T 1434/06 (Privileged mode for driver authentication/AMD) 12-04-2010
Software modem with privileged mode driver authentication
I. This appeal is against the decision of the examining division dispatched 13 April 2006, refusing European patent application No. 02744332.4 for lack of novelty (Article 52(1) and Article 54 EPC 1973) over prior art document:
D1: US-A-6 149 522.
II. The notice of appeal was received on 12 May 2006. The appeal fee was paid on the same day. With the statement setting out the grounds of appeal received on 24 July 2006, the appellant requested that the appealed decision be set aside and that a patent be granted on the basis of the original claims (main request) or of claims 1 to 10 submitted with the statement setting out the grounds of appeal (auxiliary request).
III. With a letter received 16 April 2008 the appellant submitted that "should the Examiner [sic] raise further objections to the application, or maintain objections at present on file applicant requests Oral Proceedings".
IV. Independent claim 1 according to the main request reads as follows:
"1. A computer system (100), comprising: a peripheral device (215); a processing unit (110) adapted to execute a driver (240) for interfacing with the peripheral device (215) in a standard mode of operation and an authentication agent (90) in a privileged mode of operation, wherein the authentication agent (90) includes program instructions adapted to authenticate the driver (240)."
The subject-matter of independent method claim 7 essentially corresponds in terms of method features to that of claim 1.
1. Admissibility
The appeal is admissible.
Main request
2. Novelty (Article 54(2) EPC 1973)
The appealed decision is based on lack of novelty over D1. No amendments have been made to the claims. The decision was taken after a first communication without oral proceedings. No examination of inventive step for the independent claims took place during the first instance proceedings.
2.1 The examining division argued in the contested decision that document D1 disclosed a computer system (column 6, line 63, "electronic casino gaming system"), comprising a peripheral device (column 6, line 65, "several system components"), a processing unit (column 6, line 66, "microprocessor") adapted to execute a driver for interfacing with the peripheral device in a standard mode of operation (column 7, line 9, "related drivers") and an authentication agent in a privileged mode of operation (column 7, line 9, "authentication software"). The authentication agent included program instructions adapted to authenticate the driver (column 8, lines 9-10, "ROM 30 contains ... the system drivers" and column 9, lines 44-46, "to authenticate the content of all memory devices, such as the contents of ROM 30"). The examining division believed that the authentication software disclosed in D1, column 7, line 9 was to be considered as being executed in a privileged mode of operation since the authentication procedure was able to authenticate the game at a variety of different times without disabling the game (D1, column 13, lines 4-6) and since it did not need to be verified by any other program before being loaded (D1, fig. 7, boxes 104-114).
The appellant essentially argued in the statement setting out the grounds of appeal that the privileged mode of operation was a mode of operation different and distinct from the standard mode that was used by the processor complex 110 for normal operations. Document D1 was concerned with authenticating loadable casino game data 36 in an electronic casino gaming system. For example, document D1 described calling an authentication routine when it was desirable to compute a message digest of the casino game data sets 36 (see document D1, column 8 lines 15-27). The appellant disagreed with the examining division's interpretation of the term "privileged mode". Authentication software did not need to be in a privileged mode in order to authenticate the game at a variety of different times without disabling the game. The fact that the authentication software could be run while the game was operational simply implied that the authentication software could be run concurrently with other software that was being used to implement the game. Persons of ordinary skill in the art having benefit of the present disclosure would appreciate that conventional processors were capable of running numerous programs or threads in parallel (or in some other manner that permits more than one program or thread to be operating concurrently) while the processor was operating in a standard mode and that no privileged mode was required for this to occur.
The appellant further disagreed with the conclusion that the authentication software operated in a privileged mode because it did not need to be verified by any other program before being loaded. Document D1 described determining whether or not an anchor application was valid and then loading (or prohibiting loading of) the anchor application based on this determination (see document D1, figure 7). However, document D1 did not teach that this determination needed to be made in any particular mode of operation. To the contrary, document D1 did not describe any particular modes of operation and was completely silent with regard to a privileged mode of operation of the electronic casino gaming system. For at least the aforementioned reasons document D1 failed to describe or suggest a processing unit that was adapted to execute a driver for interfacing with a peripheral device in a standard mode of operation and an authentication agent in a privileged mode of operation.
2.2 Independent claims 1 and 7 are directed to driver authentication in general, and are not limited to modem drivers. The appellant argued that D1 did not disclose a privileged mode of operation as specified in claims 1 and 7. The present application states (see top of page 7):
"In general, a privileged mode is defined as a mode of operation not visible to other processes, such as applications or drivers, executing on the computer 100. SMM is simply one illustrative privileged mode currently available.
Other privileged contexts include the use of a separate processing entity, such as a cryptoprocessor, independent from the main system microprocessor. The functions of privileged mode software are executed by the cryptoprocessor and are thus secure from tampering by other software applications executing on the main system microprocessor. Still another privileged context is possible using a main system microprocessor having a secure architecture extension. In such an implementation, the cryptoprocessor is integrated into the main system microprocessor and controlled with secure commands."
According to the board's understanding "privileged mode" is a known term in the art and the above interpretation is not in contradiction with the skilled person's understanding of that term.
2.3 The examining division in particular argued that D1 discloses that the authentication software is executed in a privileged mode because:
a) the authentication procedure is able to authenticate the game at a variety of different times without disabling the game (D1, column 13, lines 4-6) and
b) it does not need to be verified by any other program before being loaded (D1, Figure 7, boxes 104-114).
Argument a) does not convince, since it would be quite possible for the game and the authentication software to be run concurrently in an ordinary multi-tasking/multi-threading environment on the same microprocessor in the same mode, normally the standard mode of operation. Moreover according to D1 it is the game data set which is authenticated, not the game application software. Therefore, the board agrees with the appellant that the game and the authentication software can be run concurrently. Such parallel processing does not necessarily suggest a privileged mode for the authentication, i.e. a mode not visible for the game as defined in the present application.
Argument b) does not convince either, because it is merely speculation what occurs in the system described in D1 before the authentication program code is loaded. There are many other ways of protecting such a code and the board does not find any disclosure, explicit or implicit, which would justify the specific interpretation given in argument b).
2.4 However the board does not entirely agree with the appellant. It notes that, in a side aspect, D1 does deal with authentication of software programs including drivers (see e.g. column 4, line 14 onwards, in particular line 20; column 9, line 63 onwards). One security aspect is that the authentication software is stored in a ROM memory, but nothing is disclosed about different modes of operation, in particular there is no reference to or indication of a privileged mode for running the authentication software or a separate processor for doing this. It is rather a coincidental disclosure that unspecified software drivers are authenticated, because the whole ROM memory 30 comprising, inter alia, the driver software is authenticated (e.g. column 10, lines 1-4, discloses the integrity of all software is checked to reveal unauthorized changes). There is no discussion of any specific security problem regarding drivers. The board notes that consideration of novelty with respect to D1 is correct since the claimed subject-matter can then be interpreted in its broadest way. However, the board has doubts that D1, which primarily deals with an electronic casino gaming system which involves authenticating casino game data sets, is a good starting point for assessing inventive step, where similarity of problem or purpose of a teaching is a relevant consideration.
2.5 In the light of the analysis of the disclosure of D1 the subject-matter of independent claims 1 and 7 is new over D1, which does not disclose a processing unit adapted to execute a driver for interfacing with a peripheral device in a standard mode of operation and an authentication agent in a privileged mode of operation.
3. According to Article 111(1) EPC 1973 the board may exercise any power within the competence of the examining division (which was responsible for the decision appealed) or remit the case to that department for further prosecution. It is thus at the board's discretion whether it examines and decides the case or whether it remits the case to the first instance. The appealed decision was solely based on Article 54(1) and (2) EPC 1973. In particular, the requirement of Article 56 EPC 1973 has not yet been examined by the first instance for the subject-matter of the present independent claims on file. The board therefore considers that in the present case remittal is the more appropriate course of action.
Regarding the appellant's auxiliary request for oral proceedings submitted with the letter received 16 April 2008, it is clear from the mandatory wording of Article 116(1) EPC 1973 that a party who requests oral proceedings is in principle entitled to such proceedings (see for example T 19/87, OJ EPO 1988, 268). However in the present case the request for oral proceedings was made on an auxiliary basis and reads "should the Examiner [sic] raise further objections to the application, or maintain objections at present on file applicant requests Oral Proceedings". The board notes that remitting the case does not fall under the conditions set in this request, since the objection for lack of novelty on which the appealed decision was based is not maintained and no further objections are raised by the board. The appellant requested grant of a patent on the basis of the main request or the auxiliary request. However, as stated in decision T 42/90, the decision to remit the case to the first instance is not to be considered as being adverse to that party, so that no oral proceedings before the board need to be appointed.
4. Since the main request overcomes the objections on which the appealed decision is based, the board does not need to deal with the auxiliary request.
ORDER
For these reasons it is decided that:
1. The decision under appeal is set aside.
2. The case is remitted to the department of first instance for further prosecution on the basis of the main request.