Graph of Linux Vs. Windows System Calls

cgrayson recommends Richard Stiennon's blog on ZDNet — a post titled Why Windows is less secure than Linux shows a compelling graphical comparison between system calls on the two operating systems. The blogger tips Sana Security for the images. Quoting: "In its long evolution, Windows has grown so complicated that it is harder to secure... [T]hese images... are a complete map of the system calls that occur when a web server serves up [the same] single page of [HTML] with a single picture."

Looks good.

[bradsenff]

Those pictures look great.

Suddenly I am hungry for spaghetti.

mmmMmm Food.

Damn. Windows *is* evil. It is making me fat!

Re:Looks good.

[HomelessInLaJolla]

I just happened to think: Do you suppose it would be possible to refactor the Windows graph to make it look less tangled, or refactor the Linux graph to make it look more tangled? Imagine the graphs in 3-D space and being able to rotate around them or even view them from inside looking out in different directions. The concept is similar to adjusting the axes in the same manner as logarithmic paper can make some plots look like straight lines (once that concept is recognized then the math can become infinitely complex for defining the axes).

To be perfectly fair: How do we know that the researcher who created the graphs optimized both for clean and concise 2-D layout?

In response to my own question: No matter how you want to change the visualization the Linux graph looks to have far fewer multiple source intersection points and a larger prevalence of straight line heirarchical structure.

Re:Looks good.

[nberardi]

This shouldn't be titled why Windows is less secure than Linux. If the author actually had an integrity or an understanding of what he was writing about it should be title why IIS is less secure than Apache. Because I bet Apache running on Windows looks very close to the Apache running on Linux. Mostly because the Apache team has an excellent set of developers.

This blogger should be shunned out of the internet world as a worthless hack.

Re:Looks good.

[Thrip]

I just happened to think: Do you suppose it would be possible to refactor the Windows graph to make it look less tangled ...? Yes. The easiest way would be to throw out the Windows code base and start over with a set of competent programmers, then regenerate the graph.

nice pics

what can I say? I'm impressed, you can click on the larger images and still not see a god damn thing

Re:FUD?

[ejdmoo]

Accurate or not, it's a graph of Apache vs. IIS calls, NOT Linux vs. Windows. Also old as hell.

Another quality article from Slashdot.

Old and Pointless News

[garcia]

The article is dated April 14th, 2006. Nice.

The photos are completely unreadable and mean absolutely nothing. Let's see the entire graph with labels so that we can know exactly what's going on during the calls. From that graph, for all we know, we could be looking at more than what they claim.

I call FUD

[LighterShadeOfBlack]

Comparing the complexity of system calls made by two different programs on two different OSes and then using that solely to judge the two differing OSes seems like an astoundingly flawed comparison. Seeing as Apache runs on Linux and Windows it seems pretty obvious that they should've used at least used the same program to make this comparison even slightly relevant.

I'm not saying Windows isn't worse than Linux in this respect, just that this article proves nothing.

Re:Pudding graph

[j00r0m4nc3r]

Well, not only that, but it has nothing to do with Windows and Linux. More like, Apache and IIS. You could run Apache on your Windows box, which I'm sure LOTS of people do.

Very suspicious of what "syscall" means here.

[Nevyn]

The normal usage of syscall is something that has to transfer control to the system, from your program. Things like accept(), write() and sbrk() but not strcpy() or malloc(). While I haven't done an strace on Apache-httpd I have done it on my own webserver and I find it hard to believe that Apache-httpd is as bad as the graph in the article implies. And given there's no text in the graph it's hard to check.

At it's simplest a HTTP response is: accept(); read(); open(); fstat(); write(); sendfile(); close(); close();. A lot of servers will set options like: FD_CLOEXEC, O_NONBLOCK, TCP_CORK and call shutdown() at the end. You can also easily blow a few more syscalls on config. options which don't do anything for the simplest case, but the graph implies 50-100.

The confusing thing, to me, is that if by "syscall" they meant something like "library calls" then I'd expect much more for Apache-httpd (as large bits of code are in libapr etc.) ... but the comparison is worthless then anyway.

I'm so confused

Windows is less sucure because more blimps are firing more laser beams at other blimps in its picture than in linux's picture. ??? Wouldn't the larger swarm of blimbs with more lasers make it more secure it has the better army?

Re:FUD?

[ajs]

It's good that Slashdot is covering it, though. I do like the fact that we periodically get the chance to debunk some of the misinformation on the Web.

Taken completely out of its original context, the graphs are a useful way to compare real-world examples of C and C++ calling models, though. You'll notice that IIS (C++) has these "clusters" of activity where one routine acts as a nexus for calls into many others. This is fairly standard practice in C++ where you might have an accessor that triggers lots of behavior. In the C version, there's a much more visually procedural pattern where a function calls a few others, and then returns to a function that calls its tree of functions, but might overlap with a few calls to the previous function's utility functions, etc.

Re:Linux developers should take note....

[Fred+Ferrigno]

Obviously, the solution is to code everything as a single function. Then the graph will look very nice and tidy.

Re:Pudding graph

[Malc]

Twaddle. The report comes from a company that makes money selling security software for Windows. Scaremongering is good for their sales.

What would be interesting is an analysis of the types of system calls. What about a comparison of the functionality of IIS vs. Apache? Perhaps Windows provides some calls that Apache has had to implement in it's own application code. How many of those so called system calls trap in to the kernel?

This is just insubstantial FUD as far as I can see, backed up by indecipherable pictures.

Re:Interesting

[0xABADC0DA]

It's not hand drawn. They obviously used dot from graphviz. You can't mistake that layout once you've seen it.

Unavoidable.

[Kadin2048]

I think you'd have to resort to a lot of trickery, like stacking vertices on top of each other with zero-length edges, to make the Windows graph appear less complicated than the Linux one. Provided that you model them in the same way, it ought to be pretty apparent that one just has a lot more vertices and edges than the other, even if you did it in a multidimensional space.

Really, the graphs are just a way of artfully showing a simple fact, which is that Windows requires more system calls than Linux, to complete a particular task. If you assume that each system call is a potential vulnerability, and that less calls are inherently better and more secure, than the result is a foregone conclusion. But those are pretty big "ifs," and it seems like someone who was pro-Windows would do better to attack those premises, rather than trying to dispute the graph, if it's indeed representative of the true number of system calls.

Re:Unavoidable.

[jpmattia]

If you assume that each system call is a potential vulnerability, and that less calls are inherently better

I think that's severely oversimplifying, because rewriting the system to take only one system call would certainly result in more bugs, no?

Re:Unavoidable.

[51mon]

I think that's severely oversimplifying, because rewriting the system to take only one system call would certainly result in more bugs, no?

I thought Alan Cox had already done a kernel module for serving http?

But no rewriting the system to more specifically do the task in a more focused way would almost certainly result in a lot less bugs, of course the system would be less "generally useful".

Clearly it is a simple argument, less is more.

Backwards compatibility has huge costs, one of them is security. Supporting those apps with 8.3 filename limits, and 3 or 4 different ways of accessing the file system, all mean there is a lot more around to go wrong.

If you are actively using large chunks of "more" you probably don't care, as your system is more flexible, or more featured.

But I'm really not interested in the performance hits the more bizarre features of SMB gives to my webservers, but I daren't switch it off, as I know I'd be running an IIS configuration that is practically unique in the world, and it is flaky enough as it is. Similarly I don't care about that 8.3 compatibility, I know I could switch it off, but I'd worry something obscure might break. So I'm stuck with the "more" even when I want "less". Where as my Linux webservers don't have a GUI, most don't have SMB (or NFS), I lost all that network filesystem junk with the last update on most of them (scp (or http) will do fine for most things).

Guess it comes down to design - the secret of elegance is about what you take out, not what you put in.

And if you want (or are unsure if you need) binary backward compatibility to DOS 1 (or whatever level is provided), you can take out very little.

Re:Pudding graph

[Rycross]

Quote from the article:

This second image is of a Windows Server running IIS.

You are wrong.

Plethora of issues

[DLG]

#1. Old news
#2. Apples and Oranges (IIS on Windows versus Apache on Linux? Which are we comparing?)
#3. Lack of detail: You can't see what system calls are really involved. No indication of configuration. No version numbers.

So that puts it in the realm of FUD, although the blogger does explain that its just a blog.

From my experience with Linux and Windows, the philosophical difference has to do with what is doing most of the work. In Windows a great deal of functionality is granted by the Windows API. As most programmers throughout the 90's know, Microsoft created their API around the functionality they needed for their own development, and then the rest of us had to buy the 'Secret' API manual with all the treats.

In Linux the Kernel where all those system calls go, is pretty limited compared to Windows. Where most functionality is added for developers is in shared libraries. Windows of course has the too, but its more a matter of where the real action is running. Is it in the kernel or in userspace. With Linux mostly its userspace, so there is less issues with software errors being capable of interfering with the machine itself. Still there are ways developers, especially of servers requiring some superuser priveleges (listening to ports under 1024) have provided security holes in basic interfaces (Sendmail and Bind for example). Still thats not reserved to Linux. Beyond that, we talk about the fact that Linux users don't run as root, but I have seen alot of irc session where the username of root is in the GID. So SOME folks do run as root. Whether the distributions now make that less necessary, that is also how Vista is going.

Apache is a bad project to compare other software too. It has been remarkably well developed both for stability and resisting sneaky security issues. Obviously one can muck up their configuration to reduce their security, but Apache itself (despite its initial moniker of being A patchy webserver) is a terrific example of well run coding projects.

IIS on the other hand is one of the posterchildren of security problems, with early versions not checking for navigation of parent directories, along with other trivial insecurites, based in some ways on permitting the developer to easily integrate IIS with other Microsoft tools.

So yes, IIS on Windows is more insecure than Apache on Linux. And Apache on Linux has always kicked IIS's ass in market share. I wonder if we compared Apache on Linux to Apache on Windows what we would find.

Re:Poster?

[letxa2000]

Not defending Windows security, but it's entirely possible that the graphical depiction is not "optimized" so that it intentionally looks like spaghetti. It's hard to see what's going on with the resolution given, but some of the call "bubbles" seem to be unnecessarily placed far away from whatever called them with a long strand of spaghetti between them. This isn't necessarily an indication of spaghetti or bad design, but a bad graphical depiction. Also, just because lots of places make a call to the same API (which causes the graph to look like spaghetti) does not mean bad design--to the contrary, it can be very good design.

I hate Windows as much as the next guy, but I'm not sure this is really a good case for why.

Re:Pudding graph

[hangareighteen]

He said 'syscall' right?

[ pasted from http://en.wikipedia.org/wiki/Syscall ]
System calls often use a special CPU instruction which causes the processor to transfer control to more privileged code, as previously specified by the more privileged code. This allows the more privileged code to specify where it will be entered as well as important processor state at the time of entry.
When the system call is invoked, the program which invoked it is interrupted, and information needed to continue its execution later is saved. The processor then begins executing the higher privileged code, which, by examining processor state set by the less privileged code and/or its stack, determines what is being requested. When it is finished, it returns to the program, restoring the saved state, and the program continues executing.
[ end paste ]

So, forgive me.. I could just be naive; but what does C or C++ calling semantics / methods have anything to do with calls into the OS? Seems like you'd have to make the same calls regardless of the language that you use, or more to the point, that the calls represent the facilities that the OS has made available to you. Seems pretty language independent from my readings.

that's the path of chairs at a MS board meeting

[swschrad]

write to steveb@microsoft.com, I'm sure he'll let you have the video ;)

Bad protocol w/ Good encryption

[Zarf]

Good protocol can secure bad encryption more easily than good encryption can help bad protocol.

The Sana Security diagrams show us just how bad the windows internal protocols really are. There is no securing this system with Digital Rights management or any other encryption scheme. Any security method placed on top of a such bad messaging protocols will fail miserably because even if the encryption or other security suite is perfect... windows isn't. And the system will be compromised by drilling down through windows... not through the security system.

What good is a bullet-proof pad lock if you put the combination on a yellow sticky note next to the lock itself?

Re:FUD?

[timeOday]

The graphs are a useful way to compare real-world examples of C and C++ calling models, though.

No, because they're only counting system calls. There's no inherent reason for C++ code to make more numerous or more varied system calls. The difference between C and C++ is purely user-mode. The summary's assertion is correct - the Windows server is simply making many more system calls to serve a page.

Is that a surprise? Those of you who doubt the general claims made using these graphs, why don't you find a more compelling statistic to the contrary? Show us how the XP (or better yet, Vista) kernel API is NOT a sprawling mess. Good luck, since even Microsoft has admitted Vista is nearly unmaintainable, and years of schedule slippage proves it no matter what they say.

I don't even blame them. Feature-richness and backwards compatibility are key aspects of what Microsoft provides, and it inevitably results in a mess. These are practically requirements if you have a big expensive software infrastructure built over a long period of time, as many businesses do. But don't kid yourself that the costs avoided by not refactoring all that old code come free. Complexity does impact security.

Re:Vista

[Fnord666]

Where is the Vista version?

They're waiting for additional funding for the ink.

Re:Pudding graph

[imroy]

These graphs show the different calling models of C++ and C.
That is *all* they show.

No they don't. They show *system calls*, into the kernel, not method or function calls within the user-space program. The language shouldn't make much difference at that level.

Re:Pudding graph

[Chris+Burke]

So, forgive me.. I could just be naive; but what does C or C++ calling semantics / methods have anything to do with calls into the OS?

No, you're right, it has nothing to do with C/C++. The GP was just another example on /. of "I'm going to seem smart by discrediting the article, and the easiest way to do so is make something up without reading the article".

Re:IIS is more secure than is Apache

[dbIII]

Remember that your are comparing public results about a peer reviewed application against a development black box we cannot see into. Personally I don't think that is a very good comparison. Also I think they should have compared apache on both platforms.