Ex Parte Sickendick et al
Patent Trial and Appeal Board
Dec 21, 2018
14634032 (P.T.A.B. Dec. 21, 2018)

UNITED STATES PATENT AND TRADEMARK OFFICE

UNITED STATES DEPARTMENT OF COMMERCE
United States Patent and Trademark Office
Address: COMMISSIONER FOR PATENTS
P.O. Box 1450
Alexandria, Virginia 22313-1450
www.uspto.gov

APPLICATION NO.: 14/634,032
FILING DATE: 02/27/2015
FIRST NAMED INVENTOR: Karl A. Sickendick
ATTORNEY DOCKET NO.: AFD 1338
CONFIRMATION NO.: 3782

26902 7590 12/26/2018
Department of the Air Force
AFMCLO/JAZ
2240 B Street
Building 11
Wright-Patterson AFB, OH 45433-7109

EXAMINER: CATTUNGAL, DEREENA T
ART UNIT / PAPER NUMBER: 2431
NOTIFICATION DATE: 12/26/2018
DELIVERY MODE: ELECTRONIC

Please find below and/or attached an Office communication concerning this application or proceeding.

The time period for reply, if any, is set in the attached communication.

Notice of the Office communication was sent electronically on above-indicated "Notification Date" to the following e-mail address(es):
Pamela.Kuns@us.af.mil
afmclo.jaz.1@us.af.mil
afmclo.jaz.pat@us.af.mil

PTOL-90A (Rev. 04/07)

UNITED STATES PATENT AND TRADEMARK OFFICE

BEFORE THE PATENT TRIAL AND APPEAL BOARD

Ex parte KARL A. SICKENDICK, THOMAS E. DUBE, JONATHAN W. BUTTS, and BARRY E. MULLINS

Appeal 2017-011647
Application 14/634,032¹
Technology Center 2400

Before JOSEPH L. DIXON, JENNIFER S. BISK, and JOYCE CRAIG, Administrative Patent Judges.

BISK, Administrative Patent Judge.

DECISION ON APPEAL²

Appellants seek our review under U.S.C. § 134(a) of the Examiner's rejection of claims 1-23. We have jurisdiction under 25 U.S.C. § 6(b). We affirm.

¹ Appellants identify the real party in interest as the United States of America, as represented by the Secretary of the Air Force, Wright-Patterson AFB, OH. App. Br. 1.
² Throughout this Decision we have considered the Specification filed February 27, 2015 ("Spec."), the Final Rejection mailed November 4, 2016 ("Final Act."), the Appeal Brief filed May 9, 2017 ("App. Br."), the Examiner's Answer mailed July 28, 2017 ("Ans."), and the Reply Brief filed September 19, 2017 ("Reply Br.").

BACKGROUND

Appellants' invention relates to identifying maliciously modified firmware. Spec. ¶ 3. Claim 1, reproduced below with indentation added, is illustrative of the claimed subject matter:

1. A method for disassembling firmware, the method comprising:
    receiving a binary firmware image of unknown architecture and format;
    dividing the binary firmware image using a sliding window into a plurality of segments;
    classifying segments of the plurality of segments as file types;
    identifying code file types among the classified segments of the plurality of segments;
    classifying code architectures of the identified code file types of the classified plurality of segments; and
    disassembling at least the code file types of the binary firmware image based on the classified code architecture.

App. Br. (Claims Appendix A-1).

THE REJECTIONS

1. Claims 1, 10, and 19 stand rejected under 35 U.S.C. § 112(a) for failing to comply with the written description requirement. Final Act. 3-4. This rejection applies to all claims because claims 2-9, 11-18, and 20-23 depend from claims 1, 10, and 19.

2. Claims 1-4, 6-13, 15-20, 22, and 23 stand rejected under 35 U.S.C. § 103(a) as being obvious over Repasi (US 2007/0277241 A1, published Nov. 29, 2007) and Conti (Gregory Conti et al., Automated Mapping of Large Binary Objects Using Primitive Fragment Type Classification, ScienceDirect 2010, at S3-S12). Id. at 4-13.

3. Claims 5, 14, and 21 stand rejected under 35 U.S.C. § 103(a) as being obvious over Repasi, Conti, and Kolter (J. Zico Kolter & Marcus A.
Maloof, Learning to Detect and Classify Malicious Executables in the Wild, Journal of Machine Learning Research, Dec. 2006, 2721-2744). Id. at 13-16.

ANALYSIS

We have considered all of Appellants' arguments and any evidence presented. We highlight and address specific findings and arguments for emphasis in our analysis below.

THE § 112 REJECTION

The Examiner rejects claims 1, 10, and 19 under § 112(a) for failing to comply with the written description requirement. Final Act. 3-4. In particular, the Examiner considers as new matter the claim limitation "receiving a binary firmware image of unknown architecture and format." Id. at 3. According to the Examiner, the Specification "does not clearly define[]" that it includes binary firmware of unknown architecture and format and "fails to provide working examples as to how one of ordinary skill in the art would make use of the invention." Ans. 4.

Appellants argue that "a binary firmware image of unknown architecture and format is not new matter and has implicit or at least inherent support" in the Specification. App. Br. 12. According to Appellants, embodiments of the invention are used to reverse engineer firmware, meaning that the components, construction, and inner workings of the firmware are unknown. Id. at 12-13 (citing Spec. ¶ 56; http://www.dictionary.com/browse/reverse----engineer?s=t).³ Appellants add that the claimed invention uses "file carving techniques to segment the firmware and classification techniques to properly classify those segments" for the purpose of determining the inner workings of a binary firmware image. Id. at 13 (citing Spec. Fig. 3, ¶¶ 58, 60). Appellants conclude that "one of ordinary skill in the art would recognize that the received firmware must necessarily be 'a binary firmware image of unknown architecture and format' or there would be no reason to have to reverse engineer the image." Id. (emphasis omitted).
³ The Examiner takes issue with Appellants' proffered definition of "reverse engineering" because of the publication date. Ans. 4. We agree with Appellants that their proffered definition is consistent with the common meaning of that term and that the meaning has not changed significantly in the time period at issue. Moreover, Appellants explain that a second dictionary, Merriam-Webster, has a similar definition and states that the phrase was first used in 1973. App. Br. 3.

We agree with Appellants that a person of ordinary skill in the art would understand from the Specification that the binary firmware image may have unknown architecture and format. For example, the Specification states that "[f]irmware is a black box to the user, and a proprietary, undocumented, binary blob to the researcher." Spec. ¶ 20. Although the Examiner notes that this statement appears when discussing the prior art (Ans. 4), the Specification notes that "[u]ntil recently, little need existed to quickly reverse engineer [such] firmware," but that changes in technology and security issues have made reverse engineering a priority, thus the invention seeks to define such a process. Spec. ¶¶ 21-22. We find that a person of ordinary skill in the art would understand from this description that the binary firmware to be reverse engineered by the described invention would have unknown inner workings that could include both architecture and format. Moreover, the Specification, when discussing the invention, states that "[r]eal firmware images vary widely in composition" and "[a]fter finding a likely match for a code section's architecture, the system disassembles that section." Spec. ¶¶ 89-90.
This disclosure along with the many instances in the Specification discussing identifying code file types and classifying code architectures of firmware, make clear that the point of the invention is to reverse engineer firmware of unknown architecture and formatting. See, e.g., Spec. Fig. 3, ¶¶ 23, 25, 26, 50, 58, 60, 66, 89, 90, 94, 107. We, therefore, do not sustain the Examiner's rejection of claims 1, 10, and 19 under U.S.C. § 112(a).

THE § 103 REJECTIONS

Claim 1

The Examiner rejects claim 1 over a combination of Repasi and Conti. Final Act. 4-6. The Examiner relies on Repasi for most of the limitations, but relies on Conti for "dividing the binary firmware image using a sliding window into a plurality of segments," "classifying segments ... as file types," and "identifying code file types among the classified segments ...." Id. at 5. According to the Examiner, it would have been obvious to one of ordinary skill in the art before the invention was filed to modify Repasi using Conti's teachings because "such a setup make[s] the binary mapping valuable to analyze and it provide[s] a rapid insight into the structure of large, potentially massive, binary objects by identifying the location of the varying types of data they contain." Id. at 5-6 (citing Conti, 9).

Appellants argue that Repasi does not teach "receiving a binary firmware image of unknown architecture and format" as asserted by the Examiner. App. Br. 14-16. According to Appellants, because Repasi teaches identifying the device from which the firmware is received, "[t]here is no way that the architecture of the firmware can be unknown." Id. at 15. Appellants do not support this assertion with explanation or evidence. The Examiner responds that "[s]imply knowing the device from which the firmware is obtained is known, does not require that the format and architecture are also known." Ans. 6.
As an example, the Examiner states "let's assume a device is a Microsoft OS device, just because the device is known the architecture cannot be clearly identified as it could be a NTFS or FAT 16/32 file system." Id. Appellants do not address this example in their Reply Brief, but again assert, without further explanation or evidence, that "[t]here is no way that the architecture of the firmware can be unknown if the device that the firmware is being copied from is known." Reply Br. 5. We are not persuaded, by Appellants' bare conclusion, that because the device in Repasi is known, the architecture and format are also known in all circumstances.

Additionally, in the Answer, the Examiner explains that Conti also teaches receiving a binary firmware image of unknown architecture and format. Ans. 6 (citing Conti, 1). Appellants do not address this point in the Reply Brief. See Reply Br. 4-5. Therefore, Appellants have not overcome the Examiner's showing that the prior art teaches "receiving a binary firmware image of unknown architecture and format."

Appellants also argue that Repasi does not disclose "classifying code architectures of the identified code file types of the classified plurality of segments" as asserted by the Examiner. App. Br. 16. According to Appellants, using cryptographic hashes, checksums, and pattern matching, as disclosed by Repasi, does not qualify as classifying code architectures. Id. Appellants do not further explain this assertion or provide evidentiary support. Id. In response, the Examiner explains that because the Specification does not define the term "classifying code architectures," the broadest reasonable interpretation of this term includes the checksum module taught in Repasi. Ans. 7 (citing Repasi ¶¶ 98-99, 114, 116). Appellants do not address the construction of the term "classifying code architectures" in their Reply Brief. See Reply Br. 4-5.
Because the Examiner's construction is not, on its face, unreasonable, Appellants have not overcome the Examiner's showing that the prior art teaches "classifying code architectures of the identified code file types of the classified plurality of segments."

Finally, Appellants argue that "the Examiner provides no objective reason why one of ordinary skill in the art would be motivated to modify Repasi or Conti to include the claimed subject matter of claim 1." App. Br. 17. The Examiner, however, explicitly points to Conti as supplying the motivation to combine Conti's sliding window algorithm with Repasi's firmware scanning system. Final Act. 5-6 (citing Conti, 9); Ans. 8. We determine, therefore, that Appellants have not overcome the Examiner's showing that a person of ordinary skill in the art would have found it obvious to combine the teachings of Conti and Repasi.

For these reasons, we sustain the Examiner's rejection of claim 1.

Claims 2-4, 6-13, 15-20, 22, and 23

The Examiner rejects claims 2-4, 6-13, 15-20, 22, and 23 over a combination of Repasi and Conti. Final Act. 6-13. For each of these claims, Appellants rely on the same arguments made with respect to claim 1. App. Br. 17-19. These arguments, however, are not persuasive for the reasons discussed above. Consequently, we find Appellants' arguments do not show error in the Examiner's factual findings and the finding of obviousness of claims 2-4, 6-13, 15-20, 22, and 23.

Claims 5, 14, and 21

The Examiner rejects claims 5, 14, and 21 over a combination of Repasi, Conti, and Kolter. Final Act. 14-16. For each of these claims, Appellants rely on the same arguments made with respect to claim 1. App. Br. 20. These arguments, however, are not persuasive for the reasons discussed above. Consequently, we find Appellants' arguments do not show error in the Examiner's factual findings and the finding of obviousness of claims 5, 14, and 21.

CONCLUSION

We conclude the Examiner erred in rejecting claims 1, 10, and 19 under 35 U.S.C. § 112.

We conclude Appellants have not demonstrated the Examiner erred in rejecting claims 1-23 under 35 U.S.C. § 103.

DECISION

Because we affirm at least one ground of rejection with respect to each claim on appeal, we affirm the Examiner's rejection of claims 1-23.

No time period for taking any subsequent action in connection with this appeal may be extended under 37 C.F.R. § 1.136(a). See 37 C.F.R. § 1.136(a)(1)(iv).

AFFIRMED