DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
1.	The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

2.	Claims 1–13 and 15–20 are pending for examination in the reply filed on 10/28/2022.  Claim 14 is cancelled.


Examiner’s Remarks
3.	Examiner refers to and explicitly cites particular pages, sections, figures, paragraphs or columns and lines in the references as applied to Applicant’s claims to the extent practicable to streamline prosecution.
Although the cited portions of the references are representative of the best teachings in the art and are applied to meet the specific limitations of the claims, other uncited but related teachings of the references may be equally applicable as well.  It is respectfully requested that, in preparing responses to the rejections, the Applicant fully considers not only the cited portions of the references, but also the references in their entirety, as potentially teaching, suggesting or rendering obvious all or one or more aspects of the claimed invention.

Abbreviations
4.	Where appropriate, the following abbreviations will be used when referencing Applicant’s submissions and specific teachings of the reference(s):
i.	figure / figures:		Fig. / Figs.
ii.	column / columns:		Col. / Cols.
iii.	page / pages:			p. / pp.

References Cited
5.	(A)	Oh, US 2017/0031692 A1.
	(B)	Terasaki, US 2011/0154325 A1.
	(C)	Sudhakar, US 2009/0307689 A1.

	Oh and Terasaki were cited in the previous Office action.


Notice re prior art available under both pre-AIA  and AIA 
6.	In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

A.
7.	Claims 1–4, 8–12, and 16–20 are rejected under 35 U.S.C. 103 as being unpatentable over (A) Oh in view of (B) Terasaki and (C) Sudhakar.

See “References Cited” section, above, for full citations of references.

8.	Regarding claim 1, (A) Oh teaches/suggests the invention substantially as claimed, including:
“A method comprising:
	identifying ... a security policy associated with a virtual machine, wherein the security policy specifies one or more validation rules”
(¶ 121: the security policy may be sent and applied to at least one of a plurality of guest operating systems (e.g., the first guest operating system 850 or the second guest operating system 860);
¶ 66: apply the security policy received through the device management module 231 to at least one of the host operating system 230 or the guest operating system 250 based on the security policy);

	“causing ... the security policy to be imported into a guest operating system of the virtual machine ...”
(¶ 66: apply the security policy received through the device management module 231 to at least one of the host operating system 230 or the guest operating system 250 based on the security policy;
¶ 83: apply the security policy associated with control of an input/output device, a storage device, or other hardware of the electronic device 220); and 

	“responsive to receiving, by the guest operating system, a first request to perform a system call, validating, by the guest operating system, the first request in accordance with the validation rules of the security policy”
(¶ 72: may provide the security policy to the guest operating system 250 to allow the guest operating system 250 to perform the DRM function and the file system encryption;
¶ 77: the guest management module 255 may map the security policy or a portion thereof to appropriate commands CMD or API calls of the guest operating system 250).


Oh teaches a “virtualization platform” (¶ 57: virtualization platform 237 may operate based on the hypervisor 236, and the guest operating system 250 may be installed thereon) and a type-1 hypervisor (¶ 40: The hypervisor may be installed between the kernel (hardware) and the operating system (Type-1)).

Thus, Oh at least suggests or renders obvious using “a hypervisor on a host machine” to identify the security policy and cause the security policy to be imported, in a type-1 hypervisor configuration.

Additionally, (B) Terasaki also teaches or suggests:
““a hypervisor on a host machine” to perform these functions.
(Fig. 1 and ¶¶ 30–33: hypervisor includes: ... a setting applying unit that ... applies the setting value indicated by the setting item information to the guest OS or application that is the setting target of the setting item;
¶ 101: setting notifying unit 322 performs a notifying operation according to an instruction from the setting information managing unit 333 of the host OS unit 330, to apply the correct value of the setting item ( the value according to the security policy) to the guest OS 341).


It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Terasaki with those of Oh to identify and apply Guest OS’s security policy/setting using a hosted hypervisor. The motivation or advantage to do so is to allow of the implementation of hosted guest/application’s security policy in a type-1 hypervisor/virtualization configuration.

Oh and Terasaki do not teach “causing ... the security policy to be imported into a guest operating system ... via a virtual device.”

	(C) Sudhakar however teaches or suggests “causing ... the security policy to be imported into a guest operating system ... via a virtual device.”
(¶ 4: communication is provided by using a hypervisor to emulate a virtual device that has bidirectional communication capability, starting the VM using the hypervisor, and masking existence of the virtual device from any VM user inside the VM. The VM is capable of receiving hypervisor information from, and transmitting VM information to the hypervisor using various forms of the virtual device bidirectional communication capability;
¶ 19: the hypervisor and the guest OS can communicate, with each reading and writing to the virtual device as desired).

It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Sudhakar with those of Oh and Terasaki to communicate/import information to the guest using a virtual device. The motivation or advantage to do so is to provide for the bidirectional flow of data/information between the hypervisor and guest OS.


9.	Regarding claim 2, Oh and Terasaki teach/suggest:
“responsive to successfully validating, by the guest operating system, the first request in accordance with the validation rules of the security policy, allowing the system call to proceed”
(Oh, ¶ 72: provide the security policy to the guest operating system 250 to allow the guest operating system 250 to perform the DRM function and the file system encryption;
¶ 77: map the security policy or a portion thereof to appropriate commands CMD or API calls of the guest operating system 250;
Terasaki, ¶ 87: the policy setting information may include the identifier for identifying the item of a security policy to be applied, and information (allowance, prohibition, or the like) about how the item is to be set).


10.	Regarding claim 3, Oh and Terasaki teach/suggest:
“wherein the validation rules of the security policy specify one or more of: one or more allowed system calls, one or more allowed files, one or more allowed network addresses, or one or more allowed host devices”
(Oh, ¶ 72: provide the security policy to the guest operating system 250 to allow the guest operating system 250 to perform the DRM function and the file system encryption;
¶ 77: map the security policy or a portion thereof to appropriate commands CMD or API calls of the guest operating system 250;
Terasaki, ¶ 87: the policy setting information may include the identifier for identifying the item of a security policy to be applied, and information (allowance, prohibition, or the like) about how the item is to be set).


11.	Regarding claim 4, Oh and Terasaki teach/suggest:
“wherein successfully validating, by the guest operating system, the first request in accordance with the validation rules of the security policy comprises:
determining, by the guest operating system, that the requested system call corresponds to at least one of the allowed system calls”
(Oh, ¶ 72: provide the security policy to the guest operating system 250 to allow the guest operating system 250 to perform the DRM function and the file system encryption;
¶ 77: map the security policy or a portion thereof to appropriate commands CMD or API calls of the guest operating system 250;
Terasaki, ¶ 87: the policy setting information may include the identifier for identifying the item of a security policy to be applied, and information (allowance, prohibition, or the like) about how the item is to be set).

12.	Regarding claim 8, Oh and Terasaki teach/suggest:
	“responsive to successfully validating, by the guest operating system, the first request to perform the system call, generating, by the guest operating system, a second request to perform the system call”
(Oh, ¶ 72: provide the security policy to the guest operating system 250 to allow the guest operating system 250 to perform the DRM function and the file system encryption;
¶ 77: map the security policy or a portion thereof to appropriate commands CMD or API calls of the guest operating system 250;
Terasaki, ¶ 87: the policy setting information may include the identifier for identifying the item of a security policy to be applied, and information (allowance, prohibition, or the like) about how the item is to be set); and

	“responsive to receiving, by the hypervisor, the second request to perform the system call, validating, by the hypervisor, the second request in accordance with the validation rules of the security policy”
(Oh, ¶ 83: host management module 235 may directly control the backend device driver 236a of the virtualization platform 237 to apply the security policy associated with control of an input/output device, a storage device, or other hardware of the electronic device 220).

13.	Regarding claim 9, Oh and Terasaki teach/suggest:
	“responsive to successfully validating, by the hypervisor, the second request, performing, by the hypervisor, the system call”
(Oh, ¶ 72: provide the security policy to the guest operating system 250 to allow the guest operating system 250 to perform the DRM function and the file system encryption;
¶ 77: map the security policy or a portion thereof to appropriate commands CMD or API calls of the guest operating system 250;
¶ 83: host management module 235 may directly control the backend device driver 236a of the virtualization platform 237 to apply the security policy associated with control of an input/output device, a storage device, or other hardware of the electronic device 220;
Terasaki, ¶ 87: the policy setting information may include the identifier for identifying the item of a security policy to be applied, and information (allowance, prohibition, or the like) about how the item is to be set); and

14.	Regarding claim 10, Oh and Terasaki teach/suggest:
“responsive to not successfully validating, by the guest operating system, the first request in accordance with the validation rules of the security policy, preventing, by the guest operating system, the system call from proceeding”
(Oh, ¶ 72: provide the security policy to the guest operating system 250 to allow the guest operating system 250 to perform the DRM function and the file system encryption;
¶ 73: if a policy in which the operation of the guest operating system 250 is restricted when a designated anti-virus software does not exist is received, the host management module 235 may provide the policy to the guest operating system 250;
¶ 77: map the security policy or a portion thereof to appropriate commands CMD or API calls of the guest operating system 250;
¶ 86: host management module 235 may limit hardware access of the guest operating system 250 such that the guest operating system 250 recognizes a designated device driver is removed or is disabled;
Terasaki, ¶ 87: the policy setting information may include the identifier for identifying the item of a security policy to be applied, and information (allowance, prohibition, or the like) about how the item is to be set).


15.	Regarding claim 11, Oh teaches/suggests:
“wherein preventing the system call from proceeding comprises one or more of: ... generating an error indication”
(¶ 86: host management module 235 may limit hardware access of the guest operating system 250 such that the guest operating system 250 recognizes a designated device driver is removed or is disabled;
¶¶ 105–106: user 290 may try to use the hardware resource 270 by using a first application... first application 281 may notify the user 290 that the hardware resource 270 is unavailable to use).

16.	Regarding claim 12, Oh and Terasaki teach/suggest:
“wherein the guest operating system comprises a guest operating system kernel, the method further comprising: providing, by the hypervisor, the guest operating system kernel to the virtual machine, wherein validating, by the guest operating system, the first request in accordance with the validation rules of the security policy is performed by the guest operating system kernel.”
(Oh, ¶ 58: guest operating system 250 may include a guest kernel 252;
(¶ 72: provide the security policy to the guest operating system 250 to allow the guest operating system 250 to perform the DRM function and the file system encryption;
¶ 77: map the security policy or a portion thereof to appropriate commands CMD or API calls of the guest operating system 250;
Terasaki, ¶ 87: the policy setting information may include the identifier for identifying the item of a security policy to be applied, and information (allowance, prohibition, or the like) about how the item is to be set).


17.	Regarding claims 16–18, they are the corresponding system claim reciting similar limitations of commensurate scope as the method of claims 1–3. Therefore, they are rejected on the same basis as claims 1–3 above, further including the following rationale:

Oh teaches/suggests: “a memory; and a processor communicably coupled to the memory, the processor to” (Fig. 9, processor and memory).

18.	Regarding claims 19–20, they are the corresponding computer program product claims reciting similar limitations of commensurate scope as the method of claims 1–2, respectively. Therefore, they are rejected on the same basis as claims 1–2 above.


Allowable Subject Matter
19.	Claims 5–7, 13, and 15 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.


Response to Arguments
20.	Applicant’s arguments with respect to the claims have been considered but are moot because the arguments do not apply to any of the references being used in the current rejection.

In the Remarks, the Applicant also contends the following:

a.	Claim 1 has been amended herein to recite “via a virtual device,” which prior to the present amendment were recited by dependent claim 14, which is indicated as being allowable if rewritten in independent form. Accordingly, claim 1 is patentable.

The Examiner disagrees:
	
As to (a), the amended claim 1 does not incorporate every feature of the cancelled claim 14 and thus differs in scope from 14. Hence, claim 1 is rejected based on the references used in the current rejection.


Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to BENJAMIN C WU whose telephone number is (571)270-5906.  The examiner can normally be reached on Monday through Friday, 8:30 A.M. to 5:00 P.M..

Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Meng-Ai An can be reached on (571)272-3756.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.

Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/BENJAMIN C WU/Primary Examiner, Art Unit 2195                                                                                                                                                                                                        
November 28, 2022