This application is entitled to the filing date 14 Apr. 2000 of provisional application 60/197,125.
Manufacturers and operators of networked devices need a comprehensive solution for automatically upgrading the devices, particularly those that are remotely located. These upgrades can provide the deployed devices with new features, reliability enhancements, performance improvements, updated applications, updated application data, security patches, and bug fixes. The present invention removes the end-customer burden of manually upgrading remote devices and reduces the manufacturer's expenditures for costly support visits and product recalls. This invention provides manufacturers of deployed devices with a powerful competitive advantage by reducing their support costs and addressing their customers' increasing expectations for reliability, easier manageability and reduced cost of ownership. The invention consists of three parts, a development environment used to configure a device specific agent embedded in the target device, a server computer to create and publish upgrades, and the specific agent software itself.
Since the present invention incorporates a device-initiated approach to upgrades, the many disadvantages of server-initiated upgrades are obviated.
These present invention allows the server to be stateless. Stateless servers don't need to keep a record of previous interactions with the deployed devices. Therefore the server need not detect and track which device was upgraded and when said device was upgraded. This also means that since the device does the requesting that there is no problem with network firewalls that keep out unwanted or undocumented communication. If an upgrade is interrupted the deployed device just makes the upgrade request again and continues where it left off when the interruption occurred. To make an upgrade available for a set of target devices, the manufacturer of the device creates an upgrade module. An upgrade module consists of the upgrade image and the security keys used for authentication and data verification. The upgrade module also contains the policies that the manufacturer defines to govern the distribution of the upgrade. We use the term manufacturer throughout this disclosure to mean anyone desiring to make deployed devices that can be upgraded remotely. Upgrade policies control which devices are authorized to receive upgrades. These policies can be based on specific criteria such as host name, schedule, or desired pace of the rollout. For example, these policies could be used in conjunction with the manufacturer's support policy to provide upgrades only to those end customers that desire them.
The upgrade process is secure, reliable, and restartable. It leverages industry-standard TCP/IP and HTTP protocols. The device initiates a request to the upgrade server using a specially designated URL, port and security keys that have been previously programmed into the deployed device. The server processes the request by verifying the security key, matching the request with the available upgrade modules residing on the server, and validating the request with the policies defined for that upgrade module. If the request is validated, the server notifies the device that a valid upgrade is available. The device then initiates the download, verifies the integrity of the image, and authenticates the source using the National Institute of Standard and Technology (NIST) Digital Signature Standard (DSS). After a successful download, the device applies the upgrade, as appropriate, using a device specific mechanism defined by the JavaScript (a trademark of Sun Microsystems) or executable process, and sends an acknowledgement to the server.
The process to create and package the agent software starts with creating the security keys. These keys will be transferred to the server and used in the process of publishing an upgrade. The agent itself is then created and deployed into the device. The agent includes the upgrade components, the public key, configuration informatioh and optional embedded JavaScript files.
The upgrade component represents an upgradeable entity on the target device, for example, a printer driver, and defines the upgrade configuration for that entity. The agent is included into every deployed device and enables the device to automatically find and download new upgrades. Moving these files to the target device using standard file transfer procedures deploys the files that make up the agent. Executing the files or binaries in any way the operating system provides completes the deployment. The execution of these files normally occurs during device boot-up but could also be deployed by a scheduler or via manual request. The upgrade module that is made available to the device using the embedded agent is then created. The module is then published on the server. Upon request from the deployed device the server then transfers the upgrade to the device. The embedded device agent then applies the upgrade.
The server used for the upgrades is similar to a Web server and is deployed in the same manner. The server receives HTTP-based upgrade requests from the deployed devices and is made accessible to those devices by a TCP/IP network. The connection can be made over the Internet, the intranet, a VPN (Virtual Private Network), or through a dialup connection.
Using a embedded subset of JavaScript in the deployed device allows the file size to be minimized. The capabilities of the embedded JavaScript used include arithmetic operators, logical operators, global functions, local and global variables and the “if”, “else”, “for” and “return” keywords. The embedded JavaScript functions not supported are floating point numbers, arrays, objects and function declarations. The embedded JavaScript subset provides typical scripting functionality as well as a mechanism for binding embedded JavaScript function calls to computationally intensive C functions. As with any scripting language, one of the primary advantages is the quick and easy development, cycle-compiling and linking is not necessary. Disadvantages include the lack of privacy, since scripts are deployed in source form, and slower performance than compiled code, although recent developments have made the code run faster. The embedded JavaScript subset used has its global variables active for the life of the agent running. Therefore it exists beyond the life of the script. An application written in “C” can declare and set these variables. The variables are then accessible by any script evaluated by the engine. This allows data to be passed from one script to another. The embedded JavaScript subset can declare “C” functions, these functions may then be used by any embedded JavaScript subset that may be interpreted by the engine. This violates the normal security associated with the JavaScript language, but it does allow the application running on the deployed device to define and execute any action with all the benefits of compiled “C”. This binding mechanism also allows the application to extend functions such as “loadModule”. Many of these functions are overloaded to provide different execution based on the number of parameters passed. Since the embedded JavaScript subset used is a non-typed language, the number of parameters is the sole criteria for determining which behavior to take. To implement the upgrade process a number of functions have been added to the JavaScript interpreter included with the upgrade agent. These functions can be used with any JavaScript file used by the upgrade agent or server. All JavaScript variables are stored as strings. Therefore, these functions all return a string value to the script. The “C” function employed can be invoked by the JavaScript subset or by executed processes. These functions enable developers to increase the configurability and functionality of the upgrade agent. The JavaScript subset can load and call “C” functions by using the callFunction JavaScript API or by binding the function to a new JavaScript API using addJsFunc as is later described. Many of the following functions are standard system APIs preceded by the character “g”. Generally, if the in-memory file system feature of the upgrade agent is not being used, then these APIs are converted to standard system calls. If the in-memory file system is used, they are converted to an in-memory equivalent function where the “g” is replaced with an “im” and the first letter of the standard name is capitalized.