Upload
others
View
0
Download
0
Embed Size (px)
Citation preview
YNQ™ Whitepaper © 2019 Visuality Systems Ltd 1
YNQ™: A Portable SMB Solution for
Embedded Systems
A Visuality Systems Whitepaper
YNQ™ Whitepaper © 2019 Visuality Systems Ltd 2
Table of Contents
Embedded Market Overview 3
Challenges 4
The Solution 5
Customer Case Studies 6
YNQ™ Architecture 8
Using YNQ™ 10
Functionality 11
Compliance and Connectivity 122
Summary 133
YNQ™ Whitepaper © 2019 Visuality Systems Ltd 3
Embedded Market Overview
The world of embedded systems is large and diverse. The worldwide embedded market
by most estimates is valued at $140 billion, and is growing at rates between 5% and 8%
annually.
Embedded software is a critical component of an overarching embedded system
architecture for devices, which run on a low footprint, and low RAM, RTOS, etc. From
home appliances to on-board aircraft networks, robotics to medical equipment,
automotive to smart watches, ATMs to printers, there are many types of embedded
software applications running on different hardware, each with its own size, shape and
custom requirements.
There is something, however, that unites most of them, and that is the need for network
connectivity. This is because, nowadays, devices are not isolated anymore. For instance,
they may need to save their jobs on a remote server or may want to expose their files to
the outer world.
Figure 1: YNQ™ possible connectivity
YNQ™ Whitepaper © 2019 Visuality Systems Ltd 4
Remote file access and print services are two common embedded software firmware
requirements. Some use cases of these are as follows:
MFPs (multifunctional printers) save scan jobs over the network
Routers share flash drives to the network
Robots read jobs from a network server
Medical equipment writes test results to the hospital server
Aircraft console clients retrieve maps from the on-board map server
Since a large percentage of devices are communicating with back-end Windows systems,
the Server Message Block or SMB protocol, the default standard in Microsoft-based
systems, is typically used for this remote connectivity. SMB has been widely adopted in
heterogeneous environments involving Linux, MacOS, UNIX, different RTOSes, iOS,
Android and other environments.
Challenges
Lack of a portable and standard embedded system SMB
solution
Embedded systems typically lack a native SMB solution.
Linux and UNIX can use the open source Samba solution,
but it is limited due to its support model, large footprint and
restrictive licensing requirements. RTOS platforms do not
include the SMB protocol solution.
Figure 2: Challenges
Limited resources
Embedded systems are facing the same challenges as computers, one example being the
latest security threats. Contrary to computers, however, embedded systems are much
more limited in resources.
Consider the following scenarios:
Devices are still using old, unsecured SMB1, exposing files externally
Vendors cannot adhere to Samba licensing changes
The solution’s high footprint narrows the market to only high-end devices
The firmware is not truly portable, thus limiting customers to more expensive
or less efficient environments
Existing file transfer solutions must read/write entire files, thus limiting
performance
The overall embedded market therefore requires a comprehensive, secure, standards
based SMB Server and Client solutions with favorable licensing that is easy to
implement, reliable, and carries a low resource footprint and low RAM usage.
YNQ™ Whitepaper © 2019 Visuality Systems Ltd 5
The Solution
Why SMB?
The SMB protocol, formally referred to as CIFS, is a file and printer sharing protocol,
which serves as the basis for Microsoft's Distributed File System implementation.
Contrary to FTP and HTTP, the SMB protocol allows not only copying an entire file, but
also grants access to files over the network. File editing, for example, can be executed
over SMB without a change in its location. The latest dialect - SMB 3.1.1 - enjoys the
highest levels of built-in security, including pre-authentication and encryption for all file
operations.
While desktop computers and servers such as Windows and Macintosh natively benefit
from SMB connectivity, the situation in the embedded world is more complicated. A
device may be developed on top Linux/Unix or an RTOS that lacks an SMB solution
such as VxWorks, ThreadX, Integrity, Itron, or any other of a great variety of RTOS or
operating systems such as iOS, Windows CE, etc.
Visuality Systems YNQ™: Comprehensive SMB Client and Server
YNQ™ is a portable SMB Server and Client solutions that can be used with any
environment operating system (OS), device, CPU or compiler. It enables devices to
connect with a network through SMB. Being a highly portable library, YNQ™ can be
integrated into virtually any hardware or software platform and fully complies with
Microsoft SMB/SMB2/SMB3 specifications. YNQ™ stays current with the latest
releases of the SMB protocol, including critical, built-in connectivity and file encryption
standards that protect your environment from security intrusions and other malicious
activity.
YNQ™ is the flagship product of Visuality Systems Ltd. At its launch in 1999, it was
called CIFS NQ™ and was subsequently renamed to NQE™ in 2014. YNQ™ is the new
generation of the NQ product family, released in 2019 and was developed under the
Agile methodology.
YNQ™ has 3 levels of modularity (Figure 6):
High: API/Protocol level – APIs (NQ), server, client, NetBIOS
Medium: Service level – Authentication, common, network
Low: OS level – System, user defined, driver
Each level utilizes the level below. The API level utilizes both the Service level and
OS levels, whilst the Service level utilizes the OS level. The High level is named
Frontend, and the Low level is named Backend.
The YNQ™ modern software structure allows the Visuality Systems customer to
know which module the fix/patch/update is related to at any given time.
YNQ™ Whitepaper © 2019 Visuality Systems Ltd 6
By knowing which modules the changes have been carried out on integration and
testing time is naturally decrease as the focus required is for the specific modules.
This utilization allows to separate the YNQ™ implementation into four separate
products:
Standalone Client – full SMB client functionality
Corporate Client – full SMB client functionality with the ability to register
the machine to the corporate Active Directory
Standalone Server – full SMB server functionality
Corporate Server – full SMB server functionality with the ability to register
the server to the corporate Active Directory and has the pass=through
authentication ability.
Customer Case Studies
Scan to Folder
The YNQ™ Client is today a de facto SMB solution for MFPs (Multi-Functional
Printers). It is running in numerous models of MFPs, granting to end users a seamless and
secure way of saving scanned documents.
YNQ™, when built into an MFP, connects it to the network, so that the printer can save
scan jobs directly to a network folder. The entire transaction happens completely from the
MFP, thus eliminating hopping between the MFP and a PC, for e.g., between campuses.
The Visuality Systems’ SMB functionality grants the scanner the ability to browse the
network, locate available computers or servers, view shared folders and deliver
documents to the accessible destinations in a desired format, quickly, reliably,
conveniently and securely.
Since the YNQ™ Client fully supports SMB3, scan jobs are securely transferred under
end-to-end encryption.
Figure 3: Scan to folder
YNQ™ Whitepaper © 2019 Visuality Systems Ltd 7
Automotive Manufacturing Floor
A high-end European automotive manufacturer
embeds Visuality Systems’ YNQ™ in their
custom factory test “data acquisition” system to
record and distribute extensive equipment
environment data for each test run.
The configuration data to drive all tests is
updated by an automated controller system with
YNQ™ over SMB protocol. The recorded data
for each test run is then transferred using SMB
to be loaded into a massive data warehouse for
ad-hoc analysis.
Figure 4: Auto manufacturing automation
Adopting YNQ™ with the SMB3’s encryption guarantees all data in transit is secured
and helps close remaining critical security holes. They have found SMB connectivity to
be faster, more consistent and more reliable than FTP.
On Board Navigation Embedded Systems
A defense customer embeds Visuality Systems
YNQ™ client and server into their real-time,
onboard navigation system to speed up file
processing and save precious time that can help
save lives in critical situations.
Audio and GEO map files, which are updated
frequently, can also be accessed directly using the
SMB protocol. This provides a much faster end-
to-end solution than one based on FTP, which
requires a full file download to the cockpit client
navigation system.
Figure 5: Aircraft use case
YNQ™ Whitepaper © 2019 Visuality Systems Ltd 8
YNQ™ Architecture
YNQ™ is a pure C, highly portable library which can be integrated into virtually any
platform. It is important to distinguish between two levels of YNQ™ adaptation - Porting
and Integration.
Porting
The Porting process occurs when YNQ™ is about to be used on yet another platform, be
it an Operating System (OS), another CPU or any other system. Porting YNQ™ involves
implementing its low layer by means of the most common platform services. This process
is seamless and requires minimum efforts.
Integration
For selected platforms (Linux/UNIX, VxWorks, Nucleus, iOS and Windows), off-the-
shelf solutions are available. Integration occurs when YNQ™ is incorporated into a new
solution on a platform for which Porting has being already done. In most cases, this does
not require any significant efforts besides fine tuning of a couple of parameters.
The model for using YNQ™ is illustrated in Figure 6. The components shown in blue are
fully portable, while those in green may be modified during either Porting or Integration.
The YNQ™ Level 1 here is the central component of the entire architecture. It is
responsible for the SMB Server and SMB Client functionality. The Level 3 (Environment
abstraction component) maps an abstract system API on the exact operating system calls.
There is a distinction between Project-Dependent or User-Defined (UD) and System-
Dependent (SY) layers. With reference to the difference between Porting and Integration,
SY corresponds to Porting, while UD corresponds to Integration.
Figure 6: YNQ™ Architecture Layers
YNQ™ Whitepaper © 2019 Visuality Systems Ltd 9
From a functional perspective, YNQ™ may be seen as an SMB Server, SMB Client and
NetBIOS Daemon (see Figure 7). Since the SMB Server is an application, using it is
seamless and requires minimum efforts, only for fine tuning. The SMB Client is a
software library available through its API. To benefit from the SMB Client, a YNQ™
customer should develop an application (or a set of applications). The SMB Corporate
Server also uses SMB Client to achieve Domain Authentication (also called Active
Directory Authentication). Another component (not shown in Figure 7) is the File System
(FS) Driver. This feature is system dependent, and the Driver is currently available on
VxWorks and Linux/UNIX (through FUSE). The Driver option allows developing client
applications on top of the native API instead of Client API. The NetBIOS Daemon
component is shared between the Server and Client to provide NetBIOS services, mostly
name resolution.
Figure 7: YNQ™ Components
The YNQ™ architecture was designed for the embedded world archetype, for which the
following techniques can be used:
• Pre-allocated memory: YNQ™ uses fixed-size tables, which are either allocated
statically or pre-allocated on startup. Though it applies some restrictions in terms
of maximum connections, open files, etc., it perfectly fits the main constants of
an embedded system.
• Multi-threading: This technique applies to the SMB Client, which complies
with a fully thread-safe library. SMB Server of YNQ™ is single-threaded, which
guarantees the most stable and reliable behavior.
• Zero-copy: YNQ™ avoids copying payload of read and write operations.
YNQ™ Whitepaper © 2019 Visuality Systems Ltd 10
Using YNQ™
The existence of two major components may confuse a user not familiar with the SMB
protocol. The following use cases will thus aid in selecting the right component:
• Scan to folder: An MFP (multi-functional printer) transfers a scan result onto a
PC on the corporate network. This is a client case. The MFP must run an
application on top of NQ Client API to achieve this functionality.
• Home NAS: A SOHO router with USB slots allows plugging a flash drive,
converting the router into a SOHO NAS. This case assumes a server.
In a client case, the YNQ™ user can choose between either an NQ Client API or
an FS Driver (available on selected platforms). The table in
Figure 8 compares the two methods of using the SMB Client.
NQ Client API FS Driver
Performance Best Significantly less
Development efforts Significant Low
Compliance to “native”
API (for e.g., POSIX) None Almost full
Examples:
ccAddMount(…);
ccCreateFile(…);
ccWriteFile(…);
ccCloseHandle(…);
mount(…);
fopen(…);
fwrite(…);
fclose(…);
Figure 8: YNQ™ Client Methods
YNQ™ Whitepaper © 2019 Visuality Systems Ltd 11
Functionality
YNQ™ SMB Server features
• SMB dialect support from NTLM0.12 (SMB1) to SMB 3.1.1
• Various methods of authentication:
• Active Directory integration (or Domain Authentication) (Corporate)
• Local users
• From LM to NTLMV2, either “naked” or wrapped into SPNEGO
• Kerberos
• Message signing
• SMB encryption
• Optional ACL integration
• DNS, LLMNR and NetBIOS
• DCERPC over SMB:
• Basic – SRVSVC, WKSSVS, WINREG and more
• Authentication – SAMR, NetLogon and LSA
• Printing – SPOOLSS
• IPv4 and IPv6 support
YNQ™ SMB Client features
• SMB dialect support from NTLM0.12 (SMB1) to SMB 3.1.1
• Reach set of calls:
• Full set of file data operations
• Full set of file meta-data calls
• Network discovery calls
• Run-time fine-tuning
• Asynchronous reads and writes (optional)
• Host resolution through DNS, LLMNR and NetBIOS
• Multi-threading
• Various methods of authentication:
• From LM to NTLMV2, either “naked” or wrapped into SPNEGO
• Message signing
• SMB encryption
• Durability
• DCERPC over SMB:
• Basic - SRVSVC, WKSSVS and more
• Authentication – SAMR, NetLogon and LSA (Corporate)
• LDAP
• IPv4 and IPv6 support
YNQ™ Whitepaper © 2019 Visuality Systems Ltd 12
Compliance and Connectivity
YNQ™ fully complies with Microsoft SMB/SMB2/SMB3 specifications. YNQ™
supports all SMB dialects, from NTLM 0.12 to 3.1.1. This grants connectivity from all
client versions of Microsoft, Apple Macintosh and Samba.
Figure 9: YNQ™ Connectivity
The table in Figure 9 demonstrates connectivity between the most common SMB
implementations. In all cases, YNQ™ negotiates the latest SMB dialect.
YNQ™ Whitepaper © 2019 Visuality Systems Ltd 13
Summary
Current embedded systems may still lack an optimized SMB solution. These could be an
RTOS with no available SMB solution, or an embedded version of Linux/UNIX that
refrains from utilizing open source Samba due to its support pattern, large footprint or
licensing. The embedded market therefore needs an SMB solution which is reliable,
effective, portable (to any RTOS), and which carries lower resource consumption.
With over 20 years of experience in the SMB/CIFS market, Visuality Systems offers its
Embedded SMB solution, YNQ™, which is portable and can be integrated into any
environment, thus bringing SMB/SMB2/SMB3 client and server capabilities to any
embedded device under a commercial license.
YNQ™ version 1.2.0 is now available for integration as a source code.