An introduction to the URL programming interface

Create ubiquitous controlled access to devices using UPI

Developing consistent, reliable Web applications that interface to different devices -- such as home networks, home automation systems, or realtime telemetry devices -- can be vastly simplified by treating devices as URLs. The URL programming interface (UPI) effectively provides a set of URLs for a device that are available to any user capable of speaking HTTP. HTTP has become so universal that, in college computer courses, students are often given as an assignment the creation of an HTTP stack. This trend is due to the growing interest in connecting devices to the Internet. Sun Microsystems Laboratories has used the Java language to develop a technology that allows users to deploy very small HTTP stacks, with a core of less than 100 KB. These small servers can be embedded in devices or used as application servers that are similar to traditional Web servers. Such minimal servers can be used to provide an integrated presentation and service layer for a device. Because such a server is a Web server that answers URL requests, the device becomes universally accessible from any Internet node.

Several prototypes have been built for smart cards, realtime weather stations, and home automation. This article demonstrates how HTTP stacks can be used to deploy interfaces to devices, creating an extranet that contains those devices. The technology discussed in this article was developed at Sun Labs, which has built several prototypes that provide authenticated access to any device on the Internet capable of supporting Java directly or via a proxy.

The UPI was developed by Sun Labs in response to customer desires to deploy Java Card smart cards to large user populations on disparate targets. While developing a solution for such large scale deployment of smart cards, it was found that the same technology could be used for interfacing a multitude of devices, such as weather stations, home automation systems, devices in factories, and equipment in stores. One of the most useful benefits of this architecture is that the different components can easily be used with each other. For example, you can easily use a smart card to authenticate access to your home by having it interact with your home network and/or environmental systems.

Supporting devices in Web applications will add new utility to the Internet, if the technology is implemented securely. Java technology is perfect for this type of application due to its small size and security model. How do you access a device remotely using your Web browser in a secure manner, without allowing other users to do the same unless they are also authorized? As Internet aware devices (IADs) become widespread, protecting the data they contain becomes crucial. To date, many security systems on the Internet are immature, with the use of passwords and PINs nominally required but easily circumvented. In this article, we will describe how the UPI security services provide an easy way to build an authentication access solution that does not rely on this inadequate password-based security.

While some devices have already become widely available on the Internet, the approach described here is more of a style than an API. Let's start with some specific situations in which this technology would be appropriate.

Home network

Earlier we mentioned the growing number of users that have digital bits spread out over two locations, the office and the home. The home network provides access to shared peripherals, computers, and other devices, like entertainment and environmental systems. Remote access to this network is valuable to users that are away from their homes just as it is to those that are away from their offices. Many homes have important corporate data in them in addition to personal data, and we should not rely on traditional access architectures for the sort of security features required. The UPI architecture can be used to build a controlled access environment that provides tailored custom services presented on Web pages; this is an alternative to teaching all potential users of such a system how to use FTP and telnet, and then ensuring that secure versions of these services are available everywhere. UPI makes possible a more pragmatic approach -- putting up services on Web pages and providing these services only after users have given the appropriate cryptographic credentials.

Home automation

Home automation has been identified as a growth area by many companies, which are currently developing products that let consumers better utilize the equipment in their homes. As the home network becomes common and is used for creating and storing important files, users will need to access it from the office or other remote locations. The UPI architecture provides an easy framework for building secure remote access from a Web browser and easily supports authentication, which is crucial when making your home systems accessible via the Internet. In this article we will discuss the application of the Web paradigm to the home automation market, an arena currently composed of hundreds of products with proprietary interfaces, all of which are totally insecure and not Web-enabled. What if we could bring order to this mish-mash so that every device in your home had a URL with some amount of functionality behind it? Better yet, what if you could script applications using HTML that allowed you to do important things, like shut down lights, without running around to every room?

Process control

The process control industry, which, broadly speaking, focuses on the construction of plants that in turn make things like cereal, cars, paper, and so on, can save millions of dollars by replacing its custom protocols with Web-enabled devices. Virtually every plant in the world has its own set of unique protocols for communicating with devices, which adds to cost and complexity. Dallas Semiconductor has developed a product that implements a small TCP/IP stack with Web application support on a very small, low-cost board (see Resources for more information). Some of this technology will be presented in greater detail this coming November at IEEECON. If I were designing a new factory, I would use a Web-based architecture that requires that all devices communicate via Jini or HTTP protocols on the main interconnection network, and support all of the legacy devices with proxy services that convert the specific device protocols into a URL protocol. The only architecture that fits this description is UPI. For example, to read conveyor belt status you might see something like this:

http://papercompany.plant5.building6.flr3.conveyor1/Status.html

Once you've read the status, you could use the following URL to change a conveyor belt's realtime routing:

http://papercompany.plant5.building6.flr3.conveyor1/Route?close=down&ope

Building such a system with Java will produce a software system that is more secure and easier to maintain than current approaches. If you instead chose to use typical current technologies, you would encounter a host of difficulties, including:

  • Custom protocols
  • Languages that have potential security flaws, such as direct access to the stack, private members using pointers, or no type safety
  • Out-of-band facility for updating code
  • No direct platform support for the Web and URL

The above problems have arisen in my real-life experiences developing just the sort of system under consideration. My goal was to allow remote corporate locations to participate more in the day-to-day operation of a plant. I spent several years creating applications for the pulp and paper industry, and in this particular project we developed a packet-switched network that cost several million dollars. It let users view the status of the paper winders and calendering machines in plants distributed throughout the world. Winders roll up the paper, and calenders make the paper surface glossy. Today, I could base a solution to this problem on UPI and a low-cost, off-the-shelf, single-board computer that runs Java or Embedded Java; forty such boards would have been all that was necessary, and this would cost less than 0,000 -- significantly less than the old multimillion-dollar solution. We will discuss this in more detail later.

One of the challenges and areas requiring further interface is the lack of state on the Web. For example, it is not acceptable to have to reload a Web page in order to get accurate up-to-date data on it. Java solves this problem quite easily by allowing Web applications to have state.

Remote corporate locations

Corporations possess widely distributed enterprises and could benefit from being able to offer services -- energy control, maintenance, and alarm services, for example -- to remote locations. Integrating these services will reduce costs significantly. In 1979, while working for GTE, I installed the first networked electronic cash registers for McDonald's. These registers would call up corporate headquarters and report on daily transactions, and this information was used to schedule the shipping of product. Today, you can easily install a network in a store and query the store's various devices, including fryers, filters, thermostats, alarm and fire control systems, and so on. Corporations can reduce costs by centralizing administration. As with home automation, security is extremely important to remote corporate applications. If you have a thousand stores on the Internet, how do you control access easily?

UPI Interface to devices

Sun Labs has developed three prototypes that demonstrate how the UPI can be used to support the following specific devices. With a little imagination, this implementation can be abstracted to conveyor belts, sensors, and so on.

  • Smart card/Java Card technology: Java Card technology provides the cornerstone for building secure Web-enabled applications that can provide security while relying on a little more than a password. Java Card also provides a secure storage location for confidential profiling data. See the Resources section for a list of articles on Java Card technology.
  • The X10 home automation device: X10 is an ancient protocol for controlling devices over the Web using the power line network. There have been many new efforts in the area of home automation; however the most widely deployed technology is still the venerable X10. You can buy various devices that support the X10 protocol, which are then controllable from a computer or controller. Some X10 devices include modules that turn lights and appliances on and off. Sun Labs has used the UPI to put an X10-enabled house on the Internet with secure access using Java Card.
  • Weather stations: A weather station is primarily a read-only device, in that you read the temperature, wind speed and direction, barometric pressure, rainfall, and so on. There are some parameters you might want to set, like calibration of the weather vane or altitude above sea level. Think of this device as representing a broad range of devices that provide information.

The solution

This article will demonstrate how, from anywhere on the Internet, you can access your home, office, and/or factory -- or give others the privilege of accessing the same -- through an authentication process. Once you are authenticated, you are presented with a Web interface to the device. Many products out there in the Windows world do this kind of thing, but they do it using different languages and interfaces, resulting in expensive, complicated products and a security architecture that can be hard to understand. This article describes a solution in which the UPI is used to provide authentication, device control, and realtime telemetry.

Let's look at how the UPI solves the problem of interfacing to Java Card-compliant smart cards first, since these cards will be the cornerstone of our authentication system. As time goes on, security schemes that only require a PIN will probably lose out to architectures that implement security schemes based on both something you physically possess -- a Java Card -- and something you know -- a PIN. Please note that in discussing the UPI for Java Card technology, we will discuss some aspects that go far beyond our needs for the remote access requirements mentioned above. The Java Card UPI interface on its own will get a future article providing more detail on how the UPI can be used to deploy Java Card applications with several million users.

Architecture overview

The home, factory, store, or other location must protect itself (in a strange way) from malicious and unauthorized users. This section will look at our three domain-specific examples: applications requiring authentication, control of X10 devices, and access to a weather station. As mentioned earlier, authentication and controlled access is key to this type of architecture. The UPI technology does this by providing an HTTP stack that decodes all URLs from a client and determines if the client is authorized to access this URL. Once the user supplies the proper cryptographic credentials, he or she is granted access. At that point, the user can issue commands to the specific device via the proxy. Examples of the sorts of commands sent follow:
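
The URL check described above, applied to the conveyor URLs from the process control section, as an added Java example that is not Sun Labs' UPI code: each request URL is decoded, matched against an explicit rule table, and refused unless a rule grants it, and only then is the device proxy called. The class, the rule table, the role names (viewer, operator), the DeviceProxy interface and the close=down query are assumptions made for illustration; verification of the user's cryptographic credentials is assumed to have happened before the roles are passed in.

```java
import java.net.URI;
import java.util.*;

// Added example (Java 16+), not Sun Labs' UPI code: deny-by-default URL authorization.
public class UpiGateExample {
    // Hypothetical proxy that turns a URL request into the device's native protocol.
    interface DeviceProxy { String handle(String path, String query); }
    // One rule: a role that may reach one exact path on one device host.
    record Rule(String host, String path, String role) {}

    private final List<Rule> rules = new ArrayList<>();
    private final Map<String, DeviceProxy> devices = new HashMap<>();

    void allow(String host, String path, String role) { rules.add(new Rule(host, path, role)); }
    void attach(String host, DeviceProxy proxy) { devices.put(host, proxy); }

    // Decode the URL, check it against the rule table, and only then touch the device.
    String request(String url, Set<String> verifiedRoles) {
        URI uri;
        try { uri = URI.create(url).normalize(); }   // collapses "." and ".." segments
        catch (IllegalArgumentException e) { return "400 Bad Request"; }
        String host = uri.getHost(), path = uri.getPath();   // getPath() is percent-decoded
        if (host == null || path == null || path.contains("..")) return "400 Bad Request";
        host = host.toLowerCase(Locale.ROOT);
        DeviceProxy proxy = devices.get(host);
        if (proxy == null) return "404 Not Found";
        for (Rule r : rules)
            if (r.host().equals(host) && r.path().equals(path) && verifiedRoles.contains(r.role()))
                return "200 " + proxy.handle(path, uri.getQuery());
        return "403 Forbidden";   // no matching rule: deny by default
    }

    public static void main(String[] args) {
        String host = "papercompany.plant5.building6.flr3.conveyor1";   // host from the article's URLs
        UpiGateExample gate = new UpiGateExample();
        gate.attach(host, (path, query) -> "conveyor1 " + path + (query == null ? "" : "?" + query));
        gate.allow(host, "/Status.html", "viewer");
        gate.allow(host, "/Status.html", "operator");
        gate.allow(host, "/Route", "operator");
        // Roles are assumed to have been proven by the credential check before this point.
        Set<String> viewer = Set.of("viewer"), operator = Set.of("operator");
        String base = "http://" + host;
        System.out.println(gate.request(base + "/Status.html", viewer));          // viewer reads status
        System.out.println(gate.request(base + "/Route?close=down", viewer));     // viewer tries to reroute
        System.out.println(gate.request(base + "/Route?close=down", operator));   // operator reroutes
        System.out.println(gate.request(base + "/x/%2e%2e/Route", operator));     // encoded dot segments
        System.out.println(gate.request(base + "/Unknown", operator));            // path with no rule
    }
}
```

Rules match exact decoded paths rather than prefixes, so a state-changing URL such as /Route is never reachable through a rule written for a read-only page.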
