T 2446/10 (Implementing security using a context barrier/ORACLE) of 11.12.2015

European Case Law Identifier: ECLI:EP:BA:2015:T244610.20151211
Date of decision: 11 December 2015
Case number: T 2446/10
Application number: 00904409.0
IPC class: G06F 9/46
G06F 1/00
G07F 7/10
Language of proceedings: EN
Distribution: D
Versions: Unpublished
Title of application: TECHNIQUES FOR IMPLEMENTING SECURITY ON A SMALL FOOTPRINT DEVICE USING A CONTEXT BARRIER
Applicant name: Oracle America, Inc.
Opponent name: GIESECKE & DEVRIENT GmbH
Board: 3.5.06
Headnote: -
Relevant legal provisions:
Rules of procedure of the Boards of Appeal Art 11
European Patent Convention Art 54(1)
European Patent Convention 1973 Art 54(1)
Keywords: Fundamental procedural defect - (no)
Novelty - (yes)
Remittal to the department of first instance - (yes)
Catchwords:

-

Cited decisions:
-
Citing decisions:
-

Summary of Facts and Submissions

I. This is an appeal against the decision, dispatched on 30 November 2010, by the opposition division to revoke European patent No. EP B 1155365 on the basis that claim 1 according to the main and first to fifth auxiliary requests had been amended in such a way that its subject-matter extended beyond the content of the application as filed, Article 123(2) EPC. This extension was caused by the replacement of the term "principal" in claim 21 as originally filed by the term "program module" in claim 1 of the patent and the reference in the same claim to "object-oriented access". The subject-matter of the sixth to twelfth auxiliary requests was found not to be clear, Article 84 EPC, since these requests were merely expressed as combinations of other requests.

II. The opposition was based on the grounds foreseen in Article 100(a) and (c) EPC 1973, namely inventive step and added subject-matter.

III. The following document inter alia was mentioned in opposition proceedings:

D12: T. Frey, "Java(TM) Card the Java(TM) Standard for Smart Cards", Java Days '98.

IV. A notice of appeal was received from the patent proprietor on 14 December 2010, the appeal fee being paid on the same day. The appellant requested that the patent be maintained as granted, otherwise requesting oral proceedings.

V. In a statement of grounds of appeal, received on 23 March 2011, the appellant requested that the patent be maintained in the form of the main request on which the appealed decision was based, corresponding to the patent as granted except for the deletion of claim 12. The auxiliary request for oral proceedings was reiterated.

VI. In a submission received on 28 July 2011 the respondent opponent requested that the appeal be dismissed in its entirety and, even if the board were to conclude that the amendments to the patent complied with Article 123(2) EPC, not to remit the case to the opposition division, since the subject-matter of claim 1 of the patent lacked novelty and inventive step in view of the disclosure of D12. Oral proceedings were requested if the appeal was not to be dismissed.

VII. In a letter received on 27 October 2011 the appellant requested that appeal proceedings be limited to the consideration of added subject-matter, this being the basis of the decision under appeal, and that the case be remitted to the first instance, should the appeal be successful, for consideration of the remaining grounds of opposition. The appellant argued that Article 21(1) EPC prevented the board from considering matters that had no relevance to the decision. The appellant also drew attention to Article 11 RPBA and argued that remittal to the first instance was generally required, in the absence of special reasons to the contrary, and that the respondent had not identified any special reasons in the present case.

VIII. In an annex to a summons to oral proceedings the board gave its preliminary opinion that it did not agree with the appealed decision that the main request had been amended contrary to Article 123(2) EPC. In particular, the board agreed with the appellant that page 9, lines 26 to 27, of the description as filed gave applets and applications as examples of principals, not as the definition of the term "principal". In the board's view, "principal" was a widely used term in the fields of security and access control and had a very broad meaning, namely any entity which can be identified. Several passages in the application referred to a "principal" as an "entity"; see figure 5, 500, "PRINCIPAL (ENTITY)" and page 10, lines 1 to 3, in particular "a principal (sometimes called entity) 500". The usual meaning of the term "principal" being broad, the board was not convinced that it was "impermissibly generalised", as alleged in the appealed decision, to cover program modules. Concerning the feature of "[controlling the] object-oriented access of a program module", the board was not persuaded by the argument of the opposition division that object access could also be by means of bit by bit copying, as the overall context and teaching of the application describing an object-oriented environment seemed to provide sufficient basis for the object access mechanism being object-oriented. The board was further satisfied by the passages cited by the appellant, i.e. page 5, lines 21 to 27, stating that "two execution contexts ... can share information in a controlled secure way, using language mechanisms, such as object-oriented language mechanisms", page 5, lines 13 to 14, stating that "it would be desirable to allow object-oriented interaction between selected execution contexts only in safe ways", and page 13, lines 21 to 24, stating that "a mechanism that provides access to an object in another context can make other objects available also. For instance, invoking a method on an object in another context may return a reference to a second object in a different context" (emphasis by the board). With regard to the appellant's request to remit the case to the first instance, the board was not convinced by the appellant's argument, that there was no legal basis for the board to examine inventive step, and referred to Article 111(1) EPC 1973, according to which the board had a discretion to exercise any power within the competence of the department responsible for the decision appealed. The legal provisions referred to by the appellant were not relevant in the present case. In particular, Article 21 EPC concerned the responsibilities of the boards of appeal within the organisational structure of the EPO and their composition for particular cases, whereas Article 11 RPBA related to remittal in the case of "fundamental deficiencies" in the first instance proceedings, which the board did not find in the appealed decision. Given the direct relevance of document D12 to the present case, the board introduced D12 into the proceedings, Article 114(1) EPC, and expressed doubts as to the inventive step, Article 56 EPC 1973, of the claimed subject-matter in view of D12.

IX. With a letter received on 9 November 2015 the appellant filed amended claims according to a main and first and second auxiliary requests. The appellant made its former main request its new third auxiliary request. In the event that the board did not allow any of these requests, the appellant requested that the case be remitted to the first instance, since the board seemed to be of the view that the reasons given in the appealed decision for revoking the patent were not justified, this seeming to be a "fundamental deficiency" in the first instance proceedings, Article 11 RPBA.

X. Oral proceedings were held on 11 December 2015. The appellant's sole final request was remittal of the case to the opposition division for continuation of the opposition proceedings on the basis of the first auxiliary request. The respondent's final request was that the appeal be dismissed.

XI. At the end of the oral proceedings the board announced its decision.

XII. The claims according to the first auxiliary request comprise three independent claims: claim 1 to a method, claim 4 to a computer program product, referring to the method of claims 1 to 3, and claim 5 to a small footprint device. Claim 1 reads as follows:

"A method for operating a small footprint device (400) that includes a processing machine (410) comprising a virtual machine (720) running on a processor (300), wherein program modules are executed on the processing machine, characterized by: executing groups of one or more program modules in separate contexts (420, 620; 760, 770, 780; 1000, 1010, 1020), wherein objects of a program module are associated with a particular context; and providing a context barrier (600; 600') for separating and isolating the contexts and for controlling the object-oriented access by a principal comprising a program module executing in one context to an object of a program module executing in another context, said controlling further comprising preventing said access if said access is unauthorized and enabling said access if said access is authorized; wherein said authorization of said access includes at least one security check comprising: the virtual machine checking if the object is a shared object, and if not the check fails; if the object is a shared object, the virtual machine invoking a method on the shared object which determines whether the principal is authorised, and if not the check fails; whereby if the object is a shared object and the method determines that the principal is authorised, the access is permitted."

Reasons for the Decision

1. The admissibility of the appeal

In view of the facts set out at points I, IV and V above, the appeal complies with the admissibility criteria under the EPC and is consequently admissible.

2. Article 11 RPBA

2.1 The opposition division decided to revoke the patent on the basis of the deficiencies it found with respect to Article 123(2) EPC.

2.2 The appellant requested that the case be remitted to the first instance, since the preliminary view of the board in the annex to the summons to oral proceedings was that the reasons given in the appealed decision for revoking the patent were not justified. The appellant argued that an incorrect decision by the first instance was the most "fundamental deficiency" that could occur in first instance proceedings because a patent was lost. Accordingly, the appellant argued, the circumstances of the present case qualified under Article 11 RPBA as justifying remittal.

2.3 The board is not convinced by the appellant's arguments. The fact that the board does not agree with the conclusion of the first instance with respect to substantive matters does not mean that the first instance proceedings themselves were deficient. In the absence of fundamental deficiencies apparent in the first instance proceedings, the board does not consider Article 11 RPBA to be applicable to the present case.

3. Article 111 EPC 1973

3.1 According to Article 111(1) EPC 1973, following the examination as to the allowability of the appeal (see the board's statement in the annex to the summons; VIII supra), the Board of Appeal shall decide on the appeal.

3.2 The board has discretion either to exercise any power within the competence of the department which was responsible for the decision appealed or to remit the case to that department for further prosecution. The board agrees with the appellant that proceedings before the EPO are designed so that issues are normally decided by two instances. The board however considers that no purpose would be served by remitting a case for further prosecution based on a request that is clearly not allowable as it stands.

3.3 Thus the board considers it to be necessary to examine whether the first auxiliary request is clearly not allowable before taking a decision with respect to a remittal to the department of first instance.

4. The context of the invention

4.1 The patent relates to implementing security on "small footprint" devices (see figure 3), such as smart cards and cellular telephones, by providing a context barrier or "firewall" between different execution contexts, thus isolating different program modules on the same device from each other to avoid interaction between them, be it accidental or unauthorized.

4.2 The invention addresses the problem of allowing controlled access across the context barrier; see paragraph [0022] of the patent. The problem is solved by multiple security checks upon access of an object by a principal from another execution context; see figures 16 to 18, described in paragraphs [0060] to [0062]. In particular, a virtual machine initially checks whether the object is a shared object (1810 in figure 18). If yes, then the virtual machine invokes a method of the object (1820 in figure 18) which further checks whether the principal is authorised to access the object (1830 in figure 18) before authorising access (8140 in figure 18).
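
The two-stage check summarised in point 4.2 and recited in claim 1, modelled in Python as an added illustration: it is not code from the patent, from D12 or from the decision, and every class and name (`ContextBarrier`, `CardObject`, `authorize`, the same-context shortcut, the applet names) is a hypothetical assumption made for the sketch.

```python
from dataclasses import dataclass, field

class AccessDenied(Exception):
    """Raised by the barrier when a cross-context access is refused."""

@dataclass(frozen=True)
class Principal:
    name: str
    context: str  # context the calling program module executes in

@dataclass
class CardObject:
    owner_context: str            # each object belongs to one context
    shared: bool = False          # stage 1: did the owner mark it as shared?
    allowed: set = field(default_factory=set)

    def authorize(self, principal):
        """Stage 2: the object's own method decides about this principal."""
        return principal.name in self.allowed

class ContextBarrier:
    """Stands in for the virtual machine mediating every object access."""
    def __init__(self):
        self.audit = []  # (principal, owner context, outcome)

    def access(self, principal, obj):
        if principal.context == obj.owner_context:
            outcome = "same-context"  # assumption: no barrier crossing
        elif not obj.shared:
            outcome = "denied:not-shared"  # authorize() is never called
        elif not obj.authorize(principal):
            outcome = "denied:principal-not-authorised"
        else:
            outcome = "permitted"
        self.audit.append((principal.name, obj.owner_context, outcome))
        if outcome.startswith("denied"):
            raise AccessDenied(outcome)
        return obj

def demo():
    """Constructed scenario: three applets, one private and one shared object."""
    barrier = ContextBarrier()
    wallet, loyalty, other = (Principal("wallet", "ctx-A"),
                              Principal("loyalty", "ctx-B"),
                              Principal("other", "ctx-C"))
    private = CardObject("ctx-A", shared=False, allowed={"loyalty"})
    points = CardObject("ctx-A", shared=True, allowed={"loyalty"})
    for who, obj in [(wallet, private), (loyalty, private),
                     (loyalty, points), (other, points)]:
        try:
            barrier.access(who, obj)
        except AccessDenied:
            pass  # refusal is already recorded in the audit trail
    return [outcome for _, _, outcome in barrier.audit]
```

In the constructed scenario the `private` object lists `loyalty` in its own allow-list yet stays unreachable from another context, because the barrier refuses non-shared objects before the object's method is consulted.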

5. The prior art

5.1 D12 is a "PowerPoint style" presentation of 53 pages/slides relating to the Java standard for smart cards, given by an employee of the respondent at the "Java days '98" conference in 1998.

5.2 According to the respondent, the "Java days '98" conference was held in Frankfurt on 12-13 November 1998 and thus before the priority date of 22 January 1999. The appellant has not disputed that D12 was made publicly available at this conference. Hence it is common ground between the parties, and the board agrees, that D12 was made available to the public at the conference before the priority date and thus forms prior art, Article 54(2) EPC 1973.

5.3 D12 concerns the Java Card standard for smart cards. Such smart cards can be inserted into a terminal or interface device, for instance to provide authentication for carrying out financial transactions (see pages 3 and 4). According to page 2, a subset of the Java Virtual Machine runs on the card and interprets instructions in byte code (see page 17), secure applications, termed "applets", being isolated from each other by a firewall. According to pages 32 and 23, each applet runs in its own context. Objects are created in their context and are only accessible within their context; see page 32, last bullet point. According to the same page, the JCRE (Java Card Runtime Environment) context is a privileged context which manages every applet context. Although objects from one context cannot be shared directly with another context, methods are provided, as D12 puts it, for a "controlled breakthrough in the firewall for interapplet communication"; see page 35, in particular the first bullet-point.

6. Novelty, Article 54 EPC 1973

6.1 D12 discloses the following features set out in claim 1 of the first auxiliary request:

"A method for operating a small footprint device that includes a processing machine comprising a virtual machine running on a processor, wherein program modules are executed on the processing machine (see page 18), characterized by: executing groups of one or more program modules in separate contexts (see page 32, first bullet point), wherein objects of a program module are associated with a particular context (see page 32, last bullet point and page 35, fourth bullet point); and providing a context barrier for separating and isolating the contexts (see firewall system on pages 23 and 33) and for controlling the object-oriented access by a principal comprising a program module executing in one context to an object of a program module executing in another context (see sharing concept on pages 23, 33 and 35), said controlling further comprising preventing said access if said access is unauthorized (see page 33, second bullet point) and enabling said access if said access is authorized (see page 35); wherein said authorization of said access includes at least one security check comprising: the virtual machine checking if the object is a shared object, and if not the check fails (see page 33, first bullet point)."

6.2 The subject-matter of claim 1 differs from the disclosure of D12 in that, if the object is a shared object, the virtual machine invokes a method on the shared object which determines whether the principal is authorised. The board takes this to mean that access is permitted if the object is a shared object and the invoked method of the object determines that the principal is authorised.

6.3 Thus the subject-matter of claim 1 is new with respect to the disclosure of D12.

7. Remittal to the department of first instance

7.1 The board takes the view that, upon introduction of D12 into the proceedings, claim 1 was amended to set out a considerable number of features which were not assessed in the opposition proceedings as regards their potential technical effects, the technical problem they might solve and their inventive merit. The board finds that claim 1 of the first auxiliary request is not clearly unallowable and that the inventive step of its difference features over D12 cannot readily be assessed in the present appeal proceedings on the basis of the documents presently on file.

7.2 With regard to the respondent's objection that some of the amendments made in the first auxiliary request do not meet the requirements of Article 123(2) EPC, the board finds that the introduction of D12 into the proceedings shifted their focus to the assessment of inventive step. The board takes the view that, under the present circumstances, the main issue has become the compliance of claim 1 with Article 56 EPC 1973 regarding inventive step, whereas it would appear that the respondent's objections under Article 123(2) EPC could be easily overcome.

7.3 Under the present circumstances the board remits the case to the department of first instance for continuation of the opposition proceedings on the basis of the first auxiliary request to allow the first instance to take a position on inventive step.

Order

For these reasons it is decided that:

1. The decision under appeal is set aside.

2. The case is remitted to the opposition division for continuation of the opposition proceedings on the basis of the first auxiliary request.
