T 0917/10 (PERMITTING ACCESS ACROSS A CONTEXT BARRIER/SUN) of 28.11.2014

Summary of Facts and Submissions

I. This is an appeal against the decision, dispatched on 7 April 2010, by the opposition division to revoke European patent No. EP B 1190316 on the basis that the subject-matter of claim 1 of the then main and first auxiliary requests did not involve an inventive step, Article 56 EPC, in view of the combination of documents D1 and D8 in conjunction with common general knowledge, as exemplified by D10. The subject-matter of claim 1 of the then second auxiliary request - maintenance of the patent as granted - was found not to involve an inventive step, Article 56 EPC, in view of document D8 alone. The cited documents are as follows:

D1: WO 98/19237 A1

D8: J. H. Saltzer, M. D. Schroeder, "The Protection of Information in Computer Systems", manuscript received 11 October 1975, Copyright 1975.

D10: M. J. Bach, "The Design of the Unix Operating System", Prentice Hall Software Series, 1990, ISBN 0-13-201799-7, pages 110 to 119 and 370 to 381.

The opposition was based solely on the grounds foreseen in Article 100(a) EPC 1973, in this case lack of inventive step.

II. The following document was mentioned in examination proceedings, the applicant stating in a letter received on 6 August 2001 that it did not form prior art.

D3: "Java**(TM) Card**(TM) Runtime Environment (JCRE) 2.1 Specification", Draft 2, 14 December 1998, XP002138793.

III. The following document was mentioned in opposition proceedings:

D11: T. Frey, "Java**(TM) Card the Java**(TM) Standard for Smart Cards", pages 1 to 53, Java Days '98.

IV. A notice of appeal was received from the patent proprietor on 28 April 2010, the appeal fee being paid on the same day. The appellant requested that the patent be maintained as granted.

V. In a statement of grounds of appeal, received on 11 August 2010, the appellant requested that the patent be maintained on the basis of the description, claims and drawings according to the main and first and second auxiliary requests forming the basis of the appealed decision. Oral proceedings were requested in the event that the board was minded to refuse the main request.

VI. In a submission received on 3 January 2011 the respondent opponent requested oral proceedings if the appeal could not be dismissed in its entirety.

VII. In an annex to a summons to oral proceedings the board stated inter alia that the claimed subject-matter seemed to involve an inventive step, Article 56 EPC 1973, in view of D8, and D8 combined with D1, even considering the common general knowledge, as exemplified by D10. The board also expressed doubts as to the clarity of the claims and the novelty, Article 54 EPC 1973, of the claimed subject-matter in view of D11.

VIII. With a letter received on 28 October 2014 the appellant filed amended claims according to a main and twelve auxiliary requests, namely auxiliary requests 1, 1A, 1B, 2, 2A, 2B, 2C and 3 to 7. For all these requests the description and drawings were those as granted. The appellant made a further auxiliary request 8 that the patent be maintained as granted. The appellant requested that the case be remitted to the first instance, since the board seemed to be of the view that the reasons given in the appealed decision for revoking the patent had not been justified, this seeming to be a "fundamental deficiency" in the first instance proceedings, Article 11 RPBA (Rules of Procedure of the Boards of Appeal of the EPO). If the auxiliary requests containing amended claims were not admitted, Article 13(3) RPBA, then the appellant requested remittal to the first instance so that it could respond to the objections newly raised in the summons.

IX. In a letter received on 21 November 2014 the respondent stated that, since the board had cited D11 in the annex to the summons to oral proceedings, it had nothing to add to its written submissions and would not attend the oral proceedings. The respondent also withdrew its auxiliary request for oral proceedings.

X. Oral proceedings were held on 28 November 2014, the appellant being represented and the respondent absent, as announced in advance. In the course of the oral proceedings the appellant filed a new main request comprising claims 1 to 8 and amended description pages 4, 5 and 8. The appellant's final requests were to set the decision under appeal aside and to maintain the patent based on the main request filed during the oral proceedings, description pages 1 to 3, 6, 7 and 9 to 37 as granted, description pages 4, 5 and 8 as filed during oral proceedings, and the drawings as granted. The appellant withdrew all other requests.

XI. At the end of the oral proceedings the board announced its decision.

XII. The claims according to the main request comprise two independent claims: claim 1 to a method and claim 8 to a computer program product referring to the method of claims 1 to 7. Claim 1 reads as follows:

"A method for operating a small footprint device (400) that comprises a processing machine (410), wherein the small footprint device is a smart card or a cellular telephone, wherein program modules are executed on the processing machine, and wherein the processing machine (410) comprises a virtual machine (720) running on a processor (300) and includes an object system for managing the objects of an object-oriented implementation, characterised by: executing groups of one or more program modules in separate contexts (420, 620; 760, 770, 780; 1000, 1010, 1020) running on said virtual machine, providing a context barrier (600; 600') for separating and isolating the contexts and for controlling the access of a program module executing in one context to information and/or a program module executing in another context, wherein each of said objects is owned by an associated context, and providing a global data structure, wherein each program module of each context is allowed to read data from and write data to the global data structure, and wherein said global data structure is used to pass references to objects between contexts."

Reasons for the Decision

1. The admissibility of the appeal

In view of the facts set out at points I, IV and V above, the appeal complies with the admissibility criteria under the EPC and is consequently admissible.

2. The context of the invention

2.1 The patent relates to implementing security on "small footprint" devices (see figure 3), such as smart cards and cellular telephones, by providing a context barrier or "firewall" between different execution contexts, thus isolating different program modules on the same device from each other to avoid interaction between them, be it accidental or unauthorized.

2.2 The invention addresses the problem of allowing controlled access across the context barrier; see paragraph [0032] of the patent. As set out in the claims, this problem is solved using a global data structure, each program module of each context being allowed to read data from and write data to the global data structure, the global data structure being used to pass references to objects between contexts so that program modules can communicate with each other; see figure 13, described in paragraph [0066], and section 6.2.2, "Global Arrays" in paragraphs [0188] to [0192].

3. The amendments to the patent

3.1 The respondent has argued, regarding previous versions of claim 1, that the feature that the processing machine includes an object system for managing the objects of an object-oriented implementation is not based on the patent, in particular paragraphs [0052] and [0054], and is added subject-matter, Article 123(2) EPC. This feature is also present in claim 1 of the present main request. The board is not convinced by this argument, since this feature is disclosed in original figure 7; 750 and discussed on page 11, lines 11 to 13.

3.2 The claims of the main request have been restricted with respect to those of the patent as granted, firstly by deleting the claims relating to a small footprint device (see granted claims 10 to 16) and the claim to the use of a network (see granted claim 17). Secondly, method claim 1 - and by reference also computer program product claim 8 - has been restricted by removing the alternatives "various other small or miniature devices" and by adding two groups of features. The first group of features, namely that the processing machine comprises a virtual machine running on a processor and includes an object system for managing the objects of an object-orientated implementation, is disclosed on original page 9, lines 20 to 23, and page 11, lines 5 to 8 and 11 to 13. The second group of features, namely that the global data structure is used to pass references to objects between contexts, is disclosed on original page 14, lines 24 to 25.

3.3 The description of the patent has been adapted to the amended claims, Rule 27(1)(c) EPC 1973.

3.4 The board is consequently satisfied that the patent has not been amended in such a way that it contains subject-matter which extends beyond the content of the application as filed or that extends the protection it confers. Hence the board finds that the amendments comply with Article 123(2) and (3) EPC.

4. Clarity, Article 84 EPC 1973

4.1 The respondent has argued, regarding an earlier version of the claims, that the feature in claim 1, which is also set out in claim 1 of the present main request, namely the processing machine comprising an object system for managing the objects of an object-oriented implementation, in particular the expression "object-oriented implementation" is unclear, Article 84 EPC 1973.

4.2 The board does not accept this argument, since the person skilled in the art of computing would understand what is meant by the expression "object-oriented implementation" (which is also used in paragraph [0054], lines 18 to 19, of the patent) as a matter of general knowledge. Moreover the description specifically explains the term "object-oriented" in a glossary (see paragraph [0356]), stating that "Object-Oriented is a programming methodology based on the concept of an object, which is a data structure encapsulated with a set of routines, called methods, which operate on the data."

4.3 Hence the board finds that the claims are clear, Article 84 EPC 1973.

5. The prior art on file

5.1 Document D8

5.1.1 D8 is a tutorial paper relating to protecting computer-stored information from unauthorized use or modification. Paragraph 26 of the reasons for the decision refers to D8 disclosing the creation of "protected subsystems" and writing to/reading from a commonly accessible file. The glossary in D8 defines a protected sub-system as a "collection of procedures and data objects that is encapsulated in a domain of its own so that the internal structure of a data object is accessible only to the procedures of the protected subsystem and the procedures may be called only at designated entry points".

5.1.2 According to the cited example, an instructor maintains course grade records on a shared computer system and allows each student to access the system to read only their own grades and also to view a histogram of class grades for each assignment; see page 44, penultimate paragraph, to page 46, second paragraph, and figure 14 on pages 45 and 46. An assistant can also access the system to enter new grades. Previously entered grades cannot be changed without the instructor's express approval. This functionality is provided by a protected subsystem (see page 45, lines 19 to 21), denoted by the outer circle in figure 14, enclosing three programs (P1, P2 and P3) which can all access the grade record data segments (termed "protected objects"; see page 45, line 12) shown at the bottom of figure 14; see page 45, second paragraph, and figure 14 spanning pages 45 and 46. The effect of "encapsulation" (see page 45, line 9) is that other programs cannot read or access the programs and data directly, but rather must invoke "care taker programs", termed "designated entry points" (the three apertures for students, assistants and the instructor, respectively, in the enclosure shown in figure 14), to manipulate the protected objects indirectly and in a controlled way. According to page 46, first paragraph, "borrowed" programs can be run in their own protected subsystem so that they do not have access to all the user's data and programs and thus can only do limited damage, if they are malicious.

5.2 Document D11

5.2.1 D11 is a "PowerPoint style" presentation of 53 pages/slides relating to the Java standard for smart cards, given by an employee of the respondent at the "Java days '98" conference in 1998.

5.2.2 The availability of D11 to the public

According to the respondent, the "Java days '98" conference was held in Frankfurt on 12 and 13 November 1998 and thus before the priority date (22 January 1999). The appellant has not disputed that D11 was made publicly available at this conference. Hence it is common ground between the parties, and the board agrees, that D11 was made available to the public at the conference before the priority date and thus forms prior art, Article 54(2) EPC 1973.

5.2.3 The disclosure of D11

D11 concerns the Java Card standard for smart cards. Such smart cards can be inserted into a terminal or interface device, for instance to provide authentication for carrying out financial transactions; see pages 3 and 4. According to page 2, a subset of the Java Virtual Machine runs on the card and interprets instructions in byte code (see page 17), secure applications, termed "applets", being isolated from each other by a firewall. According to pages 32 and 23, each applet runs in its own context. Objects are created in their context and are only accessible within their context; see page 32, last bullet point. According to the same page, the JCRE (Java Card Runtime Environment) context is a privileged context which manages every applet context. According to pages 33 and 34, the JCRE provides entry point objects which can be invoked by a sharing request from any other applet context. Hence, although objects from one context cannot be shared directly with another context, methods are provided to pass a reference to an object to be shared; see page 35. Hence, as the appellant explained at the oral proceedings, in D11 shared interfaces are used to implement, as D11 puts it, "controlled breakthrough in the firewall for interapplet communication"; see page 35, in particular the first bullet-point.

D11 also discloses global data which is not owned by a specific context and can be accessed by any applet; see pages 34 and 41. However, as the appellant explained at the oral proceedings, the global data, in particular the APDU (Application Protocol Data Unit) buffer, is not used for inter-applet communication, but rather is used in the context of communication between the applets running on the smart card and the terminal; see page 41, last bullet-point. As stated on page 41, last bullet-point, "all applets can access it [the APDU buffer] without running into security/firewall problems". The board understands this to mean that, contrary to the appellant's submission in the oral proceedings, each applet in D11 is allowed to read data from and write data to the APDU buffer, a global data structure.

5.3 Document D1

D1 relates to an IC card, which can be a smart card (see figure 21) or part of a cellular phone (see figure 22), comprising a microcontroller and memory on which a Card Java Virtual Machine (JVM) runs, interpreting instructions before execution. According to page 31, line 33, to page 32, line 14, data and applications (see figure 14; 141a,b,c) in the IC card are isolated from each other using a firewall mechanism provided by the card JVM which detects any attempt by an application to reference the data or code space used by another application.

5.4 Document D10

The opposition division, in an annex to its summons to oral proceedings, argued that a file could be considered to be a global data structure and cited examples known from D10, namely "named pipes" (see page 113, section 5.12.2) and lock files (see page 370, section 11.2.3). D10 comprises two extracts from a text book. Pages 110 to 119 concern "system calls for the file system" and, in particular, section 5.12 relating to "Pipes" which allow transfer of data between processes in a FIFO manner without knowing which process is at the other end of the pipe. Lock files store semaphore values in a global array (see page 376, 2**(nd) line) and are used to avoid collisions between processes by ensuring that only one process can access a shared resource at a time.

5.5 The JCRE specification reproduced in the description of the patent and mentioned as D3 in the appealed decision

5.5.1 If prior art, this specification would be of potential relevance at least to the question of inventive step in view of the statement at the end of section 6.2.2 "Global arrays" that the APDU buffer "is suitable for passing data across applet contexts".

5.5.2 Original pages 18 to 47/18 of the description, corresponding to pages 8 to 37 of the patent, reproduce the Java Card Runtime Environment (JCRE) 2.1 specification, draft 2, dated 14 December 1998. This date falls before the priority date of the patent, namely 22 January 1999. According to paragraph [0043] of the patent, this is an unpublished draft of the specification. The same draft specification was cited in the International Search Report, but the appellant, then applicant, stated that it was not prior art. The respondent has not challenged this statement. In the oral proceedings before the board the appellant's representative stated that he was not certain whether the draft specification formed prior art or not.

5.5.3 Whilst the appellant has retreated slightly from its initial position of certainty that the draft specification is not prior art, the respondent has not argued to the contrary that it is prior art. In view of the fact that it is for the respondent opponent to make its case in these contentious opposition appeal proceedings, the board concludes that, for the purposes of the present decision, the draft specification does not belong to the prior art, Article 54(2) EPC 1973.

6. Inventive step, Article 56 EPC 1973, starting from D8

6.1 According to the appealed decision, D8 formed the closest prior art, the subject-matter of claim 1 of the then main request differing from the disclosure of D8 in the feature that "the programs are run on a virtual machine".

6.2 The appellant has disputed whether D8 forms the closest prior art and is an appropriate starting point for assessing inventive step. The respondent has argued that, even if D8 is not the closest prior art, it is relevant to the assessment of inventive step if the skilled person, starting from D8, could have arrived at the claimed subject-matter in an obvious manner. The board accepts the respondent's argument.

6.3 In the light of the above analysis, the board finds that, in terms of claim 1 of the present main request, D8, in particular page 45, second paragraph, and figure 14, discloses a method for operating a device that comprises a processing machine, wherein program modules (P1, P2, P3) are executed on the processing machine, and [the processing machine] includes an object system for managing the objects of an object-oriented implementation (see page 45, lines 8 to 16), the method also comprising executing groups of one or more program modules in separate contexts (see page 45, lines 8 to 16), providing a context barrier ("encapsulation") for separating and isolating the contexts and for controlling the access of a program module executing in one context to information and/or a program module executing in another context, wherein each of said objects is owned by an associated context.

6.4 The appellant has argued that D8 does not disclose that the device has a small footprint or include a smart card or a cellular telephone. The board agrees. D8, dated 1974, is concerned with multi-user computer systems which would be classified as "minicomputers" or "mainframes"; see, for example, the references to the IBM System 370 (page 5) and the DEC PDP-11/45 (page 49). There is no reference in D8 to "small footprint" devices such as smart cards or cellular phones.

6.5 The appellant has also argued, and the board agrees, that D8 does not disclose providing a global data structure, wherein each program module of each context is allowed to read data from and write data to the global data structure. The expression "global data structure" in the context of the patent is understood in the light of paragraph [0066], lines 36 to 40, to mean a data structure which can be read and written to from all other contexts. Hence the "grade record" shown in figure 14 of D8 does not fulfill this definition because it can only be accessed by the programs within the protected enclosed subsystem, meaning that it cannot be accessed by those contexts outside the protected enclosed subsystem. As the appellant puts it, the "grade record" is a commonly accessible file rather than a globally accessible file.

6.6 The appellant has also argued, and the board agrees, that D8 does not disclose the global data structure being used to pass references to objects between contexts. In the student grade example discussed in D8, data can be passed via the grade record from the program (P2) used by an assistant entering grades to the program (P1) used by a student reading his/her grades; see page 46, title of figure 14. The board understands the data in question to be the grades themselves, there being no suggestion in the example that the data could be references to objects.

6.7 Hence the subject-matter of claim 1 of the present main request differs from the disclosure of D8 in the following features:

a. The processing machine comprises a virtual machine running on a processor, the separate contexts running on the virtual machine.

b. The device has a small footprint and is a smart card or a cellular telephone.

c. Providing a global data structure, wherein each program module of each context is allowed to read data from and write data to the global data structure, and

d. Wherein said global data structure is used to pass references to objects between contexts.

6.8 The reasons for the appealed decision rely on two arguments: firstly, that D1 taught the skilled person to apply "a virtual machine like JAVA" to D8, and, secondly, that in the context of a smart card at the priority date the running of programs on a virtual machine would have been an "alternative the skilled person would choose from". The board is not convinced by either reasoning, since neither an objective technical problem nor its solution is identified in the appealed decision. The respondent has argued that it would be obvious for the skilled person to apply the teaching of D8 regarding "Care-Taker" programs to the smart cards known inter alia from D1. The board is however not convinced that the skilled person starting from D1 (or D8) would have recognised any technical problem which could have been solved by applying the teaching of D8 (or D1).

6.9 The board notes that D8 itself discloses the use of virtual machines to implement a multi-user computer (see page 11, 5th paragraph), which the skilled person addressing the problem of implementing the method disclosed on page 45, second paragraph, would have applied as a usual matter of design. Hence difference feature "a", taken alone, does not involve an inventive step.

6.10 As difference feature "b" involves the application of D8 to devices which did not exist when D8 was written, the board is not convinced that an obvious problem or solution exists which could have led the skilled person to implement this difference feature.

6.11 Difference features "c" and "d" relate to a global data structure, which goes against the teaching in D8 of encapsulating programs so that they cannot access data outside their own context.

6.12 Hence the board finds that the subject-matter of claim 1 according to the main request involves an inventive step, Article 56 EPC 1973, in view of D8 alone or D8 combined with D1. The board comes to the same conclusion when also taking into account the disclosure of D10, cited by the respondent as exemplifying common general knowledge. It follows that the subject-matter of claim 8, setting out a computer program product for carrying out the method according to inter alia claim 1, also involves an inventive step, Article 56 EPC 1973.

6.13 It follows that the documents and reasoning given in the appealed decision do not prejudice the maintenance of the patent according to the present main request.

7. Inventive step, Article 56 EPC 1973, starting from D11

7.1 The board finds that D11 forms the closest prior art on file. In view of the above analysis, the subject-matter of claim 1 according to the present main request differs from the disclosure of D11 in that the global data structure is used to pass references to objects between contexts.

7.2 At the oral proceedings the appellant argued that using the global data structure to pass references to objects between contexts allows communication between program modules to occur across the context barrier. The invention lay in realizing that the global data structure, in particular the APDU buffer, known from D11 could not only be used for communication between each applet and the terminal but also to provide, in addition to the shareable interfaces known from D11, a new, second way of allowing inter-applet communication across the context barrier.

7.3 The board finds the appellant's argument convincing. The objective technical problem can be seen as how to implement the method for operating the device known from D11, in itself an obvious problem. The solution according to the invention is to use the global data structure to pass references to objects between contexts. This difference feature is not known from the prior art on file (D3 not being prior art), and the board can see no obvious reason for the person skilled in the field of computing to have modified the method known from D11 in this way.

7.4 Hence the board finds that the subject-matter of claim 1 according to the main request involves an inventive step, Article 56 EPC 1973, in view of D11. It follows that the subject-matter of claim 8, setting out a computer program product for carrying out the method according to inter alia claim 1 also involves an inventive step, Article 56 EPC 1973.

7.5 Thus considerations based on possible obviousness in view of D11 do not prejudice the maintenance of the patent according to the main request either.

Order

For these reasons it is decided that:

1. The decision under appeal is set aside.

2. The case is remitted to the first instance with the order to maintain the patent based on the main request filed during oral proceedings, description pages 1 to 3, 6, 7 and 9 to 37 as granted, description pages 4, 5 and 8 as filed during oral proceedings, and drawings as granted.