Notice of Pre-AIA or AIA Status

The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
This final office action is responsive to the RCE filed on 09/22/2022.
Claims 1-20 are pending.

Response to Amendment

Applicant has amended independent claims 1, 14 and 15 and dependent claims 5, 8 and 13 to include new/old limitations in a form not previously presented, necessitating a new search and consideration.


Information Disclosure Statement

The information disclosure statement filed 07/10/2020 fails to comply with 37 CFR 1.98(a)(2), which requires a legible copy of each cited foreign patent document; each non-patent literature publication or that portion which caused it to be listed; and all other information or that portion which caused it to be listed. It has been placed in the application file, but the information referred to therein has not been considered. The following cited documents are either missing a copy in the file wrapper or have entries with incorrect dates:
A46: International Preliminary Report on Patentability dated August 8, 2019 from application no. PCT/US2018/015494
A47: International Search Report and Written Opinion dated May 16, 2018 from application no. PCT/US2018/015494

Drawings

The drawings are objected to as failing to comply with 37 CFR 1.84(p)(5) because they do not include the following reference sign(s) mentioned in the description: 

-- client VMs 214 -- in [0045].

Corrected drawing sheets in compliance with 37 CFR 1.121(d) are required in reply to the Office action to avoid abandonment of the application. Any amended replacement drawing sheet should include all of the figures appearing on the immediate prior version of the sheet, even if only one figure is being amended. Each drawing sheet submitted after the filing date of an application must be labeled in the top margin as either “Replacement Sheet” or “New Sheet” pursuant to 37 CFR 1.121(d). If the changes are not accepted by the examiner, the applicant will be notified and informed of any required corrective action in the next Office action. The objection to the drawings will not be held in abeyance.

Claim Rejections - 35 USC § 112

The following is a quotation of 35 U.S.C. 112(b):

(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


Claims 1-20 are rejected under 35 U.S.C. 112(b) as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or joint inventor regards as the invention.

The following claim language is not clearly understood:

Claim 1 line 1 recites “method for creating …” without ever reciting the step of creating the VWP, and is therefore rejected as being incomplete for omitting essential steps, such omission amounting to a gap between the steps. See MPEP § 2172.01.

Claim 1 lines 7-8 recite “extracting…from a definition of the VWP”. It is unclear whether the definition of the VWP is part of the method or is received by the method (i.e. is external to the method, e.g. stored in storage, received from a client, or part of the SKH).

Claim 1 line 8 recites “VWP definition defines boot of the VWP”. It is unclear whether the definition defines the method/instructions for booting/deploying/starting/resetting the VWP or the associated policies (i.e. the policy for encryption and booting).

Claim 6 recites “the net guard and disk guard created the client VM”, while claim 5 recites a net guard used for network encryption and a disk guard used for disk encryption. It is unclear whether the net guard and disk guard create the client VM or the hypervisor creates the client VM using the net guard and disk guard.

Claims 14 and 15 recite elements of claim 1 and have the same deficiencies as claim 1. Therefore, they are rejected for the same rationale. The remaining dependent claims are also rejected due to their dependency on the rejected independent claims.


Claim Rejections - 35 USC § 103

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.



Claims 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over Foley et al. (US 2009/0204964 A1, hereafter Foley) in view of DAM et al. (US 2018/0189479 A1, hereafter DAM).

Both Foley and DAM were cited in the last office action.

As per claim 1, Foley teaches the invention substantially as claimed including a method for creating a multi-domain Virtual Work Package (VWP) ([0088] multiple independent security domains in the forms of VM fig. 6 VM, Crypto Services), comprising: 

verifying, by a trust agent, integrity of a VWP for one of Multiple Single Level Security (MSLS) domains based on a signature of the VWP ([0088] multiple independent security domains in the forms of VM fig. 6 VM, Crypto Services [0304] integrity measurement and attestation capabilities, assured, mobile internet end-point MIEP, good state, isolated environment, using VMs, individually attestable [0096] VM, cryptographically identify the software they run and securely and reliably attest their state [0235] MIEP VM, signature, Trusted Server), 
wherein the VWP comprises at least one client Virtual Machine (VM) and at least one encryption driver (fig. 6 VM, Crypto Services, vTPM driver; fig. 7 VM, TPM driver), and
wherein the MSLS domains are implemented using Multiple Independent Levels of Safety and Security (MILS) ([0088] multiple independent security domains in the forms of VM); 
extracting, by the trust agent, configurations of the VWP from a VWP definition of the VWP, wherein the VWP definition defines encryption and boot of the VWP ([0101] VM, unit, securely provision on any given VM [0153] MIEP VM, create trusting environment, MIEP agents, run, mutual authentication and attestation [0157] specification, capabilities, spawned, server, VMs, MIEP generated policies [0158] policies on the MIEP VM ); 

validating, by the trust agent, that the configurations of the VWP is compatible with a work slot of a Secure Kernel Hypervisor (SKH) ([0153] MIEP, server, agents, run, mutual authentication and attestation [0156] fig 15 trusted virtual machine manager [0101] VM, unit, securely provision on any given VM [0153] MIEP VM, create trusting environment, MIEP agents, run, mutual authentication and attestation [0157] specification, capabilities, spawned, server, VMs, MIEP generated policies [0158] policies on the MIEP VM); and 

in response to validating that the configurations of the VWP is compatible ([0153] MIEP, server, agents, run, mutual authentication and attestation [0156] fig 15 trusted virtual machine manager), resetting, by the trust agent, the VWP ([0318] trusted boot process, MIEP, reliable erasure, autonomous basis, data wipe [0319] data wipe, MIEP, policies [0153] MIEP agent).

Foley doesn’t specifically teach validating that the VWP is compatible with a work slot of a secure kernel hypervisor (SKH) and, in response to the validating, resetting the work slot.

DAM, however, teaches validating that the VWP is compatible with a work slot of a secure kernel hypervisor (SKH) ([0003] security kernel, hypervisor; [0017] security condition verification, security domains, first/second functional modules, belongs to set of authorized information exchange) and, in response to the validating ([0020] security condition is satisfied; fig. 4A 160a-yes-170a-other possible execution-no-190a), resetting the work slot (fig. 4A acquire initial state 120a; [0093] initial state, initiate, dedicated hardware components).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Foley with the teachings of DAM of a secure kernel hypervisor, security condition verification of different functional modules of different zones, and acquiring an initial state after verification, in order to improve efficiency and to allow validating that the VWP is compatible with a work slot of a secure kernel hypervisor (SKH) and, in response to the validating, resetting the work slot in the method of Foley, as in the instant invention.

	
As per claim 2, Foley teaches wherein verifying the integrity of the VWP comprises verifying a signature of the VWP via a trusted computing module (TPM) ([0235] MIEP VM, signature, Trusted Server [0276] [0096] VM, cryptographically identify the software they run and securely and reliably attest their state).  

As per claim 3, Foley teaches receiving, by the trust agent, a VWP identifier that identifies the VWP from a Cloud Orchestration System (COS) ([0096] VM, identify, attest state to remote parties); and 
receiving, by the trust agent, an encrypted VWP definition (fig. 8 MIEP-cloud-agent-web services).  

As per claim 4, Foley teaches wherein extracting the configurations of the VWP comprises: 
receiving, by the trust agent, a master key from a trusted computing module (TPM) (fig. 17 trusted agent, virtual service, trusted VM  [0201] encrypted search keys); and 
decrypting, by the trust agent, the encrypted VWP definition of the VWP using the master key ([0251] sever, decrypt, on behalf of thin client ), wherein the configurations comprising one or more of a network domain key, a disk encryption key, boot instructions, or boot definitions ([0199] boot sequence).  

As per claim 5, DAM teaches wherein resetting the VWP and the work slot comprises triggering resetting and clearing of data held by a net guard, a disk guard used for network encryption for the at least one client VM, and the at least one client VM (fig. 4A 190a acquire initial state 120; [0093] initiate the dedicated hardware).

As per claim 6, DAM teaches the SKH comprises one or more emulated disks having the net guard, the disk guard, and the client VM ([0003] separation kernel); and
the net guard and the disk guard created the client VM ([0008] different types of VM).

As per claim 7, DAM teaches wherein resetting the VWP and the work slot comprises initialization of resources associated with the SKH ([0003] security kernel, hypervisor; [0017] security condition verification, security domains, first/second functional modules, belongs to set of authorized information exchange; [0020] security condition is satisfied; fig. 4A other possible execution-no-190a acquire initial state 120; [0093] initial state, initiate, dedicated hardware components).
 
As per claim 8, Foley teaches sending initialization messages after resetting the VWP and the work slot, wherein sending the initialization messages comprises one or more of:
sending a network domain key to a net guard of the SKH; 
sending a disk encryption key to a disk guard of the SKH ([0279] sending, secure channel, encrypted with PCA_PUB); and 
sending one or more of boot instructions or boot definitions to a client Virtual Machine (VM) of the SKH ([0135] HMD actually booted from the MTM).  

As per claim 9, DAM teaches wherein the net guard sends an emulated Network Interface Card (NIC) to the client VM ([0008] provide virtualized network services to the virtual machines).  

As per claim 10, DAM teaches wherein the SKH comprises a separation kernel and a hypervisor ([0003] hypervisor, separation kernel).  

As per claim 11, DAM teaches wherein the separation kernel is a kernel that has no API, no interrupts, and no input/output ports ([0080] separation kernel design).  

As per claim 12, DAM teaches wherein the separation kernel is configured at installation without capabilities to change installed configurations after installation ([0080] separation kernel design [0148] powering on the real system, initialization of the memory and kernel binary code).  

As per claim 13, Foley teaches wherein the hypervisor is configured to host the MSLS domains by virtualizing hardware to execute a plurality of different operating systems or applications (fig. 6 trusted hypervisor; [0089] provide flexibility of multiple operating systems; [0090] multiple independent domains), wherein each of the plurality of different operating systems or applications corresponds to one of the MSLS domains (fig. 6 VM1, guest OS-2, VM2, guest OS-1; [0090] provide multiple independent security domains in the form of VMs).
DAM teaches remaining claim elements of virtualizing hardware of a single multi-tenant cloud ([0008] several virtual machine in cloud server architecture).

Claim 14 recites non-transitory computer-readable media comprising computer-readable instructions that, when executed, cause a processor to implement limitations similar to claim 1. Therefore, it is rejected for the same rationale.

Claim 15 recites a system for creating a multi-domain trust agent Virtual Work Package (VWP), comprising one or more processors and one or more memories configured to implement limitations similar to claim 1. Therefore, it is rejected for the same rationale.

Claim 16 recites the system of claim 15, configured to perform limitations similar to claim 6. Therefore, it is rejected for the same rationale.
Claim 17 recites the system of claim 16, configured to perform limitations similar to claim 6. Therefore, it is rejected for the same rationale.
Claim 18 recites the system of claim 17, wherein the trust agent is further configured to perform limitations similar to claim 8. Therefore, it is rejected for the same rationale.
Claim 19 recites the system of claim 17, configured to perform limitations similar to claim 5. Therefore, it is rejected for the same rationale.
Claim 20 recites the system of claim 16, configured to perform limitations similar to claim 9. Therefore, it is rejected for the same rationale.


Response to Arguments
The previous objections to the drawings have been withdrawn. However, new objections have been made.
The previous claim interpretations have been withdrawn.
The previous rejections under 35 U.S.C. §112 have been withdrawn, except that some of the previous 35 U.S.C. §112(b) rejections have been maintained and new rejections are made in reference to the amended claims.
The previous 35 U.S.C. §101 rejections have been withdrawn.
Applicant's arguments filed on 09/22/2022 have been fully considered but they are not persuasive. In Applicant’s response filed on 09/22/2022, Applicant argues the following:

a. Foley does not disclose or suggest how integrity measurement is applied.
b. Foley fails to disclose or suggest verifying a VWP that includes "at least one client Virtual Machine (VM) and at least one encryption driver," much less verifying a VWP based on a signature of such a VWP.
c. None of paragraphs [0153] and [0156] relate to a hypervisor or SKH, or the VWP (which includes at least one client Virtual Machine (VM) and at least one encryption driver as noted above), much less "validating ... that the configurations of the VWP is compatible with a work slot of a Secure Kernel Hypervisor (SKH)."
d. However, as noted above, paragraph [0153] merely discloses that "applications running in MIEP VMs can 'spawn' VMs on the Server to create trusted hosting environments in which MIEP Agents can run," and paragraph [0156] discloses "VMs can attest to their state when challenged by an application running in an MIEP VM that has spawned a corresponding Server VM." Foley has not been shown to disclose or suggest that "validating that the configurations of the VWP is compatible with the work slot" can be used as a trigger for a response, not to mention that VMs and VWP are different as noted above.
e. Given that Foley does not disclose that the VWP "comprises at least one client Virtual Machine (VM) and at least one encryption driver" as recited by claim 1, Foley would have much less disclosed or suggested resetting the VWP.
f. Indeed, paragraph [0318] of Foley discloses that "the MIEP is capable of reliable erasure of lost data on an autonomous basis, i.e. the data wipe does not require connection to the internet for the wipe to be initiated and logged by the IT department," and paragraph [0319] of Foley discloses "The data wipe can be initiated on the MIEP based on policies, such as requiring that the MIEP 'phone home' on a periodic basis, and if that is not achieved, initiate the data wipe of sensitive data." The trigger for these data wipes is unrelated to "validating that the configurations of the VWP is compatible with the work slot." Therefore, claim 1 is patentably distinguished from the references of record (alone or in combination).

Examiner has thoroughly considered Applicant’s arguments but, respectfully, finds them unpersuasive for at least the following reasons:
With respect to point a: The argument is moot in view of the newly cited portions of the cited prior art.
With respect to point b: The argument is moot in view of the newly cited portions of the cited prior art.
With respect to point c: Examiner respectfully disagrees. Foley in paragraph [0153] teaches that applications running in MIEP VMs can "spawn" VMs on the Server to create trusted hosting environments in which MIEP Agents can run, and that this spawning process preferably includes mutual authentication and attestation. As such, the spawned VM includes crypto services and TPM drivers ([0153]), which is the same as a VM including an encryption driver. Foley also teaches spawning a VM to create a trusted hosting environment, where the spawning process preferably includes mutual authentication and attestation ([0153]); i.e. the process of creating the VM includes the validation process, and in fact this also includes a determination of compatibility, since any spawned VM has to be attested/authenticated before or upon spawning. Foley also teaches a trusted virtual machine manager (fig. 15 TVMM; [0106]) for creating VMs by virtualization, i.e. the spawned VMs run on the VMM or hypervisor. Foley doesn’t specifically teach an SKH. DAM, however, teaches the remaining argued claim elements.

With respect to point d: Foley teaches mutual authentication and attestation, which implicitly indicates compatibility, because an incompatible VM may not be able to be spawned due to failing authentication and/or attestation. DAM, however, clearly teaches a security kernel ([0003]) and verification and validation of security domains relating to functional modules ([0017]). DAM also teaches initialization of a dedicated hardware component upon satisfying certain conditions (fig. 4A 120a; [0093]). Therefore, the combination does teach the argued claim elements.
With respect to point e: Same response as with respect to points a-d above.
With respect to point f: Same response as with respect to points a-d above.

Conclusion

The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 
Chang, John Y. et al. (US 2014/0337750 A1) teach dynamically grouping monitored resources in a cloud environment into collections representing a composite application.
Kamiyama et al. (US 2013/0117745 A1) teach a virtual computer system, control method for a virtual computer system, control program for a virtual computer system, and integrated circuit.
Mansell, David Hennah et al. (US 2009/0222816 A1) teach a data processing apparatus and method for controlling access to secure memory by virtual machines executing on processing circuitry.
Mooring, Edward T. (US 2017/0200005 A1) teaches systems and methods involving aspects of hardware virtualization such as separation kernel hypervisors, hypervisors, hypervisor guest context, hypervisor context, anti-fingerprinting, and/or other features.
Potlapally, Nachiketh Rao et al. (US 10389709 B2) teach securing client-specified credentials at cryptographically attested resources.
Schunter, Matthias et al. (US 2008/0235793 A1) teach integrity protection in data processing systems.

Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 

Any inquiry concerning this communication or earlier communications from the examiner should be directed to ABU ZAR GHAFFARI whose telephone number is (571)270-3799. The examiner can normally be reached Monday-Thursday 9:00 - 17:00.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Meng-Ai AN can be reached on 571-272-3756. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

ABU ZAR GHAFFARI
Primary Examiner
Art Unit 2195



/ABU ZAR GHAFFARI/Primary Examiner, Art Unit 2195