YNQ : a Portable SMB Solution for Embedded Systems

YNQ™: A Portable SMB Solution for Embedded Systems

A Visuality Systems Whitepaper

Table of Contents

Embedded Market Overview 3

Challenges 4

The Solution 5

Customer Case Studies 6

YNQ™ Architecture 8

Using YNQ™ 10

Functionality 11

Compliance and Connectivity 122

Summary 133

Embedded Market Overview

The world of embedded systems is large and diverse. The worldwide embedded market by most estimates is valued at $140 billion, and is growing at rates between 5% and 8% annually.

Embedded software is a critical component of an overarching embedded system architecture for devices, which run on a low footprint, and low RAM, RTOS, etc. From home appliances to on-board aircraft networks, robotics to medical equipment, automotive to smart watches, ATMs to printers, there are many types of embedded software applications running on different hardware, each with its own size, shape and custom requirements.

There is something, however, that unites most of them, and that is the need for network connectivity. This is because, nowadays, devices are not isolated anymore. For instance, they may need to save their jobs on a remote server or may want to expose their files to the outer world.

Figure 1: YNQ™ possible connectivity

Remote file access and print services are two common embedded software firmware requirements. Some use cases of these are as follows:

 MFPs (multifunctional printers) save scan jobs over the network  Routers share flash drives to the network  Robots read jobs from a network server  Medical equipment writes test results to the hospital server  Aircraft console clients retrieve maps from the on-board map server

Since a large percentage of devices are communicating with back-end Windows systems, the Server Message Block or SMB protocol, the default standard in Microsoft-based systems, is typically used for this remote connectivity. SMB has been widely adopted in heterogeneous environments involving Linux, MacOS, UNIX, different RTOSes, iOS, Android and other environments.

Challenges Lack of a portable and standard embedded system SMB solution Embedded systems typically lack a native SMB solution. Linux and UNIX can use the open source Samba solution, but it is limited due to its support model, large footprint and restrictive licensing requirements. RTOS platforms do not include the SMB protocol solution. Figure 2: Challenges

Limited resources Embedded systems are facing the same challenges as computers, one example being the latest security threats. Contrary to computers, however, embedded systems are much more limited in resources.

Consider the following scenarios:  Devices are still using old, unsecured SMB1, exposing files externally  Vendors cannot adhere to Samba licensing changes  The solution’s high footprint narrows the market to only high-end devices  The firmware is not truly portable, thus limiting customers to more expensive or less efficient environments  Existing file transfer solutions must read/write entire files, thus limiting performance

The overall embedded market therefore requires a comprehensive, secure, standards based SMB Server and Client solutions with favorable licensing that is easy to implement, reliable, and carries a low resource footprint and low RAM usage.

The Solution Why SMB? The SMB protocol, formally referred to as CIFS, is a file and printer sharing protocol, which serves as the basis for Microsoft's Distributed File System implementation. Contrary to FTP and HTTP, the SMB protocol allows not only copying an entire file, but also grants access to files over the network. File editing, for example, can be executed over SMB without a change in its location. The latest dialect - SMB 3.1.1 - enjoys the highest levels of built-in security, including pre-authentication and encryption for all file operations.

While desktop computers and servers such as Windows and Macintosh natively benefit from SMB connectivity, the situation in the embedded world is more complicated. A device may be developed on top Linux/Unix or an RTOS that lacks an SMB solution such as VxWorks, ThreadX, Integrity, Itron, or any other of a great variety of RTOS or operating systems such as iOS, Windows CE, etc.

Visuality Systems YNQ™: Comprehensive SMB Client and Server YNQ™ is a portable SMB Server and Client solutions that can be used with any environment operating system (OS), device, CPU or compiler. It enables devices to connect with a network through SMB. Being a highly portable library, YNQ™ can be integrated into virtually any hardware or software platform and fully complies with Microsoft SMB/SMB2/SMB3 specifications. YNQ™ stays current with the latest releases of the SMB protocol, including critical, built-in connectivity and file encryption standards that protect your environment from security intrusions and other malicious activity.

YNQ™ is the flagship product of Visuality Systems Ltd. At its launch in 1999, it was called CIFS NQ™ and was subsequently renamed to NQE™ in 2014. YNQ™ is the new generation of the NQ product family, released in 2019 and was developed under the Agile methodology.

YNQ™ has 3 levels of modularity (Figure 6):

 High: API/Protocol level – APIs (NQ), server, client, NetBIOS  Medium: Service level – Authentication, common, network  Low: OS level – System, user defined, driver

Each level utilizes the level below. The API level utilizes both the Service level and OS levels, whilst the Service level utilizes the OS level. The High level is named Frontend, and the Low level is named Backend.

The YNQ™ modern software structure allows the Visuality Systems customer to know which module the fix/patch/update is related to at any given time.

By knowing which modules the changes have been carried out on integration and testing time is naturally decrease as the focus required is for the specific modules.

This utilization allows to separate the YNQ™ implementation into four separate products:

 Standalone Client – full SMB client functionality  Corporate Client – full SMB client functionality with the ability to register the machine to the corporate Active Directory  Standalone Server – full SMB server functionality  Corporate Server – full SMB server functionality with the ability to register the server to the corporate Active Directory and has the pass=through authentication ability.

Customer Case Studies

Scan to Folder The YNQ™ Client is today a de facto SMB solution for MFPs (Multi-Functional Printers). It is running in numerous models of MFPs, granting to end users a seamless and secure way of saving scanned documents.

YNQ™, when built into an MFP, connects it to the network, so that the printer can save scan jobs directly to a network folder. The entire transaction happens completely from the MFP, thus eliminating hopping between the MFP and a PC, for e.g., between campuses. The Visuality Systems’ SMB functionality grants the scanner the ability to browse the network, locate available computers or servers, view shared folders and deliver documents to the accessible destinations in a desired format, quickly, reliably, conveniently and securely.

Since the YNQ™ Client fully supports SMB3, scan jobs are securely transferred under end-to-end encryption.

Figure 3: Scan to folder

Automotive Manufacturing Floor A high-end European automotive manufacturer embeds Visuality Systems’ YNQ™ in their custom factory test “data acquisition” system to record and distribute extensive equipment environment data for each test run.

The configuration data to drive all tests is updated by an automated controller system with YNQ™ over SMB protocol. The recorded data for each test run is then transferred using SMB to be loaded into a massive data warehouse for ad-hoc analysis. Figure 4: Auto manufacturing automation

Adopting YNQ™ with the SMB3’s encryption guarantees all data in transit is secured and helps close remaining critical security holes. They have found SMB connectivity to be faster, more consistent and more reliable than FTP.

On Board Navigation Embedded Systems A defense customer embeds Visuality Systems YNQ™ client and server into their real-time, onboard navigation system to speed up file processing and save precious time that can help save lives in critical situations.

Audio and GEO map files, which are updated frequently, can also be accessed directly using the SMB protocol. This provides a much faster end- to-end solution than one based on FTP, which requires a full file download to the cockpit client navigation system. Figure 5: Aircraft use case

YNQ™ Architecture

YNQ™ is a pure C, highly portable library which can be integrated into virtually any platform. It is important to distinguish between two levels of YNQ™ adaptation - Porting and Integration.

Porting The Porting process occurs when YNQ™ is about to be used on yet another platform, be it an Operating System (OS), another CPU or any other system. Porting YNQ™ involves implementing its low layer by means of the most common platform services. This process is seamless and requires minimum efforts.

Integration For selected platforms (Linux/UNIX, VxWorks, Nucleus, iOS and Windows), off-the- shelf solutions are available. Integration occurs when YNQ™ is incorporated into a new solution on a platform for which Porting has being already done. In most cases, this does not require any significant efforts besides fine tuning of a couple of parameters.

The model for using YNQ™ is illustrated in Figure 6. The components shown in blue are fully portable, while those in green may be modified during either Porting or Integration. The YNQ™ Level 1 here is the central component of the entire architecture. It is responsible for the SMB Server and SMB Client functionality. The Level 3 (Environment abstraction component) maps an abstract system API on the exact operating system calls. There is a distinction between Project-Dependent or User-Defined (UD) and System- Dependent (SY) layers. With reference to the difference between Porting and Integration, SY corresponds to Porting, while UD corresponds to Integration.

Figure 6: YNQ™ Architecture Layers

From a functional perspective, YNQ™ may be seen as an SMB Server, SMB Client and NetBIOS Daemon (see Figure 7). Since the SMB Server is an application, using it is seamless and requires minimum efforts, only for fine tuning. The SMB Client is a software library available through its API. To benefit from the SMB Client, a YNQ™ customer should develop an application (or a set of applications). The SMB Corporate Server also uses SMB Client to achieve Domain Authentication (also called Active Directory Authentication). Another component (not shown in Figure 7) is the File System (FS) Driver. This feature is system dependent, and the Driver is currently available on VxWorks and Linux/UNIX (through FUSE). The Driver option allows developing client applications on top of the native API instead of Client API. The NetBIOS Daemon component is shared between the Server and Client to provide NetBIOS services, mostly name resolution. Figure 7: YNQ™ Components

The YNQ™ architecture was designed for the embedded world archetype, for which the following techniques can be used:

• Pre-allocated memory: YNQ™ uses fixed-size tables, which are either allocated statically or pre-allocated on startup. Though it applies some restrictions in terms of maximum connections, open files, etc., it perfectly fits the main constants of an embedded system. • Multi-threading: This technique applies to the SMB Client, which complies with a fully thread-safe library. SMB Server of YNQ™ is single-threaded, which guarantees the most stable and reliable behavior. • Zero-copy: YNQ™ avoids copying payload of read and write operations.

Using YNQ™

The existence of two major components may confuse a user not familiar with the SMB protocol. The following use cases will thus aid in selecting the right component:

• Scan to folder: An MFP (multi-functional printer) transfers a scan result onto a PC on the corporate network. This is a client case. The MFP must run an application on top of NQ Client API to achieve this functionality.

• Home NAS: A SOHO router with USB slots allows plugging a flash drive, converting the router into a SOHO NAS. This case assumes a server.

In a client case, the YNQ™ user can choose between either an NQ Client API or an FS Driver (available on selected platforms). The table in Figure 8 compares the two methods of using the SMB Client.

NQ Client API FS Driver

Performance Best Significantly less

Development efforts Significant Low

Compliance to “native” None Almost full API (for e.g., POSIX)

ccAddMount(…); mount(…); ccCreateFile(…); fopen(…); Examples: ccWriteFile(…); fwrite(…); ccCloseHandle(…); fclose(…);

Figure 8: YNQ™ Client Methods

Functionality

YNQ™ SMB Server features

• SMB dialect support from NTLM0.12 (SMB1) to SMB 3.1.1 • Various methods of authentication: • Active Directory integration (or Domain Authentication) (Corporate) • Local users • From LM to NTLMV2, either “naked” or wrapped into SPNEGO • Kerberos • Message signing • SMB encryption • Optional ACL integration • DNS, LLMNR and NetBIOS • DCERPC over SMB: • Basic – SRVSVC, WKSSVS, WINREG and more • Authentication – SAMR, NetLogon and LSA • Printing – SPOOLSS • IPv4 and IPv6 support

YNQ™ SMB Client features

• SMB dialect support from NTLM0.12 (SMB1) to SMB 3.1.1 • Reach set of calls: • Full set of file data operations • Full set of file meta-data calls • Network discovery calls • Run-time fine-tuning • Asynchronous reads and writes (optional) • Host resolution through DNS, LLMNR and NetBIOS • Multi-threading • Various methods of authentication: • From LM to NTLMV2, either “naked” or wrapped into SPNEGO • Message signing • SMB encryption • Durability • DCERPC over SMB: • Basic - SRVSVC, WKSSVS and more • Authentication – SAMR, NetLogon and LSA (Corporate) • LDAP • IPv4 and IPv6 support

Compliance and Connectivity

YNQ™ fully complies with Microsoft SMB/SMB2/SMB3 specifications. YNQ™ supports all SMB dialects, from NTLM 0.12 to 3.1.1. This grants connectivity from all client versions of Microsoft, Apple Macintosh and Samba.

Figure 9: YNQ™ Connectivity

The table in Figure 9 demonstrates connectivity between the most common SMB implementations. In all cases, YNQ™ negotiates the latest SMB dialect.

Summary

Current embedded systems may still lack an optimized SMB solution. These could be an RTOS with no available SMB solution, or an embedded version of Linux/UNIX that refrains from utilizing open source Samba due to its support pattern, large footprint or licensing. The embedded market therefore needs an SMB solution which is reliable, effective, portable (to any RTOS), and which carries lower resource consumption.

With over 20 years of experience in the SMB/CIFS market, Visuality Systems offers its Embedded SMB solution, YNQ™, which is portable and can be integrated into any environment, thus bringing SMB/SMB2/SMB3 client and server capabilities to any embedded device under a commercial license.

YNQ™ version 1.2.0 is now available for integration as a source code.