DETAILED ACTION
This action is in response to new application filed 2/14/2022 titled “LABELED SECURITY FOR CONTROL FLOW INSIDE EXECUTABLE PROGRAM CODE” which is a continuation of 15/671464 now patent 11,250,123. Claims 1-20 were received for consideration.

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Priority
Acknowledgment is made of applicant's claim for foreign priority under 35 U.S.C. 119(a)-(d).  The certified copy has been received.

Information Disclosure Statement
The information disclosure statement (IDS) submitted on 2/14/2022 is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.

Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA  as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA . A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b). 
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA /25, or PTO/AIA /26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.
Claim 1-20 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-20 of U.S. Patent No. 11,250,123. Although the claims at issue are not identical, they are not patentably distinct from each other because each and every element of the above independent claims 1, 12 and 18 of the present application is broader and therefore anticipated by the corresponding independent claims 1, 12 and 18 of U.S. Patent No. 11,250,123.
17/671,464 claim 1
11,250,123 claim 1
A method comprising:
A method comprising: 

loading each of a plurality of sections of an executable program code into a respective page of memory of a plurality of pages of memory; 
configuring one or more permissions for a first page of memory including a first section of a plurality of sections of an executable program code to enable execution of the first section of the executable program code; 

configuring one or more permissions for a first page of the memory including a first section of the executable program code to enable execution of the first section of the executable program code loaded into the first page, the first section associated with a first label; 
configuring one or more permissions for a second page of the memory including a second section of the executable program code to disable execution of the second section of the executable program code; 

configuring one or more permissions for a second page of the memory including a second section of the executable program code to disable execution of the second section of the executable program code loaded into the second page, the second section associated with a second label; 
identifying one or more annotations in the executable program code, wherein the one or more annotations indicate one or more allowed transitions and one or more disallowed transitions between the plurality of sections; and 
identifying one or more annotations in the executable program code, wherein the one or more annotations indicate one or more allowed transitions and one or more disallowed transitions between the plurality of sections; 

determining, using the first label and the second label and the one or more annotations, whether a transition from the first section with enabled execution to the second section with disabled execution is allowed during execution of the executable program code; and 
changing, in view of the one or more annotations, the one or more permissions of the second page to enable execution of the second section of the executable program code.
responsive to a determination that the transition from the first section to the second section is allowed during execution of the executable program code, changing the one or more permissions of the second page to enable execution of the second section of the executable program code.


17/671,464 claim 12
11,250,123 claim 12
A non-transitory computer-readable medium comprising instructions that, when executed by a processing device, cause the processing device to:
A method comprising: 

loading each of a plurality of sections of an executable program code into a respective page of memory of a plurality of pages of memory;
configure one or more permissions for a first page of memory including a first section of a plurality of sections of an executable program code to enable execution of the first section of the executable program code; 
configuring one or more permissions for a first page of the memory including a first section of the executable program code to enable execution of the first section of the executable program code loaded into the first page, the first section associated with a first label;
configure one or more permissions for a second page of the memory including a second section of the executable program code to disable execution of the second section of the executable program code; 
configuring one or more permissions for a second page of the memory including a second section of the executable program code to disable execution of the second section of the executable program code loaded into the second page, the second section associated with a second label;
identify one or more annotations in the executable program code, wherein the one or more annotations indicate one or more allowed transitions and one or more disallowed transitions between the plurality of sections; and 
identifying one or more annotations in the executable program code, wherein the one or more annotations indicate one or more allowed transitions and one or more disallowed transitions between the plurality of sections;

determining, using the first label and the second label and the one or more annotations, whether a transition from the first section with enabled execution to the second section with disabled execution is allowed during execution of the executable program code; and
change, in view of the one or more annotations, the one or more permissions of the second page to enable execution of the second section of the executable program code.
responsive to a determination that the transition from the first section to the second section is allowed during execution of the executable program code, changing the one or more permissions of the second page to enable execution of the second section of the executable program code.


17/671,464 claim 18
11,250,123 claim 1
A system comprising:
a memory device storing instructions; and a processing device coupled to the memory device, wherein the processing device executes the instructions to: 

A method comprising: 

loading each of a plurality of sections of an executable program code into a respective page of memory of a plurality of pages of memory;
configure one or more permissions for a first page of memory including a first section of a plurality of sections of an executable program code to enable execution of the first section of the executable program code; 

configuring one or more permissions for a first page of the memory including a first section of the executable program code to enable execution of the first section of the executable program code loaded into the first page, the first section associated with a first label;
configure one or more permissions for a second page of the memory including a second section of the executable program code to disable execution of the second section of the executable program code; 

configuring one or more permissions for a second page of the memory including a second section of the executable program code to disable execution of the second section of the executable program code loaded into the second page, the second section associated with a second label;
identify one or more annotations in the executable program code, wherein the one or more annotations indicate one or more allowed transitions and one or more disallowed transitions between the plurality of sections; and 

identifying one or more annotations in the executable program code, wherein the one or more annotations indicate one or more allowed transitions and one or more disallowed transitions between the plurality of sections;

determining, using the first label and the second label and the one or more annotations, whether a transition from the first section with enabled execution to the second section with disabled execution is allowed during execution of the executable program code; and
change, in view of the one or more annotations, the one or more permissions of the second page to enable execution of the second section of the executable program code.
responsive to a determination that the transition from the first section to the second section is allowed during execution of the executable program code, changing the one or more permissions of the second page to enable execution of the second section of the executable program code.


Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claim(s) 1-3, 6, 8, 12-14 and 17-20 are rejected under 35 U.S.C. 103 as being unpatentable over Satish et al (US 8,645,923) in view of Monaban et al (US 2015/0294114).
With respect to claim 1 Satish teaches a method comprising:
configuring one or more permissions for a first page of memory including a first section of a plurality of sections of an executable program code to enable execution of the first section of the executable program code (see Satish column 1 lines 46-65 i.e. In contrast, according to embodiments of the present invention, a page management component 105 explicitly sets all code pages 103 of the program 101 other than the page 103 containing entry point as non-executable); 
configuring one or more permissions for a second page of the memory including a second section of the executable program code to disable execution of the second section of the executable program code (see Satish column 3 lines 53-62 i.e. Where the attempted jump is expected according to the CFG 109, the exception handler 117 determines that the program 101 is not attempting to perform a malicious action. Under these circumstances, the exception handler 117 sets the target code page 103 to be executable, and returns control to the program 101. The jump then executes successfully, and the control flow of the program 101 proceeds as expected); 
identifying a control flow graph, wherein the control flow graph indicate one or more allowed transitions and one or more disallowed transitions between the plurality of sections (Satish column 3 lines 40-62 i.e. If not, the exception handler 117 determines that the program 101 is attempting to perform a malicious action (e.g., because it has been corrupted by a return oriented shellcode) and takes appropriate action….Where the attempted jump is expected according to the CFG 109, the exception handler 117 determines that the program 101 is not attempting to perform a malicious action. Under these circumstances, the exception handler 117 sets the target code page 103 to be executable, and returns control to the program 101. The jump then executes successfully, and the control flow of the program 101 proceeds as expected. The code page 103 from which the control flow jumped is to be set back to non-executable and column 1 lines 30-33 i.e. A control flow graph (CFG) is a graphical representation of all possible execution paths for a program. Each node in the graph represents a piece of code with one or more jump targets, and one or more jumps); and 
changing the one or more permissions of the second page to enable execution of the second section of the executable program code (see Satish column 3 lines 53-62 i.e. Where the attempted jump is expected according to the CFG 109, the exception handler 117 determines that the program 101 is not attempting to perform a malicious action. Under these circumstances, the exception handler 117 sets the target code page 103 to be executable, and returns control to the program 101. The jump then executes successfully, and the control flow of the program 101 proceeds as expected).
Satish does not teaches identifying one or more annotations in the executable program code, wherein the one or more annotations indicate one or more allowed transitions and one or more disallowed transitions between the plurality of sections.
Monahan teaches identifying one or more annotations in the executable program code, wherein the one or more annotations indicate one or more allowed transitions and one or more disallowed transitions between the plurality of sections (see Monahan paragraph 0029 i.e. In some implementations, flow analysis module 130 includes additional annotations (or information) within annotated intermediate representation 113. Such annotations can identify the ends of instruction blocks, identify lengths of instruction blocks, describe of instruction blocks, identify instructions blocks defined by subroutines, identify jump targets to which instruction blocks jump (i.e., the jump target or potential jump targets of a jump instruction at which an instruction block ends), identify the instruction blocks (or jump instructions) that jump to a jump target within an instruction block, and/or include additional information related to instruction blocks and Monahan paragraph 0047).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Satish in view of Monahan to have used the flow analysis module of Monahan to generate the control flow graph and add annotations in the code to as a way to include additional information related to instruction blocks. Such annotations can identify the ends of instruction blocks, identify lengths of instruction blocks, describe of instruction blocks, identify instructions blocks defined by subroutines, identify jump targets to which instruction blocks jump (i.e., the jump target or potential jump targets of a jump instruction at which an instruction block ends), identify the instruction blocks (or jump instructions) that jump to a jump target within an instruction block (see Monahan paragraph 0028-0029). Therefore one would have been motivated to have used the flow analysis module of Monahan to generate the control flow graph and add annotations in the code to as a way to include additional information related to instruction blocks.

	

With respect to claim 2 Satish teaches the method of claim 1, further comprising: 
loading each of the plurality of sections of the executable program code into a respective page of a plurality of pages of the memory, wherein the first section of the executable program code is loaded into the first page, and wherein the second section of the executable program code is loaded into the second page (see Satish column 1 lines 46-65 i.e. In contrast, according to embodiments of the present invention, a page management component 105 explicitly sets all code pages 103 of the program 101 other than the page 103 containing entry point as non-executable. The exact implementation mechanics for setting code pages 103 of a program 101 to be non-executable can vary between operating systems and hardware platforms. Typically, the value of a specific bit determines whether a given code page 103 is executable or not. Note that in some embodiments, the page management component 105 sets the code pages 103 to be non-executable when the program 101 is loaded).

With respect to claim 3 Satish teaches the method of claim 1, further comprising: 
identifying using a control flow graph, one or more sections of the plurality of sections of the executable program code that are allowed to transition to one another; or identifying, using the one or more annotations, the one or more sections of the plurality of sections of the executable program code that are not allowed to transition to one another (see Satish column 3 lines 1-20 i.e. A graphing component 107 builds a CFG 109 for the program 101. In the scenario of a program 101 comprising a single thread 111 of execution, a single CFG 109 that maps the execution flow of that thread 111 is created. Contemporary programs 101 tend to be multi-threaded, and in these cases the graphing component 107 constructs CFG 109 structure to track the execution flow of the multiple threads 111 of the program 101. For example, a CFG 109 can represent the possible control flow for the multi-threaded program 101 as a whole. Each thread 111 can be associated with each node of the CFG 109 in which that thread could be expected to execute according to the legal control flow, with directed edges capturing the control flow on a per thread 111 basis. Individual threads 111 can be uniquely identified, for example under Windows by their Win32StartAddresses. Thus, a CFG 109 representing the flow control of the program 101 on a per thread 111 basis can be created. Note that the this "master" CFG 109 can be thought of as a union of the set of CFGs 109 for each of the individual threads 111 of the program 101).
Satish does not teach identifying, using the one or more annotations in the executable program code, one or more sections of the plurality of sections of the executable program code that are allowed to transition to one another.
Monahan teaches identifying, using the one or more annotations in the executable program code, one or more sections of the plurality of sections of the executable program code that are allowed to transition to one another (see Monahan paragraph 0029 i.e. In some implementations, flow analysis module 130 includes additional annotations (or information) within annotated intermediate representation 113. Such annotations can identify the ends of instruction blocks, identify lengths of instruction blocks, describe of instruction blocks, identify instructions blocks defined by subroutines, identify jump targets to which instruction blocks jump (i.e., the jump target or potential jump targets of a jump instruction at which an instruction block ends), identify the instruction blocks (or jump instructions) that jump to a jump target within an instruction block, and/or include additional information related to instruction blocks and Monahan paragraph 0047).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Satish in view of Monahan to have used the flow analysis module of Monahan to generate the control flow graph and add annotations in the code to as a way to include additional information related to instruction blocks. Such annotations can identify the ends of instruction blocks, identify lengths of instruction blocks, describe of instruction blocks, identify instructions blocks defined by subroutines, identify jump targets to which instruction blocks jump (i.e., the jump target or potential jump targets of a jump instruction at which an instruction block ends), identify the instruction blocks (or jump instructions) that jump to a jump target within an instruction block (see Monahan paragraph 0028-0029). Therefore one would have been motivated to have used the flow analysis module of Monahan to generate the control flow graph and add annotations in the code to as a way to include additional information related to instruction blocks.

With respect to claim 6 Satish teaches the method of claim 1, wherein changing the one or more permissions of the second page to enable execution of the second section of the executable program code comprises: determining, using the control flow graph, whether a transition from the first section with enabled execution to the second section with disabled execution is allowed during execution of the executable program code; and responsive to a determination that the transition from the first section to the second section is allowed during execution of the executable program code, changing the one or more permissions of the second page to enable execution of the second section of the executable program code (see Satish column 3 lines 53-62 i.e. Where the attempted jump is expected according to the CFG 109, the exception handler 117 determines that the program 101 is not attempting to perform a malicious action. Under these circumstances, the exception handler 117 sets the target code page 103 to be executable, and returns control to the program 101. The jump then executes successfully, and the control flow of the program 101 proceeds as expected).
Satish does not teach determining, using the one or more annotations, whether a transition from the first section with enabled execution to the second section with disabled execution is allowed during execution of the executable program code.
Monahan teaches determining, using the one or more annotations, whether a transition from the first section with enabled execution to the second section with disabled execution is allowed during execution of the executable program code (see Monahan paragraph 0029 i.e. In some implementations, flow analysis module 130 includes additional annotations (or information) within annotated intermediate representation 113. Such annotations can identify the ends of instruction blocks, identify lengths of instruction blocks, describe of instruction blocks, identify instructions blocks defined by subroutines, identify jump targets to which instruction blocks jump (i.e., the jump target or potential jump targets of a jump instruction at which an instruction block ends), identify the instruction blocks (or jump instructions) that jump to a jump target within an instruction block, and/or include additional information related to instruction blocks and Monahan paragraph 0047).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Satish in view of Monahan to have used the flow analysis module of Monahan to generate the control flow graph and add annotations in the code to as a way to include additional information related to instruction blocks. Such annotations can identify the ends of instruction blocks, identify lengths of instruction blocks, describe of instruction blocks, identify instructions blocks defined by subroutines, identify jump targets to which instruction blocks jump (i.e., the jump target or potential jump targets of a jump instruction at which an instruction block ends), identify the instruction blocks (or jump instructions) that jump to a jump target within an instruction block (see Monahan paragraph 0028-0029). Therefore one would have been motivated to have used the flow analysis module of Monahan to generate the control flow graph and add annotations in the code to as a way to include additional information related to instruction blocks.

With respect to claim 8 Satish teaches the method of claim 1, further comprising, responsive to a determination that a transition from the first section to the second section is not allowed, terminating execution of the executable program code (see Satish column 3 lines 34-52 i.e. whenever the flow of control jumps from one code page 103 to another, an exception 115 is thrown. In response to these exceptions 115, the exception handler 117 refers to the CFG 109 to determine if the jump is part of the legal flow of control for the program. If not, the exception handler 117 determines that the program 101 is attempting to perform a malicious action (e.g., because it has been corrupted by a return oriented shellcode) and takes appropriate action. What specific action to take in response to determining that the program 101 is attempting to perform a malicious action is a variable design parameter. Typically, under such circumstances, the exception handler 117 does not allow the unexpected jump to execute. Options for additional steps to take include but are not limited to terminating the program 101, modifying the program 101, generating an alert message to a user, sending a message to a central security server, activating an anti-malware application, etc.).

With respect to claim 12 Satish teaches a non-transitory computer-readable medium comprising instructions that, when executed by a processing device, cause the processing device to:
configure one or more permissions for a first page of memory including a first section of a plurality of sections of an executable program code to enable execution of the first section of the executable program code (see Satish column 1 lines 46-65 i.e. In contrast, according to embodiments of the present invention, a page management component 105 explicitly sets all code pages 103 of the program 101 other than the page 103 containing entry point as non-executable); 
configure one or more permissions for a second page of the memory including a second section of the executable program code to disable execution of the second section of the executable program code (see Satish column 3 lines 53-62 i.e. Where the attempted jump is expected according to the CFG 109, the exception handler 117 determines that the program 101 is not attempting to perform a malicious action. Under these circumstances, the exception handler 117 sets the target code page 103 to be executable, and returns control to the program 101. The jump then executes successfully, and the control flow of the program 101 proceeds as expected); 
identify a control flow graph, wherein the a control flow graph indicate one or more allowed transitions and one or more disallowed transitions between the plurality of sections (Satish column 3 lines 40-62 i.e. If not, the exception handler 117 determines that the program 101 is attempting to perform a malicious action (e.g., because it has been corrupted by a return oriented shellcode) and takes appropriate action….Where the attempted jump is expected according to the CFG 109, the exception handler 117 determines that the program 101 is not attempting to perform a malicious action. Under these circumstances, the exception handler 117 sets the target code page 103 to be executable, and returns control to the program 101. The jump then executes successfully, and the control flow of the program 101 proceeds as expected. The code page 103 from which the control flow jumped is to be set back to non-executable and column 1 lines 30-33 i.e. A control flow graph (CFG) is a graphical representation of all possible execution paths for a program. Each node in the graph represents a piece of code with one or more jump targets, and one or more jumps); and 
change, in view of the one or more annotations, the one or more permissions of the second page to enable execution of the second section of the executable program code (see Satish column 3 lines 53-62 i.e. Where the attempted jump is expected according to the CFG 109, the exception handler 117 determines that the program 101 is not attempting to perform a malicious action. Under these circumstances, the exception handler 117 sets the target code page 103 to be executable, and returns control to the program 101. The jump then executes successfully, and the control flow of the program 101 proceeds as expected).
Satish does not teaches identifying one or more annotations in the executable program code, wherein the one or more annotations indicate one or more allowed transitions and one or more disallowed transitions between the plurality of sections.
Monahan teaches identifying one or more annotations in the executable program code, wherein the one or more annotations indicate one or more allowed transitions and one or more disallowed transitions between the plurality of sections (see Monahan paragraph 0029 i.e. In some implementations, flow analysis module 130 includes additional annotations (or information) within annotated intermediate representation 113. Such annotations can identify the ends of instruction blocks, identify lengths of instruction blocks, describe of instruction blocks, identify instructions blocks defined by subroutines, identify jump targets to which instruction blocks jump (i.e., the jump target or potential jump targets of a jump instruction at which an instruction block ends), identify the instruction blocks (or jump instructions) that jump to a jump target within an instruction block, and/or include additional information related to instruction blocks and Monahan paragraph 0047).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Satish in view of Monahan to have used the flow analysis module of Monahan to generate the control flow graph and add annotations in the code to as a way to include additional information related to instruction blocks. Such annotations can identify the ends of instruction blocks, identify lengths of instruction blocks, describe of instruction blocks, identify instructions blocks defined by subroutines, identify jump targets to which instruction blocks jump (i.e., the jump target or potential jump targets of a jump instruction at which an instruction block ends), identify the instruction blocks (or jump instructions) that jump to a jump target within an instruction block (see Monahan paragraph 0028-0029). Therefore one would have been motivated to have used the flow analysis module of Monahan to generate the control flow graph and add annotations in the code to as a way to include additional information related to instruction blocks.

With respect to claim 13 Satish teaches the non-transitory computer-readable medium of claim 12, further comprising instructions that, when executed by the processing device, cause the processing device to: load each of the plurality of sections of the executable program code into a respective page of a plurality of pages of the memory, wherein the first section of the executable program code is loaded into the first page, and wherein the second section of the executable program code is loaded into the second page (see Satish column 1 lines 46-65 i.e. In contrast, according to embodiments of the present invention, a page management component 105 explicitly sets all code pages 103 of the program 101 other than the page 103 containing entry point as non-executable. The exact implementation mechanics for setting code pages 103 of a program 101 to be non-executable can vary between operating systems and hardware platforms. Typically, the value of a specific bit determines whether a given code page 103 is executable or not. Note that in some embodiments, the page management component 105 sets the code pages 103 to be non-executable when the program 101 is loaded).

With respect to claim 14 Satish teaches the non-transitory computer-readable medium of claim 12, further comprising instructions that, when executed by the processing device, cause the processing device to: identify, using the control flow graph one or more sections of the plurality of sections of the executable program code that are allowed to transition to one another; or identify, using the one or more annotations, the one or more sections of the plurality of sections of the executable program code that are not allowed to transition to one another (see Satish column 3 lines 1-20 i.e. A graphing component 107 builds a CFG 109 for the program 101. In the scenario of a program 101 comprising a single thread 111 of execution, a single CFG 109 that maps the execution flow of that thread 111 is created. Contemporary programs 101 tend to be multi-threaded, and in these cases the graphing component 107 constructs CFG 109 structure to track the execution flow of the multiple threads 111 of the program 101. For example, a CFG 109 can represent the possible control flow for the multi-threaded program 101 as a whole. Each thread 111 can be associated with each node of the CFG 109 in which that thread could be expected to execute according to the legal control flow, with directed edges capturing the control flow on a per thread 111 basis. Individual threads 111 can be uniquely identified, for example under Windows by their Win32StartAddresses. Thus, a CFG 109 representing the flow control of the program 101 on a per thread 111 basis can be created. Note that the this "master" CFG 109 can be thought of as a union of the set of CFGs 109 for each of the individual threads 111 of the program 101).
Satish does not teach identify, using the one or more annotations in the executable program code, one or more sections of the plurality of sections of the executable program code that are allowed to transition to one another.
Monahan teaches identify, using the one or more annotations in the executable program code, one or more sections of the plurality of sections of the executable program code that are allowed to transition to one another (see Monahan paragraph 0029 i.e. In some implementations, flow analysis module 130 includes additional annotations (or information) within annotated intermediate representation 113. Such annotations can identify the ends of instruction blocks, identify lengths of instruction blocks, describe of instruction blocks, identify instructions blocks defined by subroutines, identify jump targets to which instruction blocks jump (i.e., the jump target or potential jump targets of a jump instruction at which an instruction block ends), identify the instruction blocks (or jump instructions) that jump to a jump target within an instruction block, and/or include additional information related to instruction blocks and Monahan paragraph 0047).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Satish in view of Monahan to have used the flow analysis module of Monahan to generate the control flow graph and add annotations in the code to as a way to include additional information related to instruction blocks. Such annotations can identify the ends of instruction blocks, identify lengths of instruction blocks, describe of instruction blocks, identify instructions blocks defined by subroutines, identify jump targets to which instruction blocks jump (i.e., the jump target or potential jump targets of a jump instruction at which an instruction block ends), identify the instruction blocks (or jump instructions) that jump to a jump target within an instruction block (see Monahan paragraph 0028-0029). Therefore one would have been motivated to have used the flow analysis module of Monahan to generate the control flow graph and add annotations in the code to as a way to include additional information related to instruction blocks.

With respect to claim 17 Satish teaches the non-transitory computer-readable medium of claim 12, further comprising instructions that, when executed by the processing device, cause the processing device to: determine, using the control flow graph, whether a transition from the first section with enabled execution to the second section with disabled execution is allowed during execution of the executable program code; and responsive to a determination that the transition from the first section to the second section is allowed during execution of the executable program code, change the one or more permissions of the second page to enable execution of the second section of the executable program code (see Satish column 3 lines 53-62 i.e. Where the attempted jump is expected according to the CFG 109, the exception handler 117 determines that the program 101 is not attempting to perform a malicious action. Under these circumstances, the exception handler 117 sets the target code page 103 to be executable, and returns control to the program 101. The jump then executes successfully, and the control flow of the program 101 proceeds as expected).
Satish does not teach determining, using the one or more annotations, whether a transition from the first section with enabled execution to the second section with disabled execution is allowed during execution of the executable program code.
Monahan teaches determining, using the one or more annotations, whether a transition from the first section with enabled execution to the second section with disabled execution is allowed during execution of the executable program code (see Monahan paragraph 0029 i.e. In some implementations, flow analysis module 130 includes additional annotations (or information) within annotated intermediate representation 113. Such annotations can identify the ends of instruction blocks, identify lengths of instruction blocks, describe of instruction blocks, identify instructions blocks defined by subroutines, identify jump targets to which instruction blocks jump (i.e., the jump target or potential jump targets of a jump instruction at which an instruction block ends), identify the instruction blocks (or jump instructions) that jump to a jump target within an instruction block, and/or include additional information related to instruction blocks and Monahan paragraph 0047).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Satish in view of Monahan to have used the flow analysis module of Monahan to generate the control flow graph and add annotations in the code to as a way to include additional information related to instruction blocks. Such annotations can identify the ends of instruction blocks, identify lengths of instruction blocks, describe of instruction blocks, identify instructions blocks defined by subroutines, identify jump targets to which instruction blocks jump (i.e., the jump target or potential jump targets of a jump instruction at which an instruction block ends), identify the instruction blocks (or jump instructions) that jump to a jump target within an instruction block (see Monahan paragraph 0028-0029). Therefore one would have been motivated to have used the flow analysis module of Monahan to generate the control flow graph and add annotations in the code to as a way to include additional information related to instruction blocks.

With respect to claim 18 Satish teaches a system comprising:
a memory device storing instructions; and 
a processing device coupled to the memory device, wherein the processing device executes the instructions to: 
configure one or more permissions for a first page of memory including a first section of a plurality of sections of an executable program code to enable execution of the first section of the executable program code (see Satish column 1 lines 46-65 i.e. In contrast, according to embodiments of the present invention, a page management component 105 explicitly sets all code pages 103 of the program 101 other than the page 103 containing entry point as non-executable); 
configure one or more permissions for a second page of the memory including a second section of the executable program code to disable execution of the second section of the executable program code (see Satish column 3 lines 53-62 i.e. Where the attempted jump is expected according to the CFG 109, the exception handler 117 determines that the program 101 is not attempting to perform a malicious action. Under these circumstances, the exception handler 117 sets the target code page 103 to be executable, and returns control to the program 101. The jump then executes successfully, and the control flow of the program 101 proceeds as expected); 
identify a control flow graph, wherein the a control flow graph indicate one or more allowed transitions and one or more disallowed transitions between the plurality of sections (Satish column 3 lines 40-62 i.e. If not, the exception handler 117 determines that the program 101 is attempting to perform a malicious action (e.g., because it has been corrupted by a return oriented shellcode) and takes appropriate action….Where the attempted jump is expected according to the CFG 109, the exception handler 117 determines that the program 101 is not attempting to perform a malicious action. Under these circumstances, the exception handler 117 sets the target code page 103 to be executable, and returns control to the program 101. The jump then executes successfully, and the control flow of the program 101 proceeds as expected. The code page 103 from which the control flow jumped is to be set back to non-executable and column 1 lines 30-33 i.e. A control flow graph (CFG) is a graphical representation of all possible execution paths for a program. Each node in the graph represents a piece of code with one or more jump targets, and one or more jumps); and 
change, in view of the one or more annotations, the one or more permissions of the second page to enable execution of the second section of the executable program code (see Satish column 3 lines 53-62 i.e. Where the attempted jump is expected according to the CFG 109, the exception handler 117 determines that the program 101 is not attempting to perform a malicious action. Under these circumstances, the exception handler 117 sets the target code page 103 to be executable, and returns control to the program 101. The jump then executes successfully, and the control flow of the program 101 proceeds as expected).
Satish does not teaches identifying one or more annotations in the executable program code, wherein the one or more annotations indicate one or more allowed transitions and one or more disallowed transitions between the plurality of sections.
Monahan teaches identifying one or more annotations in the executable program code, wherein the one or more annotations indicate one or more allowed transitions and one or more disallowed transitions between the plurality of sections (see Monahan paragraph 0029 i.e. In some implementations, flow analysis module 130 includes additional annotations (or information) within annotated intermediate representation 113. Such annotations can identify the ends of instruction blocks, identify lengths of instruction blocks, describe of instruction blocks, identify instructions blocks defined by subroutines, identify jump targets to which instruction blocks jump (i.e., the jump target or potential jump targets of a jump instruction at which an instruction block ends), identify the instruction blocks (or jump instructions) that jump to a jump target within an instruction block, and/or include additional information related to instruction blocks and Monahan paragraph 0047).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Satish in view of Monahan to have used the flow analysis module of Monahan to generate the control flow graph and add annotations in the code to as a way to include additional information related to instruction blocks. Such annotations can identify the ends of instruction blocks, identify lengths of instruction blocks, describe of instruction blocks, identify instructions blocks defined by subroutines, identify jump targets to which instruction blocks jump (i.e., the jump target or potential jump targets of a jump instruction at which an instruction block ends), identify the instruction blocks (or jump instructions) that jump to a jump target within an instruction block (see Monahan paragraph 0028-0029). Therefore one would have been motivated to have used the flow analysis module of Monahan to generate the control flow graph and add annotations in the code to as a way to include additional information related to instruction blocks.

With respect to claim 19 Satish teaches the system of claim 18, wherein the processing device is further to:load each of the plurality of sections of the executable program code into a respective page of a plurality of pages of the memory, wherein the first section of the executable program code is loaded into the first page, and wherein the second section of the executable program code is loaded into the second page (see Satish column 1 lines 46-65 i.e. In contrast, according to embodiments of the present invention, a page management component 105 explicitly sets all code pages 103 of the program 101 other than the page 103 containing entry point as non-executable. The exact implementation mechanics for setting code pages 103 of a program 101 to be non-executable can vary between operating systems and hardware platforms. Typically, the value of a specific bit determines whether a given code page 103 is executable or not. Note that in some embodiments, the page management component 105 sets the code pages 103 to be non-executable when the program 101 is loaded).

With respect to claim 20 Satish teaches the system of claim 18, wherein to change the one or more permissions of the second page to enable execution of the second section of the executable program code, the processing device is further to: determine, using the control flow graph, whether a transition from the first section with enabled execution to the second section with disabled execution is allowed during execution of the executable program code; and responsive to a determination that the transition from the first section to the second section is allowed during execution of the executable program code, change the one or more permissions of the second page to enable execution of the second section of the executable program code (see Satish column 3 lines 53-62 i.e. Where the attempted jump is expected according to the CFG 109, the exception handler 117 determines that the program 101 is not attempting to perform a malicious action. Under these circumstances, the exception handler 117 sets the target code page 103 to be executable, and returns control to the program 101. The jump then executes successfully, and the control flow of the program 101 proceeds as expected).
Satish does not teach determining, using the one or more annotations, whether a transition from the first section with enabled execution to the second section with disabled execution is allowed during execution of the executable program code.
Monahan teaches determining, using the one or more annotations, whether a transition from the first section with enabled execution to the second section with disabled execution is allowed during execution of the executable program code (see Monahan paragraph 0029 i.e. In some implementations, flow analysis module 130 includes additional annotations (or information) within annotated intermediate representation 113. Such annotations can identify the ends of instruction blocks, identify lengths of instruction blocks, describe of instruction blocks, identify instructions blocks defined by subroutines, identify jump targets to which instruction blocks jump (i.e., the jump target or potential jump targets of a jump instruction at which an instruction block ends), identify the instruction blocks (or jump instructions) that jump to a jump target within an instruction block, and/or include additional information related to instruction blocks and Monahan paragraph 0047).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Satish in view of Monahan to have used the flow analysis module of Monahan to generate the control flow graph and add annotations in the code to as a way to include additional information related to instruction blocks. Such annotations can identify the ends of instruction blocks, identify lengths of instruction blocks, describe of instruction blocks, identify instructions blocks defined by subroutines, identify jump targets to which instruction blocks jump (i.e., the jump target or potential jump targets of a jump instruction at which an instruction block ends), identify the instruction blocks (or jump instructions) that jump to a jump target within an instruction block (see Monahan paragraph 0028-0029). Therefore one would have been motivated to have used the flow analysis module of Monahan to generate the control flow graph and add annotations in the code to as a way to include additional information related to instruction blocks.

Claims 4, 5, 11, 15 and 16 are rejected under 35 U.S.C. 103 as being unpatentable Satish et al (US 8,645,923) in view of Monaban et al (US 2015/0294114) in view of Krten et al (US 2015/0113640).
With respect to claim 4 Satish teaches the method of claim 1, but does not disclose further comprising: associating a plurality of labels to the plurality of sections of the executable program code, wherein the first section is associated with a first label of the plurality of labels and the second section is associated with a second label of the plurality of labels; and maintaining a transition table that specifies allowed transitions between the plurality of labels associated with the plurality of sections in view of the one or more annotations.
Krten teaches further comprising: associating a plurality of labels to the plurality of sections of the executable program code; and maintaining a transition table that specifies allowed transitions between the plurality of labels associated with the plurality of sections in view of the one or more annotations (see Krten figure 7 and paragraph 0076 i.e. Let us assume that the control graph of FIG. 6 is implemented by TAS using the mapping provided in the table 70 given in FIG. 7. That is to say that, for example, Fragment2 sends one of two source tokens, SourceToken2a and SourceToken2b to TAS, and receives a target token that effects the control transfer to either Fragment3 or Fragment4). 
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Satish in view of Krten. While Satish teaches a control flow graph Satish does not describe making a transition table from the control flow graph that specifies allowed transitions between the plurality of labels. This transition table could then be easily use to make sure transfer are valid (see Krten paragraph 0003 and 0076). Therefore one would have been motivated to have made a transition table from the control flow graph for the program.

With respect to claim 5 Satish teaches the method of claim 4, but does not disclose further comprising using the transition table to determine whether the transition from the first section to the second section is allowed during execution of the executable program code.
Krten teaches further comprising using the transition table to determine whether the transition from the first section to the second section is allowed during execution of the executable program code (see Krten figure 7 and paragraph 0076 i.e. Let us assume that the control graph of FIG. 6 is implemented by TAS using the mapping provided in the table 70 given in FIG. 7. That is to say that, for example, Fragment2 sends one of two source tokens, SourceToken2a and SourceToken2b to TAS, and receives a target token that effects the control transfer to either Fragment3 or Fragment4). 
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Satish in view of Krten. While Satish teaches a control flow graph Satish does not describe making a transition table from the control flow graph that specifies allowed transitions between the plurality of labels. This transition table could then be easily use to make sure transfer are valid (see Krten paragraph 0003 and 0076). Therefore one would have been motivated to have made a transition table from the control flow graph for the program.

With respect to claim 11 Satish teaches the method of claim 1, but does not disclose further comprising: determining that a transition from the first section to the second section is allowed during execution of the executable program code, wherein the determination is made using a transition table comprising at least one mapping of an allowable transition from a first label associated with the first section to a second label associated with the second section.
Krten teaches further comprising: determining that a transition from the first section to the second section is allowed during execution of the executable program code, wherein the determination is made using a transition table comprising at least one mapping of an allowable transition from a first label associated with the first section to a second label associated with the second section (see Krten figure 7 and paragraph 0076 i.e. Let us assume that the control graph of FIG. 6 is implemented by TAS using the mapping provided in the table 70 given in FIG. 7. That is to say that, for example, Fragment2 sends one of two source tokens, SourceToken2a and SourceToken2b to TAS, and receives a target token that effects the control transfer to either Fragment3 or Fragment4). 
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Satish in view of Krten. While Satish teaches a control flow graph Satish does not describe making a transition table from the control flow graph that specifies allowed transitions between the plurality of labels. This transition table could then be easily use to make sure transfer are valid (see Krten paragraph 0003 and 0076). Therefore one would have been motivated to have made a transition table from the control flow graph for the program

With respect to claim 15 Satish teaches the non-transitory computer-readable medium of claim 12, but does not disclose further comprising instructions that, when executed by the processing device, cause the processing device to: associate a plurality of labels to the plurality of sections of the executable program code, wherein the first section is associated with a first label of the plurality of labels and the second section is associated with a second label of the plurality of labels; and maintain a transition table that specifies allowed transitions between the plurality of labels associated with the plurality of sections in view of the one or more annotations.
Krten teaches further comprising: associating a plurality of labels to the plurality of sections of the executable program code; and maintaining a transition table that specifies allowed transitions between the plurality of labels associated with the plurality of sections in view of the one or more annotations (see Krten figure 7 and paragraph 0076 i.e. Let us assume that the control graph of FIG. 6 is implemented by TAS using the mapping provided in the table 70 given in FIG. 7. That is to say that, for example, Fragment2 sends one of two source tokens, SourceToken2a and SourceToken2b to TAS, and receives a target token that effects the control transfer to either Fragment3 or Fragment4). 
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Satish in view of Krten. While Satish teaches a control flow graph Satish does not describe making a transition table from the control flow graph that specifies allowed transitions between the plurality of labels. This transition table could then be easily use to make sure transfer are valid (see Krten paragraph 0003 and 0076). Therefore one would have been motivated to have made a transition table from the control flow graph for the program.

With respect to claim 16 Satish teaches the non-transitory computer-readable medium of claim 15, but does not disclose further comprising instructions that, when executed by the processing device, cause the processing device to use the transition table to determine whether the transition from the first section to the second section is allowed during execution of the executable program code. 
Krten teaches further comprising instructions that, when executed by the processing device, cause the processing device to use the transition table to determine whether the transition from the first section to the second section is allowed during execution of the executable program code (see Krten figure 7 and paragraph 0076 i.e. Let us assume that the control graph of FIG. 6 is implemented by TAS using the mapping provided in the table 70 given in FIG. 7. That is to say that, for example, Fragment2 sends one of two source tokens, SourceToken2a and SourceToken2b to TAS, and receives a target token that effects the control transfer to either Fragment3 or Fragment4). 
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Satish in view of Krten. While Satish teaches a control flow graph Satish does not describe making a transition table from the control flow graph that specifies allowed transitions between the plurality of labels. This transition table could then be easily use to make sure transfer are valid (see Krten paragraph 0003 and 0076). Therefore one would have been motivated to have made a transition table from the control flow graph for the program.

Claims 7 is rejected under 35 U.S.C. 103 as being unpatentable Satish et al (US 8,645,923) in view of Monaban et al (US 2015/0294114) in view of Krten et al (US 2015/0113640) in view of Franz et al (9,250,937).
With respect to claim 7 Satish teaches the method of claim 1, but does not disclose further comprising: receiving a page fault in response to an attempt to execute a transition from the first section to the second section; and using a transition table to determine whether the transition from the first section to the second section is allowed, wherein the transition table comprises at least one mapping of an allowable transition from a first label associated with the first section to a second label associated with the second section.
Krten teaches using a transition table to determine whether the transition from the first section to the second section is allowed, wherein the transition table comprises at least one mapping of an allowable transition from a first label associated with the first section to a second label associated with the second section (see Krten figure 7 and paragraph 0076 i.e. Let us assume that the control graph of FIG. 6 is implemented by TAS using the mapping provided in the table 70 given in FIG. 7. That is to say that, for example, Fragment2 sends one of two source tokens, SourceToken2a and SourceToken2b to TAS, and receives a target token that effects the control transfer to either Fragment3 or Fragment4). 
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Satish in view of Krten. While Satish teaches a control flow graph Satish does not describe making a transition table from the control flow graph that specifies allowed transitions between the plurality of labels. This transition table could then be easily use to make sure transfer are valid (see Krten paragraph 0003 and 0076). Therefore one would have been motivated to have made a transition table from the control flow graph for the program.
Satish in view of Krten does not teach receiving a page fault in response to an attempt to execute a transition from the first section to the second section.
Franz teaches receiving a page fault in response to an attempt to execute a transition from the first section to the second section (see Franz column 5 lines 37-48 i.e. The library installs a handler for the segmentation fault signal (SIGSEGV in Linux), which is raised whenever a processor instruction attempts to access memory it does not have permission for. Whenever the processor attempts to execute a non-executable page, it triggers a page fault in the MMU).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Satish in view of Krten in further view of Franz to used page faults. While Satish does not teach page faults in Satish all pages are set to non-executable and are only set to executable when the handler determines that the target page is allowed based on the control flow graph. Franz teaches that the jump to the non-executable page would generate a page fault to invoke the handler to check the control flow graph. Therefore one would have been motivated to have generate a page fault to invoke the handler.


Claim 9 is rejected under 35 U.S.C. 103 as being unpatentable Satish et al (US 8,645,923) in view of Monaban et al (US 2015/0294114) in view of Franz et al (9,250,937).
With respect to claim 9 Satish teaches the method of claim 1, but does not disclose further comprising, responsive to a determination that a transition from the first section to the second section is not allowed: suspending execution of the executable program code; cloning the executable program code to a virtual machine operating as a sandbox; and transferring control to a virtual machine to execute the executable program code to carry out the transition.
Franz teaches further comprising, responsive to a determination that the transition from the first section to the second section is not allowed: suspend execution of the executable program code; clone the executable program code to a virtual machine operating as a sandbox; and transfer control to the virtual machine to execute the executable program code to carry out the transition (see Franz column 8 lines 4-10 i.e. The operating system calls the SIGSEGV signal handler each time a processor instruction tries to write to a protected page, as long as the page is protected. However, this occurs before the actual instruction writes the data; we have to either emulate the instruction itself (while keeping the page read-only), or make the page writable and allow the original instruction to execute); 
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Satish in view of Franz to emulate the instruction that the program to trying to write to as a way to make the page writable while keeping the origin page content so that the emulate page can be compared to the origin page content to see if the page was modified. Therefore one would have been motivated to have emulated the page.

Allowable Subject Matter
Claim 10 is objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims as well as overcoming the nonstatutory double patenting rejection.
With respect to claim 10 the prior art does not teach the method of claim 9, wherein the virtual machine is loaded with the second section of the executable program code but not the first section of the executable program code.

Other Prior Art
Benameur et al “Systems and methods for enforcing secure software execution” teaches  computer-implemented method for enforcing secure software execution may include (1) providing at least one known benign input to an executable file that is susceptible to abnormal code execution, (2) observing a series of function calls made by the executable file as the executable file processes the known benign input, (3) storing the series of function calls as a control flow graph that represents known safe function call pathways for the executable file, and (4) forcing a subsequent execution of the executable file to follow the series of function calls stored in the control flow graph to protect the executable file against abnormal code execution. Various other methods, systems, and computer-readable media

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to DEVIN E ALMEIDA whose telephone number is (571)270-1018.  The examiner can normally be reached on Monday-Thursday from 7:30 A.M. to 5:00 P.M.  The examiner can also be reached on alternate Fridays from 7:30 A.M. to 4:00 P.M. 
If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, Saleh Najjar, can be reached on 571-272-4006. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free).

/DEVIN E ALMEIDA/Examiner, Art Unit 2492                                                                                                                                                                                                        

/SALEH NAJJAR/Supervisory Patent Examiner, Art Unit 2492