UNITED STATES PATENT AND TRADEMARK OFFICE
_____________________________

BEFORE THE PATENT TRIAL AND APPEAL BOARD
_____________________________

WIZ, INC.,
Petitioner,

v.

ORCA SECURITY LTD,
Patent Owner.
_____________________________

Case IPR2024-01191
Patent No. 11,775,326
_____________________________

DECLARATION OF DR. ANGELOS STAVROU

WIZ, Inc. EXHIBIT - 1002
WIZ, Inc. v. Orca Security LTD.

TABLE OF CONTENTS

I. ENGAGEMENT
II. QUALIFICATIONS
III. COMPENSATION
IV. INFORMATION CONSIDERED
V. LEGAL PRINCIPLES
VI. THE RELEVANT TIMEFRAME FOR ANALYSIS
VII. PERSON OF ORDINARY SKILL IN THE ART
VIII. STATE OF THE ART
    A. Virtualization
    B. Snapshots
    C. Cloud Computing
    D. Cyber Security
        1. Types of Security Risks
        2. Detecting Security Risks
        3. Responding to Security Risks
IX. OVERVIEW OF THE ’326 PATENT
    A. Challenged Claims
    B. Prosecution History of the ’326 Patent
X. CLAIM CONSTRUCTION
    A. Determining a “Location” of a Snapshot
    B. “Analyzing the Snapshot”
XI. OVERVIEW OF THE PRIOR ART
    A. Veselov (U.S. Patent No. 11,216,563, EX1007)
    B. Basavapatna (U.S. Pub. No. 2013/0191919, EX1008)
    C. Czarny (U.S. Patent No. 9,749,349; EX1084)
    D. Giakouminakis (U.S. Patent No. 9,141,805; EX1044)
XII. GROUND 1: CLAIMS 1-21 AND 28 WERE OBVIOUS OVER VESELOV AND BASAVAPATNA
    A. Reasons to Combine Veselov and Basavapatna
    B. Independent Claims 1, 15, and 18
        1. Preambles
        2. Element 18.i
        3. Elements 1.1, 15.1, and 18.1
        4. Elements 1.2, 15.2, and 18.2
        5. Elements 1.3, 15.3, and 18.3
        6. Elements 1.4, 15.4, and 18.4
    C. Dependent Claims
        1. Claims 2 and 19
        2. Claim 3
        3. Claims 4, 16, and 17
        4. Claim 5
        5. Claim 6
        6. Claim 7
        7. Claim 8
        8. Claim 9
        9. Claim 10
        10. Claim 11
        11. Claim 12
        12. Claim 13
        13. Claim 14
        14. Claim 20
        15. Claim 21
        16. Claim 28
XIII. GROUND 2: CLAIMS 4-5 AND 17 WERE OBVIOUS OVER VESELOV, BASAVAPATNA, AND CZARNY
    A. Reasons to Combine Veselov, Basavapatna, and Czarny
    B. Claims 4 and 17
    C. Claim 5
XIV. GROUND 3: CLAIMS 22-27 WERE OBVIOUS OVER VESELOV, BASAVAPATNA, AND GIAKOUMINAKIS
    A. Reasons to Combine Veselov, Basavapatna, and Giakouminakis
    B. Claims 22 and 27
        1. Elements 22.1 and 27.1
        2. Elements 22.2 and 27.2
    C. Claim 23
    D. Claim 24
    E. Claim 25
    F. Claim 26
XV. CONCLUDING STATEMENTS
XVI. APPENDIX A – MATERIALS CITED

I, Angelos Stavrou, declare as follows:

I. ENGAGEMENT

1. I have been retained by counsel for Wiz, Inc. as an expert witness in the above-captioned proceeding. I have been asked to provide my opinion about the state of the art of the technology described in U.S. Patent No. 11,775,326 (the “’326 patent”) and on the patentability of claims 1-28 of this patent. The following is my written testimony on these topics.

II. QUALIFICATIONS

2. I received my M.Sc. in Electrical Engineering, M.Phil., and Ph.D. (with distinction) in Computer Science all from Columbia University. I also hold an M.Sc. in theoretical Computer Science from the University of Athens and a B.Sc. in Physics with distinction from the University of Patras, Greece.

3. I am a Virginia Tech Innovation Campus founding Professor, and the Entrepreneurship activities lead. I am also a member of the Bradley Department of Electrical & Computer Engineering at Virginia Tech. From 2017 to 2020, I was a Professor in the Computer Science Department at George Mason University (“GMU”), teaching courses including Operating Systems Security and Cyber Security Laboratory. From 2012 to 2017, I was an Associate Professor in GMU’s Computer Science Department, teaching courses including Operating Systems Security, Enterprise Security Practices, and Enterprise Security Technology. From 2014 to 2017, I was an Academic Director in GMU’s School of Management for the M.S. in Management of Secure Information Systems Program. From 2013 to 2015, I was an Academic Director in GMU’s Computer Science Department for the M.S. in Information Security and Assurance Program. From 2011 to 2020, I was an Associate Researcher in the Computer Security Division at the National Institute of Standards and Technology (“NIST”). I am a co-author of numerous publications involving virtualization and cyber security, among other topics. EX1003 (CV), 3-19.

4. I am also the founder of Quokka, Kryptowire Labs, Aether Argus, and Impedyme Inc. I have served as a principal investigator on research awards from NSF, DARPA, IARPA, DHS, AFOSR, ARO, ARL, and ONR. I have written more than 140 peer-reviewed conference and journal articles. Furthermore, I am an inventor of nineteen issued patents and several pending patent applications. I am an Associate Editor of IEEE Transactions on Computers, IEEE Security & Privacy, and IEEE Internet Computing magazine and a co-chair of the IEEE Blockchain initiative. I am a senior member of the ACM, USENIX, and IEEE. My current research interests include security and reliability for distributed systems, security principles for virtualization, and anonymity, focusing on building and deploying large-scale systems.

5. I received the GMU Department of Computer Science Outstanding Research Award in 2010, 2016, and 2018. Also, I was awarded the 2012 George Mason Emerging Researcher, Scholar, Creator Award, a university-wide award. In 2013, I received the IEEE Reliability Society Engineer of the Year award. My team at Kryptowire was awarded the DHS Cyber Security Division’s “Significant Government Impact Award” in 2017 and the “Bang for the Buck Award” in 2019. Currently, I am the primary Principal Investigator (PI) in two DARPA awards focusing on Cyber Security for cloud and wireless systems, namely the DARPA OPS-5G and CASTLE efforts.

III. COMPENSATION

6. I am being compensated for my time at my standard consulting rate. My compensation is not contingent upon the results of my study and analysis, the substance of my opinions, or the specifics of my testimony. I have no financial interest in the outcome of this matter or in any litigation involving the ’326 patent.

IV. INFORMATION CONSIDERED

7. My opinions are based on my years of education, research and experience, as well as my investigation and study of relevant materials. In preparing this declaration, I have reviewed the ’326 patent and the ’326 patent’s file history (EX1004). I have also reviewed the materials cited in this declaration, a list of which is provided in Appendix A.

V. LEGAL PRINCIPLES

8. I understand that a claim is not patentable under 35 U.S.C. §102 as anticipated if the claim as a whole is described, either expressly or inherently, in a single prior art reference. I understand that this also requires that the prior art reference disclose that each claim element is arranged as recited in the claims.

9. I have been advised that a claimed invention is not patentable under 35 U.S.C. §103 if it is obvious. A patent claim is unpatentable if the claimed invention would have been obvious to a person of ordinary skill in the field at the time the claimed invention was made. This means that even if all of the requirements of the claim cannot be found in a single prior art reference that would anticipate the claim, a person of ordinary skill in the relevant field who knew about all this prior art would have come up with the claimed invention.

10. I have further been advised that the ultimate conclusion of whether a claim is obvious should be based upon several factual determinations. That is, a determination of obviousness requires inquiries into: (1) the level of ordinary skill in the field; (2) the scope and content of the prior art; (3) what difference, if any, existed between the claimed invention and the prior art; and (4) any secondary evidence bearing on obviousness.

11. I have been advised that, in determining the level of ordinary skill in the field that someone would have had at the time the claimed invention was made, I should consider: (1) the levels of education and experience of persons working in the field; (2) the types of problems encountered in the field; and (3) the sophistication of the technology.

12. I have also been advised that, in determining the scope and content of the prior art, in order to be considered as prior art, a reference must be reasonably related to the claimed invention of the patent. A reference is reasonably related if it is in the same field as the claimed invention or is from another field to which a person of ordinary skill in the field would look to solve a known problem.

13. I have been advised that a patent claim composed of several elements is not proved obvious merely by demonstrating that each of its elements was independently known in the prior art. In evaluating whether such a claim would have been obvious, I may consider whether there are reasons that would have prompted a person of ordinary skill in the field to combine the elements or concepts from the prior art in the same way as in the claimed invention.

14. I have been further advised that there is no single way to define the line between true inventiveness on the one hand (which is patentable) and the application of common sense and ordinary skill to solve a problem on the other hand (which is not patentable). For example, market forces or other design incentives may be what produced a change, rather than true inventiveness. I may consider whether the change was merely the predictable result of using prior art elements according to their known functions, or whether it was the result of true inventiveness. I may also consider whether there is some teaching or suggestion in the prior art to make the modification or combination of elements claimed in the patent. I may consider whether the innovation applies a known technique that had been used to improve a similar device or method in a similar way. I may also consider whether the claimed invention would have been obvious to try, meaning that the claimed innovation was one of a relatively small number of possible approaches to the problem with a reasonable expectation of success by those skilled in the art.

15. I have also been advised, however, that I must be careful not to determine obviousness using the benefit of hindsight; many true inventions might seem obvious after the fact. I should put myself in the position of a person of ordinary skill in the field at the time the claimed invention was made and I should not consider what is known today or what is learned from the teaching of the patent.

16. Finally, I have been advised that any obviousness rationale for modifying or combining prior art must include a showing that a person of ordinary skill would have had a reasonable expectation of success.

17. With regard to secondary considerations of nonobviousness, I have been advised that any objective evidence may be considered as an indication that the claimed invention would not have been obvious at the time the claimed invention was made. I understand that the purpose of secondary considerations is to prevent a hindsight analysis of the obviousness of the claims.

18. I have been advised that there are several factors that may be considered as a secondary consideration. These factors include the commercial success of the invention, industry praise for the invention, skepticism of the invention, licensing of the invention, copying of the invention, any long-felt need that the invention solved, failure of others, and unexpected results of the invention.

19. I have been further advised that in order for evidence of secondary considerations to be significant, there must be a sufficient nexus between the claimed invention and the evidence of secondary considerations. I understand that this nexus serves to provide a link between the merits of the claimed invention and the evidence of secondary considerations provided.

VI. THE RELEVANT TIMEFRAME FOR ANALYSIS

20. I understand that the ’326 patent issued from U.S. Application No. 18/055,181 (“the ’181 application”), filed November 14, 2022. EX1001, Face. The ’201 application claims priority to Provisional Application No. 62/797,718, filed January 28, 2019. I have been asked to treat January 28, 2019 as the effective filing date for purposes of my analysis.

VII. PERSON OF ORDINARY SKILL IN THE ART

21. As I noted earlier in §V, I have been advised that, in determining the level of ordinary skill in the field that someone would have had at the time the claimed invention was made, I should consider: (1) the levels of education and experience of persons working in the field; (2) the types of problems encountered in the field; and (3) the sophistication of the technology.

22. In my opinion, a person of ordinary skill in the art (“POSA”) at the relevant time would have had (1) at least a bachelor’s degree in computer science, computer engineering, electrical engineering, or a related degree, and (2) would also have 2-3 years of professional experience with cyber security analysis and virtualization. Such experience includes, for example, malware analysis, security analysis of cloud computing systems, and security analysis of virtual machines. I satisfied these requirements before January 28, 2019. See supra, §II. Additional experience can compensate for less education and vice versa. The State-of-the-Art section below summarizes some basic background knowledge of the type that persons of ordinary skill in the art would have had.

VIII. STATE OF THE ART

23. In this section, I provide a brief overview of the background art as understood by a POSA as of January 28, 2019. The material that I cite below confirms my own recollection and understanding, based on my experience in the field, of the state of the art before January 28, 2019. First, I provide a general overview of virtualization technology and cloud computing. I then provide a high-level discussion of cyber security, including several types of threats and vulnerabilities that were commonly exploited, how those threats were detected, and common responses to detected threats. I also explain how these cyber security threat-detection, classification, and mitigation approaches were applied in virtualized cloud computing assets available as of January 28, 2019.

A. Virtualization

24. Virtualization refers to the decades-old process of emulating physical computers. EX1009 (Wolf), xxiii (“In running as a virtual machine, a computer’s hardware is emulated and presented to an operating system as if the hardware truly existed.”);[1] EX1010 (Waldspurger), 2 (“Virtual machines have been used for decades.”).[2] Indeed, the technology was described as well-known even by the 1970s. EX1011 (Goldberg), 35 (“[M]uch of the software for the simulated machine executes directly on the hardware without software interpretation. Systems of this kind are called virtual machine systems, the simulated machines are called virtual machines (VMs), and the simulator software is called the virtual machine monitor (VMM) … IBM[] improved virtual machine support for System/370.”).[3]

[1] EX1009 includes excerpts from “Virtualization: From the Desktop to the Enterprise,” a book by C. Wolf and E. Halter, published in 2005 by APRESS. This book was obtained from https://link.springer.com/book/10.1007/978-1-4302-0027-7. To avoid overburdening the record, EX1009 includes only the front matter, chapter 1, chapter 6, chapter 7, and appendix A, since the book is quite large and I only cite to chapters 1, 6, and 7 and the appendix.

[2] EX1010 is a copy of “Memory Resource Management in VMware ESX Server,” by C. Waldspurger, published by USENIX in 2002 as a part of the 5th Symposium on Operating Systems Design and Implementation. This copy was obtained from https://www.usenix.org/legacy/event/osdi02/tech/waldspurger/waldspurger.pdf.

[3] EX1011 is a copy of “Survey of Virtual Machine Research,” by R. Goldberg, published by the IEEE Computer Society in June 1974 in Computer Magazine, Vol. 7, No. 6. This copy was obtained from https://ieeexplore.ieee.org/document/6323581.

25. An emulated physical computer was called a “virtual machine” or “VM.” EX1009 (Wolf), xxiii (“[W]orkstations and servers no longer need dedicated physical hardware such as a CPU or motherboard in order to run as independent entities. Instead, they can run inside a virtual machine (VM).”). A VM acted like a physical machine, in that it typically ran a standard operating system, such as Linux or Windows, and could run standard software applications, such as web servers. EX1010 (Waldspurger), 2 (Virtualization software such as VMware’s ESX Server “is in production use on servers running multiple instances of unmodified operating systems such as Microsoft Windows 2000 Advanced Server and Red Hat Linux 7.2.”). Desktop, server, cloud, and datacenter providers routinely used many different virtualization solutions and products, spanning both closed and open-source, available for desktop, server, and cloud applications.

26. The term “virtualization” most commonly referred to a hypervisor-based process. A hypervisor, sometimes called a Virtual Machine Monitor (VMM), was a software program that enabled the emulation of the hardware of a physical machine, e.g. by “instantiating” virtual machines. The hardware running the hypervisor was called the “host” (and the operating system was called the host operating system), whereas emulated virtual machines running inside them were referred to as “guests” (and their operating systems were called guest operating systems). EX1009 (Wolf), 5. A single VM could be “instantiated,” that is, copied and spun up, into one or more running guest “instances.”

27. A guest VM’s operating system and software applications were typically isolated from the other VMs on the system and were therefore unaware that they were actually executing in a virtual, rather than in a physical, machine. EX1010 (Waldspurger), 2 (“Each virtual machine (VM) is given the illusion of being a dedicated physical machine that is fully protected and isolated from other virtual machines.”); EX1009 (Wolf), 505 (“By setting up virtual partitions, existing applications and users ‘see’ each virtual machine as an independent physical server although they share common CPU, disk, memory, and network resources”). This “enables application isolation since malicious or greedy applications cannot impact other applications co-located on the same physical server.” EX1013 (Wood), 229.[4]

[4] EX1013 is a copy of “Black-box and Gray-box Strategies for Virtual Machine Migration,” by T. Wood et al., published by USENIX in 2007 as a part of NSDI ’07: 4th USENIX Symposium on Networked Systems Design & Implementation. This copy was obtained from https://www.usenix.org/conference/nsdi-07/black-box-and-gray-box-strategies-virtual-machine-migration.

28. The figure below compares a traditional physical server to a virtual server:

EX1009 (Wolf), 505, Fig. A-5. As shown on the left, a traditional physical server included a single operating system that was tied directly to the server’s hardware. In contrast, a virtual server (shown on the right) included one or more guest VMs (such as Virtual Machine 1 or Virtual Machine 2), each with its own operating system. But rather than interact with the physical machine’s hardware, these operating systems interacted with a virtualization layer (such as a hypervisor or VMM) that gave each the impression it was interacting with its own physical machine. Thus, “virtualization technology … allow[ed] many physical servers to be hosted and isolated from each other on fewer physical machines.” EX1009 (Wolf), 505. Hosted VMs were also typically assigned IP and MAC addresses to allow them to send and receive network data. EX1009 (Wolf), xxiv (“[C]lients won’t connect to a physical computer but instead connect to a logical virtual server running on top of one or more physical computers.”), 22 (guest host VMs have their own IP and MAC addresses that are used to send and receive traffic through a virtual network interface mapped to a physical interface); EX1012 (Doctor), 9:9-25 (VM’s virtual network interface is assigned a network address (e.g., IP address) through which it may receive data); EX1048 (Price), ¶31 (“[I]nformation can be obtained using VMM access engine 280 identifying the status and location (e.g., IP or MAC address) of each enumerated virtual machine in system 240….”).

29. The host typically allocated some portion of each of its resources (e.g., CPU, memory, I/O, storage) for exclusive use by each virtual machine. The host could change this allocation in response to many possible technical and non-technical requirements that changed over time. “For example, a sudden increase in number of customers may place a greater strain on [an existing VM],” and “[i]f the virtual machine host isn’t overloaded,” it or a “user can adjust CPU and memory shares” for the hosted virtual machines. EX1009 (Wolf), 514-15; see also EX1013 (Wood), 229 (“A workload increase can be handled by increasing the resources allocated to a virtual server….”).

30. Computer data and computer resources were commonly accessed or referenced at different types of virtual or non-virtual locations. For example, data’s location might refer to the data’s general location (e.g., a directory, a general computing environment, or a remote storage service where the data was located) or a more specific location of the data (e.g., an address or file path). See, e.g., EX1009 (Wolf), 242 (“VMFolder: Location of VM’s files on the host system”), 246-57 (discussing “[l]ocation” of VM files, drives/folders containing VMs, and snapshots); EX1015 (VMWare vSphere), 56 (“When you manage the virtual infrastructure, you access objects and their properties and methods based on their location in the inventory.”); EX1021 (NIST Cloud Computing), 8 (discussing resources’ general locations); EX1031 (NIST IT Asset Mgmt), 1 (Executive Summary) (“The NIST Cybersecurity IT Asset Management Practice Guide is a proof-of-concept solution demonstrating commercially available technologies that can be implemented to track the location and configuration of networked devices and software across an enterprise. Our example solution spans traditional physical asset tracking, IT asset information, physical security, and vulnerability and compliance information. Users can now query one system and gain insight into their entire IT asset portfolio”). Even for data in a virtualized environment, its location could refer to a virtual location (e.g., the virtualized environment where the data is located, or a more specific virtual location such as a virtual address or virtual file path) or a non-virtual location (e.g., a general location of a storage service or a more specific physical storage location), since data was routinely stored and accessed in non-virtual storage regardless of whether the data also exists in the virtualization layer. See, e.g., EX1009 (Wolf), 242, 246-57; EX1010 (Waldspurger), 3-4 (discussing exemplary mappings between virtual and non-virtual locations). External systems typically communicated with a virtualization layer via an associated endpoint such as an IP address, MAC address, etc. EX1080 (Lambeth), 5:34-42 (“[I]n one conventional technique, some address mapping between guest physical addresses, hypervisor virtual addresses, and machine addresses associated with the network frames is performed to determine the destination of the network frame.”); EX1054 (Ackley) 1:31-42 (“[A] method for receiving, in a hypervisor, a packet including a destination media access control (MAC) address field having a MAC address of the hypervisor and a destination Internet protocol (IP) address field having an IP address of a virtual machine (VM) coupled to the hypervisor. In turn, the hypervisor can determine a MAC address of the VM using the IP address of the VM and apply the VM MAC address to the destination MAC address field of the packet and forward the packet to the VM from the hypervisor.”); EX1074 (VMware Infrastructure),[5] 12 (“After authentication, a view of the resources and virtual machines that belongs to the user is presented. For accessing a virtual machine console directly, the VI Client first obtains the virtual machine location from the VirtualCenter Management Server through the VI API.”); EX1048 (Price), ¶21 (“Virtual machine manager 130 interfaces can include interfaces and application programming interfaces (APIs) that can provide operations and accessing including guest management, offline registry access, virtual disk access, and other features of virtual machines that maybe running or accessible through a particular virtualization host environment. As an example, a virtual machine manager associated with VMware™ virtualization tools can include such interfaces as the VIX API and VDDKAPI, among others. Further, virtual machine manager-provided interfaces can be leveraged … to allow outside security tools access to firewalled and other protected virtualized appliances and resources.”). VMs used virtual memory addresses to map the location of data as it appeared inside a virtual machine to a physical location on a disk. E.g., EX1009 (Wolf), 2 (“The virtualization layer is responsible for mapping virtualized hardware to the host’s physical resources.”). A single file or piece of data would have both a virtual memory address and a physical location on disk, mapped together by the virtualization layer software, as illustrated in the following example:

EX1014 (Klemperer), 22.[6] To a guest VM, files appeared to be stored in a contiguous “logical volume” or “virtual disk drive,” but the file data could be physically stored in multiple discontinuous physical drives. See EX1015 (VMware vSphere), 124 (“Each datastore is a logical container, analogous to a file system on a logical volume, where the host places virtual disk files and other virtual machine files. Datastores hide specifics of the physical storage device and provide a uniform model for storing virtual machine files.”).[7]

[5] EX1074 (VMware Infrastructure) is a copy of “VMware Infrastructure Architecture Overview,” published in 2006 by VMware, Inc. This copy was obtained from https://www.vmware.com/pdf/vi_architecture_wp.pdf.

[6] EX1014 is a copy of “Efficient Hypervisor Based Malware Detection,” by P. Klemperer, published in May 2015 by Carnegie Mellon University. This copy was obtained from https://kilthub.cmu.edu/articles/thesis/Efficient_Hypervisor_Based_Malware_Detection/6716180.

31. Software containers were another form of virtualization that were well understood and widely used at the time. A container was an isolated, lightweight

[7] EX1015 is a copy of the vSphere Web Services SDK Programming Guide, published in April 2018 by VMware, Inc. This copy was obtained from https://vdc-download.vmware.com/vmwb-repository/dcr-public/cdbbd51c-4824-