Slashdot Mirror


Graph of Linux Vs. Windows System Calls

cgrayson recommends Richard Stiennon's blog on ZDNet — a post titled Why Windows is less secure than Linux shows a compelling graphical comparison between system calls on the two operating systems. The blogger tips Sana Security for the images. Quoting: "In its long evolution, Windows has grown so complicated that it is harder to secure... [T]hese images... are a complete map of the system calls that occur when a web server serves up [the same] single page of [HTML] with a single picture."

302 comments

  1. Poster? by Anonymous Coward · · Score: 2, Funny

    Where can I get a high res version of that image to print out poster size? That's great!

    1. Re:Poster? by Anonymous Coward · · Score: 0, Informative

      If you had read digg about 10 months ago you would already have your poster hanging on the wall.

      http://digg.com/linux_unix/%C2%BB_Why_Windows_is_less_secure_than_Linux_

    2. Re:Poster? by letxa2000 · · Score: 5, Insightful

      Not defending Windows security, but it's entirely possible that the graphical depiction is not "optimized" so that it intentionally looks like spaghetti. It's hard to see what's going on with the resolution given, but some of the call "bubbles" seem to be unnecessarily placed far away from whatever called them with a long strand of spaghetti between them. This isn't necessarily an indication of spaghetti or bad design, but a bad graphical depiction. Also, just because lots of places make a call to the same API (which causes the graph to look like spaghetti) does not mean bad design--to the contrary, it can be very good design.

      I hate Windows as much as the next guy, but I'm not sure this is really a good case for why.

    3. Re:Poster? by HTH+NE1 · · Score: 1

      > Where can I get a high res version of that image to print out poster size? That's great!

      Posters? Nah, I think they would be much more interesting as mobile sculptures. Just not over a crib.

      --
      Oh, say does that Star-Spangled Banner entwine / The myrtle of Venus with Bacchus's vine?
    4. Re:Poster? by EsbenMoseHansen · · Score: 3, Informative

      It looks as if it was made by graphViz, which draws diagrams based on a textfile containing the dependencies. So it's probably fair enough in that sense, but posting the number of edges and the number of nodes would probably be nice as well. Though I'd prefer the source for those 2 images :D

      --
      Religion is regarded by the common people as true, by the wise as false, and by rulers as useful.
    5. Re:Poster? by speculatrix · · Score: 2, Informative

      there are graphviz viewers which allow some interaction, so you could drag nodes about a bit to make it less messy.

    6. Re:Poster? by B.+Pascal · · Score: 2, Informative

      Hi letxa2000:

      I agree with your post.

      I'd like to further question the implicit assumption made by the author of this article: that simplicity is always equal to better security. Yes, a system with a simpler, more elegant design feels better to work with. Yet, it doesn't necessarily mean better security.

      Rather than looking at a system's design, I think a more meaningful measurement of a system's security is to look at: 1) the number of people looking for new security flaws, and 2) the time it takes for patches to be released given an exploit. (1) measures how much effort is put into finding not-yet-discovered exploits. If there are not enough people who are looking for new security flaws, then at best, the system is secured by obscurity. (2) measures the responsiveness and effort to fix known exploits. Naturally, if an exploit is found, a user wants that exploit fixed ASAP.

      Looking at a system's design (graph), then drawing conclusions about the system's security, is like saying that a system can be done right in the first cut. If the design is done well, then it necessarily results in a good implementation. (Granted, if design is poor, then it's harder to make the implementation good...)

      Cheers.

      B. Pascal

    7. Re:Poster? by electrosoccertux · · Score: 1

      > it can be very good design.

      I would think that the more links between different processes, the more responsive of a system you'd have. While the Linux design may be more clean, if you have to traverse multiple processes to do what you want then this could lead to performance degradation.

      Maybe this is why Windows XP has _always_ felt faster than Linux to me (no matter the Window manager). I remember before we had the pre-empt kernel option. The terminal felt much, much slower then.
    8. Re:Poster? by RazzleDazzle · · Score: 3, Funny

      Yeah, spaghetti... obey your noodly master.

      Next thing you'll be talking about is global warming, then pirates, and the love of Him that is noodly.

      --
      ZERO ZERO ONE ZERO ONE ZERO ONE ONE! Just brushing up for my next big invention: Ethernet over Voice (EoV)
    9. Re:Poster? by Anonymous Coward · · Score: 0

      Sorry Stiennon, this is the weak sauce. Where did IT-Harvest.com go, btw? Regardless of your position on this topic, why would anyone take security advice from a guy who ran his start-up company into the ground in six months?

    10. Re:Poster? by rshimizu12 · · Score: 1

      As much as I dislike Microsoft it's unfair to publish some unreadable graph that gives no indication what data there is. The graph needs to at least identify what API calls are being made to have any credibility.

    11. Re:Poster? by _7miracles · · Score: 1

      I think the point of the whole article is missed then. All we need is to make sure that it compares apples with apples, and not oranges, and it does. Some API calls are not totally identical, nevertheless.

  2. Looks good. by bradsenff · · Score: 5, Funny

    Those pictures look great.

    Suddenly I am hungry for spaghetti.

    mmmMmm Food.

    Damn. Windows *is* evil. It is making me fat!

    1. Re:Looks good. by HomelessInLaJolla · · Score: 5, Insightful

      I just happened to think: Do you suppose it would be possible to refactor the Windows graph to make it look less tangled, or refactor the Linux graph to make it look more tangled? Imagine the graphs in 3-D space and being able to rotate around them or even view them from inside looking out in different directions. The concept is similar to adjusting the axes in the same manner as logarithmic paper can make some plots look like straight lines (once that concept is recognized then the math can become infinitely complex for defining the axes).

      To be perfectly fair: How do we know that the researcher who created the graphs optimized both for clean and concise 2-D layout?

      In response to my own question: No matter how you want to change the visualization the Linux graph looks to have far fewer multiple source intersection points and a larger prevalence of straight line hierarchical structure.

      --
      the NPG electrode was replaced with carbon blac
    2. Re:Looks good. by dctoastman · · Score: 1

      You beat me to it.

      I was about to say that myself about the Linux picture having less entry points. It looks like the Windows picture relies on some system calls that are called by just about everything. It seems that you could do a lot for security by first focusing on these central points.

    3. Re:Looks good. by Anonymous Coward · · Score: 0

      rAmen! May the FSM be with you!

    4. Re:Looks good. by Atmchicago · · Score: 3, Informative

      I agree with your question. I was thinking of a few ways to analyze the graphs:

      • Count the total number of nodes
      • Count the average number of edges coming out of each node

      The first gives us an idea of the total number of calls involved. The second gives us some idea of how many interactions each call is involved with - more branches would indicate more complexity.

      --
      You can lead a horse to water, but you can't make it dissolve.

    5. Re:Looks good. by nberardi · · Score: 5, Insightful

      This shouldn't be titled why Windows is less secure than Linux. If the author actually had any integrity or an understanding of what he was writing about it should be titled why IIS is less secure than Apache. Because I bet Apache running on Windows looks very close to the Apache running on Linux. Mostly because the Apache team has an excellent set of developers.

      This blogger should be shunned out of the internet world as a worthless hack.

    6. Re:Looks good. by Thrip · · Score: 5, Funny

      > I just happened to think: Do you suppose it would be possible to refactor the Windows graph to make it look less tangled ...?

      Yes. The easiest way would be to throw out the Windows code base and start over with a set of competent programmers, then regenerate the graph.
      --
      I'm awake! The answer is BONK!
    7. Re:Looks good. by bradsenff · · Score: 1

      And may his noodly appendage brush you with sweet buttery goodness.

      Or something.

    8. Re:Looks good. by Anonymous Coward · · Score: 0

      Point taken. Apache being more secure than IIS- if the function calls looking less complicated even means that- doesn't mean Linux is more secure than Windows, but it's probably meant to just be an example of open-source versus closed-source. It's up to the reader to decide whether it applies to everything else open- or closed-source. And it probably doesn't.
      I'm a Linux user who's used Windows before (for about the same amount of time), and I've had about the same number of crashes on each. Windows' crashes were just more spectacular (not as in "shiny", as in "pyrrhic").

    9. Re:Looks good. by NekoXP · · Score: 1, Insightful

      Looking at them both I notice the Linux one has a lot of empty space and draws the graph longer, and has a wider pixel size.

      The Windows one is shorter and thinner.

      Those simple differences make the Linux one look less messy, even if they ARE that simple.

      I'm sure you could easily refactor the Windows one to look less messy. The real details though are in what those system calls are; and the two images provided are too small to SEE the names and routes of the system calls where relevant. Just looking at the tangle and counting lines is NOT a security audit.

    10. Re:Looks good. by Anonymous Coward · · Score: 1, Insightful

      This blog is from some self proclaimed security specialist who is now a marketing guy, but from his blog post he obviously has no idea what he is talking about. The two graphs he generated tell you nothing. He says they are system calls, which again tells you nothing. The Linux/Apache graph appears more organized, while the Windows/IIS graph appears messier, but I bet you could shuffle things around and have the two graphs look nearly identical. But there's no labels on anything, we have no idea what the calls are, they could all be "strcmp" calls for all we know. And the assumption that a more complex graph means poor programming also implies that having everything done in one function (thus a super clean graph) means good programming, which is an obvious fallacy.

      So the script kiddies and know-nothing geeks on Slashdot all get excited about this graph and write things like "nah-nah M$ sux!" and "this explains everything, I am the smartest kid in the world."

      And a very small number dismiss the blog for what it is, absolutely worthless.

    11. Re:Looks good. by B.+Pascal · · Score: 1

      Hi fellow Slashdotters:

      I'd like to question the implicit assumption made by the author of this article: that simplicity is always equal to better security. Yes, a system with a simpler, more elegant design feels better to work with. Yet, it doesn't necessarily mean better security.

      Rather than looking at a system's design, I think a more meaningful measurement of a system's security is to look at: 1) the number of people looking for new security flaws, and 2) the time it takes for patches to be released given an exploit. (1) measures how much effort is put into finding not-yet-discovered exploits. If there are not enough people who are looking for new security flaws, then at best, the system is secured by obscurity. (2) measures the responsiveness and effort to fix known exploits. Naturally, if an exploit is found, a user wants that exploit fixed ASAP.

      Looking at a system's design (graph), then drawing conclusions about the system's security, is like saying that a system can be done right in the first cut. If the design is done well, then it necessarily results in a good implementation. (Granted, if design is poor, then it's harder to make the implementation good...)

      Cheers.

      B. Pascal

    12. Re:Looks good. by shawb · · Score: 2, Insightful

      The reason the Linux version has a lot of empty space and wider pixel size is because... there are so many fewer connections between nodes. There is more room to represent them. It appears that while Linux does have nearly as many nodes, many more of the calls are in a linear fashion. This is good security-wise as you can get a better idea of what data should be passed through a particular chunk of code and can better plan for exception checking and out of bounds conditions so malformed data will be handled gracefully.

      --
      I'll never make that mistake again, reading the experts' opinions. - Feynman
    13. Re:Looks good. by Kwiik · · Score: 1

      Or possibly more branches may indicate a cleaner or more modular kernel.
      You would have to time a million of each system call for each platform, comparing the amount of time the system calls for required operation A takes in one platform to the other.

      --
      Vehicle Stars used car search is my current project
    14. Re:Looks good. by Anonymous Coward · · Score: 0

      > I just happened to think: Do you suppose it would be possible to refactor the Windows graph to make it look less tangled

      Yes, but you need Vista for seeing that
    15. Re:Looks good. by NekoXP · · Score: 1

      Absolute bullshit.

      How do you call code in a "linear fashion" on Linux but supposedly not in Windows? It follows a line, in both cases, from a first function call to the end of the function call. None of the diagrams show what data is going through (even as an example) or what the intent of the function call is apart from the backtrace. It doesn't show anything but that every call trace goes back through a certain set of functions. Windows will have more for a lot of reasons - the fact that it is fundamentally a microkernel, it has a much more engaged message passing subsystem and set of HALs and interaction with "kernel-mode" drivers (especially the IIS acceleration features which are NOT implemented the same way as Linux's kernel http acceleration in the same way that neither are FreeBSD's HTTP accept filter).

      That doesn't mean it's fundamentally worse, it just means it is architected a little differently. As I said for each call there is no trace of how much code is executed nor its data. For all you know from the diagram a lot of it is passing through DLL interfaces to other DLLs, kernel interfaces and driver subsystems. You can't just count the code back and say "well, it passed through more wrappers so it's harder to secure". Which of those functions are simply passing the data back onto the stack and calling the same principle function in another DLL?

      http://radio.weblogs.com/0105852/stories/2003/01/25/takingBufferOverrunsSeriously.html

      The VisualC++ libc runtime has a crapload of "security checks" wrestled into it if you use the right compiler flags, which pass it through many more layers than in glibc.. at the expense of slowing it down. On Linux, it's not in the C runtime, it's in stuff like SELinux and PAX. Stack checking and canaries and suchlike. You think that makes the code LESS secure that it is in the C runtime?

      Starting with Windows Server 2003 (and XP SP2 and obviously a shitload more in Vista), even more is done on the OS side of things, built into NX bit handling and a ton of other checks. All of these run through all kinds of little calls. Is it less secure if you have 1 bug in 10,000 massively interlinked calls on Windows than if you have the same bug in only 1000 calls in Linux?

      This is also just the STARTUP of Apache and IIS. Does IIS create more buffers, caches, spawn processes earlier, do any configuration details, doesn't registry access take a lot longer to do, isn't pulling configuration data out of Active Directory a very heavy process compared to parsing an Apache config file? How do these relatively innocuous things affect the security? It is just as easy for Apache to have a maliciously encoded line in a config file which is NOT going to affect a fixed, due to a parser bug or somesuch, which simply cannot be gained from accessing a fixed, structured LDAP database with significantly more strict rules (a lot of the data you'd want to exploit by mangling directives and arguments, you couldn't put in the Active Directory anyway - other parts of the OS that IIS doesn't even consider, is at work here).

      The diagrams mean absolutely nothing. However of one thing I am sure; this guy earned ZDnet a lot of banner impressions today.

    16. Re:Looks good. by (Score.5,+Interestin · · Score: 1

      In fact, the graphs are pretty much meaningless as a measure of either complexity or security. The Unix philosophy is to pile a large amount of functionality into a single call (the infinite flexibility of ioctl() being a good example) while the Windows philosophy is to have lots of special-case functions for different applications. Trying to compare "security" based on call-graph complexity is meaningless. To take one extreme example, I've seen a COM interface that was handled via a single function, DoIt(). In theory I could claim that this was vastly more secure than the Unix alternative, because the call graph is a single straight line from A to B. Now, would you say that DCOM is more secure than a Unix equivalent?

    17. Re:Looks good. by mgiuca · · Score: 1

      While this is true - it's not strictly a valid comparison between Linux and Windows (and therefore should be discounted) - we can still salvage most of its meaning. Now I'm assuming that each node is a system function, not a function of Apache or IIS - if I'm wrong in this assumption then may we all be horribly crushed from above somehow.

      If you look at it, there are only a couple of "entry point" looking nodes, and the rest is the system calling itself internally. So you could say that the program making these calls is irrelevant, if internally, Linux is making far fewer / more organised syscalls than Windows.

      Having said that, it's all quite speculative on my part, from looking at a black and white graph with resolution not high enough to make out any nodes properly... so... grain of salt.

    18. Re:Looks good. by ebichete · · Score: 1

      ioctl is absolutely not part of the Unix philosophy. It was created for a small limited case and subsequently abused until it became the beast it is today.

      The guys at Bell Labs didn't like it much and in the next system they built (Plan 9) totally eliminated it.

      The senior Linux devs don't like it much either. Google search the kernel mailing list archives and you'll come up with several rants against inappropriate use of ioctl.

    19. Re:Looks good. by malfunct · · Score: 1

      So long as your graph were directional so that calls leaving a node were representative of the number of calls being made by the function represented by the node and that the number of calls entering the node were calls to the function being represented you could easily measure both the level of modularity and reuse and from that determine complexity. That said simpler APIs sometimes require more calls and not less. I could make a single function that contained the entire windows API which would be no more or less complex than the windows API as it is now. It would just be a difference of calling many different functions with fewer parameters or calling a single function with lots and lots of parameters. Is there a measure in the graph of the complexity of the calls in addition to the raw number of calls? I still think linux might be simpler I'm just saying that it is not necessarily so based purely on the number of methods called.

      --
      "You can now flame me, I am full of love,"
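
Atmchicago (count the nodes, count the average number of edges per node) and malfunct (a directed graph whose in- and out-degrees measure reuse and modularity) both ask for numbers that do not depend on how the picture was drawn, which is exactly the objection several posters raise against the images. The script below is an added example, not code from the ZDNet post or from Sana Security: it reads the simple `a -> b;` edge lines of a Graphviz DOT digraph (the format EsbenMoseHansen guesses the images came from) and reports layout-invariant metrics. The call graph embedded in it is constructed for illustration and is not the data behind either image; the function names in it are made up.

```python
"""Layout-independent metrics for a directed call graph in Graphviz DOT syntax.

Added example. The graph below is CONSTRUCTED for illustration and is not the
Apache or IIS data behind the ZDNet images. Only the "caller -> callee;" edge
subset of DOT is handled, which is what a call-graph dump normally contains.
"""
import re
from collections import defaultdict

# Constructed sample: a handful of web-server-flavoured call edges (made-up names).
SAMPLE_DOT = """
digraph calls {
    accept_request -> read_socket;
    accept_request -> parse_headers;
    parse_headers -> strcmp;
    parse_headers -> log_event;
    serve_file -> open_file;
    serve_file -> read_file;
    serve_file -> write_socket;
    serve_file -> log_event;
    read_socket -> log_event;
    open_file -> check_acl;
    check_acl -> strcmp;
    write_socket -> log_event;
}
"""

# One edge per line; node names may be quoted and may carry an attribute list.
EDGE_RE = re.compile(
    r'^\s*"?([\w.]+)"?\s*->\s*"?([\w.]+)"?\s*(\[[^\]]*\])?\s*;?\s*$'
)


def parse_dot_edges(text):
    """Return (caller, callee) pairs from the 'a -> b;' lines of a DOT digraph."""
    edges = []
    for line in text.splitlines():
        match = EDGE_RE.match(line)
        if match:
            edges.append((match.group(1), match.group(2)))
    return edges


def call_graph_metrics(edges):
    """Compute metrics that no choice of layout (dot, rotation, spacing) can alter."""
    out_deg = defaultdict(int)
    in_deg = defaultdict(int)
    nodes = set()
    for caller, callee in edges:
        nodes.update((caller, callee))
        out_deg[caller] += 1   # fan-out: how many callees this function has
        in_deg[callee] += 1    # fan-in: how many distinct callers reach it
    count = len(nodes)
    # Nodes reached from at most one caller form the "linear" chains shawb describes;
    # nodes with high fan-in are the shared central points dctoastman suggests
    # reviewing first, since a flaw there is reachable from many paths.
    linear = sum(1 for node in nodes if in_deg[node] <= 1)
    by_fan_in = sorted(nodes, key=lambda node: (-in_deg[node], node))
    return {
        "nodes": count,
        "edges": len(edges),
        "avg_out_degree": len(edges) / count if count else 0.0,
        "max_in_degree": max(in_deg.values(), default=0),
        "top_fan_in": [(node, in_deg[node]) for node in by_fan_in[:3]],
        "linear_fraction": linear / count if count else 0.0,
    }


if __name__ == "__main__":
    metrics = call_graph_metrics(parse_dot_edges(SAMPLE_DOT))
    for key, value in metrics.items():
        print(f"{key:16} {value}")
```

Because the metrics are computed from the edge list rather than from pixel positions, two renderings of the same graph (however tangled one of them is made to look) give identical numbers, and two genuinely different graphs can be compared without seeing either picture; the fan-in list is the part a reviewer would act on, since it names the few routines every path passes through.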

  3. OLD news by sproketboy · · Score: 2, Informative

    Posted in last year sometime on zdnet. Is slashdot that out of touch?

    1. Re:OLD news by Anonymous Coward · · Score: 0

      You mean it *wasn't* posted 5 minutes ago?! The scandal! Was it posted on slashdot a year ago? Is it on a subject stupidly out of date? No? Then is it conceivable that the slashdot crowd might not have seen this yet and that it might be interesting to some of them? I'm going with yes.

    2. Re:OLD news by peragrin · · Score: 1

      It is a dupe i just don't feel like going back through april and may's articles to find it.

      damn.

      --
      i thought once I was found, but it was only a dream.
  4. nice pics by Anonymous Coward · · Score: 5, Funny

    what can I say? I'm impressed, you can click on the larger images and still not see a god damn thing

  5. Wow by lavid · · Score: 0

    I just checked out those pictures and all I have to say is wow. Unfortunately, from the given images, it's really impossible to follow any of those lines. It's amazing IIS even works....

    --
    If Bush wants to kill the terrorists, he should jump off a cliff.
  6. FUD? by EveryNickIsTaken · · Score: 3, Insightful

    Can anyone verify the accuracy of the "graphs"?

    1. Re:FUD? by ejdmoo · · Score: 4, Informative

      Accurate or not, it's a graph of Apache vs. IIS calls, NOT Linux vs. Windows. Also old as hell.

      Another quality article from Slashdot.

    2. Re:FUD? by Nos. · · Score: 1

      That's just it, without methodology and at least higher resolution pictures where things could be traced, this could be a complete farce. Without more documentation to back it up, I can't really call this news (as the blogger notes in his posting).

    3. Re:FUD? by Anonymous Coward · · Score: 0

      IIS, Just like using one pointer to an object that does all the work.

    4. Re:FUD? by hotdiggitydawg · · Score: 1
      My thoughts exactly. From TFA:

      > A picture is worth millions of words

      Not when it is supposedly a map of system calls and there isn't a single friggin' word anywhere on either of the pictures. In fact, the only way to tell which system is which is by the filename of the image! How can anyone even begin to verify that it is not complete bollocks?
    5. Re:FUD? by ajs · · Score: 4, Informative

      It's good that Slashdot is covering it, though. I do like the fact that we periodically get the chance to debunk some of the misinformation on the Web.

      Taken completely out of its original context, the graphs are a useful way to compare real-world examples of C and C++ calling models, though. You'll notice that IIS (C++) has these "clusters" of activity where one routine acts as a nexus for calls into many others. This is fairly standard practice in C++ where you might have an accessor that triggers lots of behavior. In the C version, there's a much more visually procedural pattern where a function calls a few others, and then returns to a function that calls its tree of functions, but might overlap with a few calls to the previous function's utility functions, etc.

    6. Re:FUD? by HomelessInLaJolla · · Score: 1

      > there isn't a single friggin' word anywhere on either of the pictures

      If you read the article then you would understand that the intersection points are memory locations, not words. The author explains that each memory location is a point of possible failure.

      --
      the NPG electrode was replaced with carbon blac
    7. Re:FUD? by YellowElf · · Score: 2, Insightful

      But these are system calls, and should not be part of the IIS application itself. Of course, Microsoft loooves to say everything is part of the OS, and we can't see the actual calls that are being made, but whatever is being called should be outside of IIS in order for the article to make sense.

      --dv

      --
      Insert witty saying or aphorism here.
    8. Re:FUD? by Red+Flayer · · Score: 2, Insightful

      > Another quality article from Slashdot.

      Have you done your part with firehose?

      You've got the power to make a difference in the story selection process, why don't you use it instead of complaining meaninglessly? Especially since it'd already been pointed out by several posters?
      --
      "Trolls they were, but filled with the evil will of their master: a fell race..." -- J.R.R. Tolkien on Olog-hai
    9. Re:FUD? by SheeEttin · · Score: 1

      > I do like the fact that we periodically get the chance to debunk some of the misinformation on the Web

      Is that what you call it?
    10. Re:FUD? by flakier · · Score: 1

      Impossible to tell with the small pictures, though it's certainly believable. The graphs look similar to others I've seen. It would be nice to see instructions on how to create the graphs rather than the graphs themselves.

      --
      --
    11. Re:FUD? by hotdiggitydawg · · Score: 1

      You missed my point. I read the article. I know what his claims are, but I want verifiable proof. The pictures as they stand are entirely meaningless, except to the gullible.

    12. Re:FUD? by HomelessInLaJolla · · Score: 1

      > are entirely meaningless

      Which is entirely wrong

      > except to the gullible

      Unless you're prone to extremist knee-jerk overreaction.

      The graphs are not entirely meaningless. They demonstrate trends which have real world interpretable value.

      --
      the NPG electrode was replaced with carbon blac
    13. Re:FUD? by gmack · · Score: 1

      > Accurate or not, it's a graph of Apache vs. IIS calls, NOT Linux vs. Windows. Also old as hell.

      More to the point it conveys no useful info on how complex the calls are. Are they single function calls that pass off the core of the work to others or are they complicated calls that try to do too many things in one place?

      I'm actually surprised the Apache graph was less cluttered than the IIS graph given that Microsoft tends to prefer functions that do as many things as possible so code can be better reused while apache is more UNIX like in that they tend to prefer smaller functions that are easier to debug. Of course a lot of that could just be the efficiency of the compiler

    14. Re:FUD? by Spazmania · · Score: 1

      An attacker doesn't care -why- there are a bunch of system calls. It's all machine language at that point. That those calls happen presents an opportunity to inject malicious code.

      If your basic claim about C/C++ is right then the consequence is that code written per "standard practice" in C++ is inherently harder to secure than code written in C.

      --
      Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion.
    15. Re:FUD? by convolvatron · · Score: 1

      no, they don't really. as much as i love the dot project, it's really not the world's best general purpose graph drawer. it also turns out to be very subjective depending on the planarization approximation to generate something that looks clean or messy.

      so if you just build a dynamic call graph and run it through dot (having done this before many times myself), you can't really say that the overall visual impression leaves you any more informed than you were before.

      put it this way, do you really know anything more about the respective implementations from looking at these pictures aside from the false generalization that windows is 'messier' than linux? no, you don't.

    16. Re:FUD? by betterunixthanunix · · Score: 1
      The fact that Microsoft functions do so much is probably the cause of the clutter. The more a function does, the more system calls it will wind up making.

      Personally, though, I would question whether or not such drawings are accurate. It is easy to make a graph with 50 nodes look more complex than a graph with 200 nodes by arranging things oddly and forcing more lines to cross each other at more locations.

      --
      Palm trees and 8
    17. Re:FUD? by hotdiggitydawg · · Score: 1

      Rubbish. They were produced by a company that has a vested commercial interest in security software for Windows. As they stand, they show you can use black lines to make a pretty little spaghetti diagram, and that is all. Real OSS advocates will get nothing out of this as MS shills will counter with this exact argument.

      Even simply adding the name of each syscall means someone else can start trying to prove their claims aren't a fabrication.

    18. Re:FUD? by brianosaurus · · Score: 1

      Read it again... (I'll wait ;)

      The article doesn't say what the intersection points are. While it does say that "A system call is an opportunity to address memory", it doesn't explain how that relates to the images, just "Both images are a complete map of the system calls that occur when..."

      I was hoping the "larger image" would clarify things, but it's almost as useless as the inlined image. In the bigger picture, the horizontal line at each intersection kind of looks like it would be a word, perhaps the name of a system call. It's simply not clear that the images support the claim, since it is not at all clear what the images actually represent.

      --
      blog
    19. Re:FUD? by nuzak · · Score: 1

      > You've got the power to make a difference in the story selection process

      The link does nothing more than redirect to the front page. Was it supposed to do something else?

      There already is a submission queue, a big one. What the editors choose to post, and the color commentary in both the submission and by the editors, is what we all complain about. Meaninglessly, I might add, since all our complaints do is verify that the advertisers are still getting eyeballs.

      --
      Done with slashdot, done with nerds, getting a life.
    20. Re:FUD? by JebusIsLord · · Score: 1

      Not necessarily. Object-oriented code is in a sense more complex, but also easier to understand (so the programmer makes fewer mistakes).

      --
      Jeremy
    21. Re:FUD? by timeOday · · Score: 4, Insightful

      > The graphs are a useful way to compare real-world examples of C and C++ calling models, though.

      No, because they're only counting system calls. There's no inherent reason for C++ code to make more numerous or more varied system calls. The difference between C and C++ is purely user-mode. The summary's assertion is correct - the Windows server is simply making many more system calls to serve a page.

      Is that a surprise? Those of you who doubt the general claims made using these graphs, why don't you find a more compelling statistic to the contrary? Show us how the XP (or better yet, Vista) kernel API is NOT a sprawling mess. Good luck, since even Microsoft has admitted Vista is nearly unmaintainable, and years of schedule slippage proves it no matter what they say.

      I don't even blame them. Feature-richness and backwards compatibility are key aspects of what Microsoft provides, and it inevitably results in a mess. These are practically requirements if you have a big expensive software infrastructure built over a long period of time, as many businesses do. But don't kid yourself that the costs avoided by not refactoring all that old code come free. Complexity does impact security.

    22. Re:FUD? by Red+Flayer · · Score: 2, Informative

      The link does nothing more than redirect to the front page. Was it supposed to do something else?
      I checked the link, it goes to firehose. Maybe you don't have access to firehose (it's in Beta, maybe it's karma-dependent for access)? Or maybe you just need to look a little closer, since FireHose does look a little like the main page.

      FYI, FireHose lets users affect submission acceptance by rating the submissions before (and after) they get approved -- this allows for pre-emptive action, and also feedback.
      --
      "Trolls they were, but filled with the evil will of their master: a fell race..." -- J.R.R. Tolkien on Olog-hai
    23. Re:FUD? by plalonde2 · · Score: 2, Insightful

      That's a completely bogus statement. In straight C you know your call graph. You know which function is called where and when. In C++ any method call might be virtual and you have no way to know at the call site. Or the function call might be a non-virtual override. No way to tell at the call site. It is much easier to mis-use (unintentionally) a C++ OO library than a straight C library. I see many more errors in C++ code than I do in straight C.

    24. Re:FUD? by Anonymous Coward · · Score: 0
      Another quality article from Slashdot.

      Excellent point. All articles posted to Slashdot should never be less than 100% perfectly accurate without any extraneous information and all logical paths fully explored.

      Hmmm... maybe if those were the submitting criteria then not a damn thing would get posted. Perhaps it's actually useful for us to view material from the "common people" and validate their ideas based on their technical merit.

      Or we could just throw all of it out the window every time someone makes a misstep.

    25. Re:FUD? by YetAnotherLogin · · Score: 1

      Well, I get the front page too (the url goes back to http://slashdot.org/). I guess I'll have to wait until it goes out of beta!

    26. Re:FUD? by Anonymous Coward · · Score: 0

      Oh get off your high horse you w ** & n ke eer

    27. Re:FUD? by swillden · · Score: 1

      That's a completely bogus statement. In straight C you know your call graph. You know which function is called where and when. In C++ any method call might be virtual and you have no way to know at the call site.

      The Linux kernel is written in C but makes very heavy use of virtual function calls. If you need abstraction, you have to pay the price in reduced predictability. It's a tradeoff between transparency and simplicity.

      It is much easier to mis-use (unintentionally) a C++ OO library than a straight C library.

      My experience is exactly the reverse. Straight C libraries often require you to carefully set up complex data structures before making the library calls.

      I see many more errors in C++ code than I do in straight C.

      ... when the C++ code is written by C programmers. In my experience, when C++ is used by people who know the language well (admittedly, that's a tough hill to climb), the result is smaller, has fewer bugs, and gets done faster.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    28. Re:FUD? by taniwha · · Score: 1

      Part of the issue here is that Windows puts more stuff in the kernel (bad IMHO, harder to verify security) and, more importantly, Windows kernel routines make system calls themselves, while in the Linux world the system call interface is largely a one-way boundary, making it easier to verify (signals are an example of something that sort of breaks the one-way thing).

    29. Re:FUD? by jgrahn · · Score: 3, Interesting

      I don't even blame them. Feature-richness and backwards compatibility are key aspects of what Microsoft provides, and it inevitably results in a mess. These are practically requirements if you have a big expensive software infrastructure built over a long period of time, as many businesses do.

      OK, but shouldn't that make a Unix syscall interface even more messy? After all, it was created thirty-five years ago.

      On the other hand, you might want to count each ioctl and each read(2) or write(2) of different character devices as separate system calls ...

    30. Re:FUD? by Haeleth · · Score: 1

      In straight C you know your call graph. You know which function is called where and when.
      Right up until the first function pointer slips in - which is pretty much inevitable for anything that has a non-linear interface.

      Or until someone who isn't quite as smart as he thinks starts doing "clever" things with macros, in a header file included by another header file that includes itself recursively.

      Or until someone relies on undefined behaviour, like the order of evaluation of function arguments, that suddenly introduces subtle bugs when you add an unrelated line of code and your compiler decides to change its optimisation strategy...

      (Of course, these issues are all just as present in C++; my only point is that things aren't as rosy in C as you might think from your description, and the greater abstraction capabilities of C++'s classes and templates might make people less inclined to try to be clever in that sort of way.)
    31. Re:FUD? by timeOday · · Score: 2, Insightful

      OK, but shouldn't that make a Unix syscall interface even more messy? After all, it was created thirty-five years ago.
      How much backwards compatibility does it really retain though? I realize some basic concepts and even the names of some basic functions (e.g. "read") have actually been around that long, but how many binaries from back then would run on Linux? I doubt you could find one. And that's what I mean by maintaining backwards compatibility on a feature-rich platform.
    32. Re:FUD? by maxume · · Score: 1

      I'm not sure it will do anything, but try something like:

      reload, reload, metamoderate, reload (I have a feeling it is somewhat activity based).

      --
      Nerd rage is the funniest rage.
    33. Re:FUD? by Foolhardy · · Score: 1

      Here's an exhaustive list of Windows NT syscalls in every service pack since NT4 SP3. NT 3.1 (not listed) has 180, NT 4.0 has 248, XP has 284, Vista has 394 (the greatest increase in a single version), mostly for transaction support, a new IPC mechanism and configuring the new boot loader. I'm not familiar with most of Vista's new functions, but I know that all the functions in XP are necessary. BTW, Linux 2.6.20 has 319 syscalls (according to arch/i386/kernel/syscall_table.S). Several of the Linux syscalls have become placeholders, obsolete. Show me a single obsolete/compatibility driven NT kernel syscall.

      Applications interface with Win32, not the syscall API (also known as the NTAPI or the native API). Win32 is where all the compatibility hacks are, and it is indeed more ugly because of it. NTAPI is insulated from apps and contains no compatibility hacks or baggage. Even so, the NTAPI is very stable; I'm not aware of a single function that was implemented and has changed or become obsolete or deprecated.

      All the mess of Vista development is in user-mode, especially in Win32 and the shell. All of the features planned for the kernel in Vista have shipped and were ready long before release, AFAICT. It's most of the user-mode stuff that's been scrapped or scaled down and is a mess.

      If they're showing syscalls, then what are all the lines connecting them? Syscalls don't call each other; they're an array of functions called from user to kernel mode, in that direction only. How does one show relationships between syscalls exactly? It's awfully convenient that the graphs are too blurry to actually read the bubble text or we might be able to divine what they're talking about.
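
A small parser for the file the post cites, added here as an example and not code from the post or the kernel tree: it reads a constructed excerpt laid out like arch/i386/kernel/syscall_table.S, numbers each .long slot by its position (the file carries no explicit numbers), and counts the sys_ni_syscall placeholder slots the post mentions. The sample text, Entry, summarize and compare_tables are this example's own.

```python
import re
from typing import NamedTuple

# Constructed excerpt (this example's own) in the layout of
# arch/i386/kernel/syscall_table.S: slots 0-35 only; the real 2.6.20
# table the post counts runs to ~320 entries.
SYSCALL_TABLE_EXCERPT = r"""
ENTRY(sys_call_table)
    .long sys_restart_syscall   /* 0 - old "setup()" system call, used for restarting */
    .long sys_exit
    .long sys_fork
    .long sys_read
    .long sys_write
    .long sys_open              /* 5 */
    .long sys_close
    .long sys_waitpid
    .long sys_creat
    .long sys_link
    .long sys_unlink            /* 10 */
    .long sys_execve
    .long sys_chdir
    .long sys_time
    .long sys_mknod
    .long sys_chmod             /* 15 */
    .long sys_lchown16
    .long sys_ni_syscall        /* old break syscall holder */
    .long sys_stat
    .long sys_lseek
    .long sys_getpid            /* 20 */
    .long sys_mount
    .long sys_oldumount
    .long sys_setuid16
    .long sys_getuid16
    .long sys_stime             /* 25 */
    .long sys_ptrace
    .long sys_alarm
    .long sys_fstat
    .long sys_pause
    .long sys_utime             /* 30 */
    .long sys_ni_syscall        /* old stty syscall holder */
    .long sys_ni_syscall        /* old gtty syscall holder */
    .long sys_access
    .long sys_nice
    .long sys_ni_syscall        /* 35 - old ftime syscall holder */
"""

# A slot that points here is a retired syscall kept so the numbering of
# everything after it stays stable (calling it returns -ENOSYS).
PLACEHOLDER = "sys_ni_syscall"

# One table slot: ".long <handler>" with an optional trailing /* comment */.
ENTRY_RE = re.compile(r"^\s*\.long\s+(\w+)\s*(?:/\*\s*(.*?)\s*\*/)?\s*$")


class Entry(NamedTuple):
    number: int    # syscall number = position in the table
    handler: str   # kernel function the slot points to
    comment: str   # trailing /* ... */ text, empty if none


def parse_syscall_table(text):
    """Return one Entry per .long line, numbered by position."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue  # ENTRY(...) label, blank lines, anything not a slot
        entries.append(Entry(len(entries), m.group(1), m.group(2) or ""))
    return entries


def summarize(entries):
    """Split the table into live syscalls and placeholder slots."""
    placeholders = [e.number for e in entries if e.handler == PLACEHOLDER]
    return {
        "total": len(entries),
        "placeholders": len(placeholders),
        "active": len(entries) - len(placeholders),
        "placeholder_numbers": placeholders,
    }


def compare_tables(old_text, new_text):
    """Handlers added and removed between two table versions (placeholders ignored)."""
    old = {e.handler for e in parse_syscall_table(old_text) if e.handler != PLACEHOLDER}
    new = {e.handler for e in parse_syscall_table(new_text) if e.handler != PLACEHOLDER}
    return sorted(new - old), sorted(old - new)
```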

    34. Re:FUD? by ajs · · Score: 1

      An attacker doesn't care -why- there are a bunch of system calls. It's all machine language at that point. That those calls happen presents an opportunity to inject malicious code. Explain that in concrete terms. Explain exactly how making a system call allows one to inject malicious code. Please.

      I don't buy it, and more so, I don't buy that you can boil complexity (which certainly has security implications) down to a one dimensional analysis based on the number of nodes in the call tree.
    35. Re:FUD? by Spazmania · · Score: 1

      Explain that in concrete terms. Explain exactly how making a system call allows one to inject malicious code. Please.

      The math is straightforward.

      Every line of code (or programming command if you prefer) has some probability of containing a mistake exploitable by a hacker. That applies not just to the code you write, but also to the code in every library called by every library that you call. The probability of an exploitable mistake in your program overall is the sum of the probabilities for each line.

      More system calls implies more code implies a larger sum.

      --
      Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion.
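
      The probability argument above, carried through as an added worked equation (not part of the post): with $n$ lines reached, line $i$ exploitable independently with probability $p_i$,

      $$P(\text{some line exploitable}) = 1 - \prod_{i=1}^{n}(1 - p_i) \le \sum_{i=1}^{n} p_i,$$

      so the sum the post uses is the union bound on the exact value. For a uniform per-line rate $p$ with $np \ll 1$,

      $$1 - (1-p)^n = np - \binom{n}{2}p^2 + \dots \approx np,$$

      so roughly doubling the code reached (what a larger number of system calls stands in for here) roughly doubles the exposure, while the exact probability never exceeds 1.
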
  7. Interesting by theqmann · · Score: 2, Insightful

    Interesting, they look hand drawn. I wonder if arbitrary complexity could be visually added by using a suboptimal drawing pattern.

    1. Re:Interesting by 0xABADC0DA · · Score: 4, Informative

      It's not hand drawn. They obviously used dot from graphviz. You can't mistake that layout once you've seen it.

  8. Vista by IflyRC · · Score: 2, Insightful

    Where is the Vista version?

    1. Re:Vista by dreamlax · · Score: 1

      Windows Vista Home Graph Edition? Or Windows Vista Maths Centre Edition? Just keep in mind that only Maths Centre comes with Aero.

    2. Re:Vista by nschubach · · Score: 1

      I think he means Windows Vista Ultimate Home Graphs Edition, though I could have thought that option was only available on the more expensive Vista Ultimate Professional Home Office Graphs Edition.

      --
      Every time I start to have faith in humanity, I ruin it by driving to work between 7 and 8 am.
    3. Re:Vista by UnknowingFool · · Score: 1

      Where is the Vista version?

      You'll need to upgrade your hardware if you want to see it. [ducks]

      --
      Well, there's spam egg sausage and spam, that's not got much spam in it.
    4. Re:Vista by Cygfrydd · · Score: 1

      The Vista graph will have to wait for web browsers capable of rendering the graphs in 5-space.

    5. Re:Vista by Fnord666 · · Score: 5, Funny

      Where is the Vista version?
      They're waiting for additional funding for the ink.
      --
      'The tyrant will always find pretext for his tyranny.' - Aesop's Fables
  9. A slice off the dll block. by Anonymous Coward · · Score: 0

    "In its long evolution, Windows has grown so complicated that it is harder to secure... [T]hese images... are a complete map of the system calls that occur when a web server serves up [the same] single page of [HTML] with a single picture."

    Fine grained vs coarse grained. Whoo-pee.

  10. Old and Pointless News by garcia · · Score: 5, Insightful

    The article is dated April 14th, 2006. Nice.

    The photos are completely unreadable and mean absolutely nothing. Let's see the entire graph with labels so that we can know exactly what's going on during the calls. From that graph, for all we know, we could be looking at more than what they claim.

    1. Re:Old and Pointless News by *weasel · · Score: 2, Insightful

      Not to mention that we should be looking at Apache-on-Windows vs Apache-on-Linux.

      Why mix up the comparison of Linux/Windows with Apache/IIS with C/C++ if you don't have to?

      An actual apples-to-apples comparison would be interesting.

      --
      // "Can't clowns and pirates just -try- to get along?"
  11. Just one case ... by dsojourner · · Score: 1

    I'm pretty "anti-microsoft", but I still know it's pretty dangerous to deduce much from a single example. For example, are there any situations where the complexity is reversed? I'd guess not (or not as many), but you can't really tell ...

  12. They both look a mess by Anonymous Coward · · Score: 0

    Clearly, the Windows example is a bigger bowl of spaghetti, but the Linux version is also a mess of complexity.

    Operating systems are complex beasts. This is all this non-scientific blog proves.

  13. A single page with a single picture? by fireman+sam · · Score: 3, Funny

    and I thought goatse was taken down.

    --
    it is only after a long journey that you know the strength of the horse.
  14. Linux developers should take note.... by StressGuy · · Score: 1, Interesting

    It is tempting to add more and more features and functionality over time. Ultimately, you risk getting consumed by "entropy".

    KDE and Gnome developers also....lest XFCE surprise them both over time.

    --
    A goal is a dream with a deadline
    1. Re:Linux developers should take note.... by Fred+Ferrigno · · Score: 5, Funny

      Obviously, the solution is to code everything as a single function. Then the graph will look very nice and tidy.

    2. Re:Linux developers should take note.... by Tumbleweed · · Score: 1

      Isn't that called 'Functional Programming'? I thought that was the hot new trend these days...

    3. Re:Linux developers should take note.... by sploxx · · Score: 2, Insightful

      It is tempting to add more and more features and functionality over time. Ultimately, you risk getting consumed by "entropy".

      KDE and Gnome developers also....lest XFCE surprise them both over time.

      More functionality is better, as long as the software is integrated in a sane way. The problem is functionality in the wrong places, not functionality itself. I think everyone here knows what harm the will to reduce functionality did to GNOME... (awaiting flames already :)
    4. Re:Linux developers should take note.... by jeffasselin · · Score: 1

      One Function to rule them all, One Function to grep them,
      One Functione to call them all and in Windows compile them.

      --
      If he explores all forms and substances Straight homeward to their symbol-essences; He shall not die.
    5. Re:Linux developers should take note.... by nwhitehorn · · Score: 2, Interesting

      This actually makes a very good point. Some arguably secure coding styles (microkernels, for instance) involve a fantastic number of syscalls, as operations trampoline through kernel space.

      On the other end of things, the way to get the fewest possible number of syscalls is to implement the entire web server in the kernel (in a single function, as the OP wrote). Then you just call the handle_http_request() syscall and walk away. This is, of course, the least secure and most dangerous possible way to implement a web server.

      The only thing with which number of system calls actually correlates is request handling speed -- barring other performance issues, context switches take some amount of time, which is why microkernels typically have poor performance. Given the massively different software architectures involved, however, I would imagine that any important performance differences lie elsewhere.

  15. Re:Pudding graph by ajs · · Score: 2, Insightful

    NO! This is a terrible, terrible misuse of information. The person who came up with those graphs should be forced to read "The Visual Display of Quantitative Information" by Edward R. Tufte until their eyes fall out!

    IIS is written in C++.

    Apache is written in C.

    These graphs show the different calling models of C++ and C.

    That is *all* they show.

  16. Complete FUD by DrDitto · · Score: 2, Insightful

    Never have I seen papers or research that implies the number of system calls correlates to security. What's next, implying MS-DOS is more secure than Linux based on numbers of system calls and lines of code?

    1. Re:Complete FUD by Foofoobar · · Score: 1

      No but it has everything to do with speed and use of resources. A couple hundred system calls (including redundant ones) in IIS versus maybe 70 in Apache would correlate to Apache using fewer resources, booting faster and having a faster response time.

      Also as I pointed out, IIS has loads of redundant system calls making for a bloated system.

      This is what the graphs show. Not security, bloat, poor performance and bad development.

      --
      This is my sig. There are many like it but this one is mine.
    2. Re:Complete FUD by flyingfsck · · Score: 3, Funny

      Of course DOS is more secure than Linux. It doesn't do networking...

      --
      Excuse me, but please get off my Pennisetum Clandestinum, eh!
    3. Re:Complete FUD by A+beautiful+mind · · Score: 1

      "MS-DOS - without a remote hole in the default installation for 26 years."

      --
      It takes a man to suffer ignorance and smile
      Be yourself no matter what they say
    4. Re:Complete FUD by hyfe · · Score: 1

      What's next, implying MS-DOS is more secure than Linux based on numbers of system calls and lines of code?
      ... but it is!

      Name one remote security exploit in any DOS implementation?
      Regardless of whether it's a fair comparison or not, DOS is more secure than Linux by just about any reasonably sane metric you can come up with it.

      --
      "" How about taking the safety labels off everything, and let the stupidity-problem solve itself? """
    5. Re:Complete FUD by ak_hepcat · · Score: 1

      "DOS is more secure than Linux by just about any reasonably sane metric you can come up with [it]."

      Except that when you boot *DOS, you're automagically the superuser. Or Joe is. Or grandma. Or whomever.

      Or maybe user privileges aren't a sane metric to judge security by?

      How about just overwriting the interrupt vector table with a quick .COM program? That'll certainly bring any system to its knees. But I suppose that kmem security is really just an issue with user privilege escalation. And we've covered that.

      But there are certainly any number of virus and trojan type exploits for *DOS. Or perhaps these aren't sane metrics either?

      --
      Support FSF: Stop thinking with your wallet, and think with your imagination. (cc/non-commercial)
    6. Re:Complete FUD by EvanED · · Score: 1

      Name one remote security exploit in any DOS implementation?
      Regardless of whether it's a fair comparison or not, DOS is more secure than Linux by just about any reasonably sane metric you can come up with it.

      Not all of security is remote. Let's see you take out an entire filesystem as non-root under Linux.

      Your point mostly stands, but being more susceptible to trojans IS a perfectly sane metric that DOS fails.

    7. Re:Complete FUD by hyfe · · Score: 1

      Or maybe user privileges aren't a sane metric to judge security by?
      Yeah, sure:

      Given physical access / Local user account

      DOS: Owned
      Linux: Owned (start shell instead of startup-script if bootloader isn't locked down, which it isn't on any standard distribution I know of)

      Given normal remote user access
      DOS: No such thing as remote user access.
      Linux: Arguable how insecure this is (on most standard installs, it certainly can be safe).

      Either way, the risk is larger than non-existent, so still a win for DOS.

      Given Superuser access
      Silly, but:
      DOS: Owned
      Linux: Owned

      But there are certainly any number of virus and trojan type exploits for *DOS. Or perhaps these aren't sane metrics either?
      No, merely counting number of exploits/bugs without ensuring they actually are comparable isn't a sane metric. Take a look at some Microsoft Propaganda if you want to know how misleading it can get.
      --
      "" How about taking the safety labels off everything, and let the stupidity-problem solve itself? """
    8. Re:Complete FUD by Darby · · Score: 1

      Let's see you take out an entire filesystem as non-root under Linux.

      OK:

      From /etc/fstab: /dev/hda7 /home/darby/winshare vfat user,uid=1000 1 2

      $ whoami
      darby

      $ rm -rf winshare
      $

      Done ;-)
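
The fstab line quoted above is exactly the kind of entry a configuration audit should flag. The checker below is an added example (not code from the post): it parses a constructed /etc/fstab excerpt containing that line and reports user-mountable entries whose options hand ownership or write access of a permission-less filesystem to an unprivileged account, or re-enable exec/suid/dev that the user option normally implies off. The sample file and function names are this example's own.

```python
from typing import NamedTuple

# Constructed /etc/fstab excerpt (this example's own); the winshare line
# is the one quoted in the post above.
FSTAB_EXCERPT = """\
# <file system> <mount point> <type> <options> <dump> <pass>
/dev/hda1 / ext3 defaults,errors=remount-ro 0 1
/dev/hda7 /home/darby/winshare vfat user,uid=1000 1 2
/dev/hdc /media/cdrom iso9660 ro,user,noauto 0 0
/dev/sda1 /mnt/usb vfat users,umask=000,exec 0 0
proc /proc proc defaults 0 0
"""

USER_MOUNT_OPTS = {"user", "users", "owner"}   # mountable without root
REENABLE_OPTS = {"exec", "suid", "dev"}         # undo the noexec,nosuid,nodev that 'user' implies
# Filesystems with no Unix ownership on disk: every file's owner/mode comes
# from the mount options, so uid=/umask= decide who may delete the tree.
NO_UNIX_PERMS = {"vfat", "msdos", "ntfs", "iso9660", "udf"}


class FstabEntry(NamedTuple):
    device: str
    mountpoint: str
    fstype: str
    options: tuple


def parse_fstab(text):
    """Parse fstab lines; comments and blank lines are skipped, dump/pass are optional."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            continue  # fewer than four fields is malformed, not an entry
        entries.append(FstabEntry(fields[0], fields[1], fields[2], tuple(fields[3].split(","))))
    return entries


def audit_entry(entry):
    """Findings for one entry; an empty list means nothing to report."""
    opts = set(entry.options)
    kv = dict(o.split("=", 1) for o in opts if "=" in o)
    findings = []
    user_mountable = bool(opts & USER_MOUNT_OPTS)
    reenabled = sorted(opts & REENABLE_OPTS)
    if user_mountable and reenabled:
        findings.append("user-mountable yet re-enables %s (mount(8) implies noexec,nosuid,nodev for 'user')"
                        % ",".join(reenabled))
    if entry.fstype in NO_UNIX_PERMS and "ro" not in opts:
        if "uid" in kv:
            findings.append("uid=%s owns every file on this %s mount; that account can remove the whole tree"
                            % (kv["uid"], entry.fstype))
        umask = kv.get("umask")
        # umask is octal; a clear 'other write' bit (0o002) means world-writable
        if umask is not None and (int(umask, 8) & 0o002) == 0:
            findings.append("umask=%s makes every file world-writable" % umask)
    return findings


def audit_fstab(text):
    """Mount point -> findings, for the entries that have any."""
    report = {}
    for entry in parse_fstab(text):
        findings = audit_entry(entry)
        if findings:
            report[entry.mountpoint] = findings
    return report
```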

  17. I call FUD by LighterShadeOfBlack · · Score: 5, Insightful

    Comparing the complexity of system calls made by two different programs on two different OSes and then using that solely to judge the two differing OSes seems like an astoundingly flawed comparison. Seeing as Apache runs on Linux and Windows it seems pretty obvious that they should've at least used the same program to make this comparison even slightly relevant.

    I'm not saying Windows isn't worse than Linux in this respect, just that this article proves nothing.

    --
    Spelling mistakes, grammatical errors, and stupid comments are intentional.
    1. Re:I call FUD by Anonymous Coward · · Score: 0

      not if you are comparing "stacks."

      the term windows is vague - in this case it obviously means "the windows way of doing things" = iis + windows xp.

      linux = "the linux way of doing things" = linux and apache.

      the title should be more clear, though. there is lots of room for confusion.

  18. This is more a comparison of efficiency to me. by Ariastis · · Score: 1

    Sure, it shows that Windows is harder to secure on the system calls front because it makes so many more of them (with IIS). But to me, if the graphs aren't factise, it just confirms that Windows/IIS is way too bloated to be an efficient webserver. Same task, similar results, but Windows requires nearly twice the computing power to do it in the same time. No wonder Unix|Linux webservers can run on older/cheaper hardware and give satisfying results...

    1. Re:This is more a comparison of efficiency to me. by IflyRC · · Score: 1

      For all we know, the IIS sample used was executing ASP.NET pages that used some COM objects via COM Interop and Runtime Callable Wrappers. To handle the conversion between COM and managed code I could see there being that much inefficiency. However, the images are just too small to tell what's happening.

    2. Re:This is more a comparison of efficiency to me. by SatanicPuppy · · Score: 3, Informative

      Except for the whole: "[T]hese images... are a complete map of the system calls that occur when a web server serves up [the same] single page of [HTML] with a single picture."

      RTFS: Read The Fucking Summary.

      --
      ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
    3. Re:This is more a comparison of efficiency to me. by Anonymous Coward · · Score: 0

      I think it would be a much more *INTERESTING* example if apache was used on both sides.

      IIS is a different beast to Apache. They both do basic things the same. But get outside of basic web pages and each one is a WAY different beast to configure, manage, and code for.

  19. OT: Is google working at the mo? by Anonymous Coward · · Score: 0, Offtopic

    www.google.com seems to not work. Neither is www.gmail.com. I'm in the UK. It's been like this for about an hour - never had this problem before.

  20. Not true - pure FUD by A+Friendly+Troll · · Score: 1

    Secunia disagrees with the blog contents. I disagree as well - this is pure FUD.

    (IIS 5 and IIS 4 are humiliating for mankind. Won't link those, but search yourself if you want to cry and have nightmares.)

    IIS 6
    Affected By 3 Secunia advisories
    Unpatched 0% (0 of 3 Secunia advisories)

    Apache 1.3.x
    Affected By 19 Secunia advisories
    Unpatched 5% (1 of 19 Secunia advisories)

    Apache 2.0.x
    Affected By 33 Secunia advisories
    Unpatched 9% (3 of 33 Secunia advisories)

    Apache 2.2.x
    Affected By 3 Secunia advisories
    Unpatched 33% (1 of 3 Secunia advisories)

    1. Re:Not true - pure FUD by Watson+Azfor · · Score: 1

      Hmmm. Maybe I'm not seeing this correctly, but by your logic of unpatched advisories, there appears to be a mistake in the IIS 6 category. 0 Unpatched of 3 Secunia advisories would be 100% unpatched, making IIS 6 the worst of the bunch.

    2. Re:Not true - pure FUD by Anonymous Coward · · Score: 0

      So you're only going to compare the latest? What happens to your IIS->Apache 2.2 comparison if you don't include optional modules that are disabled by default?

      What happens if you don't include configurations that the documentation recommends against specifically because they are insecure?

      What happens if you don't include issues that have no impact on the server?

    3. Re:Not true - pure FUD by csplinter · · Score: 1
      Quote from Secunia.com

      "Please Note: The statistics provided should not be used to compare the overall security of products against one another."
    4. Re:Not true - pure FUD by A+Friendly+Troll · · Score: 1

      What happens when you write a blog post which includes two images of gray spaghetti and claim that one web server is more (in)secure than another?

      Judging security by Secunia's advisories is the same as judging security by pictures that don't make sense at all. You can spread FUD either way, which is what I just did, in accordance with my nickname (which isn't really meant to be taken literally, but hey, I have to live up to it sometimes). Even Secunia says "Please Note: The statistics provided should not be used to compare the overall security of products against one another."

      My post is the equivalent of the linked blog entry. Crappy FUD.

      Now, for our favourite car analogy (we like those, don't we?): a cheap car made in 1970 doesn't make any system calls (obviously). Is it more secure when driving than the latest 2007 top-end BMW or Toyota, both of which include very complex computer systems? ;)

    5. Re:Not true - pure FUD by Anonymous Coward · · Score: 0

      Also notice that the unpatched apache 2.2 bug only occurs on Windows (unless you happen to use a FAT or NTFS filesystem on your non-windows apache server).

    6. Re:Not true - pure FUD by jetpeach · · Score: 1

      "Now, for our favourite car analogy (we like those, don't we?): a cheap car made in 1970 doesn't make any system calls (obviously). Is it more secure when driving than the latest 2007 top-end BMW or Toyota, both of which include very complex computer systems? ;)"

      Well, since the crappy 1970s car drives like ass and nobody would want to steal it, and the new fangled BMWs have been getting stolen all over Europe and sold in Russia because of a flaw in the keyless entry and proximity start mechanism... Yes, your PoS car is more secure!

  21. Re:Pudding graph by HomelessInLaJolla · · Score: 1

    > That is *all* they show

    According to the blog author the graphs are maps of calls to memory locations which would also include calls made from the web server to the underlying OS (e.g. calls from apache to glibc).

    --
    the NPG electrode was replaced with carbon blac
  22. Re:Pudding graph by j00r0m4nc3r · · Score: 5, Insightful

    Well, not only that, but it has nothing to do with Windows and Linux. More like, Apache and IIS. You could run Apache on your Windows box, which I'm sure LOTS of people do.

  23. Very suspicious of what "syscall" means here. by Nevyn · · Score: 5, Insightful

    The normal usage of syscall is something that has to transfer control to the system, from your program. Things like accept(), write() and sbrk() but not strcpy() or malloc(). While I haven't done an strace on Apache-httpd I have done it on my own webserver and I find it hard to believe that Apache-httpd is as bad as the graph in the article implies. And given there's no text in the graph it's hard to check.

    At its simplest a HTTP response is: accept(); read(); open(); fstat(); write(); sendfile(); close(); close();. A lot of servers will set options like: FD_CLOEXEC, O_NONBLOCK, TCP_CORK and call shutdown() at the end. You can also easily blow a few more syscalls on config. options which don't do anything for the simplest case, but the graph implies 50-100.

    The confusing thing, to me, is that if by "syscall" they meant something like "library calls" then I'd expect much more for Apache-httpd (as large bits of code are in libapr etc.) ... but the comparison is worthless then anyway.

    --
    ustr: Managed string API with ave. 44% overhead over strdup(), for 0-20B
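
An added example (not code from the post) for checking the sequence the post sketches against an actual trace: it parses a constructed strace -f style excerpt of one request, handles the <unfinished ...> / <... resumed> line pairs a threaded server produces, folds the 32-bit fstat64/fcntl64 names into their generic ones, and reports which calls go beyond the minimal accept/read/open/fstat/write/sendfile/close/close list. The trace lines, pids and function names are this example's own.

```python
import re
from collections import Counter

# Constructed strace -f style excerpt of one static-file request (this
# example's own, not a real capture). A second thread's epoll_wait is
# interleaved, and the blocking accept is split across two lines the way
# strace prints it when another thread's event arrives in between.
STRACE_EXCERPT = r"""
[pid  2134] accept(3,  <unfinished ...>
[pid  2135] epoll_wait(6, {}, 16, 1000) = 0
[pid  2134] <... accept resumed> {sa_family=AF_INET, sin_port=htons(51234), sin_addr=inet_addr("127.0.0.1")}, [16]) = 4
[pid  2134] fcntl64(4, F_SETFD, FD_CLOEXEC) = 0
[pid  2134] fcntl64(4, F_SETFL, O_RDWR|O_NONBLOCK) = 0
[pid  2134] read(4, "GET /index.html HTTP/1.0\r\n\r\n", 8000) = 28
[pid  2134] open("/var/www/index.html", O_RDONLY) = 5
[pid  2134] fstat64(5, {st_mode=S_IFREG|0644, st_size=612, ...}) = 0
[pid  2134] setsockopt(4, SOL_TCP, TCP_CORK, [1], 4) = 0
[pid  2134] write(4, "HTTP/1.0 200 OK\r\nContent-Length: 612\r\n\r\n", 40) = 40
[pid  2134] sendfile(4, 5, [0], 612) = 612
[pid  2134] close(5) = 0
[pid  2134] shutdown(4, 1 /* send */) = 0
[pid  2134] close(4) = 0
"""

# Optional "[pid NNN]" prefix, then either a completed call "name(" or the
# second half of a split call "<... name resumed>".
CALL_RE = re.compile(r"^(?:\[pid\s+(\d+)\]\s+)?(\w+)\(")
RESUMED_RE = re.compile(r"^(?:\[pid\s+(\d+)\]\s+)?<\.\.\.\s+(\w+)\s+resumed>")

# The minimal sequence the post gives for one static response.
MINIMAL_RESPONSE = ["accept", "read", "open", "fstat", "write", "sendfile", "close", "close"]


def normalize(name):
    """Fold 32-bit variants (fstat64, fcntl64, ...) onto the generic syscall name."""
    return name[:-2] if name.endswith("64") else name


def parse_strace(text, pid=None):
    """Completed syscalls in trace order, optionally restricted to one pid."""
    calls = []
    for line in text.splitlines():
        line = line.strip()
        if not line or "<unfinished ...>" in line:
            continue  # the call is counted when its "<... resumed>" line appears
        m = RESUMED_RE.match(line) or CALL_RE.match(line)
        if not m:
            continue  # signal lines, exit_group notices, etc.
        line_pid, name = m.groups()
        if pid is not None and line_pid is not None and int(line_pid) != pid:
            continue
        calls.append(normalize(name))
    return calls


def syscall_profile(calls):
    """How many times each syscall was made."""
    return Counter(calls)


def compare_to_minimal(calls, minimal=MINIMAL_RESPONSE):
    """Calls beyond the minimal sequence, and any of the minimal ones not seen."""
    observed, expected = Counter(calls), Counter(minimal)
    return {
        "extra": dict(observed - expected),
        "missing": dict(expected - observed),
        "total": len(calls),
        "minimal": len(minimal),
    }
```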
    1. Re:Very suspicious of what "syscall" means here. by Anonymous Coward · · Score: 0

      Next time you might want to actually try the strace before commenting. Apache isn't some weekend coder's "I made my own s3rv3r d00d!" project. A request does more than just get some data and send it. It's checking configuration options, security, etc. All of which usually require some amount of system calls.

    2. Re:Very suspicious of what "syscall" means here. by daviddennis · · Score: 1

      My reaction is that this seems like a lot of complexity for something that should be really, really simple.

      Why do we need to have such a complex program as a web server, anyway, when most of us don't use 1% of its features?

      I'm wondering if the weekend project might actually wind up being a better web server than Apache, for the average application where there is no private information in the web document tree and therefore no need to check internal security. (You would, of course, have to check the URL for ../ and the like).

      D

    3. Re:Very suspicious of what "syscall" means here. by Cheesey · · Score: 1

      There are a few small webservers already in existence: thttpd and dhttpd to name two. thttpd is faster than Apache at serving static pages as its feature set is very small. It is also a useful power tool - you can instantly set up a webserver to serve any directory you want.

      Someone could probably make a tidy piece of cash by making an instant webserver for Windows users. It's an easy way of distributing files that doesn't require any special software or configuration on the client side. thttpd + GUI + shell integration would do the trick nicely.

      --
      >north
      You're an immobile computer, remember?
    4. Re:Very suspicious of what "syscall" means here. by Anonymous Coward · · Score: 0

      Try to beat HFS (HTTP File Server) featurewise and pricewise (free as in beer). I don't think there's money to be made here.
      http://www.rejetto.com/hfs/

    5. Re:Very suspicious of what "syscall" means here. by Cheesey · · Score: 1

      Try to beat HFS (HTTP File Server) featurewise and pricewise (free as in beer). I don't think there's money to be made here.

      I thought something like that might already exist, and now I know. Thanks for pointing it out!

      --
      >north
      You're an immobile computer, remember?
    6. Re:Very suspicious of what "syscall" means here. by Siker · · Score: 1

      Why do we need to have such a complex program as a web server, anyway, when most of us don't use 1% of its features?

      There's a computer science idiom for that. It basically says that while any one user rarely uses more than say 20% of the functions of your program, most users use a different 20% of the program.

  24. I'm so confused by Anonymous Coward · · Score: 4, Funny

    Windows is less secure because more blimps are firing more laser beams at other blimps in its picture than in Linux's picture. ??? Wouldn't the larger swarm of blimps with more lasers make it more secure, since it has the better army?

    1. Re:I'm so confused by Anonymous Coward · · Score: 0

      you win teh internets

    2. Re:I'm so confused by Anonymous Coward · · Score: 0

      Yes, but the Windows blimps are filled with HYDROGEN, whereas the Linux blimps are filled with safe, effective helium.

  25. Well, kind of right by varmittang · · Score: 2, Insightful

    Yeah, it's Apache on Linux and IIS on Windows, but what about Apache on Windows? What are the system calls there? If they are about the same from Linux to Windows for Apache, then all this proves is that MS wrote a crappy Web server. But if there are more calls to be made with Apache on Windows, then I would say that Windows makes its programs do more system calls and possibly makes all programs more likely to be cracked into. But it's not fair to put one program against another on different OSs, then say the OS is the problem.

    --
    -----BEGIN PGP SIGNATURE-----
    12345
    -----END PGP SIGNATURE-----
    1. Re:Well, kind of right by Anonymous Coward · · Score: 0

      Yeah, it's Apache on Linux and IIS on Windows, but what about Apache on Windows. What are the system calls there. If they are about the same from Linux to Windows for Apache, then all this proves is that MS wrote a crappy Web server.

      Do you suppose the complexity results from the shoddy coding of the Windows kernel? In which case, the graphs of Apache and IIS on Windows would both end up looking similarly like spaghetti. Nah, I mean yah, the IIS would still be worse. They're working from the same style and practices guide as the kernel folks, right?
  26. Re:Pudding graph by Malc · · Score: 4, Insightful

    Twaddle. The report comes from a company that makes money selling security software for Windows. Scaremongering is good for their sales.

    What would be interesting is an analysis of the types of system calls. What about a comparison of the functionality of IIS vs. Apache? Perhaps Windows provides some calls that Apache has had to implement in its own application code. How many of those so-called system calls trap into the kernel?

    This is just insubstantial FUD as far as I can see, backed up by indecipherable pictures.

  27. Good point.. by d_jedi · · Score: 1

    Assuming the graphs generated are, in fact, accurate and not just a bunch of scribbles on a page (it would be nice if there was an expanded version that showed the whole thing, legibly..).

    One of the principles of secure programming is to keep it simple (stupid). Simpler interfaces have fewer potential areas for exploitation. That said, the picture doesn't tell the whole story. For one, the blog title saying Windows is less secure, is possibly inaccurate (at least, it cannot be derived from that picture) - the additional complexity may make it HARDER for MS to secure Windows, but that says nothing really of the intrinsic security of either platform.

    --
    I am the maverick of Slashdot
    1. Re:Good point.. by Thundersnatch · · Score: 1

      Simpler interfaces can also be far more exploitable. For example, system() has a really simple interface. But it has terrible security implications if it is ever used in conjunction with user input.

      A great many SQL injection, script injection, and other security issues arise from the "simple" interfaces of JDBC, ADO.net, Response.Write(), and the like.
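
      The point above, that a simple interface is exactly where untrusted input does the most damage, is easy to see in code. The block below is an added example, not from the comment or from any project the thread discusses: it builds an in-memory SQLite table with constructed rows and shows the concatenated query beside the parameterized one, then runs a directory listing through a shell (the subprocess equivalent of system()) beside the argv form that passes the same hostile string as a single argument. The table contents, the user names and the hostile inputs are all constructed for the example.

```python
"""Two "simple" interfaces and the hardened form of each.

Constructed example: a lookup table of users and two hostile input
strings are built inline; nothing here touches a real database or a
real file.
"""
import sqlite3
import subprocess

# Constructed sample rows for the in-memory database.
USERS = [("alice", "alice@example.test"), ("bob", "bob@example.test")]


def build_db():
    """Create an in-memory SQLite database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def lookup_unsafe(conn, name):
    """Vulnerable: the user-supplied name is spliced into the SQL text,
    so quote characters in it change the query's structure."""
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    """Hardened: a bound parameter keeps the name as data, never as SQL."""
    sql = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def list_with_shell(path):
    """Vulnerable: shell=True behaves like system(); the shell parses
    the whole string, so metacharacters in path become shell syntax."""
    result = subprocess.run("ls -d -- " + path, shell=True,
                            capture_output=True, text=True)
    return result.stdout


def list_with_argv(path):
    """Hardened: no shell is involved, so path reaches ls as exactly one
    argument, whatever characters it contains."""
    result = subprocess.run(["ls", "-d", "--", path],
                            capture_output=True, text=True)
    return result.stdout


if __name__ == "__main__":
    conn = build_db()
    # Constructed hostile inputs: a tautology and a command separator.
    hostile_name = "nobody' OR '1'='1"
    hostile_path = "no-such-dir; echo INJECTED"
    print("concatenated SQL returned", len(lookup_unsafe(conn, hostile_name)), "rows")
    print("parameterized SQL returned", len(lookup_safe(conn, hostile_name)), "rows")
    print("shell form printed:", repr(list_with_shell(hostile_path).strip()))
    print("argv form printed:", repr(list_with_argv(hostile_path).strip()))
```

      Running it prints two rows for the concatenated query and none for the bound one, and the word INJECTED only from the shell form. The fix is the same in both cases: keep user data out of the component that interprets syntax, whether that is the SQL parser or /bin/sh.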

  28. OMG! It's the Spaghetti Monster by Anonymous Coward · · Score: 0

    Microsoft *is* His Noodlyness!

  29. more calls could just as easily mean more security by harlows_monkeys · · Score: 3, Insightful

    This is kind of ridiculous. More calls could indicate that some things are being broken down into more fine-grained, simpler, subproblems, or that more use is being made of existing libraries as opposed to writing new code. Both of those would tend to lead to better security.

    In other words, number of system calls tells us nothing useful about security.

  30. Some points by thousandinone · · Score: 1

    Two pretty pictures. Two pretty, interesting looking pictures. Two pretty, interesting looking, but completely unlabeled pictures. This is the sort of thing an IS representative would show at a meeting with non tech-savvy personnel. All it shows is two messes of lines, one more tangled at the top, the other the bottom. It would be more helpful if there was some indication of what was causing the different calls. On another note: How is this Windows vs. Linux? The article would indicate it was a comparison of Windows and Linux in general, but it's actually comparing two types of web server, and last I checked Apache can be run on a Windows machine...

  31. Re:Pudding graph by A+beautiful+mind · · Score: 1

    I know both of them!

    --
    It takes a man to suffer ignorance and smile
    Be yourself no matter what they say
  32. Or is it the other way? by edmicman · · Score: 1

    A system call is an opportunity to address memory. A hacker investigates each memory access to see if it is vulnerable to a buffer overflow attack. The developer must do QA on each of these entry points. The more system calls, the greater potential for vulnerability, the more effort needed to create secure applications.

    Not that I necessarily disagree with the point of the article, but couldn't you argue that if a hacker has to "investigate each memory access to see if it is vulnerable", then by having more entry points it would be MORE secure? If I have 10 possible vulnerable points to look through versus 1000 possible vulnerable points, wouldn't I want to tackle the smaller job?
    1. Re:Or is it the other way? by ja · · Score: 1

      No. It is like getting 10 lottery tickets vs 1000 lottery tickets. Chances of finding a vulnerability are better the more opportunities you get.

      --

      send + more == money? ...
    2. Re:Or is it the other way? by Slightly+Askew · · Score: 1

      If I have 10 possible vulnerable points to look through versus 1000 possible vulnerable points, wouldn't I want to tackle the smaller job?

      BadAnalogy(TM) time. If I want to invade a foreign country, one which has 10 bridges leading to it, and one which has 1000, I'm going to assume (rightly so) that the defending nation is going to have a harder time securing those 1000 bridges than the one securing 10 bridges. Yes, it is easier for me to determine which are undefended in the 10 bridge scenario...it is also far more likely that nation has in-depth knowledge of the defensibility of those bridges. As the defender, I'm much more likely to catch a guard napping when I only have 10 bridges to monitor.

      --
      Public use of any portable music system is a virtually guaranteed indicator of sociopathic tendencies. -- Zoso
    3. Re:Or is it the other way? by gbjbaanb · · Score: 1

      or is it like getting 10 lottery tickets vs 1000 scratchcards. Apache could easily have 10 big calls to make into the kernel, the rest statically linked and inlined, whereas IIS is using loads of system DLLs. In short, it's a nonsense comparison, a nonsense graph (though I like how the Windows one is spread out making it look way more complex, and the Apache calls are laid out at the top making it look a lot tidier).

      And it's over a year old; isn't there anything interesting to talk about?

    4. Re:Or is it the other way? by ja · · Score: 1

      It would still be only 10 calls for the Apache team to analyze and prove innocent, where the actual difference is much smaller than the somewhat exaggerated 10 vs 1000 example.

      Throw a scripting language into the mix, _then_ watch the calling graph to go thru the roof :-D

      --

      send + more == money? ...
  33. Unavoidable. by Kadin2048 · · Score: 5, Interesting

    I think you'd have to resort to a lot of trickery, like stacking vertices on top of each other with zero-length edges, to make the Windows graph appear less complicated than the Linux one. Provided that you model them in the same way, it ought to be pretty apparent that one just has a lot more vertices and edges than the other, even if you did it in a multidimensional space.

    Really, the graphs are just a way of artfully showing a simple fact, which is that Windows requires more system calls than Linux to complete a particular task. If you assume that each system call is a potential vulnerability, and that fewer calls are inherently better and more secure, then the result is a foregone conclusion. But those are pretty big "ifs," and it seems like someone who was pro-Windows would do better to attack those premises, rather than trying to dispute the graph, if it's indeed representative of the true number of system calls.

    --
    "Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
    1. Re:Unavoidable. by jpmattia · · Score: 4, Insightful

      If you assume that each system call is a potential vulnerability, and that less calls are inherently better

      I think that's severely oversimplifying, because rewriting the system to take only one system call would certainly result in more bugs, no?

    2. Re:Unavoidable. by Kadin2048 · · Score: 1

      I think that's severely oversimplifying, because rewriting the system to take only one system call would certainly result in more bugs, no?

      And I'm not arguing with you in the slightest. However, in TFA, that's pretty much exactly the assumption that the author makes, in order to start off with the diagrams of system calls, and from there get to the conclusion that IIS/Windows Server is "more secure" than Apache/Linux.

      I wasn't really making any commentary on that premise, because I'm hardly qualified to, except that if you wanted to undermine the article's conclusions, the premises seem like a good place to start...

      --
      "Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
    3. Re:Unavoidable. by raddan · · Score: 1

      If you assume that each system call is a potential vulnerability, and that fewer calls are inherently better and more secure, then the result is a foregone conclusion. But those are pretty big "ifs," and it seems like someone who was pro-Windows would do better to attack those premises, rather than trying to dispute the graph, if it's indeed representative of the true number of system calls.

      You're right, the number of required calls is not necessarily an indicator of more vulnerabilities. But if you accept the standard metric that one bug happens, on average, for every twenty lines of code (that is, a 5% bug rate), then more calls implies more code, which implies more potential security vulnerabilities.

      My understanding is that Microsoft's test suites are extremely vigorous, and I think it is for the above reason. Their defect rate may even be lower than the industry norm. But as someone who works with and writes software for a living, Microsoft's chart makes me uneasy. That's because the number of tests required as the number of entry points increases is not linear. There's a point at which Microsoft may not even have enough time to test for all of their bugs given the size of the codebase. So even if their bug rate is lower, they most likely have more code, and they thus have more bugs.

      Apache works well for me and has had a much better security record than IIS. That's good enough for me.

    4. Re:Unavoidable. by Score+Whore · · Score: 1

      The thing to consider however is that they are not accomplishing the same task. At a high level, sure they are talking HTTP. But at a low level IIS in its default state does a lot more than Apache does in its basic state. Another thing to consider is the different architectures of the two web servers. They're completely different.

      This is a stupid way to compare Windows' security against Linux's security.

    5. Re:Unavoidable. by Fred+Ferrigno · · Score: 1

      But if you accept the standard metric that one bug happens, on average, for every twenty lines of code (that is, a 5% bug rate), then more calls implies more code, which implies more potential security vulnerabilities.

      That's also a particularly vulnerable assumption. It's not necessarily true that more calls mean more code. It seems likely that Microsoft has more developers working in parallel than Apache, so they may value more modular code. That is, Microsoft's code between calls may be more sparse, passing off to another layer functionality that Apache would implement in line.

      It was also pointed out in the comments to the original article (way back in April) that IIS implements a lot more functionality out of the box. Some of those system calls may relate to setting up the environment for CGI or other things that aren't really needed when serving up a single static page. Add in a few Apache modules to do something interesting and the graphs may end up looking very similar.

      I'm not really saying Windows & IIS are more secure than Linux & Apache, just that using these graphs to come to any kind of meaningful conclusion is impossible.
    6. Re:Unavoidable. by SL+Baur · · Score: 2, Insightful

      Really, the graphs are just a way of artfully showing a simple fact, which is that Windows requires more system calls than Linux, to complete a particular task

      That's what it looks like and I hate to say this, but who cares and what has this to do with security? The average Unix program doesn't make its own system calls and the most exploited misfeatures were in the standard C library like sprintf, strcpy, and gets, none of which involve system calls.
    7. Re:Unavoidable. by maxume · · Score: 1

      Couldn't more calls imply less code, i.e. more reuse?

      I don't really see that the article says anything at all.

      --
      Nerd rage is the funniest rage.
    8. Re:Unavoidable. by wellingj · · Score: 1

      It was also pointed out in the comments to the original article (way back in April) that IIS implements a lot more functionality out of the box. Some of those system calls may relate to setting up the environment for CGI or other things that aren't really needed when serving up a single static page.

      Then why do those system calls need to be called for a static page?
      If that is the case it would seem like one more area that could be exploited if vulnerabilities existed in those calls.
    9. Re:Unavoidable. by 51mon · · Score: 4, Insightful

      I think that's severely oversimplifying, because rewriting the system to take only one system call would certainly result in more bugs, no?

      I thought Alan Cox had already done a kernel module for serving http?

      But no, rewriting the system to more specifically do the task in a more focused way would almost certainly result in a lot fewer bugs; of course, the system would be less "generally useful".

      Clearly it is a simple argument, less is more.

      Backwards compatibility has huge costs, one of them is security. Supporting those apps with 8.3 filename limits, and 3 or 4 different ways of accessing the file system, all mean there is a lot more around to go wrong.

      If you are actively using large chunks of "more" you probably don't care, as your system is more flexible, or more featured.

      But I'm really not interested in the performance hits the more bizarre features of SMB give to my webservers, but I daren't switch it off, as I know I'd be running an IIS configuration that is practically unique in the world, and it is flaky enough as it is. Similarly I don't care about that 8.3 compatibility, I know I could switch it off, but I'd worry something obscure might break. So I'm stuck with the "more" even when I want "less". Whereas my Linux webservers don't have a GUI, most don't have SMB (or NFS), I lost all that network filesystem junk with the last update on most of them (scp (or http) will do fine for most things).

      Guess it comes down to design - the secret of elegance is about what you take out, not what you put in.

      And if you want (or are unsure if you need) binary backward compatibility to DOS 1 (or whatever level is provided), you can take out very little.
    10. Re:Unavoidable. by Fred+Ferrigno · · Score: 1

      They don't, but IIS has no way of knowing. Even if the features are never used, a certain amount of initialization is required in order to make them available. Apache doesn't have a lot of that functionality by default, so it's favored by the very limited example here. Since most websites aren't single static pages, actual Apache usage may not be that different than IIS.

    11. Re:Unavoidable. by newt0311 · · Score: 2, Insightful

      The thing to consider however is that they are not accomplishing the same task. At a high level, sure they are talking HTTP. But at a low level IIS in it's default state does a lot more that Apache does in it's basic state. Another thing to consider is the different architectures of the two web servers. They're completely different.

      Unnecessary complexity is a bad thing you know. Does IIS re-init everything for every page? If so, it should be redesigned. If not, your argument falls apart. The fact that their architectures are different is one of the basic facts that is being relied upon. If the core architecture was the same, security characteristics would be a lot more similar. Besides, the defect pointed out is primarily a design defect, namely that IIS has a much more complicated design. Such a statement assumes different architectures.
    12. Re:Unavoidable. by CCFreak2K · · Score: 1

      Secure, fast, cheap: pick any two.

      --
      "Beware of he who would deny you access to information, for in his heart he dreams himself your master."
    13. Re:Unavoidable. by gr8dude · · Score: 1

      I think that's severely oversimplifying, because rewriting the system to take only one system call would certainly result in more bugs, no?

      Exactly. Also, it is always emphasized that a program should be split into re-usable chunks (functions), which is much better than writing the whole thing in your main function (difficult to reuse, a lot of redundancy, etc.)

      So, my question is, why does 'a graph with less vertices' mean 'a better system'?
    14. Re:Unavoidable. by cant_get_a_good_nick · · Score: 1

      Backwards compatibility has huge costs, one of them is security. Supporting those apps with 8.3 filename limits, and 3 or 4 different ways of accessing the file system, all mean there is a lot more around to go wrong.

      As someone who followed the Apache 1.2 line (the one where someone contributed some code to let it compile on Windows) I remember the huge amount of security bugs due to 8.3 and LongFileName issues (e.g. you block something based on a long filename, but someone requests its 8.3 equivalent, and it goes through). The entire 1.2 lifecycle was unusable on Windows because of the security bugs, though it provided great insight into Windows for 1.3 and more importantly the 2.0 line.
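
      The bypass class described above (a check written against one spelling of a path while the filesystem accepts others) comes down to checking before canonicalizing. The block below is an added example, not Apache code: NTFS short names cannot be produced on a Linux machine, so SHORT_NAMES is a hand-written alias table standing in for the filesystem's 8.3 resolution, with invented names, and the deny list is constructed as well. It goes beyond the 8.3 case by also folding case and collapsing dot segments, since each of those is another spelling of the same file.

```python
"""Canonicalize before you check: a simulated 8.3 alias bypass.

Constructed example. Real short names are assigned by the filesystem;
the table below merely simulates that resolution for a few files.
"""
import posixpath

# Constructed: short (8.3) aliases the filesystem would also accept for
# the same files. The numbering is invented for the example.
SHORT_NAMES = {
    "admin-panel.html": "ADMIN-~1.HTM",
    "secret-report.txt": "SECRET~1.TXT",
}
_LONG_FOR_SHORT = {short.lower(): long for long, short in SHORT_NAMES.items()}

# Constructed deny list, written in terms of long names only.
BLOCKED = {"admin-panel.html", "secret-report.txt"}


def canonicalize(request_path):
    """Map every spelling of a file to one canonical relative path.

    Collapses '.' and '..' segments, folds case (the simulated
    filesystem is case-insensitive) and expands short names segment by
    segment, so aliases of the same file compare equal afterwards.
    """
    # Treat backslashes as separators and anchor at a virtual root so
    # '..' cannot climb above it.
    norm = posixpath.normpath("/" + request_path.replace("\\", "/"))
    parts = []
    for seg in norm.split("/"):
        if not seg:
            continue
        seg = seg.lower()
        parts.append(_LONG_FOR_SHORT.get(seg, seg))
    return "/".join(parts)


def blocked_naive(request_path):
    """Vulnerable: compares the raw request string with the deny list,
    so any other spelling of a blocked file slips past."""
    return request_path in BLOCKED


def blocked_canonical(request_path):
    """Hardened: canonicalizes first, then consults the deny list."""
    return canonicalize(request_path) in BLOCKED


if __name__ == "__main__":
    for req in ("secret-report.txt", "SECRET~1.TXT", "docs/../Secret-Report.TXT", "index.html"):
        print(f"{req!r:32} naive={blocked_naive(req)!s:5} canonical={blocked_canonical(req)}")
```

      blocked_naive accepts the short name and the mixed-case and dotted spellings because none of them is byte-equal to the deny-list entry; blocked_canonical rejects all of them. A deny list is still the weaker design: an allowlist of served directories, compared against the canonical path, does not have to enumerate every alias the filesystem might accept.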
    15. Re:Unavoidable. by cant_get_a_good_nick · · Score: 1
      Hmm?

      The average Unix program doesn't make its own system calls

      I'm a UNIX programmer, and I find it hard to write a program that doesn't. At least for anything useful. Remember, all I/O uses syscalls.

      misfeatures were in the standard C library like sprintf, strcpy, and gets, none of which involve system calls.

      sprintf: calls syscall write()
      gets: calls syscall read()

      Yes, this "number of syscalls is proportional to number of possible exploits" is false, but your reasoning is flawed as well.

      One thing I haven't seen people say is that syscalls don't go through a normal parameter passing mechanism. No stack overflows because there is no stack, at least not shared between user and kernel space.
    16. Re:Unavoidable. by raddan · · Score: 1

      It could, yes. It's impossible to know without being able to see the names in the bubbles on the graph.

    17. Re:Unavoidable. by SL+Baur · · Score: 1
      You miss my point. In the case of gets(3), it is the standard C library making the system call, not the application. How often do you use a naked read(2) in a program?

      I would hope that sprintf does not make a system call because it is a strictly user-land operation. Even if it did, sprintf is a chapter 3 function, not chapter 2.

      From the Solaris FM:

      The sprintf() function places output, followed by the null byte (\0), in consecutive bytes starting at s; it is the user's responsibility to ensure that enough storage is available.

      One thing i haven't seen people say is that syscalls don't go through a normal parameter passing mechanism. No stack overflows because there is no stack, at least not shared between user and kernel space.

      The kernel uses its own stack and that is exploitable sometimes with carefully crafted symbolic links to name one example. Another example that used to be exploitable before MMUs became standard was the ability to use certain pointers to the first page of .data to read memory that the process shouldn't have access to (this is described in Bach, and it "worked" on both of my first M68K Unix systems).
    18. Re:Unavoidable. by yulek · · Score: 1

      As I see this, the graphs show without a doubt that IIS makes more system calls than Apache. And that's it. I don't understand how this proves anything regarding Linux or Windows if you're running two different applications. Last I heard Apache runs on Windows. Why not use the same version of Apache instead?

      Hey, I have an idea. Let's see how many system calls it takes to "serve up" a page of text. We'll use Notepad on Windows, and OpenOffice on Linux. Let's check out those system calls!

      --
      in this age of communication i'm just not getting through
  34. 0 Unpatched = 100% Patched by mythosaz · · Score: 1

    Uh... Zero unpatched means all patched; or if you like the percentages, means 100% patched. That's the best of the bunch.

    1. Re:0 Unpatched = 100% Patched by jabskeeterbug · · Score: 1

      I think everyone else understood you, he just can't read.

      --
      -Skeeterbug
  35. Documented Evidence for the Spaghetti Monster by geoffrobinson · · Score: 1

    I'm sure the Microsoft folks have excellent debugging tools to work with.

    --
    Except for ending slavery, the Nazis, communism, & securing American independence, war has never solved anything.
  36. Re:Pudding graph by Rycross · · Score: 4, Funny
    Quote from the article:

    This second image is of a Windows Server running IIS.

    You are wrong.
  37. More system calls could very well mean LESS secure by Anonymous Coward · · Score: 0

    This is a totally meaningless study. All you've shown is that for one relatively uncontrolled test, there were more system calls under Windows than under Linux. This could mean lots of things, and none of us can possibly know which:

    1) MAYBE it means that Linux system calls tend to jam lots of diverse functionality into a single system call, with complex parameters to select which is desired. This would mean Windows has far more system calls than Linux. But this is also a horrible and insecure programming practice, implying Windows is better.

    2) MAYBE it means that Windows did a better job of factoring common subroutines out into their own functions, which is a good programming practice and would imply Windows is better.

    3) Or, MAYBE it means what you seem to be asserting, that if the average number of lines of code per system call is the same in both Windows and Linux, then Windows requires more lines of code to be correct per task, so Linux is better.

    Besides, when was the last time that you saw a web-server based bug that was a kernel vulnerability, in either Windows *or* Linux? The vast majority of remotely exploitable bugs are found in user-code, making this study yet more meaningless. Maybe next time show us a graph of user-level library calls for the two OSs. But then it's still meaningless because of the 3 points above.

    Now, I'm not saying Windows is better, OR that Linux is better. I use both every day. What I am saying is that, being a rational systems researcher who really likes to know how these OSs might be measured, this piece of information adds nothing to the debate either way. It's just a sound bite.

  38. Quick Summary by bendodge · · Score: 2
    A quick summary:

    http://blogs.zdnet.com/images/SysCallApache.jpg
    http://blogs.zdnet.com/images/SysCallIIS.jpg

    1. These are old
    2. They have nothing to do with Linux vs Windows; they are Apache vs IIS
    3. They are unlabeled, so they are only good for showing the difference between C (Apache) and C++ (IIS)

    So this tells you that Apache is simpler than IIS, and C is simpler than C++.
    --
    The government can't save you.
    1. Re:Quick Summary by Tet · · Score: 1
      They are unlabeled, so they are only good for showing the difference between C (Apache) and C++ (IIS)

      Rubbish. Language choice has no bearing on system call usage, only on library calls. You might claim that the libraries chosen (for example, the STL) might make more system calls (although few libraries should be heavy system call users anyway), but that's the extent of it. I'd be interested to see a comparison on Apache on Linux and Apache on Windows.

      --
      "The invisible and the non-existent look very much alike." -- Delos B. McKown
  39. Re:Pudding graph by 0xdeadbeef · · Score: 1

    Why are people modding a joke insightful? You're making a joke, right?

  40. Re:Pudding graph by Anonymous Coward · · Score: 0

    Which means absolutely nothing without having the server configuration information. FUD, and it got you hook, line and sinker.

  41. Recalling fundamental differences by Anonymous Coward · · Score: 0

    Not surprising.

    The greatest difference between the Windows and Linux traditions is that the Windows tradition is "be everything to everyone" while the Unix tradition is "do one job, but do it well".

    There are problems/benefits associated with both approaches, and the charts illustrate just one example problem for the Windows approach.

  42. Re:Pudding graph by jimstapleton · · Score: 1, Funny
    the funny thing is, had you not said something as retarded as "home slice", I wouldn't have verified from TFA:

    This second image is of a Windows Server running IIS.

    Go back to your cave Mr Troll.
    --
    34486853790
    Connection too slow for X forwarding? Try "ssh -CX user@host"
  43. Why is Windows less secure? by night_flyer · · Score: 1

    Because you have people who don't know what they are doing using their computer like they would use a toaster oven or VCR! (and they STILL can't get the clocks set right!)
    People who use Linux are tech savvy enough to realize you can't just plug a machine into a wall socket and expect it to be secure.
    Windows owners who are wise to this fact have secure machines.

    It's a dumb argument.

    If Joe Sixpack ever got ahold of Linux he would be logged in as ROOT!

    --


    Thanks to file sharing, I purchase more CDs
    Thanks to the RIAA, I buy them used...
  44. What are they actually measuring? by argent · · Score: 1

    What are they actually measuring, though? They look like a subroutine call tree, very little to do with system calls at all, really.

  45. Re:Pudding graph by iusty · · Score: 3, Informative

    The article says syscalls, not function calls. The difference between calling models has no relation to syscalls, which are between userland and kernel space.

    More likely, the article shows the difference between Apache and IIS, on one side, and the glibc and however-it's-called windows' base library, on the other side.

  46. No, it was IIS on Win vs Apache on Linux. by Kadin2048 · · Score: 2, Insightful

    I don't know what you're talking about. In TFA it's quite clear that the top graph is Apache on Linux, and the bottom is IIS on Windows, both serving the same page. So there are two factors (at least) between them, a different OS and a different webserver. It's not fair, as much as I'd like to, to attribute the increase in calls purely to the design of Windows -- that would only be possible if it was Apache vs. Apache (and even then, there would be other things to control for).

    If you accept that more system calls are inherently bad, then the graphs might indicate that "IIS on Windows" is less secure than "Apache on Linux," but it says nothing about Apache on Windows, or Windows as a platform inherently.

    --
    "Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
  47. In the boardroom: by rehtonAesoohC · · Score: 2, Funny

    Corporate Linux Fanboy: "As you can see here Gentlemen, the Linux web server has far less tubes going everywhere, which means the information travels a shorter distance through these tubes."
    Board: "Oooohhh. Ahhhhh. Tubes..." *nod nod*
    Corporate Linux Fanboy: "Now as we look at the Microsoft version of the same exact thing, you can see that the tubes snake every which way with no sense of order. Chaos ensues, and the tubes are tangled every which way. Obviously, less tubes means better."
    Corporate Microsoft Fanboy: "Your Mom has more tubes!"

    1. Re:In the boardroom: by Anonymous Coward · · Score: 0

      When you have more tubes, they are less likely to get clogged up. My software, Mackpatche, doesn't have any of these complicated "tubes," it's just a big truck that you dump your web pages on.

  48. Re:Pudding graph by HomelessInLaJolla · · Score: 2, Insightful

    > This is just insubstantial FUD as far as I can see, backed up by indecipherable pictures

    So your assertion is that an overhead road map of cities, such as New York, NY vs. Kalamazoo, MI, would be entirely useless in generalizing points of traffic congestion and points of traffic collisions?

    Maybe you don't design operating systems (computer or civil), or, if you do, maybe you shouldn't.

    --
    the NPG electrode was replaced with carbon blac
  49. dupe by goarilla · · Score: 1

    This obviously is a dupe, but why would I believe any of it if I can't even read the names of the function calls? For all we know this could be as much fiction as Scientology.

    1. Re:dupe by Anonymous Coward · · Score: 0

      for all we know this could be as much fiction as scientology

      Scientology is no less fictional than Christianity.

    2. Re:dupe by jtev · · Score: 1

      Yeah, but at least with Christianity the source material is out there for people to read. And to believe or not. For the most part Bibles are not considered to be some strange and wondrous thing that one must train for years and years to be able to understand. While this was not always the case, it is the case currently. Now, for Scientology there is a great deal of the source material that is kept secret, so that the lay public cannot study it and determine its applicability to their lives and souls. Ergo Christianity is actually MORE scientific than Scientology, as well as being more able to reach those who seek spiritual guidance. (Disclaimer: I'm an agnostic, with leanings toward the teachings of Jesus of Nazareth, with a bit of the teachings of Lao Tzu mixed in.)

      --
      That which is done from love exists beyond good and evil
  50. His Noodly Goodness Does Not Approve by sehlat · · Score: 2, Funny

    I have prayed to the Flying Spaghetti Monster for guidance about these graphs, and yea, verily did He appear before me and said "What? No sauce?" Then he Frowned his Terrible Frown, and did drown my monitor in Parmesan, bellowing "Away, demons!" and vanished.

  51. Doesn't prove much by dtfinch · · Score: 1

    The more modular a program, the more its call graph will look like spaghetti. The function nodes don't indicate the complexity of the functions. I'm assuming these graphs cover all function calls. It looks too deeply nested to just be system calls.

    Imagine if the call graph was much much simpler, like just one central node with branches to each system call. Anyone responsible for such a monolithic blob of spaghetti code would have trouble finding a new job.

    I've seen these graphs several times already. With a date like "April 14th, 2006", I'm almost sure this is a dupe, but I don't feel like searching to prove it.

    1. Re:Doesn't prove much by dtfinch · · Score: 1

      On the other hand, I'd expect many more nodes if this was all function calls. It still looks like more than system calls, but much less than all calls. Maybe it includes all .dll and shared library calls. I imagine this isn't an apples-oranges comparison. Static linking could make one appear simpler than the other.

  52. So you admit you're full of shite by Anonymous Coward · · Score: 0

    You didn't like the FUD in this article, so you posted more (and by your own admission) equally bad FUD to this site.

    How's that an improvement?

  53. Plethora of issues by DLG · · Score: 4, Insightful

    #1. Old news
    #2. Apples and Oranges (IIS on Windows versus Apache on Linux? Which are we comparing?)
    #3. Lack of detail: You can't see what system calls are really involved. No indication of configuration. No version numbers.

    So that puts it in the realm of FUD, although the blogger does explain that it's just a blog.

    From my experience with Linux and Windows, the philosophical difference has to do with what is doing most of the work. In Windows a great deal of functionality is granted by the Windows API. As most programmers throughout the '90s know, Microsoft created their API around the functionality they needed for their own development, and then the rest of us had to buy the 'Secret' API manual with all the treats.

    In Linux the kernel, where all those system calls go, is pretty limited compared to Windows. Where most functionality is added for developers is in shared libraries. Windows of course has these too, but it's more a matter of where the real action is running. Is it in the kernel or in userspace? With Linux mostly it's userspace, so there are fewer issues with software errors being capable of interfering with the machine itself. Still there are ways developers, especially of servers requiring some superuser privileges (listening on ports under 1024), have provided security holes in basic interfaces (Sendmail and BIND for example). Still, that's not reserved to Linux. Beyond that, we talk about the fact that Linux users don't run as root, but I have seen a lot of IRC sessions where the username of root is in the GID. So SOME folks do run as root. Whether the distributions now make that less necessary, that is also how Vista is going.

    Apache is a bad project to compare other software to. It has been remarkably well developed both for stability and resisting sneaky security issues. Obviously one can muck up their configuration to reduce their security, but Apache itself (despite its initial moniker of being "a patchy" webserver) is a terrific example of a well-run coding project.

    IIS on the other hand is one of the poster children of security problems, with early versions not checking for navigation of parent directories, along with other trivial insecurities, based in some ways on permitting the developer to easily integrate IIS with other Microsoft tools.

    So yes, IIS on Windows is more insecure than Apache on Linux. And Apache on Linux has always kicked IIS's ass in market share. I wonder if we compared Apache on Linux to Apache on Windows what we would find.

    1. Re:Plethora of issues by Dr.+Manhattan · · Score: 1

      In Linux the Kernel where all those system calls go, is pretty limited compared to Windows. Where most functionality is added for developers is in shared libraries.

      One reason is that the basic API (generally POSIX with a few libraries and extensions) is objectively simpler, and in my opinion more elegant and orthogonal, than the Windows API. The Windows API has grown exponentially and haphazardly in many ways, and is now a monster that almost no one fully understands: Does Visual Studio Rot The Mind?

      "Tabulating only MSCORLIB.DLL and those assemblies that begin with word System, we have over 5,000 public classes that include over 45,000 public methods and 15,000 public properties, not counting those methods and properties that are inherited and not overridden... If you wrote each of those 60,000 properties and methods on a 3-by-5 index card with a little description of what it did, you'd have a stack that totaled 40 feet."

      Now, we have a printed copy of the POSIX standard here. In a set of 13 binders, it's about two and a half feet across. Only 7 of those binders actually cover the system interfaces (the equivalent of the System API above), and the other 6 are introductions, rationales, and descriptions of standard shell utilities. Note that this is the full documentation suitable for reimplementing it, not just notes on a 3x5 card. I'd call that objectively simpler.

      --
      PHEM - party like it's 1997-2003!
    2. Re:Plethora of issues by toadlife · · Score: 1

      "So yes, IIS on Windows is more insecure than Apache on Linux. "

      And what do you base that on? Are you basing that off of IIS6 or previous versions which contained the trivial insecurities you described?

      --
      I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.
    3. Re:Plethora of issues by PsychicX · · Score: 2

      I don't know if you intended this or not, but there's sort of a veiled implication in your post that the Win32 API lives in the kernel. It does not. In fact, the Win32 API is a pure userland API, and calls through to a much smaller set of kernel syscalls when necessary. So a Win32 API call does not equate to a 'syscall' in the normal sense, as such a call may make 0 or more calls to the kernel depending on what needs to be done.

    4. Re:Plethora of issues by Carnildo · · Score: 1

      #1. Old news
      #2. Apples and Oranges (IIS on Windows versus Apache on Linux? Which are we comparing?)
      #3. Lack of detail: You can't see what system calls are really involved. No indication of configuration. No version numbers.

      So that puts it in the realm of FUD, although the blogger does explain that it's just a blog.

      You can still get useful information out of it. For example, you can see that the IIS graph shows ten entry points, one of which calls a dispatcher function that leads into a godawful mess of spaghetti code (the bulk of the graph). The Apache example, on the other hand, has a single entry point leading into a set of about four dispatcher functions, with the program flow reasonably well-modularized. If you were to combine each chain of function calls in the Apache example into a single node, it would be a very clean graph.
      --
      "They redundantly repeated themselves over and over again incessantly without end ad infinitum" -- ibid.
    5. Re:Plethora of issues by earache · · Score: 1

      What does .NET have to do with Win32 API? Other than .NET thunking out to it?

      Your comparison of POSIX with the Win32 API is a miss as well, considering the number of "systems" represented in the windows api is significantly larger than POSIX.

      There is nothing objective or simple or valid about your comparisons.

    6. Re:Plethora of issues by Dr.+Manhattan · · Score: 1

      What does .NET have to do with Win32 API? Other than .NET thunking out to it?

      I didn't say "Win32 API", I said "Windows API". The current, recommended, heavily-promoted way to program Windows - .NET and so forth - is hideously complex, as I and others have pointed out.

      But okay, let's limit things to just the Win32 API. I agree, you're right - it's not several orders of magnitude more complex than POSIX. However, it is more complicated. Let's consider, say, shared libraries/DLLs. On Unix, there's four functions - dlopen, dlsym, dlerror, and dlclose. Well, okay, glibc adds two extensions - dladdr and dlvsym. On Windows, there's 13 functions plus an obsolete one. (Hey... actually, that is an order of magnitude more complicated...) It's a similar story with shared memory, it's pretty easy with Unix and just much harder with Windows.

      It just seems like every time I have to do something with the Windows API, it takes more code, and it takes longer to figure out which function I actually need to use, and figure out how to sort out errors, and which parameters are actually important and which ones are always NULL in any real-world case, and...

      --
      PHEM - party like it's 1997-2003!
  54. Re:Pudding graph by jimstapleton · · Score: 1

    It's the CRT/CRTD .dlls, if I remember correctly, in Windows when using Visual Studio.

    --
    34486853790
    Connection too slow for X forwarding? Try "ssh -CX user@host"
  55. A "grand unified coding function"... by StressGuy · · Score: 1

    Brilliant!!!

    --
    A goal is a dream with a deadline
  56. Re:Pudding graph by HomelessInLaJolla · · Score: 1

    I agree that there are hundreds of considerations which may affect the visual pattern of the graphs. I still feel that there is some useful information to be gained by this particular visualization.

    Nobody is claiming that this is a quantitative, tit-for-tat, comparison. What is being suggested is that this is qualitative evidence in the security debate.

    Apparently this article touched off some pretty severe nerves, though, because both the posters and the mods are going hog-wild with the flamebait.

    --
    the NPG electrode was replaced with carbon blac
  57. Not to jump to Microsoft's defense... by HerculesMO · · Score: 2, Funny

    But IIS is probably one of their best products, and most secure as far as security bulletins go.

    I think the rest has been covered ad nauseam, as far as C versus C++ procedure calls.

    --
    The price is always right if someone else is paying.
  58. Is this in response to Netcraft's February survey? by sheldon · · Score: 1

    The latest web survey showed further erosion of Apache compared to IIS? Do we need to spread a little marketing over at OSDL to try to turn that around?

    It's kind of an old article, and the assertion made is pretty stupid. I don't see any other purpose.

  59. Err... Mod Parent Up by argent · · Score: 1

    that was my first reaction as well... what the hell do they mean by "system calls", 'cos that looks like a library call graph...

  60. Sod off by linvir · · Score: 1

    That image is as old as the internets.

  61. Re:Pudding graph by WhoBeDaPlaya · · Score: 1

    Yes, I'm guilty of blasphemy. Send me to hell now :P

  62. Just what we always heard ... now visualised by golodh · · Score: 3, Insightful
    One of the main architectural security problems with MS Windows that we keep hearing about is that even ordinary applications such as email clients, browsers, etc. tie in so intimately with the Windows OS that once your application is compromised, your OS is compromised.

    These pictures seem to show that IIS is much more tied in with the Windows OS than Apache is with the Linux OS.

    I think that's credible, and that it illustrates that in case of Windows, the wider (and much more complicated) interface between applications and OS is real. I have no difficulty believing that this offers many more opportunities to compromise the OS, and hence is less secure.

  63. Total crap by Shippy · · Score: 0, Flamebait

    This has to be the shittest, most uninformative article yet I've seen on Slashdot. I certainly won't be getting another subscription.

    --
    -Shippy
    1. Re:Total crap by Anonymous Coward · · Score: 0

      This has to be the shittest, most uninformative article yet I've seen on Slashdot.
      The best counter-example I could think of.
  64. Re:Pudding graph by Anonymous Coward · · Score: 0

    So your assertion is that an overhead road map of cities, such as New York, NY vs. Kalamazoo, MI, would be entirely useless in generalizing points of traffic congestion and points of traffic collisions?

    The poster made no such assertion. They were not talking about roads, or congestion, or collisions, or anything analogous. The discussion is about system calls and security.

    Maybe you don't design operating systems (computer or civil), or, if you do, maybe you shouldn't. Maybe you don't design roadways. If you do, maybe you shouldn't.
  65. say what you want by circletimessquare · · Score: 2

    but i think windows is clearly a more artistic operating system than linux

    --
    intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
  66. Re:Pudding graph by hangareighteen · · Score: 5, Insightful

    He said 'syscall' right?

    [ pasted from http://en.wikipedia.org/wiki/Syscall ]
    System calls often use a special CPU instruction which causes the processor to transfer control to more privileged code, as previously specified by the more privileged code. This allows the more privileged code to specify where it will be entered as well as important processor state at the time of entry.
    When the system call is invoked, the program which invoked it is interrupted, and information needed to continue its execution later is saved. The processor then begins executing the higher privileged code, which, by examining processor state set by the less privileged code and/or its stack, determines what is being requested. When it is finished, it returns to the program, restoring the saved state, and the program continues executing.
    [ end paste ]

    So, forgive me.. I could just be naive; but what does C or C++ calling semantics / methods have anything to do with calls into the OS? Seems like you'd have to make the same calls regardless of the language that you use, or more to the point, that the calls represent the facilities that the OS has made available to you. Seems pretty language independent from my readings.

  67. that's the path of chairs at a MS board meeting by swschrad · · Score: 4, Funny

    write to steveb@microsoft.com, I'm sure he'll let you have the video ;)

    --
    if this is supposed to be a new economy, how come they still want my old fashioned money?
    1. Re:that's the path of chairs at a MS board meeting by sheepweevil · · Score: 1

      a web server serves up [the same] single page of [HTML] with a single picture.

      Of course, the picture that was called up was This one, so I can see why it generated so many system calls.

  68. Re:Linux is less secure than Windows by DaveG,+the+Quantum+P · · Score: 3, Insightful

    If it were that insecure, why would it have zealots in the first place? Why would anyone stick with it? What about all those secure Apache servers out there?

  69. Bad protocol w/ Good encryption by Zarf · · Score: 4, Insightful

    Good protocol can secure bad encryption more easily than good encryption can help bad protocol.

    The Sana Security diagrams show us just how bad the Windows internal protocols really are. There is no securing this system with Digital Rights Management or any other encryption scheme. Any security method placed on top of such bad messaging protocols will fail miserably because even if the encryption or other security suite is perfect... Windows isn't. And the system will be compromised by drilling down through Windows... not through the security system.

    What good is a bullet-proof pad lock if you put the combination on a yellow sticky note next to the lock itself?

    --
    [signature]
    1. Re:Bad protocol w/ Good encryption by E++99 · · Score: 1

      Good protocol can secure bad encryption more easily than good encryption can help bad protocol.

      The Sana Security diagrams show us just how bad the Windows internal protocols really are. There is no securing this system with Digital Rights Management or any other encryption scheme. Any security method placed on top of such bad messaging protocols will fail miserably because even if the encryption or other security suite is perfect... Windows isn't. And the system will be compromised by drilling down through Windows... not through the security system.

      What the heck are you talking about??? They're using the exact same protocols: IP, TCP, HTTP, and SSL if the page is encrypted! And what does DRM have to do with serving up a web page??? And most importantly, what exactly do you think these charts have to do with protocols, and how do you figure you would tell a good one from a bad one, especially seeing how they are just a bunch of lines with no labels or other information???
    2. Re:Bad protocol w/ Good encryption by Zarf · · Score: 1

      What the heck are you talking about??? They're using the exact same protocols: IP, TCP, HTTP, and SSL if the page is encrypted! And what does DRM have to do with serving up a web page??? And most importantly, what exactly do you think these charts have to do with protocols, and how do you figure you would tell a good one from a bad one, especially seeing how they are just a bunch of lines with no labels or other information???

      Remember C-3PO was a protocol droid; do you think that meant he handled HTTP traffic? I am speaking of protocol in the cryptographic or algorithmic sense. IP, TCP, HTTP, and SSL are all specifically network communications protocols. The flow diagrams show that the Windows internal messaging protocols... in this sense of the word these are the lines that connect the blocks that represent the internal communications end points of the Windows sub-systems... are not disciplined like the Linux internal messaging is shown to be.

      In computer science a communications end point can be another computer over the network or another program on the same system. We will also refer to programs that use other programs as users. TCP/IP is a protocol, but so are the MFC and the Windows internal GDI in a theoretical sense. Users of the GDI... that is, programs that call GDI methods... for example send messages to the graphics device interface to draw things on your screen. The way you message the GDI is governed strictly.

      For example these methods:

      Graphics::DrawLine(Pen*, Point&, Point&)
      Graphics::DrawLine(Pen*, PointF&, PointF&)
      Graphics::DrawLine(Pen*, REAL, REAL, REAL, REAL)
      Graphics::DrawLine(Pen*, INT, INT, INT, INT)

      These describe the four different ways I can draw a line using the GDI. If I want a line drawn I must use one of these four methods. C++ will interpret my call to one of these DrawLine methods as a message to a graphics object. The message will be sent to the Graphics object and the object will probably send messages to other objects it knows. These APIs embody messaging protocols that occur inside the computer's memory. So whether we are talking about networks that span continents or networks that span your motherboard, networks all have protocols driven by the software that is running them.

      The protocol of the operating system's intercommunicating components becomes important when you are talking about enforcing an access restriction of some kind on data in the OS. Remember these messages are traversing memory on one system. The same memory may hold your DRM-protected AVI file. If the protocols of the operating system are poorly implemented, even a perfect DRM program will not prevent me from subverting the DRM system by use of a faulty protocol in the graphics system. Perhaps a hacker will subvert the GDI to grab the decrypted pixels before they reach their designated Windows canvas.

      The diagram of the Windows internal messaging shows that the APIs are allowing messages not along linear paths (as defined and enforced by a master messaging queue) but cutting almost randomly through the architecture. I don't need to know what is being messaged to see that the messaging follows virtually no internal order. The network would be messy whether it was built with Cat5 or with C++.

      If you haven't heard the joke:
      A procedural programmer writes a function: screwIn(lightBulb), but an Object Oriented Programmer messages the light-bulb to screw itself.
      --
      [signature]
    3. Re:Bad protocol w/ Good encryption by mpe · · Score: 1

      And what does DRM have to do with serving up a web page???

      No doubt with Vista Server (when it comes out) the DRM "rootkit" will want to perform some checks on the content you might want your webserver to serve up...

  70. ZDNet by DaveM753 · · Score: 1

    I've said it before and I'll say it again: the minute I see a link pointing to ZDNet, I immediately dismiss it. They're all about getting people to see advertisements on their website. Anything that gets them there is AOK, no matter how ridiculous it is.

    Just my opinion.

  71. Apache on Windows by Anonymous Coward · · Score: 0

    Exactly what I was thinking. WAMP vs. WIMP.
    http://www.devside.net/

  72. Re:Pudding graph by Duhavid · · Score: 3, Insightful

    I don't know that I would say it has *nothing* to do with Windows vs Linux.

    It is a map of OS calls required to accomplish a task.

    Your point is good, though, a better test would be apache on windows
    versus apache on linux.

    --
    emt 377 emt 4
  73. Re:Linux is less secure than Windows by ashridah · · Score: 2, Insightful

    "If it were that insecure, why would it have zealots in the first place?"

    it's called money, as in, people make money from what they know about it, and let's face it, MS was just lucky, followed by having smart (for them) marketing practices, and finally, having good strong-arm tactics.

  74. Are you joking? by Eric+Damron · · Score: 0, Troll

    Or just an idiot?

    --
    The race isn't always to the swift... but that's the way to bet!
  75. Re:Pudding graph by imroy · · Score: 4, Insightful

    These graphs show the different calling models of C++ and C.
    That is *all* they show.

    No they don't. They show *system calls*, into the kernel, not method or function calls within the user-space program. The language shouldn't make much difference at that level.

  76. Re:Pudding graph by Chris+Burke · · Score: 4, Insightful

    So, forgive me.. I could just be naive; but what does C or C++ calling semantics / methods have anything to do with calls into the OS?

    No, you're right, it has nothing to do with C/C++. The GP was just another example on /. of "I'm going to seem smart by discrediting the article, and the easiest way to do so is make something up without reading the article".

    --

    The enemies of Democracy are
  77. Stupidity by Anonymous Coward · · Score: 0

    This is confusing what's important for security.

    To give an example, I work in a company where we have some legacy code in Tcl we're porting to Java. The nice new fully unit tested, input checked, security aware Java code has an order of magnitude more lines of code than the old procedural 10-year-old Tcl it's replacing. And, frankly, it probably has many more system calls. But to assume that means it's less secure than what it's replacing is idiocy.

    And, no, this isn't Java advocacy. It's simply one of many obvious counterexamples to a stupid premise being presented as obvious and knowledgeable information about security.

  78. Nice security metric! by Afecks · · Score: 1

    Wow cool, I'm glad we are measuring security by how many subroutines the OS has. This is great news because we can make the most secure OS ever, simply by having it do everything from a single main() call.

    Wait...what?

  79. Excuse me? by Anonymous Coward · · Score: 0

    In its long evolution, Windows has grown so complicated that it is harder to secure...

    Long evolution? Correct me if I am wrong, but, tracing its roots back to Unix, doesn't Linux have an even longer evolutionary timeframe? I don't believe that Windows complexity is due only to the amount of time it has been around. And I don't think any relative simplicity in Linux vis-a-vis Windows is due to being around a shorter time.

    1. Re:Excuse me? by botik32 · · Score: 1

      Maybe if you consider that Microsoft is forced to be compliant with software that is 10 years old, then perhaps you would find the grandparent post at least logical, no?

      I would point you to Microsoft programmer blogs where they state the very fact, but I am too lazy to do that. You can google it yourself. Microsoft has an entire department concerned with backwards compatibility.

      In fact, Vista has a vulnerability in user32.dll caused by some old code that used to work but does not work anymore, code that was probably written in the 3.1 era. Just try the following code:

      char bug[] = "\\??\\C:\\";
      for (int i = 0; i < 10; i++)
      { ::MessageBox(0, bug, bug, MB_SERVICE_NOTIFICATION);
      }

      This causes system instability to the point of crashes or just erratic behaviour. It is caused by some legacy code that checks for a magic header in the message and does a strcpy with overlapping memory if it matches. Probably this code is no longer used, but it can still be exploited. You'd think this kind of bug would have been found by now...

      The point is, old code, cruft, compatibility code is at least potentially unsafe. And such code exists in Windows.

      Cheers.

  80. The more stupid use... by corpsmoderne · · Score: 1

    These graphics were obviously generated by "dot" of the http://www.graphviz.org/ suite...
    I was using that software to draw MySpace social networks.
    I was convinced it was the most stupid use of Graphviz possible.
    This guy demonstrates that I was wrong...

  81. What IS very clear from these images by Master+of+Transhuman · · Score: 1

    is the degree of lack of modularity in Windows.

    Look at the Linux shot. Regardless of anything, the "top-down" nature of the calls is obvious.

    Look at the Windows shot - everything is tangled up in several clear bottlenecks, with multiple calls on several levels, indicating "sideways" calls that are a no-no in proper programming.

    This also seems to indicate that Microsoft code tends to be redundant. I suspect a lot of those "sideways" calls and apparent "bottlenecks" are actually calls to similar code in several different modules called from multiple places, with multiple entry points. All of which is bad news for program efficiency, security, reliability and testing.

    No matter how you interpret the shots with regard to security, the Microsoft version does not look good.

    Duh! Big surprise...

    The Microsoft policy of hiring 24-year-olds out of college without a clue about proper program code design clearly reflects in their code.

    --
    Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
    1. Re:What IS very clear from these images by Anonymous Coward · · Score: 0

      The Microsoft policy of hiring 24-year-olds out of college without a clue about proper program code design clearly reflects in their code.

      If you hired people with more computer experience they'd never be able to get them to follow the Microsoft party line. It's this monoculture of thought that's killing them.

  82. Good question! by Cheesey · · Score: 2, Insightful

    As well as wanting to know what the nodes represent (system calls or procedure calls?), I'd like to know what the edges represent. Control flow? Data flow? What are they supposed to be?

    This article is unbelievable, apparently presenting a conclusion that the writer doesn't understand, using meaningless data.

    --
    >north
    You're an immobile computer, remember?
  83. Dupe - from about a year ago by ValiantSoul · · Score: 1

    Dupe - from about a year ago...

  84. Re:Pudding graph by EvanED · · Score: 1

    It is a map of OS calls required to accomplish a task.

    And the task is being deliberately misrepresented to indicate that it's a good test of Linux vs. Windows as opposed to Apache/Linux and IIS/Windows. In fact, if I had to make a guess, I'd say that the choice of Apache and IIS would have more to do with the difference.

  85. More importantly these graphs show how Linux by Master+of+Transhuman · · Score: 3, Interesting

    - or at least a Web server - is more efficient than Windows.

    This explains why Linux server editions tested in the past tend to outperform Windows Server versions by a factor of two in number of users they can handle linearly.

    They obviously are calling a hell of a lot less than Windows is.

    And it's not clear that those Windows calls are really necessary. I suspect they are mostly redundant calls to multiple versions of the same code from multiple calling modules. This is a result of the size of the Microsoft development teams re-inventing each others code regularly with every new release of the OS. This is pretty clearly what is going on based on Jim Allchin's remarks two years ago about how Vista would "never" be done if they didn't change their development practices.

    And it's the only thing that explains the millions of new lines of code in each new release of the OS, without a concomitant increase in OS capability. Vista has what, twenty million new lines of code? For what capability over XP - DRM? I doubt it.

    --
    Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
    1. Re:More importantly these graphs show how Linux by mwvdlee · · Score: 1

      Any facts to backup your assumptions?

      For all we know, based on the graphs, Apache is calling highly inefficient and gigantic system calls whereas Windows is doing a lot of fast and short calls. One might be just as inclined to assume IIS/Windows is making better use of time-tested system calls instead of trying to duplicate functionality itself.

      The notion that these graphs demonstrate something about security is dubious but defensible (after all, IIS/Windows apparently has more attack vectors to try); the idea that it proves efficiency it certainly does not. Unless, of course, you're willing to state that a program that does virtually no system calls at all is most efficient.

      --
      Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
    2. Re:More importantly these graphs show how Linux by Master+of+Transhuman · · Score: 1

      "For all we know, based on the graphs, Apache is calling highly inefficient and gigantic system calls whereas Windows is doing a lot of fast and short calls."

      In theory, you might be correct.

      In reality, no fucking way. Microsoft is known for crap code and Apache is not - despite the origin of the Apache name as "a-patchy".

      When you see a spaghetti call structure like this, Occam's Razor demands that you assume it IS spaghetti code until proven otherwise.

      --
      Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
    3. Re:More importantly these graphs show how Linux by mwvdlee · · Score: 1

      When you see a spaghetti call structure like this, Occam's Razor demands that you assume it IS spaghetti code until proven otherwise.
      We're talking about system calls here, calls that perform basic tasks that most applications need to do regularly from all over the place.
      It's similar with logging functions; if you use them, you'll probably find them "spaghetti-ing" all over the place.
      This graph doesn't demonstrate any spaghetti code though; spaghetti code is code that has messy flow control. These graphs don't demonstrate such problems; all they do is show the amount of flow control, not how/if it's messy.
      --
      Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
    4. Re:More importantly these graphs show how Linux by Master+of+Transhuman · · Score: 1

      Nonetheless, the graphs demonstrate at the very least a massively larger number of calls.

      One has to assume, despite the suggestions of others here, that they are NOT simply a large number of efficient calls to short routines, but multiple calls from multiple modules to the same system modules - which would imply poor modularity, i.e., spaghetti code. This is reinforced by the known abundance of Windows "features" in products that are never used or requested by anybody, but are present just to be able to sell them as "features". This, too, implies poor design and hence spaghetti code.

      The bottom line is we may not know for sure because we can't see the source code - and that in itself is a point against Microsoft. In OSS, the issue can be cleared up quickly.

      The onus is on anybody tending to dismiss the comparison to prove that Microsoft code is efficient - not the other way around. Speculating that it's all quite harmless and proves nothing itself proves nothing.

      --
      Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
  86. For God's Sake People by Anonymous Coward · · Score: 0

    You guys sound like Clinton trying to redefine "is" or the Bush administration trying to justify Iraq. The graph shows system calls.

    Why does the Linux graph look simpler? Because Linux is designed simpler! In Linux, you tell it to do a job and it does it. In Windows, you tell it to do a job, and it has the additional overhead of keeping the system top secret so nobody can reverse engineer it, obfuscating the hell out of everything so nobody can program it without an MSCE certificate, checking if it's being pirated, checking the DRM on the image, authorizing fair use for this instance, running the three spyware apps in the background, and popping up a dialog box in your face every two minutes to ask if you're "sure" you want anything to happen at all. Oh, yeah, and making everything sparkly-pretty to meet the market research panel's idea of a slick interface.

    Linux (and any other free system) doesn't have to make all those pretensions. It's just a computer operating system, not a proprietary cash cow. Who'd think?

  87. Re:Pudding graph by Malc · · Score: 1

    No, I didn't make that assertion. But yes I could, if it was just a load of lines with no context and didn't show other ways of getting around and various obstacles. If somebody told you how many millions of trips occurred in London everyday, a street map isn't going to be enough because a huge proportion of those trips occur on the tube, or are affected by the congestion charge tolls in key areas. So I stand by my assertion that those piccies of squiggly lines are useless and cannot be interpreted in any meaningful manner.

    If for example these piccies showed a system call on Win32 for something that is done as a method within Apache's application code, it doesn't mean there are more memory copies (and thus risks) on Win32 because the same stuff could be being done in Apache. A system call also doesn't necessarily mean a trap in to the kernel, and so such a memory copy is no more risky in the Win32 case than in the Apache case.

  88. Re:Pudding graph by Anonymous Coward · · Score: 0

    Is it possible that some intra-OS calls show up as "system calls" in the Windows call graph but similar calls are not shown in the Linux one? Linux is monolithic and Windows is partially micro-kernel.

    Not that I doubt that Windows is horribly bloated and overly-complex... but if there were that many userspace to kernel calls in IIS, you'd expect huge performance problems.

  89. Re:Pudding graph by Duhavid · · Score: 1

    I don't know if the representation is deliberate or not. It might be naive. The point is not perfectly on the mark, but it is not wholly off the mark either. A better test would be apache/windows versus apache/linux.

    As to apache and iis as the choices, they have bearing in that apache will likely be the choice on linux, and iis will likely be the choice on windows. And if iis has that much to do with the chart, then why is the graph *that* much more involved? Is it doing its task inefficiently? Are the hooks for ASP or other things that numerous?

    --
    emt 377 emt 4
  90. More proof that Windows is the Chosen OS by davevr · · Score: 2, Funny

    It seems clear which OS is preferred by the Flying Spaghetti Monster. I feel safe knowing that my web server is doing homage to His Noodly Goodness every time I refresh a page. After all, what is really going to help secure your site: a bunch of fancy-smancy kernel programmers or the divine protection of His noodly appendage?

  91. Real Life, meet Slashdot by HomelessInLaJolla · · Score: 1

    So really what you're trying to say is: "You should quit because, whatever it is you're trying to do, it's working."

    Heh. You sound just like my former management. Are you scoring two promotions or blowing away quarterly expectations by working me over? You fit right in with the harassment which I fully expected to take. Congratulations on being such a good little dog. So easily trained. So predictable.

    I don't make myself difficult to find. You're the one hiding behind AC (though the Slashdot mgmt. has your IP conveniently logged and I'm pretty certain that the IT overlords have their own special way of addressing people like you--maybe you could ask Pudge). If you really have such a large problem with me perhaps you could come and visit SoCal. You'll have to buy the coffee, though, since I don't have any cash. I can help you find peanut butter and jelly sandwiches and we can resolve our differences peacefully. For $500/hour I can even train you to wash your filthy mouth of the language you choose: language which wouldn't even be fit for the nation's worst rejects.

    You do realize that the intersection between the Internet and real life (a topic of many of my journal entries) is soon going to be a major media topic (if the history of gossip means anything to you) and I fully intend to be helping to ensure that the arena remains as level and as clean as possible. Judging by the verbage in your post you've already been disqualified from play.

    --
    the NPG electrode was replaced with carbon blac
  92. Those graphs would be easier to comprehend in 3D by Timbo · · Score: 1

    Using a tool such as (subtle plug) rtprof. It makes pretty call graph visualisations of programs as they're running. It's not very robust and probably doesn't even compile given that I haven't touched it for nearly 4 years, but there you go. Go open source! (And for the record I think making statements about security by comparing the call graphs of two competing products is, well, dumb).

  93. I love spaghetti, that is why I say Windows FTW. by Anonymous Coward · · Score: 0

    This message has been brought to you by the ayatollah of rock'n rolla in the Church of the Flying Spaghetti Monster.

    Who will you god kill.

  94. Re:Pudding graph by EvanED · · Score: 2, Insightful

    The point is not perfectly on the mark, but it is not wholly off the mark either.

    That's right. It's close enough to the mark that it looks like it's making a good point while masking the point that drawing any conclusions besides "this might be why Windows is less secure" is complete BS.

    As to apache and iis as the choices, they have bearing in that apache will likely be the choice on linux, and iis will likely be the choice on windows.

    Ahhhh, now that might be a reasonable conclusion.

    However, that's not what the article says. The article says "these graphs are why Windows is less secure", not "these graphs are why IIS/Windows is less secure than Apache/Linux" or even "this is why web servers on Windows are less secure than web servers on Linux."

    And if iis has that much to do with the chart, then why is the graph *that* much more involved? Is it doing its task inefficiently? Are the hooks for ASP or other things that numerous?

    I don't know. It's not ASP, because they're serving the same page from both. At the same time, I can't imagine what all the additional system calls that Windows would need are either. Some investigation seems to indicate that the APIs are about the same, so why would you need more calls on one than the other?

    The only other thing I can think of besides "IIS sucks" is that the Windows subsystem is making multiple syscalls for each library call. For instance, on a read or write the library hides the fact that sometimes not all the data is transferred by making multiple syscalls, while on Linux the kernel hides that fact. But this doesn't necessarily indicate a problem with Windows at all -- quite the contrary, it means that in that respect the Windows kernel is actually simpler because that logic moves to user space.

  95. definition by Mr+44 · · Score: 1

    Well, that's wikipedia's definition of a "system call", which is a nice straw-man. Who knows what the author's definition is? I have no idea, and neither do you.

    If they are indeed using "ring zero transitions" as a definition of "system call" (which I really doubt), then all this graph would show is that linux rolls more functionality into a single kernel-mode call, while windows requires multiple kernel-mode transitions.

    As others have said, without much more information, these graphs are meaningless.

  96. Re:Pudding graph by Duhavid · · Score: 1

    "Windows subsystem is making multiple syscalls for each library call"

    That may be, but I would expect the same for Linux. I could be wrong.

    One thing your comment made me remember is there are some Windows calls where you get back an array of items, you have to call the function once with a null pointer and some other param changes, and you get back the count of items, then you allocate the memory for the items, then you call again. I would not expect that to make *that* much difference, but it is there.

    --
    emt 377 emt 4
  97. Re:Is this in response to Netcraft's February surv by codepunk · · Score: 1

    I do not think so, however we do know that any gains being made by IIS are related to microsoft purchasing them.

    --
    Got Code?
  98. Not really a fair comparison. by Orange+Crush · · Score: 1

    Granted both are only serving static HTML, but that's all a base install of Apache does. IIS comes with ASP scripting and a whole heckuvalot more switched on by default. Toss in a comparable number of modules for Apache and then do a comparison. This also has little to do with security. (how often do web server exploits surface? It's almost always bad coding in the web application that's to blame.)

  99. Re:Pudding graph by jeremyp · · Score: 1

    glibc is not part of the operating system

    --
    All I want is a secure system where it's easy to do anything I want. Is that too much to ask ~~ Randall Munroe
  100. So... by Anonymous Coward · · Score: 0

    So ultimately, the author's argument boils down to "a system with X lines of code is more insecure than a system with X/4 lines of code". If he tried to present some other argument based on something else, I've missed it in his article.

    Personally I'd be more inclined to look at what that code does in order to try to quantify how secure it is.

    Pass.

  101. I don't eat your god... by SporkLand · · Score: 1

    ... so why do you insist on eating mine?

    Has his noodly appendage touched you?

    1. Re:I don't eat your god... by Joebert · · Score: 1

      Because my god made itself poisonous & nasty tasting to thwart predators, whereas your god thought it would be funny to taste like chicken.

      --
      Wanna fight ? Bend over, stick your head up your ass, and fight for air.
  102. IIS is more secure than is Apache by I'm+Don+Giovanni · · Score: 2, Interesting

    Accept that IIS6 is more secure than Apache 2.x. Go to secunia.com and compare the two security records since 2003 (when IIS6 was released). IIS6 has had only three vulnerabilities since then, all minor, and all patched. During the same time period, Apache 2.x has had over 30 vulnerabilities, multiple of them rated as "critical", and some are still unpatched today, and others are only partially patched.

    So, not only does the article fail at attempting to say why Linux is more secure than windows, the example they use doesn't even show that apache is more secure than IIS.

    --
    -- "I never gave these stories much credence." - HAL 9000
    1. Re:IIS is more secure than is Apache by dbIII · · Score: 4, Insightful

      Remember that you are comparing public results about a peer reviewed application against a development black box we cannot see into. Personally I don't think that is a very good comparison. Also I think they should have compared apache on both platforms.

    2. Re:IIS is more secure than is Apache by Hurricane78 · · Score: 0, Flamebait

      You're so right.

      Grandparent is simply stupid. He does not even get that he would have to introduce himself with "Hi, i'm I'm Don Giovanni...".

      --
      Any sufficiently advanced intelligence is indistinguishable from stupidity.
  103. Re:Pudding graph by EvanED · · Score: 1

    That may be, but I would expect the same for Linux. I could be wrong.

    I would be a little surprised if there were that big a difference too (the more I've learned about Windows architecture the more they look the same), but remember that there is a big difference between how Linux and Windows treat system calls. On Unix, I don't think it's terribly uncommon to make system calls directly even though the C library is available. If you call open() or read() from a C program on Unix, that's pretty much just a marshaling function. However, if you make a call to functions in the Windows API, they aren't going directly to the kernel; they go through the Windows subsystem first, and it's not uncommon that this does non-trivial work. The actual system calls in ntdll are largely undocumented, and it's very rare to call to them. Because of this, I could see the behavior that hides the fact that read() may not return enough being in the Windows subsystem in Windows and the kernel in Linux.

    One thing your comment made me remember is there are some Windows calls where you get back an array of items, you have to call the function once with a null pointer and some other param changes, and you get back the count of items, then you allocate the memory for the items, then you call again. I would not expect that to make *that* much difference, but it is there.

    Blah. Yeah, that sort of sucks. Though again, there's a (small) chance this is not reflected in the system call interface.

  104. Complicated Call Graphs versus Simple functions by SporkLand · · Score: 2

    I don't follow the argument that simple call graphs == simple functions. At the extremes you could argue that you can have a monster of a function that is a total mess that doesn't call any other functions and has a simple call graph.

    Knocking down straw men is fun.

    My overall point is that a well factored program will more than likely have more function calls than a non-well factored one. If factoring a program better leads to better overall comprehensibility (and hence security according to a model), then these graphs might well imply the inverse.

    My true belief is that call graphs won't provide a good data point for this type of analysis. I think program comprehensibility is tough to analyze and requires a number of different metrics. Although Lisp is provably better than anything. Left as an exercise to the reader.

  105. What? by abshnasko · · Score: 2

    This is not Windows vs Linux, it is IIS vs. Apache. Where's the test running Apache on Windows?

  106. Re: Firehose and JavaScript by some+guy+I+know · · Score: 1

    Well, I got to the firehose page, and it looks a lot different to me than the front page.
    Unfortunately, it requires that JavaScript be enabled in order to premoderate the articles.
    For people like me (people who have all scripting disabled for security reasons), this makes firehose pretty useless (except maybe to see articles and such that will later be rejected).

    --
    Those who sacrifice security to condemn liberty deserve to repeat history or something. - Benjamin Santayana
  107. Re: Access to Firehose by some+guy+I+know · · Score: 1

    You may have to have "Willing To Moderate" turned on in order to get to the firehose page, or perhaps you need to have good karma, or both.
    I don't know; the GP's post is the first I've ever heard of Firehose, and it worked for me first time when I clicked on his link.

    --
    Those who sacrifice security to condemn liberty deserve to repeat history or something. - Benjamin Santayana
  108. system calls? by multi+io · · Score: 1

    Well, I can't read the names on those graphs, but a system call is only ever entered and left, it never calls out to another system call, so there can't be a spaghettiesque graph of system calls calling each other.

  109. You're wrong. IIS6 only does static by default also. by Anonymous Coward · · Score: 0

    IIS6, all it does by default is static HTML pages. All that extra functionality like ASP or ASP.NET is disabled by default.

    Other features you have to have the administrator turn on to use, just like you load modules into Apache.

    IIS5 was different with everything activated by default and with numerous sample scripts and other junk enabled by default. The biggest security improvement with IIS6 is that they turned all that off by default.

  110. Re:Linux is less secure than Windows by Anonymous Coward · · Score: 2, Informative

    (I can't believe I'm feeding a troll, but I couldn't let this just slip by.)

    All evidence shows that Linux is less secure than other operating systems, in particular Windows.

    Wrong.

    For one thing, this can be explained by the open nature of Linux where anybody has access to all of the encryption algorithms, sources and keys. In the computer world, just like in the human world, it is in environments where anything goes that the worst viruses come to existence.

    Linux uses standard encryption algorithms, just like Windows. 3DES and DSA are the same everywhere. Private keys are still private (Linus didn't pack his GPG key into the latest kernel source, if that's what you're thinking), and public keys public.

    Also, Linux distributions are filled with various backdoors since anyone, including ill-intended foreigners, can add anything to the kernel base and its surroundings. At some point, there was even a hacked version of a compiler that introduced backdoors in every program that it produced!

    OSS isn't run on the Wiki model. All submissions to open-source projects are looked over and verified by the project maintainers. At least with OSS I don't have to worry about backdoors added by certain ill-intended Americans.

    Finally, and probably most importantly, Linux growth happens through the actions of the low-key movement of techies that try to replace everything they can in their organisations with Linux. Apart from acting unprofessionally, these zealots let their feelings for the beloved OS trump any kind of common sense behavior, such as using the right tool for the job. Instead they carelessly introduce vulnerabilities in environments that were previously locked down.

    Wow! Shocking! A valid point! Not exactly a problem with Linux itself, though...

    Yes, this can be a problem. Linux is good, but not perfect for everything. There are some things Windows just does better. The proper response is to fire these idiots. They'd do just as much damage administrating a Windows server

    In short, organisations who value computer security should stay away from Linux, and refrain from hiring those who mention Linux in their resume.

    Really? You should let IBM know about this.

  111. Talk about FUD by ymenager · · Score: 1

    So you accuse the post of being FUD and use FUD to prove your point? Nice...

    Next time you put some security statistics... Please do a full breakdown on the SEVERITY of those vulnerabilities...

    Like for example a vulnerability that requires you to have console access to the machine itself, and that the stars are in the right alignment, and might cause the server to crash, is *NOT* the same thing as a vulnerability that gives root access to the box just by making an HTTP call to it.

    Oh, and since you're at it, you could do a small statistical work on how many of the counted vulnerabilities have been found because people have access to the source code, just so that you can make a guesstimation of how many lay hidden in the IE codebase.

  112. Re:HomelessInLaJolla - Slashdot's village idiot by Anonymous Coward · · Score: 0

    I feel I should warn you that your name here on Slashdot has become synonymous with idiotic posts. We all keep seeing it, sat above your feeble minded rants against Microsoft, like a rabid, AIDS riddled dog, slumped in a pool of its own diarrhoea and vomit, and roll our eyes. I suggest you sign up under a new username to avoid further embarrassment. You must be enormously insecure.
  113. Re:Pudding graph by VE3MTM · · Score: 1

    The GP was just another example on /. of "I'm going to seem smart by discrediting the article, and the easiest way to do so is make something up without reading the article".

    Don't forget about "... and hopefully get moderated up in the process".

    --
    09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0 Whoops, silly middle mouse button...
  114. Re:Linux is less secure than Windows by mdhoover · · Score: 2, Insightful

    Prove it. I dare you to put a freshly installed M$ system and a freshly installed linux box side by side outside your firewall and see which gets pwned first. My last attempt the XP box lasted precisely 24 seconds. Try it, it will be an eye opener...

  115. It's a conspiracy theory by devfsadm · · Score: 1

    I think it's a Windows guy pretending to be a Linux guy spreading FUD so IIS looks bad and Apache looks good. This way it will make the Linux community look as if they are the ones spreading the FUD. "Sneaky little hobbitses." (Gollum)

  116. old as dirt? by Anonymous Coward · · Score: 0

    /. has really gone out of their way to not look at the actual content... I saw those pics what, two years ago?? I recall reading them on a site and actually seeing them printed out in the halls of a CS department some time back.

  117. Completely Unsupportable by E++99 · · Score: 1

    If these graphs are what the article says they are, i.e., system calls made by Apache on Linux vs those made by IIS on Windows, in the course of serving up a web page, then they are maps of logic flow of the Apache and IIS applications (together with the contents of the C and C++ library calls used), not of the OS, and probably reflect very little that is OS specific. So the argument of Windows being more complex than Linux (and therefore "harder to secure") is unsupported by this. It may imply that IIS is more complex than Apache, and I'm sure that it in fact is. However, of course, the complexity of an application has no necessary correlation to its security.

  118. spaghetti by Anonymous Coward · · Score: 0

    Gives new life to the term "spaghetti code"
    ha

  119. this is just wrong on so many levels by jayp00001 · · Score: 1

    I would have written a long response about exactly why this is just bunk but this guy already said what needed to be said:

    http://blogs.techrepublic.com.com/programming-and-development/?p=32

  120. Bullshit, look at the images closer by Anonymous Coward · · Score: 0

    I call bullshit. If you pay attention, you'll notice that most of the mess in the IIS graph is because there are several shared functions being called from all over the place. This makes for craploads of edges all around the graph. I don't know what those functions are since the images are too small to read the texts, but if those commonly used functions were nuked you'd have a damn lot simpler graph. This could happen inside a compiler through function inlining, so the graph would end up cleaner but the code would be the same. Imagine every memcpy having a separate function call there for example. Instead of just showing images and saying "look how messy the other one is", it'd make more sense to have an expert view into what causes the other one to be so messy.

    Also, what the heck does he mean "system call"? Library calls counted in hierarchically, I assume, since it's a graph and not a list. So, what exactly is being listed for each platform and is this fairly chosen? I'm pretty damn sure the compiler settings favor apache in this case, and I'm claiming the images mean nothing at all. If the texts were visible, then I could make my own conclusions but they're not. They're just two fancy graphs with vaguely defined meaning. Complete and utter bullshit FUD.

  121. Fundamentally flawed analysis by cooldev · · Score: 1

    It's hard to know where to begin and others have commented on many of the problems with this so-called analysis, but I want to take issue with one of the core statements in the article:

    A system call is an opportunity to address memory. A hacker investigates each memory access to see if it is vulnerable to a buffer overflow attack. The developer must do QA on each of these entry points. The more system calls, the greater potential for vulnerability, the more effort needed to create secure applications.

    Huh? This is perhaps the most oversimplified and outright incorrect statement about what it takes to create secure applications that I have ever seen.

    Let's take one very simple counterexample. Let's imagine that in the Apache* scenario, all string operations use the legacy C APIs (strcpy, strcat, sprintf, etc.) and the developers were too lazy to even add the manual error-prone bounds checks, whereas in IIS6, all string operations use Microsoft's strsafe.h replacement APIs (StringCchCopy, StringCchCat, StringCchPrintf, etc.) with extra diligence to make sure they are correct and even protect against integer overflows. Now which application is more secure, regardless of whether one has more lines on a graph?

    I'm guessing the author's intent was to talk about attack surface area and how it relates to securing applications, but this is an extremely poor way to do it.

    * - For the pedants, I'm not saying this is really the case with Apache.

  122. Unpatched.... Right. by Dante · · Score: 1

    Most of the un-patched vulnerabilities listed are crap.
    Starting with this one.
    http://secunia.com/advisories/13925/

    If anyone here actually checked, it's not a 2.0 bug but a 1.3 one. And it was fixed in Jan 2005!

    http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=290974

    Secunia seems suspect in general, so I would have to give as much credit for the graph as the vulnerabilities.

    --
    "think of it as evolution in action"
  123. Re:Pudding graph by the_womble · · Score: 1

    I doubt that many people run Apache on Windows on production systems. The Apache 1.3 documentation says "Apache still performs best, and is most reliable on Unix platforms.". This does not apply to 2.0 but most people still seem to be using 1.3 because of PHP.

  124. Richard Stallman by UED++ · · Score: 1

    For a moment there I saw Richard Stiennon as Richard Stallman, I was like WTH?!

  125. There is a break-even point though... by master_p · · Score: 1

    ...beyond which more calls means unmanageable complexity, which leads to security problems.

    For example, if I had to code an algorithm with 1000 functions and one of them is 'strncpy', I could easily make a buffer overflow in that function and compromise security because my attention would be on taming the beast (the other 999 functions).

  126. Other simple examples... by octogen · · Score: 2, Insightful

    ...of how NT-based Systems are misdesigned are the security design and implementation in general.

    For example, to get the current SID (Security Identifier, "user id") of the current process on NT, one must:
    * Open a handle to the current process
    * With that handle, open a handle to the process token of the current process
    * Call GetTokenInformation with a NULL pointer to query the length of the data it would return
    * Allocate memory for a buffer receiving Token Information
    * Call GetTokenInformation again with a pointer to that buffer
    * Resolve a pointer in the data received to get the SID_AND_ATTRIBUTES structure
    * Resolve a pointer in that structure to get the actual SID

    The length of the SID is unknown, so to compare two or more SIDs, one must use additional library functions.

    After using all that information, don't forget to close all the handles and to free the memory you've allocated.

    NOW THE SAME THING ON UNIX:
    uid_t myUID = getuid();

    ONE line of code. Guess on what platform you can mess that up easier.

    Or another example:
    ===================

    As a privileged user, create a file in a certain directory.

    On NT, you need SeTakeOwnership, SeRestore and SeBackup privileges.
    You can't use existing applications, because CreateFile() / CreateFileEx() will fail, even when you have the privileges enabled. You have to write your own application, which uses the FILE_FLAG_BACKUP_SEMANTICS flag in these API calls, so the privileges will actually be used (well-designed operating systems use a unified method called privilege bracketing instead of different flags for every system call).
    Now you could theoretically create the file regardless of the ACL, IF THE DIRECTORY ALREADY EXISTS.
    If the directory does not exist, you have to create the directory first.
    Unfortunately, CreateFile() / CreateFileEx() can OPEN directory handles, but you can't create directories using these APIs. But the API for creating directories does not have a FILE_FLAG_BACKUP_SEMANTICS flag, so the privileges are ignored, and you can't create the directory, if you don't have access because of the ACL of the parent directory.

    So, what are you going to do?

    One solution would be the following:
    * Open a handle to the parent directory
    * Backup the current security descriptor of the directory
    * Initialize a new security descriptor for the directory
    * Place your own SID into the security descriptor as owner (see above on how to get your SID, it's a lot of fun)
    * Initialize a new empty discretionary access control list
    * Initialize a new access control entry with your SID and a full-access permission
    * Place the access control entry into the discretionary access control list
    * Place the discretionary access control list into the security descriptor
    * Write the new security descriptor to the directory
    * Then CLOSE the handle and REOPEN the handle to the directory (with different access flags)

    Now you can create the file. After you've done that, undo the operations above. If the program gets killed while you're doing that, you have messed up the ACL of the parent directory (because this method is not transaction-safe).

    This is maybe the WORST API design I have ever seen.

    If you want to do exactly the same thing on, for example, Solaris, you just enable file_dac_write and file_dac_search privileges (from the permitted privilege set into the effective privilege set), create the directory using mkdir() and the file using creat().
    No need to write your own program, Solaris has utility programs to let you change the privileges of your shell. Even if you write your own program, privilege bracketing is much easier on Solaris than on NT, although the Solaris privilege model is much more powerful than the one of NT.

    =============

    There are numerous examples of that sort.

    This is why I am totally convinced that NT is a poorly designed operating system. There is no unified API. One system call works c
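The "call with a NULL pointer to query the length, allocate, call again" idiom that this post (and comments 96 and 103 above) describe for GetTokenInformation, as an added example that is not part of any post here: a constructed, portable C simulation (sim_get_token_information, sim_token_t and the SIM_* status codes are made up for this example, not the real Win32 API) in which the fake token record grows between the two calls, showing the literal two-call caller beside one that checks the status and regrows the buffer.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed simulation (not the real Win32 API) of the "query the length,
 * allocate, call again" idiom the post describes for GetTokenInformation.
 * The fake token record can change size between the two calls, as if another
 * thread altered the token, which is the edge case a correct caller must survive.
 * Constructed status codes; only the "buffer too small" case matters here. */
enum { SIM_OK = 0, SIM_INSUFFICIENT_BUFFER, SIM_INVALID_PARAMETER,
       SIM_OUT_OF_MEMORY, SIM_TOO_MANY_RETRIES };

typedef struct {
    const unsigned char *data;   /* current record bytes */
    size_t length;               /* current record length */
    const unsigned char *grown;  /* record after a simulated concurrent change, or NULL */
    size_t grown_length;
    int calls;                   /* the simulated change lands on the second query */
} sim_token_t;

/* Stand-in for GetTokenInformation: always reports the required length in
 * *needed; copies the record only if buf is non-NULL and large enough. */
static int sim_get_token_information(sim_token_t *tok, void *buf,
                                     size_t buf_len, size_t *needed)
{
    if (tok == NULL || needed == NULL)
        return SIM_INVALID_PARAMETER;
    if (++tok->calls == 2 && tok->grown != NULL) {  /* record changes under us */
        tok->data = tok->grown;
        tok->length = tok->grown_length;
        tok->grown = NULL;
    }
    *needed = tok->length;
    if (buf == NULL || buf_len < tok->length)
        return SIM_INSUFFICIENT_BUFFER;
    memcpy(buf, tok->data, tok->length);
    return SIM_OK;
}

/* Naive two-call caller, the post's step list taken literally: query once,
 * allocate exactly that much, call again and trust the result.  If the record
 * grew in between, the second call copies nothing and *reported_len (the
 * refreshed "needed") exceeds what was allocated: a later read overruns. */
static int fetch_token_naive(sim_token_t *tok, unsigned char **out,
                             size_t *alloc_len, size_t *reported_len)
{
    size_t needed = 0;
    sim_get_token_information(tok, NULL, 0, &needed);
    unsigned char *buf = malloc(needed);
    if (buf == NULL)
        return SIM_OUT_OF_MEMORY;
    *alloc_len = needed;
    sim_get_token_information(tok, buf, needed, &needed);  /* status ignored: the defect */
    *out = buf;
    *reported_len = needed;
    return SIM_OK;
}

/* Hardened caller: the length passed is always the length owned, the status
 * is checked on every call, the buffer is regrown while the API says "too
 * small", and retries are bounded so a record that keeps changing cannot spin
 * the loop forever.  On success the caller frees *out. */
static int fetch_token_robust(sim_token_t *tok, unsigned char **out,
                              size_t *out_len)
{
    unsigned char *buf = NULL;
    size_t cap = 0, needed = 0;
    int rc = SIM_INVALID_PARAMETER;
    *out = NULL;
    *out_len = 0;
    for (int attempt = 0; attempt < 8; attempt++) {
        rc = sim_get_token_information(tok, buf, cap, &needed);
        if (rc == SIM_OK) {
            *out = buf;
            *out_len = needed;
            return SIM_OK;
        }
        if (rc != SIM_INSUFFICIENT_BUFFER)
            break;                         /* hard error: give up */
        if (needed == 0) {                 /* nonsensical length: refuse */
            rc = SIM_INVALID_PARAMETER;
            break;
        }
        unsigned char *nb = realloc(buf, needed);
        if (nb == NULL) {
            rc = SIM_OUT_OF_MEMORY;
            break;
        }
        buf = nb;
        cap = needed;
    }
    free(buf);
    return rc == SIM_INSUFFICIENT_BUFFER ? SIM_TOO_MANY_RETRIES : rc;
}

/* Constructed sample records: a 9-byte "token" (NUL included) that becomes 13 bytes. */
static const unsigned char SAMPLE_SMALL[] = "TOKEN-V1";
static const unsigned char SAMPLE_GROWN[] = "TOKEN-V1+GRP";
```

Initialise a `sim_token_t` as `{ SAMPLE_SMALL, sizeof SAMPLE_SMALL, SAMPLE_GROWN, sizeof SAMPLE_GROWN, 0 }` to get the changing record; the naive caller reports 13 bytes against a 9-byte allocation, the robust one returns the full 13 bytes.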

  127. Nodes and edges? What do they represent? by Per+Abrahamsen · · Score: 1

    If the nodes are syscalls, they should all be leaves on the graph. A graph consisting of only leaf nodes would be pretty uninteresting.

  128. Re:A *truly* inconvenient truth by Anonymous Coward · · Score: 1, Interesting

    More of the latter, but sans the snot. It's equally easy to tell the leeches that are paid by grant money or by big enviros. What's difficult is to look objectively at the evidence and form one's own opinion. It's apparently a foreign concept in the area of environmentalism, since any look at the other side results in endless ad hominem attacks and not one rebuttal of the FACTS.

  129. I like the pictures by Anonymous Coward · · Score: 0

    Can I borrow for my String Theory report?

  130. Re:A *truly* inconvenient truth by Socguy · · Score: 1

    You should be ashamed of yourself.

  131. Re:Linux is less secure than Windows by cant_get_a_good_nick · · Score: 3, Insightful

    1) Interestingly enough, the grandparent post was a Linux troll, and you responded about MS.

    2) Whether or not you like MS (and I don't really, though I grudgingly call them useful at times) they weren't really lucky. They seized opportunities others didn't see, capitalized on others' mistakes, relentlessly focussed on how to usurp their competitors and steal their customers, saw the value of network effects and also leveraged their dominance in one area into another. None of it was real luck. Though he likes to think of himself as a technical genius (which I don't really) Bill Gates really is a business genius, a true shark amongst techs without business acumen, and used it to amass a huge fortune.

    MS's strongarm tactics require them to have market dominance in some field. At one time, MS was just another company, smaller than Lotus and others. Yet they grew to where they now can use strongarm tactics. They bought code from others, polished it, made it work together very well (to the exclusion of others) and made a lot of money from that.

    As far as marketing, their consumer marketing really sucks. Seeing an ad saying "WOW" really isn't making me want to buy Vista. The dinosaur ads really don't make me want to buy Office.

    If the Linux desktop is to succeed, they will need to take an honest look at how MS succeeded, and how to counter that. When MS saw a market dominated by a competitor (Lotus) they looked at every reason why someone would stay with Lotus and came up with a counter. When most Linux geeks look at MS market dominance, they say "luck" or "marketing" and just sit and wait for people to somehow realize Linux is technically better, and then sit and wait until everybody switches.

  132. Re:Is this in response to Netcraft's February surv by sheldon · · Score: 1

    Damn, if that's true, why did it take 10 years for Microsoft to figure that out?

  133. Re:A *truly* inconvenient truth by vandan · · Score: 1

    You're missing an important point. The oil lobby have massive funds to throw at propaganda, and all of their 'activists' are of the same type: the paid type. The environmental lobby, on the other hand, is largely grass-roots activists.

    Sure there are some personalities who push the message a little further than the rest of us can, due to their fame. But I don't see where you think the ulterior motive is on the environmental side. It's not like being an environmental activist actually pays in monetary terms. At least I've never, ever, known anyone who is getting paid for it. As for people getting 'grant money', that's actually essential. You see, without public money going into scientific research, how is the public ever supposed to get any scientific knowledge that doesn't come to us through the corporate filter ( for example the oil lobby filter )? And I'm really not sure about the 'big enviros' that you talk about.

    Anyway, whether 0.1% of the environmental movement is being paid for their work or not, I don't get paid, and don't have any ulterior motives ... apart from trying to help avoid the oncoming catastrophe that we're well on course for. This is the big FACT that the oil ( and nuclear ) lobby refuse to admit. The only point that the energy lobby ever put forward is that sustainable living will cost money. But they fail to mention whose money ... it's not our money ... it's not even their money, it's their profits. And that's just too bad.

  134. Older but more entertaining news by jd · · Score: 1

    A clickable map of the Linux kernel. Who says Linux is a rat's nest of calls? I can clearly see it's a dinner plate.

    --
    It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)

  135. Re:A *truly* inconvenient truth by darkonc · · Score: 1

    People can get paid for doing environmentalist work, but it's rarely the kind of money that you can get for working for Big Oil. For example, one Oil lobbyist was offering $10K for someone willing to 'critique' the recent IPCC report on Global Warming. For many environmentalists, that $10K would pay for about 6-10 months worth of work.
    And as for the claim "... that sustainable living will cost money.", yes it will, but unsustainable living will cost even more -- it's just that the cost is delayed by a bit.

    You can understand this more easily if you jump back to the arguments over deficit financing... because money is little more than a mathematical artifice, it's easy to see that running a deficit now will force our kids and/or grandchildren to pay for our high life. With things like global warming, overfishing, groundwater depletion etc. etc. we are running an ecological deficit. The difference is that it's easier for a group of PR weenies to convince people that Global Warming (and/or its causes) are unproven, and harder to convince Mother Nature that it's a bad idea to call in the loan.

    --
    Sometimes boldness is in fashion. Sometimes only the brave will be bold.

  136. Re:Pudding graph by ajs · · Score: 1

    So, forgive me.. I could just be naive; but what does C or C++ calling semantics / methods have anything to do with calls into the OS?

    No, you're right, it has nothing to do with C/C++. The GP was just another example on /. of "I'm going to seem smart by discrediting the article, and the easiest way to do so is make something up without reading the article". You really should not take that kind of insulting tone unless you're sure you're right. The Windows API is C++ at a high level, but the calling model continues to be very much built around C++ even at the low level. This means that the call tree for "syscalls" (and the article isn't clear how they're defining that term) is going to be radically different on Windows than it is on Linux. But that's not going to be BAD per se.

    What's more, the article is skimpy as heck, so the fact that I read it really doesn't help.

    This is fluff, and bad statistics based on its own fluff to boot. Just ignore the article.