
Graph of Linux Vs. Windows System Calls 302

cgrayson recommends Richard Stiennon's blog on ZDNet — a post titled Why Windows is less secure than Linux shows a compelling graphical comparison between system calls on the two operating systems. The blogger tips Sana Security for the images. Quoting: "In its long evolution, Windows has grown so complicated that it is harder to secure... [T]hese images... are a complete map of the system calls that occur when a web server serves up [the same] single page of [HTML] with a single picture."

  • by StressGuy ( 472374 ) on Tuesday February 06, 2007 @02:53PM (#17908426)
    It is tempting to add more and more features and functionality over time. Ultimately, you risk getting consumed by "entropy".

    KDE and Gnome developers also....lest XFCE surprise them both over time.
  • Unavoidable. (Score:5, Interesting)

    by Kadin2048 ( 468275 ) <.ten.yxox. .ta. .nidak.todhsals.> on Tuesday February 06, 2007 @03:09PM (#17908718) Homepage Journal
    I think you'd have to resort to a lot of trickery, like stacking vertices on top of each other with zero-length edges, to make the Windows graph appear less complicated than the Linux one. Provided that you model them in the same way, it ought to be pretty apparent that one just has a lot more vertices and edges than the other, even if you did it in a multidimensional space.

    Really, the graphs are just a way of artfully showing a simple fact, which is that Windows requires more system calls than Linux, to complete a particular task. If you assume that each system call is a potential vulnerability, and that fewer calls are inherently better and more secure, then the result is a foregone conclusion. But those are pretty big "ifs," and it seems like someone who was pro-Windows would do better to attack those premises, rather than trying to dispute the graph, if it's indeed representative of the true number of system calls.
  • by Master of Transhuman ( 597628 ) on Tuesday February 06, 2007 @04:42PM (#17910318) Homepage
    - or at least a Web server - is more efficient than Windows.

    This explains why Linux server editions tested in the past tend to outperform Windows Server versions by a factor of two in number of users they can handle linearly.

    They obviously are calling a hell of a lot less than Windows is.

    And it's not clear that those Windows calls are really necessary. I suspect they are mostly redundant calls to multiple versions of the same code from multiple calling modules. This is a result of the size of the Microsoft development teams re-inventing each other's code regularly with every new release of the OS. This is pretty clearly what is going on based on Jim Allchin's remarks two years ago about how Vista would "never" be done if they didn't change their development practices.

    And it's the only thing that explains the millions of new lines of code in each new release of the OS, without a concomitant increase in OS capability. Vista has what, twenty million new lines of code? For what capability over XP - DRM? I doubt it.

  • Re:FUD? (Score:4, Interesting)

    by jgrahn ( 181062 ) on Tuesday February 06, 2007 @06:12PM (#17912098)

    I don't even blame them. Feature-richness and backwards compatibility are key aspects of what Microsoft provides, and it inevitably results in a mess. These are practically requirements if you have a big expensive software infrastructure built over a long period of time, as many businesses do.

    OK, but shouldn't that make a Unix syscall interface even more messy? After all, it was created thirty-five years ago.

    On the other hand, you might want to count each ioctl and each read(2) or write(2) of different character devices as separate system calls ...

  • by nwhitehorn ( 1044658 ) on Tuesday February 06, 2007 @06:22PM (#17912304)
    This actually makes a very good point. Some arguably secure coding styles (microkernels, for instance) involve a fantastic number of syscalls, as operations trampoline through kernel space.

    On the other end of things, the way to get the fewest possible number of syscalls is to implement the entire web server in the kernel (in a single function, as the OP wrote). Then you just call the handle_http_request() syscall and walk away. This is, of course, the least secure and most dangerous possible way to implement a web server.

    The only thing with which number of system calls actually correlates is request handling speed -- barring other performance issues, context switches take some amount of time, which is why microkernels typically have poor performance. Given the massively different software architectures involved, however, I would imagine that any important performance differences lie elsewhere.
  • by I'm Don Giovanni ( 598558 ) on Tuesday February 06, 2007 @06:35PM (#17912584)
    Accept that IIS6 is more secure than Apache 2.x. Go to secunia.com and compare the two security records since 2003 (when IIS6 was released). IIS6 has had only three vulnerabilities since then, all minor, and all patched. During the same time period, Apache 2.x has had over 30 vulnerabilities, multiple of them rated as "critical", and some are still unpatched today, and others are only partially patched.

    So, not only does the article fail at attempting to say why Linux is more secure than Windows, the example they use doesn't even show that Apache is more secure than IIS.
  • by Anonymous Coward on Wednesday February 07, 2007 @10:02AM (#17920074)
    More of the latter, but sans the snot. It's equally easy to tell the leeches that are paid by grant money or by big enviros. What's difficult is to look objectively at the evidence and form one's own opinion. It's apparently a foreign concept in the area of environmentalism, since any look at the other side results in endless ad hominem attacks and not one rebuttal of the FACTS.
