Supplemental Declaration of Aviel Rubin
Inter Partes Review of Patent No. 8,141,154

UNITED STATES PATENT AND TRADEMARK OFFICE

BEFORE THE PATENT TRIAL AND APPEAL BOARD

Palo Alto Networks, Inc.
Petitioner

v.

Finjan, Inc.
Patent Owner

U.S. Patent No. 8,141,154
Filing Date: June 14, 2010
Issue Date: March 20, 2012

Title: System and Method for Inspecting Dynamically Generated Executable Code

Inter Partes Review No. 2015-01979

SUPPLEMENTAL DECLARATION OF AVIEL D. RUBIN
IN SUPPORT OF PETITIONER’S REPLY

Palo Alto Networks, Inc. - Exhibit 1045
Palo Alto Networks, Inc. v. Finjan, Inc., IPR2015-01979

I, Aviel Rubin, declare as follows:

I have personal knowledge of the facts stated in this supplemental declaration, and could and would testify to these facts under oath if called upon to do so.

I have been retained by counsel for Palo Alto Networks, Inc. (Petitioner) in this case as an expert in the relevant art. I am being compensated for my work at the rate of $688 per hour. No part of my compensation is contingent upon the outcome of this petition.

I was asked to study U.S. Patent 8,141,154, its prosecution history, and the prior art, and to render opinions on the obviousness or non-obviousness of the claims of the ’154 patent in light of the teachings of the prior art, as understood by a person of ordinary skill in the art in the 2005 timeframe. I previously executed a declaration in support of Palo Alto Networks’ Petition for Inter Partes Review (Ex. 1002). This supplemental declaration addresses positions and testimony raised by Finjan in its Patent Owner Response.

In addition to the material and information I reviewed and considered in connection with my previous declaration and my own expertise in the field, this declaration is based on the following information:

Exhibit No.    Description of Document
1038           Medvidovic deposition transcript, IPR2015-01979, Nov. 21, 2016.
1044           Nebenzahl & Wool, Install-time Vaccination of Windows Executables to Defend Against Stack Smashing Attacks, Technical Report EES2003-9, Nov. 4, 2003.

I. BASED ON THE TEACHINGS OF KHAZAN, A PERSON OF ORDINARY SKILL WOULD HAVE KNOWN HOW TO INSTRUMENT APPLICATIONS

1. It is my opinion that, based on the disclosures in Khazan, it would have been obvious to a person of ordinary skill in 2005 how to instrument applications using techniques disclosed in Khazan and techniques that were well known in the art.

2. The Khazan reference broadly describes that its instrumentation techniques can be applied to many different types of programs and code:

[0114] It should be noted that the foregoing techniques are applied in particular to binary machine executable codes. However, the foregoing techniques may be characterized as extensible and generally applicable for use with any one of a variety of different types of binary and machine-executable programs, as well as script programs, command program, and the like. (Ex. 1003 at 25 [114]; see also id. at 26 [0118].)

3. Khazan describes instrumenting libraries and executable applications, such as Win32 EXE files, for example:

[0042] In this embodiment, prior to executing the application executable 102, an analysis may be performed by the static analyzer 104 to examine and identify calls or invocations made from the application executable 102 to a predetermined set of target functions or routines. An embodiment may also identify additional information about these functions, such as, for example, particular locations within the application from which the calls to these functions are made, parameter number and type information for each call, the values that some of these parameters take at run-time, and the like. For example, in one embodiment, it may be determined that the target function calls to be identified are those that are external to the application 102, such as those calls that are made to system functions. (Ex. 1003 at 18 [0042].)

4. In the passage cited above, Khazan discloses, as part of the instrumentation process, scanning an executable file in order to find function calls. The passage also describes the case in which function calls to external libraries are found. The reason that Khazan breaks external function calls out as a special case is because calls to functions inside of an application may be treated differently than calls to a function external to the application. Khazan then describes instrumenting these functions using, in one example, code included in the Microsoft Detours package. (Ex. 1003 at 21 [0079], 23 [0091].)

5. Khazan describes that Detours may be used to instrument an application by replacing “the first few instructions of the target function with an unconditional jump to a user provided wrapper or stub function.” (Ex. 1003 at 23 [0091].) A person of ordinary skill at the time would have known that Detours could be used to instrument an application. This is shown, for example, in the Detours paper, published in 1999, which describes applying Detours instrumentation to Win32 portable executable files, which are applications. (Ex. 1012 at 3-4.)

6. Khazan also teaches that: “Win 32 API functions are instrumented for the purpose of being intercepted although an embodiment may monitor or intercept any one or more different functions or routines.” (Ex. 1003 at 21 [79].)

7. Khazan gives examples of how these calls may be implemented in assembly language in an application binary:

“[0046] The particular type of target calls and their form may vary in accordance with each embodiment. For example, in one embodiment, the binary representation of the application executable 102 may include a jump instruction, a call instruction, or other types of instructions transferring control from the application as may be the case for various routines being monitored.” (Ex. 1003 at 18 [0046]; see also id. at 19 [0048].)

8. Thus, Khazan discloses how to recognize any functions that are within the application executable and how to find their locations in the executable.

9. In another example, Khazan also describes how to find such call instructions using the Ida Pro disassembler:

“[0045] An embodiment may examine the application executable 102 using any one of a variety of different techniques to look for any calls to one or more predetermined functions or routines. The static analyzer 104 may examine the binary code of the application executable 102 to look for predetermined call instructions, or other type of transfer instructions associated with calls to target functions. One embodiment uses the IDA Pro Disassembler by DataRescue (http://www.datarescue.com/idabase/) and Perl scripts in performing the static analysis of the application executable 102 to obtain the list of targets and invocation locations 106 associated with the invocations of the Win32 API functions, which is described in more detail elsewhere herein.” (Ex. 1003 at 18 [0046].)

10. Based on the foregoing passages in Khazan, and the disclosures of Khazan generally, a person of ordinary skill would have known how to apply the teachings of Khazan to instrument an executable application.

11. To the extent that one might argue that Khazan’s disclosure does not provide enough detail to allow a person of ordinary skill to accomplish instrumentation of an application, as I understand Dr. Medvidovic testified, I also note that techniques for instrumenting Win32 EXE files, like those disclosed in Khazan, were widely known and well understood by those in the art before 2005.

12. For example, in November 2003, Nebenzahl and Wool described and implemented a method for instrumenting Win32 EXEs using the IDA Pro disassembler discussed in Khazan by disassembling the executable and discovering functions therein as early as 2003. (Ex. 1044.)

The next step in our process is the discovery of function boundaries. To do this we wrote a parser for the IDA Pro listing file. We identify a function entry when we find an address that is called from some other address. Thus, the listing file is scanned to detect calls, and the called addresses are marked as function entry addresses. Each function is then scanned, building a tree emulating all possible branches in the function, until all RET commands (exit addresses) of the function are detected. Note that a function can have more than one entry point, and more than one exit point. Note also that our function discovery will miss “non-standard” functions — e.g., functions that are not called by the CALL instruction, or that do not return by the RET instruction. We believe that this is not a significant issue since compilers generate standard call sequences. (Ex. 1044 at 7.)

13. In my opinion, this disclosure is consistent with a person of ordinary skill’s understanding of how an executable application could be instrumented using the IDA Pro disassembler specifically identified in Khazan. (Ex. 1003 at 18 [0045].)

14. I reviewed the transcript of the deposition of Dr. Medvidovic taken in this proceeding. (Ex. 1038.) I disagree with Dr. Medvidovic’s testimony that Khazan does not teach instrumenting applications for the reasons set forth above and based on my knowledge as a person of ordinary skill in the 2005 timeframe. (See, e.g., Ex. 1038 at 10-11 (34:16-38:9), 39 (150:8-16.).)

15. It is my opinion that, based on the disclosures of Khazan, it would have been obvious to a person of ordinary skill in 2005 to instrument an application using techniques disclosed in Khazan and techniques that were well known in the art as set forth above.

16. I reserve the right to offer opinions relevant to the invalidity of the ’154 patent claims at issue or offer testimony in support of this Supplemental Declaration and my original Declaration. (Ex. 1002.)

17. In signing this Supplemental Declaration, I recognize that the Supplemental Declaration will be filed as evidence in a contested case before the Patent Trial and Appeal Board of the United States Patent and Trademark Office. I also recognize that I may be subject to cross-examination in the case. If required, I will appear for cross-examination at the appropriate time.

18. I hereby declare that all statements made herein of my own knowledge are true and that all statements made on information and belief are believed to be true and, further, that these statements were made with the knowledge that willful false statements and the like are punishable by fine or imprisonment, or both, under 18 U.S.C. § 1001.

Dated: October 28, 2016

Respectfully submitted,

______________________
Aviel Rubin
