DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
The Office Action is in response to RCE filed on 10/31/2022, wherein claims 1-20 are pending, claims 1, 6, and 16 are amended.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
Claims 6-7, 10-11, 15-16, and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Potlapally et al. (US PGPUB 2015/0007175), in view of Aithal et al. (US PAT 10298577).

As for claim 6, Potlapally teaches a method, comprising:
performing, at one or more computing devices (Fig. 1 and paragraph 19):
identifying a first virtualization host for launching a compute instance [virtual machine] containing an isolated run-time environment of a client of a virtualized computing service (paragraph 30, “…the provisioning service 303 can select the host computing device 304…”);
causing one or more records generated by a security module of the first virtualization host to be transmitted to a first resource verifier (paragraph 31, “…it is provided to a network manager 312…”), wherein the one or more records include a first record which indicates that a first phase of a multi-phase establishment process for establishing the isolated run-time environment has been completed by a virtualization management component of the first virtualization host (paragraph 30, “before launching the virtual machine, the process is suspended and a cryptographic measurement is obtained…”  Thus, while the prior art does not explicitly state it indicates that a first phase of a multi-phase establishment of an isolated runtime environment has been completed, the measured data is created and sent for verification before launching the virtual machine, and the process is suspended and waiting subject to verification.  Thus, it would be obvious to a person of ordinary skill in the art before the effective filing date of the application to have recognized that the sending of the measured data is an indication of the instantiation process reaching the specific point of the instantiation process because doing so allows improved granular checking for assurance of security of the secure environment.  Roth, paragraph 3.); and
in response to obtaining a host approval indicator from the first resource verifier, causing the multi-phase establishment process for establishing the isolated run-time environment to be completed at the first virtualization host (paragraph 46, “…if the cryptographic measurement matches…the virtual machine is launched…”).

While Potlapally recognizes that virtual machines can include isolated environments and are not compromised (paragraph 2, “…isolated instances (i.e., virtual machines)…obtain cryptographic assurance that the resources have not been tampered with by malicious users or otherwise compromised…”), in the interest of compact prosecution, Examiner notes Potlapally does not explicitly teach a subset of a first portion of memory, included in a set of resources of the first virtualization host, is allocated for exclusive use by the isolated run-time environment; and the subset is inaccessible from programs running in the compute instance but outside the isolated run-time environment.
However, Aithal teaches a known method of secure access on hardware virtualization platform including a subset of a first portion of memory, included in a set of resources of the virtualization host, is allocated for exclusive use by the isolated run-time environment (col. 5 line 67-col 6, line 2, “a number of processes running in containers.  The processes are hosted within a virtual machine…” and col. 3 lines 34-35, “…a virtual machine instance which in turn, hosts the containers…”  and col. 2, lines 34-50, “…processes maybe isolated from each other by placing the processes in different memory spaces…in different containers…containers allows a process and its resources to be isolated and bound together using a namespace…” teaches each container within a VM has a subset of a first portion of memory included in the set of resources on the host, is allocated for exclusive use by the isolated runtime environment of the container), and the subset is inaccessible from programs running outside the isolated run-time environment [containers in the VM but outside the said container] (col. 2, lines 34-50, “…processes maybe isolated from each other by placing the processes in different memory spaces…in different containers…containers allows a process and its resources to be isolated and bound together using a namespace…”  Here, to have a container’s resources be isolated is understood as inaccessible from programs running outside of the container (i.e., other containers, or other virtualized operating environments).  Moreover, different memory spaces also is understood as a form of making the subset inaccessible to other processes/programs outside of the container memory space.). This known technique is applicable to the system of Potlapally as they both share characteristics and capabilities, namely, they are directed to isolation of virtual computing environments and utilization of security related processes to establish the isolation of the virtual computing environment.
One of ordinary skill in the art before the effective filing date of the application would have recognized that applying the known technique of Aithal would have yielded predictable results and resulted in an improved system.  It would have been recognized that applying the technique of Aithal to the teachings of Potlapally would have yielded predictable results because the level of ordinary skill in the art demonstrated by the references applied shows the ability to incorporate such VM isolation features into similar systems.  Further, applying a subset of memory allocated for exclusive use by an isolated runtime environment where the memory is inaccessible to objects outside the isolated runtime environment to Potlapally with VMs having isolated runtime environments accordingly, would have been recognized by those of ordinary skill in the art as resulting in an improved system that would allow improved process isolation in a virtualized environment (Aithal, col. 2, lines 35-39).

As for claim 16, it is the product claim of claim 6 above.  Thus, it is rejected under the same rationales.

As for claim 7, Potlapally also teaches: 
obtaining, at the virtualized computing service via one or more programmatic interfaces, a network address of the first resource verifier, wherein said one or more records are transmitted to the network address (paragraph 31, “...once the cryptographic measurement 309 is obtained, it is provided to a network manager 312…”  While the prior art does not explicitly state the virtualized computing service obtains a network address of the first resource verifier, the prior art teaches the virtualized computing service sends the measurements to a network manager 312, which is external to the host computing device over a network.  The prior art further teaches the network can be implemented using commercially available protocols known to use network addresses to communicate with other entities on the network (paragraph 0052 and 56-0058).  Thus, it would be obvious to a person of ordinary skill in the art before the effective filing date of the application to recognize the TPM that measured and sent the data to the network manager has to have obtained the network address of the network manager because doing so allows fundamental communication and sending of data from one entity to another on a network).

As for claim 10, Potlapally also teaches transmitting, from the virtualized computing service to at least the first resource verifier, prior to implementation of the first phase at the first virtualization host, an example record which indicates that the first phase has been completed (paragraph 28, “the request may specify a particular configuration …has corresponding known and approved measurement values associated therewith…”  Thus, the approved measurement values are clearly known when the request is received, thus obviously prior to implementation of the first phase at the first virtualization host).

As for claim 11, Potlapally also teaches verifying, at the virtualized computing service prior to causing the multi-phase establishment of the isolated run-time environment to be completed, that the host approval indicator is from a pre-registered resource verifier which is included in a set of trusted resource verifiers (paragraph 69, “…the verifier 602 maybe a trusted user (e.g., trusted automated process)…” in view of paragraph 72, “if the credentials are verified…the user maybe considered a trusted user 708…”  Thus, the trusted user/trusted automated process is a form of pre-registered resource verifier because the credential needs to be verified first.).

As for claim 15, Potlapally teaches wherein the security module comprises a trusted platform module (TPM) (paragraph 15, “…cryptographic measurements maybe obtained using a trusted platform module (TPM)…”).

As for claim 19, Potlapally also teaches in response to determining, after the isolated run-time environment has been established, that a triggering condition for initiating an additional host verification operation associated with the isolated run-time environment has been met, cause another host approval indicator to be obtained from a resource verifier (paragraph 48.  “…may…update or patch the various resources…such updates…require new cryptographic measurements to be generated for those resources…generates the new cryptographic measurements…the trusted third party may then attest the new cryptographic measurements…”  update and patch are the triggering conditions for initiating an additional verification operation).

Claim 8, 13 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Potlapally and Aithal, in view of Roth et al. (US PGPUB 2016/0134623).

As for claim 8, Potlapally also teaches wherein the virtualized computing service comprises a set of resources at one or more data centers of a provider network (paragraph 33, “…a service provider …can maintain one or more resource centers 523 (e.g., data centers…)”).
While Potlapally teaches verification by a Network Manager separate from the provisioning Service 303 and Host Computing Device 304, each component of the environment can be executed on its own physical hardware, and it is not disclosed in the Specification what constitutes “premise external to the provider network” (i.e., a different server, across a LAN, across a WAN, unspecified physical distance, etc.).  Thus, the network manager can reasonably be understood as premise external to the provider network.  Nevertheless, in the interest of compact prosecution, Examiner notes Potlapally and Aithal do not explicitly state the network manager’s relative location.
However, Roth teaches the resource verifier comprises a program running at a premise external to the provider network (paragraph 57, “…verifications of the integrity of the secure execution environment may performed by…the computing resource service provider, a third party…”  Thus, it is clear when provided by the third party, it is separate and distinct from the service provider that is understood as the provider network).
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the application to incorporate Roth’s teaching of the resource verifier running at a premise external to the provider network to Potlapally and Aithal’s teaching of a resource verifier separate and distinct from the provisioning service and the provider host computing devices because they are directed to the same cryptographic measurement based secure execution environment verification by the same assignee, Amazon, and because doing so improves the assurances of the security of data and applications operating within a computing resource provider (Roth, Paragraph 3).

As for claim 20, it contains similar limitations as claim 8 above.  Thus, it is rejected under the same rationales.

As for claim 13, Roth also teaches transmitting, in response to a programmatic request, a representation of a reference implementation of a resource verifier (paragraph 25.  All functionalities related to the secure execution environment can be provided to the customer in the form of library, interface, web service or other access methodology.  Library and web services are understood as a form of representation of a reference implementation.  The functionality includes verification.  See paragraph 23).


Claim 9 is rejected under 35 U.S.C. 103 as being unpatentable over Potlapally and Aithal, in view of Richards et al. (US PGPUB 2015/0128240).

As for claim 9, Potlapally teaches the virtualized computing service connected to a plurality of alternative resource verifiers including the first resource verifier and a second resource verifier (Fig. 2 and 3 and paragraphs 28 and 31).
Potlapally and Aithal do not explicitly teach obtaining a sequence in which individual ones are to be contacted in the event that a response from one or more of the alternative resource verifiers is not received within a time interval.
However, Richards teaches a known method of obtaining an indication of a sequence in which individual ones of the alternative resource verifiers are to be contacted by the virtualized computing service in the event that a response from one or more of the alternative resource verifiers to a transmission of a record is not received within a time interval (paragraph 77 in view of paragraph 82, “…pre-selection criteria…certain authenticators are contacted (with the rest as backup)…methodology for selecting and ordering authenticators.” and “…the authenticator…only have a certain period of time in which to provide the authenticator’s response…”).  This known technique is applicable to the system of Potlapally and Aithal as they both share characteristics and capabilities, namely, they are directed to security focused authentication utilizing TPM.
One of ordinary skill in the art before the effective filing date of the application would have recognized that applying the known technique of Richards would have yielded predictable results and resulted in an improved system.  It would have been recognized that applying the technique of Richards to the teachings of Potlapally and Aithal would have yielded predictable results because the level of ordinary skill in the art demonstrated by the references applied shows the ability to incorporate such TPM based authentication features into similar systems.  Further, applying a sequence in which individual ones of the alternative resource verifiers are to be contacted in the event of a time out from waiting on response from one or more resource verifiers to Potlapally and Aithal with multiple cryptographic measurement verifiers related to the virtualized computing service accordingly, would have been recognized by those of ordinary skill in the art as resulting in an improved system that would allow improved reliability of the authentication results (Richards, paragraph 77).

Claims 12, 14, and 17 are rejected under 35 U.S.C. 103 as being unpatentable over Potlapally and Aithal, in view of Ferguson et al. (US PGPUB 2016/0357988).

As for claim 12, while Potlapally teaches migration of VM instance in an automated manner (paragraph 25, “...allows for instances to be dynamically moved…”), Potlapally and Aithal do not explicitly teach obtaining from a resource verifier an approval indicator for the second virtualization host before migrating the VM.
However, Ferguson teaches a method of obtaining, at the virtualized computing service from a resource verifier prior to migrating the isolated run-time environment to a second virtualization host, an approval indicator for the second virtualization host (paragraphs 84-85 in view of paragraph 105-106.  A Key request by the migration target is performed before actual migration of VM (paragraphs 84-85).  Request for key includes verification of attestation certificate (paragraphs 105-106).  Thus, the approval indicator for attestation verification happens prior to migrating the VM).
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the application to incorporate Ferguson’s teaching of obtaining an approval indicator for the second virtualization host before migration of VM to Potlapally and Aithal’s teaching of VM migration in a host attestation based secure execution environment because they are directed to cryptographic measurement/host attestation based secure execution environment verification and because doing so improves automation of the workflow to secure virtualized workloads on trusted computing base (Ferguson, paragraph 7).

As for claim 14, Ferguson also teaches prior to completion of the multi-phase establishment, causing one or more artifacts to be decrypted at the first virtualization host using at least a portion of the approval indicator, wherein the one or more artifacts include a machine image (paragraph 38.  Key for decrypting vTPM is distributed as part of state of the host satisfy the policy).

As for claim 17, Ferguson also teaches configuration settings of the isolated run-time environment do not permit input/output (I/O) operations to or from persistent storage (Abstract, and paragraph 233.  lower trust level renders it inaccessible to the component of the VM launched with higher trust level.  I/O port is taught to have associated trust level initially disclosed in Abstract.)

Claim 18 is rejected under 35 U.S.C. 103 as being unpatentable over Potlapally and Aithal, in view of Hoole et al. (US PGPUB 2007/0239987).

As for claim 18, while Potlapally teaches controlling access between the isolated run-time environment and other entities, Potlapally and Aithal do not explicitly teach that configuration settings of the isolated run-time environment do not permit network communication to external end points.
However, Hoole teaches a known method of isolated runtime environment including wherein configuration settings of the isolated run-time environment do not permit network communications between the isolated run-time environment and endpoints external to the isolated execution environment (paragraph 5, restricting undesired communications to those systems from other systems, including external end points, see Fig. 2 and claim 6). This known technique is applicable to the system of Potlapally and Aithal as they both share characteristics and capabilities, namely, they are directed to security focused VM based application isolation in run-time environments implementations.
One of ordinary skill in the art before the effective filing date of the application would have recognized that applying the known technique of Hoole would have yielded predictable results and resulted in an improved system.  It would have been recognized that applying the technique of Hoole to the teachings of Potlapally and Aithal would have yielded predictable results because the level of ordinary skill in the art demonstrated by the references applied shows the ability to incorporate such run-time environment management features into systems.  Further, applying restricting communications from others to Potlapally and Aithal’s secure execution environment that restricts access accordingly, would have been recognized by those of ordinary skill in the art as resulting in an improved system that would allow improved capability to prevent any unauthorized communications between VMs which improves the system security and reliability (Hoole, paragraph 6).

Allowable Subject Matter
Claims 1-5 are allowed.

Response to Arguments
Applicant’s arguments with respect to claim(s) 6-20 have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument.

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to KEVIN X LU whose telephone number is (571)270-1233.  The examiner can normally be reached on M-F 10am-6pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.  
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Lewis Bullock can be reached on 5712723759.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/KEVIN X LU/
Examiner, Art Unit 2199

/LEWIS A BULLOCK JR/
Supervisory Patent Examiner, Art Unit 2199