected, that decode of an (illegal) firmware instruction has, or has not, been detected ([0099]-[0100]). 
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Petras with the teaching of Muth by including the feature of evaluating one or more formal assertions, in order for Petras’s system to blocking an illegal instruction. During operation, the system obtains the native code module. Next, the system loads the native code module into a secure runtime environment. Finally, the system safely executes the native code module in the secure runtime environment by using a set of software fault isolation (SFI) mechanisms that constrain store instructions in the native code module. The SFI mechanisms also maintain control flow integrity for the native code module by dividing a code region associated with the native code module into equally sized code blocks and data blocks and starting each of the data blocks with an illegal instruction (Muth, [0011]).
Petras does not explicitly disclose however in the same field of endeavor, Wang discloses Illegal/malicious firmware (page 161, left col.) 
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Petras with the teaching of Wang by including the feature of malicious firmware, in order for Petras’s system to preventing exploitation of firmware vulnerabilities. For firmwares with more complex control-flows, we use machine learning techniques to automatically extract the relations among different hardware events. This method significantly reduces the number of pre-stored valid HPC signatures without compromising the detection accuracy. Finally, we reduce the consumption of local resources by implementing a remote-based detection mechanism. We evaluate the detection capability and performance overhead of the proposed technique on various types of firmware running on ARM- and PowerPC-based embedded processors. Experimental results demonstrate its practicality and effectiveness.

As per claim 2, the combination of Petras, Muth and Wang discloses the hardware monitor of claim 1, wherein the monitor and detection logic comprises one or more decode illegal instruction registers and decode illegal instruction detection logic configured to detect that the instantiation of the hardware design has decoded an illegal firmware instruction based on one or more control and/or data signals of the hardware design, and in response to detecting the instantiation of the hardware design has decoded an illegal firmware instruction, set at least one of the one or more decode illegal instruction registers Wang discloses Illegal/malicious firmware (Wang, page 161, left col.). The motivation regarding the obviousness of claim 1 is also applied to claim 2. 
 
As per claim 3, the combination of Petras, Muth and Wang discloses the hardware monitor of claim 2, wherein the one or more decode illegal instruction registers comprise one decode illegal instruction register corresponding to each of a plurality of illegal firmware instructions, and the decode illegal instruction detection logic is configured to, in response to detecting that the instantiation of the hardware design has decoded one of the plurality of illegal firmware instructions, setting the corresponding decode illegal instruction register . (Wang, page 162, right col.). The motivation regarding the obviousness of claim 1 is also applied to claim 3. 
As per claim 4, the combination of Petras, Muth and Wang discloses the hardware monitor of claim 2, wherein the decode illegal instruction detection logic is configured to detect that the instantiation of the hardware design has decoded an illegal firmware instruction by comparing an opcode of the decoded instruction to an opcode of the illegal firmware instruction. (Wang, page 163, lest col.). The motivation regarding the obviousness of claim 1 is also applied to claim 4. 
As per claim 5, the combination of Petras, Muth and Wang discloses the hardware monitor of claim 1, wherein the monitor and detection logic comprises one or more firmware execution registers and firmware execution detection logic configured to detect that the instantiation of the hardware design has stopped execution of the firmware based on one or more control and/or data signals of the hardware design, and in response to detecting that the instantiation of the hardware design has stopped execution of the firmware to set one or more of the one or more firmware execution registers (Petras, 7:1-15).
As per claim 6, the combination of Petras, Muth and Wang discloses the hardware monitor of claim 5, wherein the firmware execution detection logic is configured to detect that the instantiation of the hardware design has stopped execution of the firmware when the instantiation of the hardware design is in a particular state (Petras, 7:1-20). 
As per claim 7, the combination of Petras, Muth and Wang discloses the hardware monitor of claim 6, wherein the particular state is an IDLE state (Petras, 7:1-15). 
As per claim 8, the combination of Petras, Muth, and Wang the hardware monitor of claim 1, wherein the one or more formal assertions comprises at least one seen assertion that asserts a formal property that states that if a stop of firmware execution has been detected that decode of an illegal firmware instruction has been detected, and at least one not seen assertion that asserts a formal property that states that if a stop of firmware execution has been detected that decode of an illegal firmware instruction has not been detected. (Muth, [0099]-[0100] )The motivation regarding the obviousness of claim 1 is also applied to claim 8.
As per claim 9, the combination of Petras, Muth and Wang discloses the hardware monitor of claim 1, wherein the assertion evaluation logic is further configured to determine whether the instantiation of the hardware design responds as expected to an illegal firmware instruction in the firmware binary image by evaluating one or more recovery assertions that state that if decode of an illegal firmware instruction has been detected that the instantiation of the hardware design goes into a particular state (Wang, section 4.1.2). The motivation regarding the obviousness of claim 1 is also applied to claim 9.
As per claim 10, the combination of Petras, Muth, and Wang discloses the hardware monitor of claim 1, wherein the assertion evaluation logic is further configured to determine whether the instantiation of the hardware design responds as expected to an illegal firmware instruction in the firmware binary image by evaluating one or more mutually exclusive assertions that state that if decode of a particular illegal firmware instruction of a plurality of illegal firmware instructions has been detected that decode of any other of the plurality of illegal firmware instructions is not detected (Muth, [0099]-[0100] )The motivation regarding the obviousness of claim 1 is also applied to claim 10.
As per claim 11, the combination of Petras, Muth and Wang discloses the hardware monitor of claim 1, wherein the assertion evaluation logic is configured to, in response to determining that at least one of the one or more formal assertions is evaluated to be false, output a signal indicating that the at least one assertion was evaluated to be false (Wang, section 5.3). The motivation regarding the obviousness of claim 1 is also applied to claim 11.
As per claim 12, the combination of Petras, Muth and Wang discloses the hardware monitor of claim 1, wherein when the hardware design is processed in an integrated circuit manufacturing system, the hardware design configures the integrated circuit manufacturing system to manufacture the electronic device (Petras, 4:25-30). 
As per claim 13, the combination of Petras, Muth and Wang discloses the hardware monitor of claim 1, wherein the hardware monitor is embodied in an integrated circuit definition dataset, which when processed in an integrated circuit manufacturing system, configures the integrated circuit manufacturing system to manufacture the hardware monitor (Petras, 4:25-30).
 	As per claim 14, the combination of Petras, Muth and Wang discloses the hardware monitor of claim 1, wherein the hardware monitor is embodied in hardware on an integrated circuit. (Petras, 2:15-20).
        
 6.	The prior art made of record and not relied upon is considered pertinent to applicant's disclosure as the prior art discloses many of the claim features (See PTO-form 892). 

	a).	 US Patent Application No. 20160171213 to Furukawa et al., discloses an apparatus stores first instructions including a call instruction and second instructions including a return instruction. When executing the second instructions called by the call instruction from the first instructions, the apparatus determines whether an instruction at a return address for return to the first instructions caused by the return instruction of the second instructions includes identification information. The apparatus continues processing of the first instructions when the instruction at the return address includes the identification information, and stops execution of the first instructions when the instruction at the return address does not include the identification information.

b).	 US Patent Application No. 20110213986 to Kanee et al., discloses a discloses an firmware verification section verifies whether a firmware for controlling the activating of contents has been falsified or not, prior to the activating of the contents; a decoding key setting section sets a key to the firmware; the key is used to decode an encrypted activation program for activating the contents, when the firmware has not been falsified; and an activation program decoding section decodes the encrypted activation program by using the firmware with the key set to the firmware.

Conclusion
7.	Any inquiry concerning this communication or earlier communications from the examiner should be directed to HARUNUR RASHID whose telephone number is (571)270-7195.  The examiner can normally be reached on 9 AM to 5PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Eleni A. Shiferaw can be reached on (571) 272-3867.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.


HARUNUR . RASHID
Primary Examiner
Art Unit 2497



/HARUNUR RASHID/Primary Examiner, Art Unit 2497