Local isolator application with cohesive application-isolation interface

US 10,552,639 B1
Filed: 07/11/2019
Issued: 02/04/2020
Est. Priority Date: 02/04/2019
Status: Active Grant

First Claim

Patent Images

1. A non-transitory computer-readable medium that stores instructions that, when executed by one or more processors, cause the one or more processors to perform actions, the actions comprising:

instantiating an isolator application on a rendering computing device;

providing, from the isolator application instance on the rendering computing device to an execution computing device that is remotely located, separate, and distinct from the rendering computing device, a request to instantiate a remote application in the execution computing device;

obtaining, by the isolator application instance on the rendering computing device and from the remote application instance on the execution computing device, first draw commands and first position information that corresponds to the first draw commands, the first draw commands and the first position information being associated with an output of the remote application instance; and

rendering, by the isolator application instance on the rendering computing device, one or more portions of the output of the remote application instance based on the obtained first draw commands and the obtained first position information, without obtaining on the rendering computing device a web application that enables a web browser to participate in an application-isolation session.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods, systems, and techniques for application isolation by remote-enabling applications are provided. Example embodiments provide an Adaptive Rendering Application Isolation System (“ARAIS”), which transparently and dynamically enables applications to run in an isolated execution environment yet be rendered locally via a local isolator application having one or more cohesive application-isolation interfaces in a manner that facilitates providing the ARAIS indications of user actions that are otherwise lost and executing functions that are otherwise unavailable during fully secure isolation sessions absent one or more cohesive application-isolation interfaces. In one embodiment, the ARAIS includes an orchestrator server which comprises remoting level determination logic and rules engine, pre-computed graphics libraries, connection support logic, data repositories for objects such as a render cache, whitelists, blacklists, client privileges, and application information, and one or more secure containers running remote application instances. These components cooperate with the one or more cohesive application-isolation interfaces of the isolation application to provide isolation sessions with a user experience that is typically available only during non-isolation sessions.

151 Citations

30 Claims

1. A non-transitory computer-readable medium that stores instructions that, when executed by one or more processors, cause the one or more processors to perform actions, the actions comprising:
- instantiating an isolator application on a rendering computing device;
  
  providing, from the isolator application instance on the rendering computing device to an execution computing device that is remotely located, separate, and distinct from the rendering computing device, a request to instantiate a remote application in the execution computing device;
  
  obtaining, by the isolator application instance on the rendering computing device and from the remote application instance on the execution computing device, first draw commands and first position information that corresponds to the first draw commands, the first draw commands and the first position information being associated with an output of the remote application instance; and
  
  rendering, by the isolator application instance on the rendering computing device, one or more portions of the output of the remote application instance based on the obtained first draw commands and the obtained first position information, without obtaining on the rendering computing device a web application that enables a web browser to participate in an application-isolation session.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30)
- - 2. The non-transitory computer-readable medium of claim 1, wherein the rendering comprises rendering, by the isolator application instance on the rendering computing device, one or more portions of the output of the remote application instance based on the obtained first draw commands and the obtained first position information, without obtaining on the rendering computing device a web application that enables a web browser to participate in an application-isolation session and without obtaining bitmap rasterizations of the first draw commands from the execution computing device to render the one or more portions of the output of the remote application instance.
  - 3. The non-transitory computer-readable medium of claim 1, wherein the actions further comprise:
    - detecting, by the isolator application instance on the rendering computing device, an input from a user of the rendering computing device;
      
      providing, from the isolator application instance on the rendering computing device and to the remote application instance on the execution computing device, an indicator of the detected user input, without obtaining on the rendering computing device a web application that causes a web browser to intercept an action detected by an event loop of the web browser and to transmit an indicator of the intercepted action;
      
      obtaining, by the isolator application instance on the rendering computing device and from the remote application instance on the execution computing device, second draw commands and second position information that corresponds to the second draw commands, the second draw commands and the second position information being associated with a modified output of the remote application instance; and
      
      rendering, by the isolator application instance on the rendering computing device, one or more portions of the modified output of the remote application instance based on the obtained second draw commands and the second obtained position information.
  - 4. The non-transitory computer-readable medium of claim 1, wherein the actions further comprise:
    - detecting, by the isolator application instance on the rendering computing device, an input from a user of the rendering computing device;
      
      providing, from the isolator application instance on the rendering computing device and to the remote application instance on the execution computing device, an indicator of the detected user input, without obtaining on the rendering computing device a web application that causes a web browser to intercept an action detected by an event loop of the web browser and to transmit an indicator of the intercepted action;
      
      obtaining, by the isolator application instance on the rendering computing device and from the remote application instance on the execution computing device, a file that provides a visual representation of the one or more portions of the output of the remote application instance; and
      
      causing, by the isolator application instance on the rendering computing device, a printing device that is communicably coupled to the rendering computing device to print the visual representation of the one or more portions of the output of the remote application instance based on the obtained file.
  - 5. The non-transitory computer-readable medium of claim 1, wherein the actions further comprise:
    - detecting, by the isolator application instance on the rendering computing device, an input from a user of the rendering computing device;
      
      providing, from the isolator application instance on the rendering computing device and to the remote application instance on the execution computing device, an indicator of the detected user input, without obtaining on the rendering computing device a web application that causes a web browser to intercept an action detected by an event loop of the web browser and to transmit an indicator of the intercepted action;
      
      obtaining, by the isolator application instance on the rendering computing device and from the remote application instance on the execution computing device, a file that provides a visual representation of the one or more portions of the output of the remote application instance; and
      
      storing, by the isolator application instance on the rendering computing device, the obtained file on another non-transitory computer-readable medium that is communicably coupled to the rendering computing device.
  - 6. The non-transitory computer-readable medium of claim 1, wherein the actions further comprise:
    - detecting, by the isolator application instance on the rendering computing device, an input from a user of the rendering computing device;
      
      providing, from the isolator application instance on the rendering computing device and to the remote application instance on the execution computing device, an indicator of the detected user input, without obtaining on the rendering computing device a web application that causes a web browser to intercept an action detected by an event loop of the web browser and to transmit an indicator of the intercepted action;
      
      obtaining, by the isolator application instance on the rendering computing device and from the remote application instance on the execution computing device, content in the one or more portions of the output of the remote application instance; and
      
      storing, by the isolator application instance on the rendering computing device, the obtained content in a clipboard buffer of the rendering computer device to enable the rendering computer device to paste the stored content in one or more other applications instantiated on the rendering computing device.
  - 7. The non-transitory computer-readable medium of claim 1, wherein the actions further comprise:
    - detecting, by the isolator application instance on the rendering computing device, an input from a user of the rendering computing device, the input including a user selection from a menu provided by the isolator application instance, the menu being visible to and available to the user before providing the request to instantiate the remote application in the execution computing device; and
      
      providing, from the isolator application instance on the rendering computing device and to the remote application instance on the execution computing device, an indicator of the detected user input, without obtaining on the rendering computing device a web application that causes a web browser to intercept an action detected by an event loop of the web browser and to transmit an indicator of the intercepted action.
  - 8. The non-transitory computer-readable medium of claim 1, wherein the isolator application is a ribbon application, and the actions further comprise:
    - detecting, by the isolator application instance on the rendering computing device, an input from a user of the rendering computing device, the input including a user selection from a sub-menu that the isolator application instance provides responsive to user selection of a portion of an application menu of the isolator application instance, one or more of the application menu or the sub-menu being visible to and available to the user before providing the request to instantiate the remote application in the execution computing device; and
      
      providing, from the isolator application instance on the rendering computing device and to the remote application instance on the execution computing device, an indicator of the detected user input, without obtaining on the rendering computing device a web application that causes a web browser to intercept an action detected by an event loop of the web browser and to transmit an indicator of the intercepted action.
  - 9. The non-transitory computer-readable medium of claim 1, wherein the actions further comprise:
    - obtaining, by the isolator application instance on the rendering computing device and from the remote application instance on the execution computing device, an indicator of a media source and second position information associated with media from the media source, the media source being remotely located, separate, and distinct from the rendering computing device and the execution computing device;
      
      obtaining, by the isolator application instance on the rendering computing device, the media from the media source based on the obtained indicator; and
      
      rendering, by the isolator application instance on the rendering computing device, the obtained media at one or more locations over or in the one or more portions of the output of the remote application instance based on the second position information.
  - 10. The non-transitory computer-readable medium of claim 1, wherein the actions further comprise:
    - obtaining, by the isolator application instance on the rendering computing device and from one or more hardware devices that are communicably coupled to the rendering computing device, audio or visual data; and
      
      providing, by the isolator application instance on the rendering computing device and to the remote application instance on the execution computing device, the audio or visual data.
  - 11. The non-transitory computer-readable medium of claim 1, wherein the actions further comprise:
    - providing, from the isolator application instance on the rendering computing device and to the remote application instance on the execution computing device, an indicator of an extension having an instance installed on the isolator application instance to cause the remote application instance to install, instantiate, or configure an instance of the extension on the remote application instance on the execution computing device;
      
      detecting, by the isolator application instance on the rendering computing device, an input from a user of the rendering computing device to the extension instance installed on the isolator application instance;
      
      providing, from the isolator application instance on the rendering computing device and to the remote application instance on the execution computing device, an indicator of the detected user input to the extension instance installed on the isolator application instance to cause the extension instance on the remote application instance on the execution computing device to mirror the extension instance installed on the isolator application instance.
  - 12. The non-transitory computer-readable medium of claim 1, wherein the actions further comprise:
    - forwarding an application programming interface (API) call of an extension on the isolator application to the remote application instance to proxy the API call between the extension and the remote application instance.
  - 13. The non-transitory computer-readable medium of claim 1, wherein the actions further comprise:
    - providing, from the isolator application instance on the rendering computing device and to the remote application instance on the execution computing device, an indicator of an extension that is not installed on the isolator application instance to cause the remote application instance to install, instantiate, or configure an instance of the extension on the remote application instance on the execution computing device;
      
      obtaining, by the isolator application instance on the rendering computing device and from the remote application instance on the execution computing device, second draw commands and second position information that corresponds to the second draw commands, the second draw commands and the second position information being associated with output for the extension instance on the remote application instance on the execution computing device; and
      
      rendering, by the isolator application instance on the rendering computing device, one or more portions of the output for the extension instance on the remote application instance on the execution computing device based on the obtained second draw commands and the obtained second position information, the one or more portions of the output for the extension instance being rendered over at least a portion of a menu bar of the isolator application instance on the rendering computing device, the menu bar being displayed before providing the request to instantiate the remote application in the execution computing device.
  - 14. The non-transitory computer-readable medium of claim 1, wherein the actions further comprise:
    - responsive to determining that an extension on the isolator application relies on one or more aspects of the output of the remote application instance that are presently unavailable local to the rendering computing device, obtaining, by the isolator application instance on the rendering computing device, the one or more aspects from the remote application instance; and
      
      providing, by the isolator application on the rendering computing device, the one or more obtained aspects to the extension to facilitate the extension completing one or more actions.
  - 15. The non-transitory computer-readable medium of claim 1, wherein the actions further comprise:
    - determining, by the isolator application instance on the rendering computing device and before rendering the one or more portions of the output of the remote application instance, one or more fonts or portions of configuration information that the isolator application instance on the rendering computing device will use in rendering the one or more portions of the output of the remote application instance based on a list of fonts or portions of configuration information available to the isolator application; and
      
      providing, from the isolator application instance on the rendering computing device and to the remote application instance on the execution computing device, one or more indicators of the one or more fonts or portions of configuration information to cause the remote application instance on the execution computing device to render the one or more portions of the output of the remote application instance in a same manner as the isolator application instance on the rendering computing device.
  - 16. The non-transitory computer-readable medium of claim 1, wherein the actions further comprise:
    - obtaining, by the isolator application instance on the rendering computing device and from the remote application instance on the execution computing device, a request for data;
      
      displaying, by the isolator application instance on the rendering computing device, a file dialog that enables a user of the rendering computing device to navigate a file manager and to select one or more files based on the request for data;
      
      providing, from the isolator application instance on the rendering computing device and to the remote application instance on the execution computing device, the selected one or more files based on the request for data.
  - 17. The non-transitory computer-readable medium of claim 1, wherein the actions further comprise:
    - obtaining, by the isolator application instance on the rendering computing device and from the remote application instance on the execution computing device, communicative access to one or more debugging endpoints in the remote application instance on the execution computing device; and
      
      displaying, by the isolator application instance on the rendering computing device, debugging information associated with the remote application instance based on connection of a debugging tool of the isolator application instance on the rendering computing device connecting to the one or more accessible debugging endpoints in the remote application instance on the execution computing device.
  - 18. The non-transitory computer-readable medium of claim 1, wherein the actions further comprise:
    - measuring one or more characteristics associated with one or more media streams from one or more other sources to the isolator application;
      
      negotiating, by the isolator application, one or more properties for the one or more media streams based on the one or more measured characteristics; and
      
      streaming, to the isolator application from the one or more other sources, the one or more media streams with the one or more properties.
  - 19. The non-transitory computer-readable medium of claim 1, wherein the actions further comprise:
    - detecting, by the isolator application instance on the rendering computing device, an input from a user of the rendering computing device;
      
      evaluating, by the isolator application instance on the rendering computing device, the user input based on context information available on the rendering computing device;
      
      determining, by the isolator application instance on the rendering computing device, that the user input includes an attempt to provide sensitive information to the remote application instance on the execution computing device based on the evaluation; and
      
      preventing, by the isolator application instance on the rendering computing device, the user input from being provided to the remote application instance on the execution computing device based on the determination.
  - 20. The non-transitory computer-readable medium of claim 1, wherein the actions further comprise:
    - detecting, by the isolator application instance on the rendering computing device, an input from a user of the rendering computing device;
      
      determining, by the isolator application instance on the rendering computing device, that the user input is associated with a domain or host name;
      
      resolving, by the isolator application instance on the rendering computing device, the domain or host name via a hosts file or domain name server (DNS) to obtain an Internet Protocol (IP) address associated with the domain or host name; and
      
      providing, from the isolator application instance on the rendering computing device and to the remote application instance on the execution computing device, an indicator of the obtained IP address.
  - 21. The non-transitory computer-readable medium of claim 1, wherein the actions further comprise:
    - detecting, by the isolator application instance on the rendering computing device, an input to find content in the output of the remote application instance from a user of the rendering computing device;
      
      providing, from the isolator application instance on the rendering computing device and to the remote application instance on the execution computing device, an indicator of the detected user input instruction to find content in the output of the remote application instance, without obtaining on the rendering computing device a web application that causes a web browser to intercept an action detected by an event loop of the web browser and to transmit an indicator of the intercepted action;
      
      obtaining, by the isolator application instance on the rendering computing device and from the remote application instance on the execution computing device, second draw commands and second position information that corresponds to the second draw commands, the second draw commands and the second position information being associated with a modified output of the remote application instance that highlights the content requested to be found; and
      
      rendering, by the isolator application instance on the rendering computing device, one or more portions of the modified output of the remote application instance based on the obtained second draw commands and the second obtained position information.
  - 22. The non-transitory computer-readable medium of claim 1, wherein the actions further comprise:
    - detecting, by the isolator application instance on the rendering computing device, an input instruction to paste content in the output of the remote application instance from a user of the rendering computing device;
      
      providing, from the isolator application instance on the rendering computing device and to the remote application instance on the execution computing device, an indicator of the detected user input instruction to paste content in the output of the remote application instance, without obtaining on the rendering computing device a web application that causes a web browser to intercept an action detected by an event loop of the web browser and to transmit an indicator of the intercepted action;
      
      obtaining, by the isolator application instance on the rendering computing device and from the remote application instance on the execution computing device, second draw commands and second position information that corresponds to the second draw commands, the second draw commands and the second position information being associated with a modified output of the remote application instance based on the detected user input instruction; and
      
      rendering, by the isolator application instance on the rendering computing device, one or more portions of the modified output of the remote application instance based on the obtained second draw commands and the second obtained position information.
  - 23. The non-transitory computer-readable medium of claim 1, wherein the actions further comprise:
    - detecting, by the isolator application instance on the rendering computing device, an input instruction to copy content in the output of the remote application instance from a user of the rendering computing device;
      
      providing, from the isolator application instance on the rendering computing device and to the remote application instance on the execution computing device, an indicator of the detected user input instruction to copy content in the output of the remote application instance, without obtaining on the rendering computing device a web application that causes a web browser to intercept an action detected by an event loop of the web browser and to transmit an indicator of the intercepted action;
      
      obtaining, by the isolator application instance on the rendering computing device and from the remote application instance on the execution computing device, action information that includes or identifies the content; and
      
      providing, by the isolator application instance on the rendering computing device, one or more portions of the content in a clipboard buffer on the rendering computing device based on the action information.
  - 24. The non-transitory computer-readable medium of claim 1, wherein the actions further comprise:
    - detecting, by the isolator application instance on the rendering computing device, an input to print content in the output of the remote application instance from a user of the rendering computing device;
      
      providing, from the isolator application instance on the rendering computing device and to the remote application instance on the execution computing device, an indicator of the detected user input instruction to print content in the output of the remote application instance, without obtaining on the rendering computing device a web application that causes a web browser to intercept an action detected by an event loop of the web browser and to transmit an indicator of the intercepted action;
      
      obtaining, by the isolator application instance on the rendering computing device and from the remote application instance on the execution computing device, action information that includes a file that provides a visual representation of the content in the output of the remote application instance; and
      
      providing, by the isolator application instance on the rendering computing device and to a printing device communicably coupled to the client computing device, the file and an instruction to print the file based on the action information.
  - 25. The non-transitory computer-readable medium of claim 1, wherein the actions further comprise:
    - detecting, by the isolator application instance on the rendering computing device, an input to save content in the output of the remote application instance from a user of the rendering computing device;
      
      providing, from the isolator application instance on the rendering computing device and to the remote application instance on the execution computing device, an indicator of the detected user input instruction to save content in the output of the remote application instance, without obtaining on the rendering computing device a web application that causes a web browser to intercept an action detected by an event loop of the web browser and to transmit an indicator of the intercepted action;
      
      obtaining, by the isolator application instance on the rendering computing device and from the remote application instance on the execution computing device, action information that includes a file that provides a visual representation of the content in the output of the remote application instance; and
      
      providing, by the isolator application instance on the rendering computing device and to a storage device communicably coupled to the client computing device, the file and an instruction to save the file based on the action information.
  - 26. The non-transitory computer-readable medium of claim 1, wherein the actions further comprise:
    - before obtaining the first draw commands and first position information;
      
      obtaining state information associated with a domain of the execution computing device or the remote application instance based on the provided request;
      
      persistently storing in the rendering computing device the obtained state information;
      
      associating in the rendering computing device the persistently stored state information with an external domain; and
      
      providing the persistently stored state information and an identifier of the associated external domain to the execution computing device with a request for the remote application instance to load content from the external domain.
  - 27. The non-transitory computer-readable medium of claim 26, wherein the state information includes an authentication cookie.
  - 28. The non-transitory computer-readable medium of claim 26, wherein the actions further comprise:
    - displaying an address bar that includes the identifier of the associated external domain without including the domain of the execution computing device or the remote application instance, without receiving a rewrite or redirect instruction.
  - 29. The non-transitory computer-readable medium of claim 26, wherein the actions further comprise:
    - displaying an address bar that includes the identifier of the associated external domain without including the domain of the execution computing device or the remote application instance throughout an entirety of obtaining the state information, persistently storing the obtained state information, associating the persistently stored state information with the external domain, and providing the persistently stored state information and the identifier with the request.
  - 30. The non-transitory computer-readable medium of claim 26, wherein the actions further comprise:
    - displaying an address bar that includes the identifier of the associated external domain without including the domain of the execution computing device or the remote application instance throughout an entirety of obtaining the state information, persistently storing the obtained state information, associating the persistently stored state information with the external domain, and providing the persistently stored state information and the identifier with the request, without receiving a rewrite or redirect instruction.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CloudFlare Incorporated
Original Assignee
S2 Systems Corporation (CloudFlare Incorporated)
Inventors
Buzbee, Benjamin, Koenig, Killian, Sundberg, Trevor, Conrad, Michael, Remington, Darren, Harnett, David
Primary Examiner(s)
Schwartz, Darren B

Application Number

US16/509,278
Time in Patent Office

208 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/6245   Protecting personal data, e...

G06F 21/6281   at program execution time, ...

G06F 21/629   to features or functions of...

G06F 21/71   to assure secure computing ...

G06F 21/84   output devices, e.g. displa...

Local isolator application with cohesive application-isolation interface

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

151 Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

Local isolator application with cohesive application-isolation interface

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

151 Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links