Aviel Rubin, Ph.D.Aviel Rubin, Ph.D.
`
`November 14, 2016November 14, 2016
`
`· · · · · ·UNITED STATES PATENT AND TRADEMARK OFFICE
`
`· · · · · · · · _______________________________
`
`· · · · · · BEFORE THE PATENT TRIAL AND APPEAL BOARD
`
`· · · · · · · · ·______________________________
`
`· · ·PALO ALTO NETWORKS, INC.
`
`· · · · · · · · ·Petitioner· · · · · CASE NO.
`
`· · ·vs.· · · · · · · · · · · · · · ·IPR2015-01979
`
`· · ·FINJAN, INC.
`
`· · · · · · · · ·Patent Owner
`· · ·__________________________/
`
`· · · ·
`
` · · · · · · · ·DEPOSITION OF AVIEL RUBIN, PH.D.
`
`· · · · · · · · · · MONDAY, NOVEMBER 14, 2016
`
`· · · · · · · · · · · · · · 12:49 P.M.
`
`· · · · · · · · · · 102 W. PENNSYLVANIA AVENUE,
`
`· · · · · · · · · THE ROYSTON BUILDING, SUITE 350
`
`· · · · · · · · · · · TOWSON, MARYLAND 21204
`
`· · · · · · ·
`
` · ·REPORTED BY:· Ronda J. Thomas, RPR, CRR
`
`
`U.S. LEGAL SUPPORTU.S. LEGAL SUPPORT
`
`(415) 362-4346(415) 362-4346
`
`·YVer1f
`
`Patent Owner Finjan, Inc. - Ex. 2035, p. 1
`
`

`
`
`Aviel Rubin, Ph.D.Aviel Rubin, Ph.D.
`
`November 14, 2016November 14, 2016
`
`·1· ·APPEARANCES:
`
`·2
`
`Page 2
`
`·1· · · · · · · · · · ·INDEX TO EXHIBITS
`
`·2· · · · · · · · · · ·AVIEL RUBIN, Ph.D.
`
`Page 4
`
`·3· · · · ON BEHALF OF THE PATENT OWNER:
`
`·3· · · · · Palo Alto Networks, Inc. vs. Finjan, Inc.
`
`·4· · · · MICHAEL LEE, ESQUIRE
`
`·4· · · · · · · · · Monday November 14, 2016
`
`·5· · · · · ·Kramer, Levin, Naftalis and Frankel, LLP
`
`·5
`
`·6· · · · · ·990 Marsh Road
`
`·6· ·Exhibit No.· · · · · · · · · · · · · · · · · Marked
`
`·7· · · · · ·Menlo Park, California 94025
`
`·7· ·Exhibit 1· ·Supplemental Declaration of Aviel· · ·6
`
`·8· · · · · ·Telephone:· 650-752-1416
`
`·8· · · · · · · ·Rubin In Support Of Petitioner's
`
`·9· · · · · ·Email:· Mhlee@kramerlevin.com
`
`·9· · · · · · · ·Reply
`
`10
`
`10· ·Exhibit 2· ·Article, "Install-Time Vaccination· ·11
`
`11· · · · ON BEHALF OF THE PETITIONER:
`
`11· · · · · · · ·of Windows Executables to Defend
`
`12· · · · BRIAN EUTERMOSER, ESQUIRE
`
`12· · · · · · · ·Against Stack Smashing Attacks."
`
`13· · · · · ·Cooley, LLP
`
`13· ·Exhibit 3· ·U.S. Patent No. 8,141,154· · · · · · 30
`
`14· · · · · ·380 Interlocken Crescent, Suite 900
`
`14· ·Exhibit 4· ·U.S. Patent Application No.· · · · · 30
`
`15· · · · · ·Broomfield, Colorado 80021
`
`15· · · · · · · ·2005-0108562 to Khazan
`
`16· · · · · ·Telephone:· 720-566-4203
`
`17· · · · · ·Email:· Beutermoser@cooley.com
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25· ·ALSO PRESENT:· ADAM NUDELMAN, VIDEOGRAPHER
`
`·1· · · · · · · · · · ·INDEX TO EXAMINATION
`
`Page 3
`
`·2
`
`·3· ·WITNESS:
`
`·4· ·Examination By:· · · · · · · · · · · · · · · · Page
`
`·5· ·Mr. Lee· · · · · · · · · · · · · · · · · · · · · ·6
`
`·6
`
`·7
`
`·8
`
`·9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`Page 5
`·1· · · · ·MONDAY, NOVEMBER 14, 2016, TOWSON, MARYLAND
`·2· · · · · · · · · · · · ·12:49 P.M.
`·3· · · · · · · · · · · · · *· ·*· ·*
`·4· · · · · · · · · · · · ·PROCEEDINGS
`·5· · · · · · · ·THE VIDEOGRAPHER:· Here begins tape number
`·6· ·one in the videotaped deposition of Dr. Aviel Rubin in
`·7· ·the matter of Palo Alto Networks, Inc. versus Finjan,
`·8· ·Inc., in the U.S. District Court for the Northern
`·9· ·District of California.· San Jose Division.· Case No.
`10· ·IPR2015-01974.
`11· · · · · · · ·Today's date is 11/14/16.· Time on the
`12· ·video monitor is 12:49 p.m.· Videographer today is Adam
`13· ·Nudelman representing Gore Brothers.· Video deposition
`14· ·is taken place at Gore Brother, 102 West Pennsylvania
`15· ·Avenue, Towson, Maryland.
`16· · · · · · · ·Would counsel please voice identify
`17· ·themselves and state whom they represent.
`18· · · · · · · ·MR. LEE:· Michael Lee representing Patent
`19· ·Owner Finjan, Kramer Levin.
`20· · · · · · · ·MR. EUTERMOSER:· Brian Eutermoser with
`21· ·Cooley on behalf of Petitioner Palo Alto Networks.
`22· · · · · · · ·THE VIDEOGRAPHER:· Court reporter today is
`23· ·Ronda Thomas representing Gore Brothers. Will the
`24· ·reporter please swear in the witness.
`25· ·Whereupon,
`
`
`U.S. LEGAL SUPPORTU.S. LEGAL SUPPORT
`
`(415) 362-4346(415) 362-4346
`
`2 to 5 YVer1f
`
`Patent Owner Finjan, Inc. - Ex. 2035, p. 2
`
`

`
`
`Aviel Rubin, Ph.D.Aviel Rubin, Ph.D.
`
`November 14, 2016November 14, 2016
`
`Page 6
`
`·1· · · · · · · · · · AVIEL RUBIN, PH.D.,
`·2· ·called as a witness, having been first duly sworn to
`·3· ·tell the truth, the whole truth, and nothing but the
`·4· ·truth, was examined and testified as follows:
`·5· · · · · · · · · EXAMINATION BY MR. LEE:
`·6· · · · Q· · · Please state your full name and address for
`·7· ·the record.
`·8· · · · A· · · Aviel David Rubin, at 3 Thornhaugh,
`·9· ·T-H-O-R-N-H-A-U-G-H, Court in Pikesville, Maryland
`10· ·21208.
`11· · · · Q· · · Do you understand why you're here today?
`12· · · · A· · · Yes.
`13· · · · Q· · · Why are you here today?
`14· · · · A· · · You are taking my deposition.
`15· · · · Q· · · What do you understand this deposition to
`16· ·be about?
`17· · · · A· · · My supplemental declaration in the '154
`18· ·patent IPR case.
`19· · · · · · · ·(Deposition Exhibit 1 was marked for
`20· ·purposes of identification.)
`21· · · · Q· · · You've been handed an exhibit marked as
`22· ·Exhibit Number 1.· Exhibit Number 1 is entitled,
`23· ·"Supplemental Declaration Of Aviel Rubin In Support Of
`24· ·Petitioner's Reply," marked as Palo Alto Networks
`25· ·Exhibit 1045.
`
`Page 8
`·1· · · · Q· · · Which opinions are you referring to?
`·2· · · · A· · · The opinions in this document.
`·3· · · · Q· · · Can you summarize the opinions in this
`·4· ·document that you're referring to?
`·5· · · · · · · ·MR. EUTERMOSER:· Object to the form.
`·6· ·Document speaks for itself.
`·7· · · · A· · · It's a very short document so I don't think
`·8· ·that I need to summarize it.· It's what it says here.
`·9· · · · Q· · · Can you summarize it, though?
`10· · · · · · · ·MR. EUTERMOSER:· Same objection.
`11· · · · A· · · I'm worried that if I summarize it I would
`12· ·leave something out so I could read it to you if you
`13· ·would like.
`14· · · · Q· · · So sitting here today, you cannot give me
`15· ·any kind of summary of your declaration, correct?
`16· · · · · · · ·MR. EUTERMOSER:· Same objection.· Also
`17· ·mischaracterizes his testimony.
`18· · · · A· · · I could but I would worry that if I
`19· ·summarized I might leave something out and so, you
`20· ·know, it's a very short document and I think it speaks
`21· ·for itself.
`22· · · · Q· · · Please provide your summary?
`23· · · · · · · ·MR. EUTERMOSER:· Same objections.
`24· · · · A· · · So I stated that I have personal knowledge
`25· ·of the facts in this declaration.· I list my rate.· And
`
`Page 7
`·1· · · · · · · ·Is Exhibit Number 1 the supplemental
`·2· ·declaration you're referring to?
`·3· · · · A· · · Yes.
`·4· · · · Q· · · Can you refer to page 7 of Exhibit Number
`·5· ·1.· Let me know when you're there.
`·6· · · · A· · · I'm there.
`·7· · · · Q· · · Is that your signature at the bottom of
`·8· ·page 7?
`·9· · · · A· · · Yes.
`10· · · · Q· · · Did you sign this document on October 28th,
`11· ·2016?
`12· · · · A· · · Yes.
`13· · · · Q· · · Why were you asked to put in a supplemental
`14· ·declaration on October 28th, 2016?
`15· · · · · · · ·MR. EUTERMOSER:· Object to the form.
`16· ·Caution the witness not to reveal communications with
`17· ·counsel.
`18· · · · A· · · Yeah, I can't discuss the communications I
`19· ·had with the lawyers.
`20· · · · Q· · · You cannot say any reason why, correct,
`21· ·sitting here today on November 14th, 2016?
`22· · · · A· · · It's part of the process.· They -- the two
`23· ·parties responded to each other and the attorneys in
`24· ·their response I suppose wanted to cite to their expert
`25· ·and so I provided these opinions.
`
`Page 9
`·1· ·I talk about the items that I was reviewing and my own
`·2· ·expertise.
`·3· · · · · · · ·Then I describe the document, Medvidovic
`·4· ·deposition transcript, and a document by Nebenzahl and
`·5· ·Wool -- it's a typo by the way.· It should be "Wool"
`·6· ·and it says "Wood."
`·7· · · · · · · ·Then after that I talk about that one of
`·8· ·ordinary skill would have known how to instrument
`·9· ·applications.· And I give some quotes from Khazan that
`10· ·support, support that.
`11· · · · · · · ·And then I talk about things that Khazan
`12· ·discloses, discuss Detours, and how Khazan describes
`13· ·what Detours does.· And why Khazan describes that Win
`14· ·132 API functions are instrumentive.· And some more
`15· ·things that Khazan describes.
`16· · · · · · · ·And then I talk about how one of ordinary
`17· ·skill in the art would have known how to apply the
`18· ·teachings of Khazan to instrument an executable
`19· ·application.
`20· · · · · · · ·I talk about the Medvidovic's testimony and
`21· ·why I disagree with his testimony.
`22· · · · · · · ·And I then talk about the Nebenzahl and
`23· ·Wool article and I explain why that article bolsters my
`24· ·position that IDA Pro was in common use before the '154
`25· ·patent and then I talk about, you know, that one of
`
`
`U.S. LEGAL SUPPORTU.S. LEGAL SUPPORT
`
`(415) 362-4346(415) 362-4346
`
`6 to 9 YVer1f
`
`Patent Owner Finjan, Inc. - Ex. 2035, p. 3
`
`

`
`
`Aviel Rubin, Ph.D.Aviel Rubin, Ph.D.
`
`November 14, 2016November 14, 2016
`
`Page 10
`·1· ·ordinary skill in the art would know how to instrument
`·2· ·an application using IDA Pro as identified in Khazan.
`·3· · · · · · · ·I talk about my disagreement with
`·4· ·Medvidovic's and what would have been obvious to one of
`·5· ·ordinary skill in the art.· How to instrument
`·6· ·applications with Khazan.
`·7· · · · · · · ·Then I reserved my right to offer more
`·8· ·opinions.· That's, there may be more things in here but
`·9· ·that's, I guess the summary of it.
`10· · · · Q· · · You mentioned that you cited Exhibit Number
`11· ·1044 Nebenzahl and Wool, correct?
`12· · · · A· · · Yes.
`13· · · · Q· · · When were you first aware of this document?
`14· · · · A· · · Probably in late 2003, 2004.
`15· · · · Q· · · How did you become aware of the Nebenzahl
`16· ·document?
`17· · · · A· · · So I worked actively as a researcher in
`18· ·this field and actually Avishai Wool, the second
`19· ·officer is someone I know very well.· He was at the
`20· ·labs when I was at AT&T labs.· He was at Bell Labs.
`21· ·And in fact he was my host for my last sabbatical at
`22· ·Tel Aviv University.· So his research is research that
`23· ·I followed closely.· And when he wrote this paper I'm
`24· ·sure that I was aware of it, along with a lot of other
`25· ·papers in the field at the time.
`
`Page 12
`
`·1· · · · Q· · · What's an application?
`·2· · · · · · · ·MR. EUTERMOSER:· Object to the form.
`·3· · · · A· · · In what context?
`·4· · · · Q· · · In the context of what you said,
`·5· ·instrumenting applications?
`·6· · · · · · · ·MR. EUTERMOSER:· Object to the form.
`·7· · · · A· · · So you're talking about the context of
`·8· ·the '154 patent or just in general outside of this
`·9· ·case.
`10· · · · Q· · · In the context of your declaration?
`11· · · · · · · ·MR. EUTERMOSER:· Object to the form.
`12· · · · A· · · Can you show me which occurrence you're
`13· ·referring to in my declaration.
`14· · · · Q· · · I'm talking about your summary.· You said,
`15· ·you're talking about instrumenting applications,
`16· ·correct?
`17· · · · A· · · Yes.
`18· · · · Q· · · So my question is, what is an application?
`19· · · · · · · ·MR. EUTERMOSER:· Object to the form.
`20· · · · A· · · So are you referring to paragraph 14 for
`21· ·example where I say that I disagree with
`22· ·Dr. Medvidovic's testimony that Khazan does not teach
`23· ·instrumenting applications?· Is that the applications
`24· ·that you're talking about.
`25· · · · Q· · · Again, you gave a summary.· Do you recall
`
`Page 11
`·1· · · · Q· · · The Nebenzahl document, it's not cited in
`·2· ·your previous declaration, correct?
`·3· · · · A· · · That's right.
`·4· · · · Q· · · You could have cited the Nebenzahl document
`·5· ·in your previous declaration, correct?
`·6· · · · · · · ·MR. EUTERMOSER:· Object to form.
`·7· · · · A· · · I suppose I could cite any document that I
`·8· ·want.
`·9· · · · · · · ·(Deposition Exhibit 2 was marked for
`10· ·purposes of identification.)
`11· · · · Q· · · You've been handed an exhibit marked as
`12· ·Exhibit Number 2.· Exhibit Number 2 is entitled,
`13· ·"Install-Time Vaccination of Windows Executables to
`14· ·Defend Against Stack Smashing Attacks."· By Nebenzahl
`15· ·and Wool.
`16· · · · · · · ·And at the bottom it's marked as
`17· ·Exhibit 1044.
`18· · · · · · · ·Is this the Nebenzahl document we have been
`19· ·referring to?
`20· · · · A· · · Yes.
`21· · · · Q· · · Previously you mentioned that instrumenting
`22· ·applications.· Do you recall that?
`23· · · · A· · · When I was summarizing the report?
`24· · · · Q· · · Correct.
`25· · · · A· · · Yes.
`
`Page 13
`
`·1· ·that?
`·2· · · · A· · · Right.
`·3· · · · Q· · · Where you talked about instrumenting
`·4· ·applications.· You understand what an application is,
`·5· ·correct?
`·6· · · · · · · ·MR. EUTERMOSER:· Object to the form.
`·7· ·Argumentative.
`·8· · · · A· · · Yes.
`·9· · · · Q· · · What is an application?
`10· · · · · · · ·MR. EUTERMOSER:· Same objection.
`11· · · · A· · · I'm just --
`12· · · · · · · ·MR. EUTERMOSER:· Also vague and ambiguous.
`13· · · · A· · · I'm trying to understand if you're
`14· ·referring to applications in paragraph 14 when you ask
`15· ·me what's an application or is it something broader?
`16· · · · Q· · · It's within the context of your
`17· ·declaration?
`18· · · · · · · ·MR. EUTERMOSER:· Object to the form.
`19· · · · A· · · I mentioned application in multiple places
`20· ·so I want to look and review because you are looking
`21· ·for a catchall now that will cover all of them, right?
`22· · · · Q· · · I'm just talking about your summary that
`23· ·you said of your declaration.· You mentioned
`24· ·instrumenting applications, correct?
`25· · · · A· · · Right.· One of the reasons that I didn't
`
`
`U.S. LEGAL SUPPORTU.S. LEGAL SUPPORT
`
`(415) 362-4346(415) 362-4346
`
`10 to 13 YVer1f
`
`Patent Owner Finjan, Inc. - Ex. 2035, p. 4
`
`

`
`
`Aviel Rubin, Ph.D.Aviel Rubin, Ph.D.
`
`November 14, 2016November 14, 2016
`
`Page 14
`·1· ·want to give a summary is that I didn't want to, you
`·2· ·know, I didn't prepare a summary of this.· I just
`·3· ·prepared this document.· And I didn't want to be held
`·4· ·to that summary because it was kind of on-the-fly.
`·5· · · · · · · ·So I'd rather look at a specific part of my
`·6· ·declaration and answer questions about that than an
`·7· ·on-the-fly summary that I provided.
`·8· · · · Q· · · So sitting here today, you can't tell me
`·9· ·what an application is, correct?
`10· · · · · · · ·MR. EUTERMOSER:· Objection.
`11· ·Mischaracterizes his testimony.· It's also vague and
`12· ·ambiguous.
`13· · · · A· · · That's not correct.· I just have multiple
`14· ·locations that I discuss an application in here and I'm
`15· ·asking which one you want me to, to describe or define
`16· ·for you?· Or if you're asking for a catchall that will
`17· ·cover all of them.
`18· · · · Q· · · In your summary you talked about
`19· ·instrumenting applications, I just want to know what
`20· ·you mean by applications?
`21· · · · · · · ·MR. EUTERMOSER:· Objection.· Vague and
`22· ·ambiguous.· Mischaracterizes his testimony.
`23· · · · A· · · So my summary was not precise the way the
`24· ·document is.· I put a lot of thought into it and
`25· ·reviewed every word.· And the summary was an on-the-fly
`
`Page 16
`·1· · · · A· · · I don't have multiple meanings for the word
`·2· ·"application."
`·3· · · · Q· · · Can you tell me what the meaning of
`·4· ·application is that you applied in your declaration?
`·5· · · · · · · ·MR. EUTERMOSER:· Objection.· Vague and
`·6· ·ambiguous.· Foundation.
`·7· · · · A· · · So I would say when I'm talking about
`·8· ·applications in this declaration, I'm talking about
`·9· ·instrumenting applications, which is talking about code
`10· ·that's running or executables.
`11· · · · Q· · · So an application is code that's running;
`12· ·is that correct?
`13· · · · · · · ·MR. EUTERMOSER:· Object to the form.
`14· · · · A· · · Well, you could have an application that
`15· ·isn't running but it's code that can run or that's
`16· ·running.
`17· · · · Q· · · So is it fair to say that an application in
`18· ·your opinion is code that can be run?
`19· · · · · · · ·MR. EUTERMOSER:· Object to the form.
`20· · · · A· · · I would say that code that can be run can
`21· ·be part of an application.
`22· · · · Q· · · So it's not fair to say that any code that
`23· ·can be run is an application?
`24· · · · · · · ·MR. EUTERMOSER:· Object to the form.
`25· · · · A· · · Well, I think in general that might be the
`
`Page 15
`·1· ·description, I didn't come here today to answer
`·2· ·questions about my summary.· I want to answer questions
`·3· ·about the documents.
`·4· · · · · · · ·I'm trying to understand if you want a
`·5· ·specific instance that you want to point to of
`·6· ·application or if you're asking me to define it in a
`·7· ·way that covers all the instances of the word
`·8· ·application in the actual declaration, not on-the-fly
`·9· ·summary.
`10· · · · Q· · · What different types of applications do you
`11· ·discuss in your declaration?
`12· · · · · · · ·MR. EUTERMOSER:· Object to the form.
`13· · · · · · · ·(Witness reading.)
`14· · · · A· · · So there's some described on page 2 in
`15· ·paragraph 2 where I quote Khazan talking about binary
`16· ·machine executable programs, script programs and
`17· ·command programs which I understand to mean shell
`18· ·scripts.· Those are different types applications.
`19· · · · Q· · · So just to be clear, where do you use the
`20· ·term applications and provide two different meanings
`21· ·for them?
`22· · · · A· · · I never said I did.
`23· · · · Q· · · So when you use the word "application,"
`24· ·there's only one meaning, correct?
`25· · · · · · · ·MR. EUTERMOSER:· Object to the form.
`
`Page 17
`·1· ·case, but in this particular declaration I'm talking
`·2· ·about instrumenting code, instrumenting applications
`·3· ·and how you could prevent malicious code from running
`·4· ·inside of other codes so I don't think it's limited
`·5· ·here to self-contained applications like if you would
`·6· ·purchase.· Like, if you went in and purchased Microsoft
`·7· ·Word, yeah, that's an application.· But in the context
`·8· ·here we're talking about code that can be instrumented
`·9· ·to prevent malware from running.
`10· · · · Q· · · So in the context of your declaration is it
`11· ·fair to say that an application is any code that can be
`12· ·run?
`13· · · · · · · ·MR. EUTERMOSER:· Object to the form.
`14· · · · A· · · Let me say that what I do think is fair to
`15· ·say is that when I talk about the instrumentation of
`16· ·applications I'm talking about the instrumentation of
`17· ·code that can run.
`18· · · · Q· · · So can you answer the question that I asked
`19· ·is whether an application is any code that can be run?
`20· · · · · · · ·MR. EUTERMOSER:· Objection.· Asked and
`21· ·answered.
`22· · · · A· · · So I don't look at it from that point of
`23· ·view.· I look at it from the point of view that if
`24· ·you're talking about technologies for instrumenting
`25· ·applications, you're talking about instrumenting code.
`
`
`U.S. LEGAL SUPPORTU.S. LEGAL SUPPORT
`
`(415) 362-4346(415) 362-4346
`
`14 to 17 YVer1f
`
`Patent Owner Finjan, Inc. - Ex. 2035, p. 5
`
`

`
`
`Aviel Rubin, Ph.D.Aviel Rubin, Ph.D.
`
`November 14, 2016November 14, 2016
`
`Page 18
`·1· ·Whether or not it's any code, you know, I didn't
`·2· ·provide the boundaries of what defines an application.
`·3· ·I'm just saying that I'm talking about instrumenting
`·4· ·code that can run.
`·5· · · · Q· · · So sitting here today you can't answer
`·6· ·either way whether an application is any code that can
`·7· ·be run, correct?
`·8· · · · · · · ·MR. EUTERMOSER:· Objection.· Vague and
`·9· ·ambiguous.· Mischaracterizes his testimony.
`10· · · · A· · · Again, I don't think that the boundaries of
`11· ·what defines an application is relevant here.· It's
`12· ·really just if you're looking at code that's running
`13· ·and you're talking about instrumenting it, that's
`14· ·instrumenting an application, whatever the application
`15· ·is.· Whether all the code is an application or it's not
`16· ·part of the application is not relevant to this
`17· ·discussion.
`18· · · · Q· · · So in your opinion an application is not
`19· ·any code that can be run, correct?
`20· · · · · · · ·MR. EUTERMOSER:· Same objections.· Also
`21· ·relevance and outside the scope.
`22· · · · A· · · I don't think I said that.
`23· · · · Q· · · Is that your opinion though?
`24· · · · A· · · Is what?
`25· · · · Q· · · Is it your opinion that an application is
`
`Page 20
`
`·1· ·program does.
`·2· · · · Q· · · Why would a person want to figure out what
`·3· ·a program does?
`·4· · · · · · · ·MR. EUTERMOSER:· Object to the form.
`·5· · · · A· · · So there's a whole field called reverse
`·6· ·engineering and if, let's say -- so let me -- it's a
`·7· ·question that's sort of not really relevant to what
`·8· ·we're talking about so I'm going to give an example
`·9· ·that's not also.
`10· · · · · · · ·Let's say there are two competing companies
`11· ·and they're very, very strongly competitive with each
`12· ·other.· And one of the companies gets their hands on a
`13· ·binary that the other company uses for their product
`14· ·and they want to understand what their competitor's
`15· ·algorithms are and all they have is this binary, then
`16· ·they could disassemble it, reverse engineer it and
`17· ·understand what the algorithm was that was implemented.
`18· ·Without that disassembly step it wouldn't be possible
`19· ·to understand what their algorithms were.
`20· · · · Q· · · Before you gave that explanation, you said
`21· ·that it's not relevant to what we're talking about?
`22· · · · A· · · The question that you asked wasn't
`23· ·relevant.· You asked me why would a reverse engineer
`24· ·want to analyze a program.
`25· · · · Q· · · Why is that not relevant?
`
`Page 19
`
`·1· ·not any code that can be run?
`·2· · · · · · · ·MR. EUTERMOSER:· Same objections.
`·3· · · · A· · · I don't offer opinion about what is or
`·4· ·isn't an application in my declaration.
`·5· · · · Q· · · Previously we were talking about the IDA
`·6· ·Pro disassembler.· Do you recall that?
`·7· · · · A· · · Yes.
`·8· · · · Q· · · What's a disassembler?
`·9· · · · A· · · It's a program that takes machine code and
`10· ·turns it into assembly code.
`11· · · · Q· · · What's the purpose of a disassembler?
`12· · · · A· · · It allows an analyst to look at a binary
`13· ·program in ways that are more visual and more
`14· ·understandable than just looking at machine code.
`15· · · · Q· · · Why would an analyst do this?
`16· · · · A· · · A lot of reasons.· If they want to
`17· ·understand what the program does.· Say that you're
`18· ·given a binary and you don't know what it is or what it
`19· ·does, you just find it on your system.· The first step
`20· ·would be, if you were trying to analyze it, would be to
`21· ·run it through a disassembler because it's a lot easier
`22· ·to analyze assembly code than a machine code.
`23· · · · Q· · · When you say an analyzer, what do you mean
`24· ·by an analyzer?
`25· · · · A· · · A person whose job is to figure out what a
`
`Page 21
`·1· · · · A· · · Because I don't discuss analyzing programs
`·2· ·for what they do in my declaration.
`·3· · · · Q· · · Is that the typical use of a disassembler?
`·4· · · · A· · · It's one very common use.
`·5· · · · Q· · · You wouldn't say that was a typical use,
`·6· ·correct?
`·7· · · · A· · · Oh, I would.· It's a typical use.
`·8· · · · Q· · · When you say a typical use, it's the
`·9· ·reverse engineering process, correct?
`10· · · · A· · · Right.· I would say that reverse
`11· ·engineering programs starting with binaries, typically
`12· ·the first step is to use a disassembly and IDA Pro is
`13· ·the best known disassembly.
`14· · · · Q· · · And analysts typically use this to find out
`15· ·what a competitor's program is doing?
`16· · · · A· · · That's one use that's very common.
`17· · · · Q· · · Would you say that's the typical use?
`18· · · · A· · · I wouldn't say necessarily a competitor's
`19· ·because there are a lot of scenarios where you come up.
`20· ·Another example is if you see a piece of code and you
`21· ·want to know if it's malicious, you can't tell from a
`22· ·binary what it does without disassembling it and
`23· ·performing an analysis of it.
`24· · · · Q· · · How is that different from your previous
`25· ·example?
`
`
`U.S. LEGAL SUPPORTU.S. LEGAL SUPPORT
`
`(415) 362-4346(415) 362-4346
`
`18 to 21 YVer1f
`
`Patent Owner Finjan, Inc. - Ex. 2035, p. 6
`
`

`
`
`Aviel Rubin, Ph.D.Aviel Rubin, Ph.D.
`
`November 14, 2016November 14, 2016
`
`Page 22
`·1· · · · · · · ·MR. EUTERMOSER:· Object to the form.
`·2· · · · A· · · The malware doesn't deal with competitors'
`·3· ·products.
`·4· · · · Q· · · Do you see in paragraph 3 you talk about
`·5· ·Khazan describes instrumenting and executable
`·6· ·applications?
`·7· · · · A· · · Yes.
`·8· · · · Q· · · Can you elaborate what you mean by
`·9· ·libraries?
`10· · · · A· · · So libraries are an example of libraries in
`11· ·the windows environment of DLLs, dynamically linked
`12· ·libraries.· Its codes that link functions that are
`13· ·common to multiple applications.· So rather than having
`14· ·every application have to write the code for that
`15· ·function, like to print something or to read something,
`16· ·those -- that code goes into a library which different
`17· ·applications can link to and then have that
`18· ·functionality available to them.
`19· · · · Q· · · What's the difference between libraries and
`20· ·executable applications?
`21· · · · · · · ·MR. EUTERMOSER:· Object to the form.
`22· · · · A· · · Isn't that what I just answered?
`23· · · · Q· · · Maybe you can elaborate.· Can you
`24· ·elaborate.· Strike that.· Let me ask a cleaner
`25· ·question.
`
`Page 24
`
`·1· ·point.
`·2· · · · Q· · · Why is it that a library doesn't have an
`·3· ·entry point or exit point?
`·4· · · · A· · · Because a library is not intended to stand
`·5· ·alone.· It's, it's code that is available to other
`·6· ·programs.
`·7· · · · Q· · · Can you go to paragraph 7.· Do you see
`·8· ·where you state:· Khazan gives how these calls may be
`·9· ·implemented in assembly language and an application
`10· ·binary?
`11· · · · A· · · I think you read that wrong but...
`12· · · · Q· · · Sorry?
`13· · · · A· · · You didn't say "examples."
`14· · · · Q· · · Sorry.· Let me ask a new question.
`15· · · · · · · ·So paragraph 7 it says:· Khazan gives
`16· ·examples of how these calls may be implemented and
`17· ·assembly language in an application binary.· Correct?
`18· · · · A· · · Yes.
`19· · · · Q· · · What do you mean by these calls?
`20· · · · A· · · I just need to look back because I'm
`21· ·obviously referring to something I said earlier.
`22· · · · · · · ·(Witness reading.)
`23· · · · A· · · These calls is referring to instrumented
`24· ·binaries.
`25· · · · Q· · · A call is an instrumented library?
`
`Page 23
`·1· · · · · · · ·Can you elaborate the difference between
`·2· ·libraries and executable applications?
`·3· · · · · · · ·MR. EUTERMOSER:· Object to the form.
`·4· · · · A· · · I thought that was the exact question you
`·5· ·just asked me.· You want a longer answer?
`·6· · · · Q· · · My question was, what was a library?
`·7· · · · A· · · Oh, okay.· So --
`·8· · · · Q· · · Now I'm asking what's the difference
`·9· ·between libraries and executable applications?
`10· · · · A· · · I've got it.
`11· · · · · · · ·MR. EUTERMOSER:· Objection.· Foundation.
`12· · · · A· · · So libraries, as you just said, are code
`13· ·that's common to multiple applications or they can be,
`14· ·that's available for them to call and application is a
`15· ·program that can run.
`16· · · · · · · ·So you don't -- a library doesn't have a
`17· ·starting point or an ending point, it's a collection of
`18· ·functions.· An application has a starting point and
`19· ·usually an ending point.
`20· · · · Q· · · Can you elaborate what do you mean by a
`21· ·library doesn't have a starting point or ending point?
`22· · · · A· · · There's no initial function in the library.
`23· ·There's no order to the functions in the library.· It's
`24· ·a collection of functions.· An application has an entry
`25· ·point and then has code and then it has usually an exit
`
`Page 25
`
`·1· · · · A· · · I'm sorry?
`·2· · · · Q· · · Did you say a call is an instrumented
`·3· ·library?
`·4· · · · A· · · No, I didn't say that.
`·5· · · · Q· · · Can you elaborate what you mean by these
`·6· ·calls refer to instrumented library?
`·7· · · · A· · · I didn't say that.
`·8· · · · Q· · · What do you mean by these calls?
`·9· · · · A· · · These calls refer to calls to instrumented
`10· ·binaries.
`11· · · · Q· · · What's a call?
`12· · · · · · · ·MR. EUTERMOSER:· Object to the form.
`13· · · · A· · · I assume you mean within the context of my
`14· ·declaration and not like a phone call or something like
`15· ·that?
`16· · · · Q· · · Correct.
`17· · · · A· · · So in paragraph 7 where I'm quoting Khazan
`18· ·it talks about a particular type of target calls and
`19· ·that's an invocation of a function.
`20· · · · Q· · · Is a call an instruction?
`21· · · · · · · ·MR. EUTERMOSER:· Object to the form.
`22· · · · A· · · Yes.· There is an instruction that's a call
`23· ·instruction.
`24· · · · Q· · · Is a call a function?
`25· · · · · · · ·MR. EUTERMOSER:· Object to the form.
`
`
`U.S. LEGAL SUPPORTU.S. LEGAL SUPPORT
`
`(415) 362-4346(415) 362-4346
`
`22 to 25 YVer1f
`
`Patent Owner Finjan, Inc. - Ex. 2035, p. 7
`
`

`
`
`Aviel Rubin, Ph.D.Aviel Rubin, Ph.D.
`
`November 14, 2016November 14, 2016
`
`Page 26
`
`·1· · · · A· · · A call is made to a function.
`·2· · · · Q· · · But a call itself is not a function?
`·3· · · · A· · · A call itself can be a function, because
`·4· ·you can have a function called call.
`·5· · · · Q· · · And Khazan is a call, the same thing as a
`·6· ·function?
`·7· · · · A· · · I didn't see anywhere in Khazan that
`·8· ·referred to a specific call function.· Khazan talks
`·9· ·about calling functions.
`10· · · · Q· · · So Khazan differentiates calls from
`11· ·functions?
`12· · · · A· · · I didn't say that.· I just said that in
`13· ·Khazan there's no description of a function called
`14· ·call.· When Khazan describes calling he's talking about
`15· ·jumping to code that's that function code.
`16· · · · Q· · · Is it fair to say that Khazan
`17· ·differentiates calls from functions?
`18· · · · · · · ·MR. EUTERMOSER:· Object to the form.
`19· · · · A· · · I think in order for that to be fair, there
`20· ·would have to be a place in Khazan where a distinction
`21· ·is drawn between a call and a function and I don't
`22· ·remember any language to that effect in Khazan.
`23· · · · Q· · · So is it fair to say in Khazan a call and a
`24· ·function can be the same thing?
`25· · · · · · · ·MR. EUTERMOSER:· Object to the form.
`
`Page 28
`·1· · · · · · · ·MR. EUTERMOSER:· Object to the form.
`·2· · · · A· · · Khazan talks about instrumenting code.
`·3· ·Whether it's applications or libraries or even scripts
`·4· ·or other types of programs.
`·5· · · · Q· · · But my question is, is it fair to say that
`·6· ·Khazan instruments functions?
`·7· · · · · · · ·MR. EUTERMOSER:· Object to the form.
`·8· · · · A· · · Well, sure.· Functions are code and some of
`·9· ·the code that can be instrumented can contain functions
`10· ·and Khazan also describes how to put a wrapper in
`11· ·assembly around a function in which case it's
`12· ·instrumenting the function.
`13· · · · Q· · · Khazan doesn't instrument calls, correct?
`14· · · · · · · ·MR. EUTERMOSER:· Object to the form.
`15· · · · A· · · I don't know what it means to say that. I
`16· ·don't think that's a proper description of what happens
`17· ·in a program.
`18· · · · Q· · · And that's because calls don't have any
`19· ·code; is that correct?
`20· · · · · · · ·MR. EUTERMOSER:· Object to the form.
`21· · · · A· · · Calls have code.· But you're overloading
`22· ·the term call.· So the term call, you can speak in
`23· ·general and say I'm going to call a particular function
`24· ·or you could have the word "call" which could be a key
`25· ·word in your language which could then be like an exec
`
`Page 27
`·1· · · · A· · · I don't think that's a fair statement
`·2· ·either.
`·3· · · · Q· · · Why is that?
`·4· · · · A· · · Because Khazan talks about instrumenting
`·5· ·functions and doesn't talk about instrumenting calls.
`·6· ·I mean, those are, well, let me back away.
`·7· · · · · · · ·The question was whether functions and
`·8· ·calls are the same thing in Khazan?· The calling is the
`·9· ·action and the function is the thing that the action is
`10· ·being applied to.· So in that sense they're, they're,
`11· ·you know, they're different.
`12· · · · Q· · · You mentioned instrumenting functions
`13· ·versus instrumenting calls.· Do you recall that?
`14· · · · A· · · I think I got a little tongue-tied in the
`15· ·last answer so that's why I said that I was going to
`16· ·start over.
`17· · · · Q· · · Is there a difference between instrumenting
`18