`
`
`
`
`
`
`
`
`
`
`
`UNITED STATES PATENT AND TRADEMARK OFFICE
`_____________________________
`
`BEFORE THE PATENT TRIAL AND APPEAL BOARD
`
`_____________________________
`
`WIZ, INC.,
`Petitioner,
`
`v.
`
`ORCA SECURITY LTD,
`Patent Owner.
`
`_____________________________
`
`Case IPR2024-00220
`Patent No. 11,431,735
`_____________________________
`
`
`DECLARATION OF DR. ANGELOS STAVROU
`
`
`
`
`
`WIZ, Inc. EXHIBIT - 1002
`WIZ, Inc. v. Orca Security LTD. - IPR2024-00220
`
`

`

`
`
`TABLE OF CONTENTS
`
`ENGAGEMENT ............................................................................................. 1
`I.
`QUALIFICATIONS ....................................................................................... 1
`II.
`III. COMPENSATION ......................................................................................... 3
`IV.
`INFORMATION CONSIDERED .................................................................. 3
`V.
`LEGAL PRINCIPLES .................................................................................... 4
`VI. THE RELEVANT TIMEFRAME FOR ANALYSIS ..................................... 7
`VII. PERSON OF ORDINARY SKILL IN THE ART .......................................... 8
`VIII. STATE OF THE ART .................................................................................... 8
`A. Virtualization ........................................................................................ 9
`B.
`Snapshots ............................................................................................ 19
`C.
`Cloud Computing ................................................................................ 24
`D.
`Cyber Security .................................................................................... 27
`1.
`Types of Threats and Vulnerabilities ....................................... 27
`2.
`Detecting Threats and Vulnerabilities ...................................... 35
`3.
`Responding to Threats and Vulnerabilities .............................. 44
`IX. OVERVIEW OF THE ’735 PATENT .......................................................... 49
`
`Challenged Claims .............................................................................. 52
`A.
`Prosecution History of the ’735 Patent ............................................... 52
`B.
`CLAIM CONSTRUCTION .......................................................................... 53
`A. Determining/Determine a “Location” of a Snapshot .......................... 53
`B.
`“Analyzing the Snapshot” ................................................................... 54
`i
`
`X.
`
`
`
`

`

`
`XI. OVERVIEW OF THE PRIOR ART ............................................................. 56
`A. Veselov (U.S. Patent No. 11,216,563, EX1007) ................................ 56
`B.
`Basavapatna (U.S. Pub. No. 2013/0191919, EX1008) ....................... 60
`XII. GROUND 1: CLAIMS 1-7, 9-17, AND 19 WERE OBVIOUS OVER
`VESELOV AND BASAVAPATNA ............................................................ 62
`A.
`Independent Claims ............................................................................ 63
`1.
`Independent Claim 1 ................................................................. 63
`2.
`Independent Claim 10 ............................................................. 101
`3.
`Independent Claim 11 ............................................................. 104
`4.
`Reasons Why a Person of Ordinary Skill in the Art
`Would Have Combined Veselov and Basavapatna ................ 109
`Dependent Claims ............................................................................. 115
`1.
`Dependent Claims 2 and 12 .................................................... 115
`2.
`Dependent Claims 3 and 13 .................................................... 122
`3.
`Dependent Claims 4 and 14 .................................................... 124
`4.
`Dependent Claims 5 and 15 .................................................... 134
`5.
`Dependent Claims 6 and 16 .................................................... 145
`6.
`Dependent Claims 7 and 17 .................................................... 152
`7.
`Dependent Claims 9 and 19 .................................................... 157
`XIII. CONCLUDING STATEMENTS ............................................................... 159
`XIV. APPENDIX A – MATERIALS CITED ..................................................... 161
`
`
`B.
`
`
`
`ii
`
`

`

`I, Angelos Stavrou, declare as follows:
`
`I.
`
`ENGAGEMENT
`
`1.
`
`I have been retained by counsel for Wiz, Inc. as an expert witness in the
`
`above-captioned proceeding. I have been asked to provide my opinion about the
`
`state of the art of the technology described in U.S. Patent No. 11,431,735 (the “’735
`
`patent”) and on the patentability of claims 1-7, 9-17, and 19 of this patent. The
`
`following is my written testimony on these topics.
`
`II. QUALIFICATIONS
`
`2.
`
`I received my M.Sc. in Electrical Engineering, M.Phil., and Ph.D. (with
`
`distinction) in Computer Science all from Columbia University. I also hold an M.Sc.
`
`in theoretical Computer Science from the University of Athens and a B.Sc. in
`
`Physics with distinction from the University of Patras, Greece.
`
`3.
`
`I am a Virginia Tech Innovation Campus founding Professor, and the
`
`Entrepreneurship activities lead. I am also a member of the Bradley Department of
`
`Electrical & Computer Engineering at Virginia Tech. From 2017 to 2020, I was a
`
`Professor in the Computer Science Department at George Mason University
`
`(“GMU”), teaching courses including Operating Systems Security and Cyber
`
`Security Laboratory. From 2012 to 2017, I was an Associate Professor in GMU’s
`
`Computer Science Department, teaching courses including Operating Systems
`
`Security, Enterprise Security Practices, and Enterprise Security Technology. From
`
`
`
`1
`
`

`

`
`
`2014 to 2017, I was an Academic Director in GMU’s School of Management for the
`
`M.S. in Management of Secure Information Systems Program. From 2013 to 2015,
`
`I was an Academic Director in GMU’s Computer Science Department for the M.S.
`
`in Information Security and Assurance Program. From 2011 to 2020, I was an
`
`Associate Researcher in the Computer Security Division at the National Institute of
`
`Standards and Technology (“NIST”). I am a co-author of numerous publications
`
`involving virtualization and cyber security, among other topics. EX1003, 3-19.
`
`4.
`
`I am also the founder of Quokka, Kryptowire Labs, Aether Argus, and
`
`Impedyme Inc. I have served as a principal investigator on research awards from
`
`NSF, DARPA, IARPA, DHS, AFOSR, ARO, ARL, and ONR. I have written more
`
`than 140 peer-reviewed conference and journal articles. Furthermore, I am an
`
`inventor of nineteen issued patents and several pending patent applications. I am an
`
`Associate Editor of IEEE Transactions on Computers, IEEE Security & Privacy, and
`
`IEEE Internet Computing magazine and a co-chair of the IEEE Blockchain initiative.
`
`I am a senior member of the ACM, USENIX, and IEEE. My current research
`
`interests include security and reliability for distributed systems, security principles
`
`for virtualization, and anonymity, focusing on building and deploying large-scale
`
`systems.
`
`
`
`2
`
`

`

`
`
`5.
`
`I received the GMU Department of Computer Science Outstanding
`
`Research Award in 2010, 2016, and 2018. Also, I was awarded the 2012 George
`
`Mason Emerging Researcher, Scholar, Creator Award, a university-wide award. In
`
`2013, I received the IEEE Reliability Society Engineer of the Year award. My team
`
`at Kryptowire was awarded the DHS Cyber Security Division’s “Significant
`
`Government Impact Award” in 2017 and the “Bang for the Buck Award” in 2019.
`
`Currently, I am the primary Principal Investigator (PI) in two DARPA awards
`
`focusing on Cyber Security for cloud and wireless systems, namely the DARPA
`
`OPS-5G and CASTLE efforts.
`
`III. COMPENSATION
`
`6.
`
`I am being compensated for my time at my standard consulting rate.
`
`My compensation is not contingent upon the results of my study and analysis, the
`
`substance of my opinions, or the specifics of my testimony. I have no financial
`
`interest in the outcome of this matter or in any litigation involving the ’735 patent.
`
`IV.
`
`INFORMATION CONSIDERED
`
`7. My opinions are based on my years of education, research and
`
`experience, as well as my investigation and study of relevant materials. In preparing
`
`this declaration, I have reviewed the ’735 patent and the ’735 patent’s file history
`
`(EX1004). I have also reviewed the materials cited in this declaration, a list of which
`
`is provided in Appendix A.
`
`3
`
`
`
`

`

`
`
`V. LEGAL PRINCIPLES
`
`8.
`
`I understand that a claim is not patentable under 35 U.S.C. §102 as
`
`anticipated if the claim as a whole is described, either expressly or inherently, in a
`
`single prior art reference. I understand that this also requires that the prior art
`
`reference disclose that each claim element is arranged as recited in the claims.
`
`9.
`
`I have been advised that a claimed invention is not patentable under 35
`
`U.S.C. §103 if it is obvious. A patent claim is unpatentable if the claimed invention
`
`would have been obvious to a person of ordinary skill in the field at the time the
`
`claimed invention was made. This means that even if all of the requirements of the
`
`claim cannot be found in a single prior art reference that would anticipate the claim,
`
`a person of ordinary skill in the relevant field who knew about all this prior art would
`
`have come up with the claimed invention.
`
`10.
`
`I have further been advised that the ultimate conclusion of whether a
`
`claim is obvious should be based upon several factual determinations. That is, a
`
`determination of obviousness requires inquiries into: (1) the level of ordinary skill
`
`in the field; (2) the scope and content of the prior art; (3) what difference, if any,
`
`existed between the claimed invention and the prior art; and (4) any secondary
`
`evidence bearing on obviousness.
`
`11.
`
`I have been advised that, in determining the level of ordinary skill in
`
`the field that someone would have had at the time the claimed invention was made,
`
`
`
`4
`
`

`

`
`
`I should consider: (1) the levels of education and experience of persons working in
`
`the field; (2) the types of problems encountered in the field; and (3) the sophistication
`
`of the technology.
`
`12.
`
`I have also been advised that, in determining the scope and content of
`
`the prior art, in order to be considered as prior art, a reference must be reasonably
`
`related to the claimed invention of the patent. A reference is reasonably related if it
`
`is in the same field as the claimed invention or is from another field to which a person
`
`of ordinary skill in the field would look to solve a known problem.
`
`13.
`
`I have been advised that a patent claim composed of several elements
`
`is not proved obvious merely by demonstrating that each of its elements was
`
`independently known in the prior art. In evaluating whether such a claim would
`
`have been obvious, I may consider whether there are reasons that would have
`
`prompted a person of ordinary skill in the field to combine the elements or concepts
`
`from the prior art in the same way as in the claimed invention.
`
`14.
`
`I have been further advised that there is no single way to define the line
`
`between true inventiveness on the one hand (which is patentable) and the application
`
`of common sense and ordinary skill to solve a problem on the other hand (which is
`
`not patentable). For example, market forces or other design incentives may be what
`
`produced a change, rather than true inventiveness. I may consider whether the
`
`
`
`5
`
`

`

`
`
`change was merely the predictable result of using prior art elements according to
`
`their known functions, or whether it was the result of true inventiveness. I may also
`
`consider whether there is some teaching or suggestion in the prior art to make the
`
`modification or combination of elements claimed in the patent. I may consider
`
`whether the innovation applies a known technique that had been used to improve a
`
`similar device or method in a similar way. I may also consider whether the claimed
`
`invention would have been obvious to try, meaning that the claimed innovation was
`
`one of a relatively small number of possible approaches to the problem with a
`
`reasonable expectation of success by those skilled in the art.
`
`15.
`
`I have also been advised, however, that I must be careful not to
`
`determine obviousness using the benefit of hindsight; many true inventions might
`
`seem obvious after the fact. I should put myself in the position of a person of
`
`ordinary skill in the field at the time the claimed invention was made and I should
`
`not consider what is known today or what is learned from the teaching of the patent.
`
`16. Finally, I have been advised that any obviousness rationale for
`
`modifying or combining prior art must include a showing that a person of ordinary
`
`skill would have had a reasonable expectation of success.
`
`17. With regard to secondary considerations of nonobviousness, I have
`
`been advised that any objective evidence may be considered as an indication that the
`
`
`
`6
`
`

`

`
`
`claimed invention would not have been obvious at the time the claimed invention
`
`was made. I understand that the purpose of secondary considerations is to prevent a
`
`hindsight analysis of the obviousness of the claims.
`
`18.
`
`I have been advised that there are several factors that may be considered
`
`as a secondary consideration. These factors include the commercial success of the
`
`invention, industry praise for the invention, skepticism of the invention, licensing of
`
`the invention, copying of the invention, any long-felt need that the invention solved,
`
`failure of others, and unexpected results of the invention.
`
`19.
`
`I have been further advised that in order for evidence of secondary
`
`considerations to be significant, there must be a sufficient nexus between the claimed
`
`invention and the evidence of secondary considerations. I understand that this nexus
`
`serves to provide a link between the merits of the claimed invention and the evidence
`
`of secondary considerations provided.
`
`VI. THE RELEVANT TIMEFRAME FOR ANALYSIS
`
`20.
`
`I understand that the ’735 patent issued from U.S. Application No.
`
`16/585,967 (“the ’967 Application”), which claimed priority to Provisional
`
`Application No. 62/797,718, filed on January 28, 2019. EX1001, Face. The ’735
`
`patent does not claim priority to any other patent applications. Id. I have been asked
`
`to assume that the effective filing date for the claims at issue here is January 28,
`
`2019.
`
`
`
`7
`
`

`

`
`
`VII. PERSON OF ORDINARY SKILL IN THE ART
`
`21. As I noted earlier in §V, I have been advised that, in determining the
`
`level of ordinary skill in the field that someone would have had at the time the
`
`claimed invention was made, I should consider: (1) the levels of education and
`
`experience of persons working in the field; (2) the types of problems encountered in
`
`the field; and (3) the sophistication of the technology.
`
`22.
`
`In my opinion, a person of ordinary skill in the art at the relevant time
`
`would have had (1) at least a bachelor’s degree in computer science, computer
`
`engineering, electrical engineering, or a related degree, and (2) would also have 2-3
`
`years of professional experience with cyber security analysis and virtualization.
`
`Such experience includes, for example, malware analysis, security analysis of cloud
`
`computing systems, and security analysis of virtual machines. I satisfied these
`
`requirements before January 28, 2019. See supra, §II. Additional experience can
`
`compensate for less education and vice versa. The State-of-the-Art section below
`
`summarizes some basic background knowledge of the type that persons of ordinary
`
`skill in the art would have had.
`
`VIII. STATE OF THE ART
`
`23.
`
`In this section, I provide a brief overview of the background art as
`
`understood by a person of ordinary skill in the art as of January 28, 2019. First, I
`
`provide a general overview of virtualization technology and cloud computing. I then
`
`
`
`8
`
`

`

`
`
`provide a high-level discussion of cyber security, including several types of threats
`
`and vulnerabilities that were commonly exploited, how those threats were detected,
`
`and common responses to detected threats. I also explain how these cyber security
`
`threat-detection, classification, and mitigation approaches were applied
`
`in
`
`virtualized cloud computing assets available as of January 28, 2019.
`
`A. Virtualization
`
`24. Virtualization refers to the decades-old process of emulating physical
`
`computers. EX1009 (Wolf), xxiii (“In running as a virtual machine, a computer’s
`
`hardware is emulated and presented to an operating system as if the hardware truly
`
`existed.”); 1 EX1010 (Waldspurger), 2 (“Virtual machines have been used for
`
`
`
`
`1 EX1009 includes excerpts from “Virtualization: From the Desktop to the
`
`Enterprise,” a book by C. Wolf and E. Halter, published in 2005 by APRESS. This
`
`book was obtained from https://link.springer.com/book/10.1007/978-1-4302-0027-
`
`7. To avoid overburdening the record, EX1009 includes only the front matter,
`
`chapter 1, chapter 6, chapter 7, and appendix A, since the book is quite large and I
`
`only cite to chapters 1, 6, and 7 and the appendix.
`
`
`
`9
`
`

`

`
`
`decades.”).2 Indeed, the technology was described as well-known even by the
`
`1970s. EX1011 (Goldberg), 35 (“[M]uch of the software for the simulated machine
`
`executes directly on the hardware without software interpretation. Systems of this
`
`kind are called virtual machine systems, the simulated machines are called virtual
`
`machines (VMs), and the simulator software is called the virtual machine monitor
`
`(VMM). … IBM[] improved virtual machine support for System/370.”).3
`
`25. An emulated physical computer was called a “virtual machine” or
`
`“VM.” EX1009 (Wolf), xxiii (“[W]orkstations and servers no longer need dedicated
`
`
`
`
`2 EX1010 is a copy of “Memory Resource Management in VMware ESX
`
`Server,” by C. Waldspurger, published by USENIX in 2002 as a part of the 5th
`
`Symposium on Operating Systems Design and Implementation. This copy was
`
`obtained from
`
`https://www.usenix.org/legacy/event/osdi02/tech/waldspurger/waldspurger.pdf.
`
`3 EX1011 is a copy of “Survey of Virtual Machine Research,” by R. Goldberg,
`
`published by the IEEE Computer Society in June 1974 in Computer Magazine,
`
`Vol. 7, No. 6. This copy was obtained from
`
`https://ieeexplore.ieee.org/document/6323581.
`
`
`
`10
`
`

`

`
`
`physical hardware such as a CPU or motherboard in order to run as independent
`
`entities. Instead, they can run inside a virtual machine (VM).”); EX1012 (Microsoft
`
`Computer Dictionary), 556 (“VM n. Acronym for Virtual Machine. An operating
`
`system for IBM mainframes that provides virtual-machine capability. VM was
`
`developed by IBM customers and later taken over by IBM itself under the name
`
`OS/VM.”).4 A virtual machine acted like a physical machine, in that it typically ran
`
`a standard operating system, such as Linux or Windows, and could run standard
`
`software applications, such as web servers.
`
` EX1010 (Waldspurger), 2
`
`(Virtualization software such as VMware’s ESX Server “is in production use on
`
`servers running multiple instances of unmodified operating systems such as
`
`Microsoft Windows 2000 Advanced Server and Red Hat Linux 7.2.”). Desktop,
`
`server, cloud, and datacenter providers routinely used many different virtualization
`
`solutions and products, spanning both closed and open-source, available for desktop,
`
`server, and cloud applications.
`
`
`
`
`4 EX1012 includes excerpts from Microsoft Computer Dictionary, 5th edition.
`
`To avoid overburdening the record, since the dictionary is quite large, EX1012
`
`only includes the front matter and the pages to which I cite.
`
`
`
`11
`
`

`

`
`
`26. The term “virtualization” most commonly referred to a hypervisor-
`
`based process. A hypervisor, sometimes called a Virtual Machine Monitor (VMM),
`
`was a software program that enabled the emulation of the hardware of a physical
`
`machine, e.g. by “instantiating” virtual machines. The hardware running the
`
`hypervisor was called the “host” (and the operating system was called the host
`
`operating system), whereas emulated virtual machines running inside them were
`
`referred to as “guests” (and their operating systems were called guest operating
`
`systems). EX1009 (Wolf), 5. A single VM could be “instantiated,” that is, copied
`
`and spun up, into one or more running guest “instances.”
`
`27. A guest VM’s operating system and software applications were
`
`typically isolated from the other VMs on the system and were therefore unaware that
`
`they were actually executing in a virtual, rather than in a physical, machine. EX1010
`
`(Waldspurger), 2 (“Each virtual machine (VM) is given the illusion of being a
`
`dedicated physical machine that is fully protected and isolated from other virtual
`
`machines.”); EX1009 (Wolf), 505 (“By setting up virtual partitions, existing
`
`applications and users ‘see’ each virtual machine as an independent physical server
`
`although they share common CPU, disk, memory, and network resources”). This
`
`
`
`12
`
`

`

`
`
`“enables application isolation since malicious or greedy applications cannot impact
`
`other applications co-located on the same physical server.” EX1013 (Wood), 229.5
`
`28. The figure below compares a traditional physical server to a virtual
`
`server:
`
`EX1009 (Wolf), 505, Figure A-5. As shown on the left, a traditional physical server
`
`included a single operating system that was tied directly to the server’s hardware. In
`
`contrast, a virtual server (shown on the right) included one or more guest VMs (such
`
`
`
`
`
`
`5 EX1013 is a copy of “Black-box and Gray-box Strategies for Virtual Machine
`
`Migration,” by T. Wood et al., published by USENIX in 2007 as a part of NSDI
`
`’07: 4th USENIX Symposium on Networked Systems Design & Implementation.
`
`This copy was obtained from https://www.usenix.org/conference/nsdi-07/black-
`
`box-and-gray-box-strategies-virtual-machine-migration.
`
`
`
`13
`
`

`

`
`
`as Virtual Machine 1 or Virtual Machine 2), each with its own operating system.
`
`But rather than interact with the physical machine’s hardware, these operating
`
`systems interacted with a virtualization layer (such as a hypervisor or VMM) that
`
`gave each the impression it was interacting with its own physical machine. Thus,
`
`“virtualization technology … allow[ed] many physical servers to be hosted and
`
`isolated from each other on fewer physical machines.” EX1009 (Wolf), 505.
`
`29. The host typically allocated some portion of each of its resources (e.g.,
`
`CPU, memory, I/O, storage) for exclusive use by each virtual machine. The host
`
`could change this allocation in response to many possible technical and non-
`
`technical requirements that changed over time. “For example, a sudden increase in
`
`number of customers may place a greater strain on [an existing VM],” and “[i]f the
`
`virtual machine host isn’t overloaded,” it or a “user can adjust CPU and memory
`
`shares” for the hosted virtual machines. EX1009 (Wolf), 514-15; see also EX1013
`
`(Wood), 229 (“A workload increase can be handled by in-creasing the resources
`
`allocated to a virtual server”).
`
`30. Computer data was commonly accessed or referenced at different types
`
`of virtual or non-virtual locations. For example, data’s location might refer to the
`
`data’s general location (e.g., a directory, a general computing environment, or a
`
`remote storage service where the data was located) or a more specific location of the
`
`
`
`14
`
`

`

`
`
`data (e.g., an address or file path). See, e.g., EX1009 (Wolf), 242 (“VMFolder:
`
`Location of VM's files on the host system”), 246-57 (discussing “[l]ocation” of VM
`
`files, drives/folders containing VMs, and snapshots); EX1015 (VMWare vSphere),
`
`56 (“When you manage the virtual infrastructure, you access objects and their
`
`properties and methods based on their location in the inventory.”); EX1021 (NIST
`
`Cloud Computing), 8 (discussing resources’ general locations); EX1031 (NIST IT
`
`Asset Mgmt), 1 (Executive Summary) (“The NIST Cybersecurity IT Asset
`
`Management Practice Guide
`
`is a proof-of-concept solution demonstrating
`
`commercially available technologies that can be implemented to track the location
`
`and configuration of networked devices and software across an enterprise. Our
`
`example solution spans traditional physical asset tracking, IT asset information,
`
`physical security, and vulnerability and compliance information. Users can now
`
`query one system and gain insight into their entire IT asset portfolio”). Even for
`
`data in a virtualized environment, its location could refer to a virtual location (e.g.,
`
`the virtualized environment where the data is located, or a more specific virtual
`
`location such as a virtual address or virtual file path) or a non-virtual location (e.g.,
`
`a general location of a storage service or a more specific physical storage location),
`
`since data was routinely stored and accessed in non-virtual storage regardless of
`
`whether the data also exists in the virtualization layer. See, e.g., EX1009, 242, 246-
`
`
`
`15
`
`

`

`
`
`57; EX1010 (Waldspurger), 3-4 (discussing exemplary mappings between virtual
`
`and non-virtual locations). One common way of referencing virtual data was a
`
`“virtual address.” Virtual machines used “virtual addresses” to map the location of
`
`data as it appeared inside a virtual machine to a physical location on a disk. EX1012
`
`(Microsoft Computer Dictionary), 553 (“virtual address n. In a virtual memory
`
`system, the address that the application uses to reference memory. The memory
`
`management unit (MMU) translates this address into a physical address before the
`
`memory is actually read or written to.”); EX1009 (Wolf), 2 (“The virtualization layer
`
`is responsible for mapping virtualized hardware to the host’s physical resources.”).
`
`A single file or piece of data would have both a virtual address and a physical
`
`location on disk, mapped together by the virtualization layer software, as illustrated
`
`in the following example:
`
`
`
`16
`
`

`

`
`
`EX1014 (Klemperer), 22. 6 To a guest VM, files appeared to be stored in a
`
`contiguous “logical volume” or “virtual disk drive,” but the file data could be
`
`
`
`
`
`
`6 EX1014 is a copy of “Efficient Hypervisor Based Malware Detection”, by P.
`
`Klemperer, published in May 2015 by Carnegie Mellon University. This copy was
`
`obtained from
`
`
`
`
`
`17
`
`

`

`
`
`physically stored in multiple discontinuous physical drives. See EX1015 (VMware
`
`vSphere), 124 (“Each datastore is a logical container, analogous to a file system on
`
`a logical volume, where the host places virtual disk files and other virtual machine
`
`files. Datastores hide specifics of the physical storage device and provide a uniform
`
`model for storing virtual machine files.”).7
`
`31. Software containers were another form of virtualization that were well
`
`understood and widely used at the time. A container was an isolated, lightweight
`
`silo for running an application on the host operating system. Software containers
`
`virtualized an operating system to run reusable software packages in various virtual
`
`environments. EX1016 (NIST Application Container), ii (“Application container
`
`
`
`
`https://kilthub.cmu.edu/articles/thesis/Efficient_Hypervisor_Based_Malware_Dete
`
`ction/6716180.
`
`7 EX1015 is a copy of the vSphere Web Services SDK Programming Guide,
`
`published in April 2018 by VMware, Inc. This copy was obtained from
`
`https://vdc-download.vmware.com/vmwb-repository/dcr-public/cdbbd51c-4824-
`
`4a1b-ad43-45df55a76a76/8cb3ed93-cac2-46aa-b329-db5a096af5bc/vsphere-web-
`
`services-sdk-67-programming-guide.pdf.
`
`
`
`18
`
`

`

`
`
`technologies, also known as containers, are a form of operating system virtualization
`
`combined with application software packaging. Containers provide a portable,
`
`reusable, and automatable way to package and run applications. This publication
`
`explains the potential security concerns associated with the use of containers and
`
`provides recommendations for addressing these concerns.”);8 EX1017 (Rosendahl),
`
`1:16-20 (“In the container model, a kernel of an operating system ( e.g. , Linux )
`
`allows for multiple isolated user-space instances, or ‘containers,’ executing
`
`simultaneously.”); see also EX1017 (Rosendahl), 1:20-35 (discussing operation and
`
`benefits of containers).
`
`B.
`
`Snapshots
`
`32. Virtual machines provided various features to manage and backup
`
`resources. One such feature in most virtual machines was a “snapshot.” Snapshots
`
`were well known and had been used to create a point in time copy of a virtual
`
`
`
`
`8 EX1016 is a copy of September 2017 publication by the National Institute of
`
`Standards and Technology (“NIST”), which is an agency within the U.S.
`
`Department of Commerce supporting innovation and competitiveness. This copy
`
`was obtained from https://doi.org/10.6028/NIST.SP.800-190.
`
`
`
`19
`
`

`

`
`
`machine since at least 2005, well before the ’735 patent. EX1009 (Wolf), 257
`
`(“With online snapshots, you can create a point-in-time copy of a running virtual
`
`machine. With an online snapshot saved, you can revert to the snapshot later. This
`
`gives you the ability to create an image of a VM, make any changes you want, and
`
`with the click of a button roll the VM back to the time of the last snapshot.”); see
`
`also EX1018 (NIST Full Virtualization Technologies), 2-6 (“A snapshot is a record
`
`of the state of a running image, generally captured as the differences between an
`
`image and the current state. For example, a snapshot would record changes within
`
`virtual storage, virtual memory, network connections, and other state-related data.
`
`Snapshots allow the guest OS to be suspended and subsequently resumed without
`
`having to shut down or reboot the guest OS. Many, but not all, virtualization systems
`
`can take snapshots.”).9 Further, snapshots had been used to create a copy of a VM
`
`on different hosts. EX1018 (NIST Full Virtualization Technologies), 2-6 (“On some
`
`hypervisors, snapshots of the guest OS can even be resumed on a different host.”).
`
`Most virtualization technologies offered utility functions that included the
`
`
`
`
`9 EX1018 is a copy of a January 2011 NIST publication obtained from
`
`https://doi.org/10.6028/NIST.SP.800-125.
`
`
`
`20
`
`

`

`
`
`generation, storage, indexing, and import of snapshots. EX1019 (Rawat), Abstract;
`
`see also EX1020 (Sancheti), Abstract, 21:42-22:58 (describing use of API calls to
`
`interact with snapshots).
`
`33. Snapshots could contain important and sensitive data that was
`
`important to keep secure. EX1018 (NIST Full Virtualization Technologies), 2-6
`
`(“Note that one of the biggest security issues with images and snapshots is that they
`
`contain sensitive data (such as passwords, personal data, and so on) just like a
`
`physical hard drive. Because it is easier to move around an image or snapshot than
`
`a hard drive, it is more important to think about the security of the data in that image
`
`or snapshot. Snapshots can be more risky than images because snapshots contain
`
`the contents of RAM memory at the time that the snapshot was taken, and this might
`
`include sensitive information that was not even stored on the drive itself.”). Because
`
`snapshots provided insight into the virtual machine they were taken from (including
`
`the machine’s memory), they could be used to provide insight into vulnerabilities of
`
`the virtual machine.
`
`34. A snapshot could be comprised of one or more files, depending on the
`
`mechanism that was used to generate the snapshot. As with computer data more
`
`generally, a snapshot’s “location” could refer to the types of locations I discussed
`
`above in paragraph 30. See, e.g., EX1009 (Wolf), 257 (“The snapshot information
`
`
`
`21
`
`

`

`
`
`will be saved in the same location as the VM’s virtual disk files.”); EX1015
`
`(VMWare vSphere), 56 (“When you manage the virtual infrastructure, you access
`
`objects and their properties and methods based on their location in the inventory.”).
`
`It was common for a hypervisor to have a default (predetermined) location where
`
`VM snapshot files were stored. Locating snapshot files was often facilitated by
`
`utilities provided by the virtualization hypervisor via a console, Graphical User
`
`Interface (“GUI”) or Ap