HEWLETT-PACKARD DEVELOPMENT COMPANY, L.P.Download PDFPatent Trials and Appeals BoardDec 16, 20212020006254 (P.T.A.B. Dec. 16, 2021) Copy Citation UNITED STATES PATENT AND TRADEMARK OFFICE UNITED STATES DEPARTMENT OF COMMERCE United States Patent and Trademark Office Address: COMMISSIONER FOR PATENTS P.O. Box 1450 Alexandria, Virginia 22313-1450 www.uspto.gov APPLICATION NO. FILING DATE FIRST NAMED INVENTOR ATTORNEY DOCKET NO. CONFIRMATION NO. 15/749,112 01/30/2018 Jeffrey Kevin Jeansonne 84914796 1015 22879 7590 12/16/2021 HP Inc. 3390 E. Harmony Road Mail Stop 35 Fort Collins, CO 80528-9544 EXAMINER WOLDEMARIAM, NEGA ART UNIT PAPER NUMBER 2433 NOTIFICATION DATE DELIVERY MODE 12/16/2021 ELECTRONIC Please find below and/or attached an Office communication concerning this application or proceeding. The time period for reply, if any, is set in the attached communication. Notice of the Office communication was sent electronically on above-indicated "Notification Date" to the following e-mail address(es): ipa.mail@hp.com jessica.pazdan@hp.com yvonne.bailey@hp.com PTOL-90A (Rev. 04/07) UNITED STATES PATENT AND TRADEMARK OFFICE ____________ BEFORE THE PATENT TRIAL AND APPEAL BOARD ____________ Ex parte JEFFREY KEVIN JEANSONNE, RICHARD A. BRANLEY, JR., and VALI ALI ________________ Appeal 2020-006254 Application 15/749,112 Technology Center 2400 ____________ Before JOSEPH L. DIXON, JOHNNY A. KUMAR, and MATTHEW J. McNEILL, Administrative Patent Judges. McNEILL, Administrative Patent Judge. DECISION ON APPEAL Appellant1 appeals under 35 U.S.C. § 134(a) from the Examiner’s final rejection of claims 1‒6 and 8‒15, which are all the claims pending in this application. We have jurisdiction under 35 U.S.C. § 6(b). We affirm in part. 1 We use the word “Appellant” to refer to “applicant” as defined in 37 C.F.R. § 1.42 (2018). Appellant identifies the real party in interest as Hewlett-Packard Development Company, LP, a wholly-owned affiliate of HP Inc. Appeal Br. 3. Appeal 2020-006254 Application 15/749,112 2 STATEMENT OF THE CASE Introduction The claimed subject matter relates to detecting intrusions into firmware while an operating system is running. Spec. ¶ 1. Claims 1, 8, and 12 are illustrative of the claimed subject matter and read as follows: 1. A computer program product for providing notifications to a user of an intrusion into firmware comprising: non-transitory computer readable medium comprising computer usable program code embodied therewith to, when executed by a processor, detect intrusion to the firmware of a computing system while an operating system is running. 8. A method for logging events and providing notification of intrusions to system management mode (SMM) firmware on a computing device during runtime, comprising: storing an event data structure describing intrusions to SMM firmware on a computing device during runtime in a non- volatile memory in a computing system. 12. A computer user interface comprising: a first window indicating a notice that an intrusion into system management mode (SMM) firmware of a computing system has occurred; and an indicator describing how a user is to obtain more details on the event. The Examiner’s Rejections Claims 1‒4, 6, and 8‒11 stand rejected under 35 U.S.C. § 102 as anticipated by Jeansonne (US 2016/0063255 A1; Mar. 3, 2016). Final Act. 2‒5. Claim 5 stands rejected under 35 U.S.C. § 103 as unpatentable over Jeansonne and Held (US 2013/0013905 A1; Jan. 10, 2013). Final Act. 5‒6. Appeal 2020-006254 Application 15/749,112 3 Claim 12 stands rejected under 35 U.S.C. § 103 as unpatentable over Held and Petersen (US 2012/0005542 A1; Jan. 5, 2012). Final Act. 6‒7. Claims 13‒15 stand rejected under 35 U.S.C. § 103 as unpatentable over Held, Petersen, and Jeansonne. Final Act. 7‒8. ANALYSIS Claim 1 Appellant argues the Examiner has failed to establish that Jeansonne discloses computer code to “detect intrusion to the firmware of a computing system while an operating system is running.” Appeal Br. 7‒8; Reply Br. 1‒ 4. In particular, Appellant argues the Examiner’s findings regarding runtime detection are not supported by the cited portions of the reference. Reply Br. 1‒3. Appellant argues paragraph 9 of Jeansonne discloses BIOS code that can run after the operating system loads, but does not disclose firmware intrusion detection after the operating system loads. Reply Br. 1‒2. Appellant argues paragraph 13 does not disclose an operating system running and the Examiner’s finding to the contrary has no support in the reference. Id. at 2. Appellant argues paragraph 39 likewise does not support the Examiner’s finding that the operating system is running during firmware intrusion detection. Id. at 3. Appellant has not persuaded us of Examiner error. The Examiner finds, and we agree, Jeansonne discloses protecting firmware from being compromised due to malware attack and a secondary non-volatile memory that is used to store a copy of the system firmware and system date. Ans. 3 (citing Jeansonne ¶ 13). The Examiner finds Jeansonne discloses an embedded controller that monitors the integrity of the secondary non-volatile memory to ensure the content has not been compromised due to malware, a Appeal 2020-006254 Application 15/749,112 4 code bug, or another cause, which the Examiner finds discloses detecting an intrusion while an operating system is running. Id. (citing Jeansonne ¶ 39). Appellant’s argument that the Examiner’s findings are unsupported by the reference is unpersuasive. Jeansonne discloses “embedded controller 202 can monitor the integrity of the content (code and data) stored in the primary non-volatile memory 204 and/or secondary non-volatile memory 216 to ensure that the content has not been compromised due to malware, a code bug, or other cause.” Jeansonne ¶ 39. Thus, Jeansonne discloses embedded controller 202 can detect intrusion into secondary non-volatile memory 216, which stores a copy of the firmware (see Ans. 3 (citing Jeansonne ¶ 13)). Jeansonne discloses embedded controller 202 can perform this integrity check at various times “such as when the computing system 200 comes out of reset, during a low power state of the computing system 200, or during runtime of the computing system 200.” Jeansonne ¶ 40 (emphasis added). Thus, Jeansonne discloses that this intrusion detection can occur “while an operating system is running,” as claimed. Appellant’s arguments to the contrary do not persuasively identify error in the Examiner’s findings. For these reasons, we sustain the Examiner’s anticipation rejection of claim 1. We also sustain the anticipation rejection of claims 2‒4 and 6, for which Appellant relies on the same arguments. See Appeal Br. 7‒8. We also sustain the Examiner’s obviousness rejection of claim 5, for which Appellant relies on the same arguments. See id. at 10. Claim 8 The Examiner finds Jeansonne discloses “storing an event data structure describing intrusions to system management mode (SMM) Appeal 2020-006254 Application 15/749,112 5 firmware on a computing device during runtime.” Final Act. 4 (citing Jeansonne ¶¶ 14, 37). Appellant argues the Examiner’s findings do not address the limitation that the claimed firmware is SMM firmware. Appeal Br. 9. Appellant argues the Specification defines SMM as “an operating mode of x86 central processing units (CPUs) in which execution of at least the operating system is suspended and separate software, which is part of the firmware, is executed with high privileges.” Id. (citing Spec. ¶ 21). Appellant argues Jeansonne does not disclose SMM firmware and the Examiner has not made findings to establish that it does. Id. In response to Appellant’s arguments, the Examiner repeats the findings made regarding claim 1 without specifically addressing the SMM firmware limitation. See Ans. 3‒4. On this record, we are constrained to agree with Appellant that the Examiner has not made sufficient factual findings regarding all of the limitations recited in claim 8. In particular, the Examiner has not made any findings regarding SMM firmware or explained how Jeansonne discloses such firmware as it is defined by the Specification. Accordingly, we do not sustain the anticipation rejection of independent claim 8. We also do not sustain the anticipation rejection of dependent claims 9‒11. Claim 12 Appellant argues the portions of Held and Petersen cited by the Examiner do not teach or suggest “SMM firmware,” as defined in the Specification. Appeal Br. 10 (citing Spec. ¶ 21). In particular, Appellant argues paragraph 14 of Held teaches the system may store an initialization firmware verification module, but does not mention SMM firmware. Id. Appeal 2020-006254 Application 15/749,112 6 Appellant argues paragraphs 28 and 51 of Held teach a high-level description of defense of BIOS code, but do not mention SMM firmware. Id. Appellant argues paragraph 50 of Petersen teaches a pop-up window including details of an event, but this is not relevant to the SMM firmware limitation. Id. Appellant has not persuaded us of Examiner error. The Specification defines “system management mode (SMM)” as “an operating mode of x86 central processor units (CPUs) in which execution of at least the operating system is suspended and separate software, which is part of the firmware, is executed with high privileges.” Spec. ¶ 21. The Examiner finds, and we agree, Held teaches BIOS storage attack protection and notification. Final Act. 6 (citing Held ¶¶ 14, 28, 51). Held teaches verifying the BIOS of a computing platform by executing a processor initialization module in response to a reset. Held ¶ 51. Held teaches that a reset is a restart event where flow control is returned from the operating system to the processor initialization module. Held ¶ 15. Although Held does not explicitly use the term SMM, Held teaches the operating system is suspended and the processor initialization module, which is part of the firmware, is executed to verify the integrity of the BIOS. We agree with the Examiner that these disclosures teach, or at least suggest, the disputed limitations. For these reasons, we sustain the Examiner’s obviousness rejection of claim 12. We also sustain the Examiner’s obviousness rejection of claims 13‒15, for which Appellant relies on the same arguments. See Appeal Br. 10. DECISION SUMMARY In summary: Appeal 2020-006254 Application 15/749,112 7 Claim(s) Rejected 35 U.S.C. § Reference(s)/Basis Affirmed Reversed 1‒4, 6, 8‒11 102 Jeansonne 1‒4, 6 8‒11 5 103 Jeansonne, Held 5 12 103 Held, Petersen 12 13‒15 103 Held, Petersen, Jeansonne 13‒15 Overall Outcome 1‒6, 12‒15 8‒11 TIME PERIOD FOR RESPONSE No time period for taking any subsequent action in connection with this appeal may be extended under 37 C.F.R. § 1.136(a). See 37 C.F.R. § 1.136(a)(1)(iv). AFFIRMED IN PART Copy with citationCopy as parenthetical citation
