Graph of Linux Vs. Windows System Calls

cgrayson recommends Richard Stiennon's blog on ZDNet — a post titled Why Windows is less secure than Linux shows a compelling graphical comparison between system calls on the two operating systems. The blogger tips Sana Security for the images. Quoting: "In its long evolution, Windows has grown so complicated that it is harder to secure... [T]hese images... are a complete map of the system calls that occur when a web server serves up [the same] single page of [HTML] with a single picture."

Poster?

[Anonymous Coward]

Where can I get a high res version of that image to print out poster size? That's great!

that's the path of chairs at a MS board meeting

[swschrad]

write to steveb@microsoft.com, I'm sure he'll let you have the video ;)

Re:Poster?

[letxa2000]

Not defending Windows security, but it's entirely possible that the graphical depiction is not "optimized" so that it intentionally looks like spaghetti. It's hard to see what's going on with the resolution given, but some of the call "bubbles" seem to be unnecessarily placed far away from whatever called them with a long strand of spaghetti between them. This isn't necessarily an indication of spaghetti or bad design, but a bad graphical depiction. Also, just because lots of places make a call to the same API (which causes the graph to look like spaghetti) does not mean bad design--to the contrary, it can be very good design.

I hate Windows as much as the next guy, but I'm not sure this is really a good case for why.

Re:Poster?

[EsbenMoseHansen]

It looks as is if it was made by graphViz, which draws diagrams based on a textfile containing the dependencies. So it's probably fair enough in that sense, but the posting the number of edges and the number of nodes would probably be nice as well. Though I'd prefer the source for those 2 images :D

Re:

[speculatrix]

there are graphviz viewers which allow some interaction, so you could drag nodes about a bit to make it less messy.

Re:Poster?

[RazzleDazzle]

Yeah, spaghetti... obey your noodly master.

Next thing you'll be talking about is global warming, then pirates, and the love of Him that is noodly.

Re:

[DaveG, the Quantum P]

If it were that unsecure, why would it have zealots in the first place? Why would anyone stick with it? What about all those secure apache servers out there?

Re:

[ashridah]

"If it were that unsecure, why would it have zealots in the first place?"

it's called money, as in, people make money from what they know about it, and lets face it, ms was just lucky, followed by having smart (for them) marketing practices, and finally, having good strong-arm tactics.

Re:Linux is less secure than Windows

[cant_get_a_good_nick]

1) Interestingly enough, the grandparent post was a Linux troll, and you responded about MS.

2) Whether or not you like MS (and i don't really, though i grudgingly call them useful at times) they weren't really lucky. They seized opportunities others didn't see, capitalized on other's mistakes, relentlessly focussed on how to usurp their competitors and steal their customers, saw the value of network effects and also leverage their dominance in one area to another. None of it was real luck. Though he likes to think of himself as a technical genius (which i don't really) Bill Gates really is a business genius, a true shark amongst techs without business acumen, and used it to amass a huge fortune.

MS strongarm tactics require them to have a market dominance in some field. At one time, MS was just another company, smaller than Lotus and others. Yet they grew to where they now can use strongarm tactics. They bought code from others, polished it, made it work together very well (to the exclusion of others) and make a lot of money from that.

As far as marketing, their consumer marketing really sucks. Seeing an ad saying "WOW" really isn't making me want to buy Vista. The dinosaur ads really don't make me want to buy Office.

If the Linux desktop is to succeed, they will need to take an honest look at how MS succeeded, and how to counter that. When MS saw a market dominated by a competitor (Lotus) they looked at every reason why someone would stay with Lotus and came up witha counter, when most Linux geeks look at MS market dominance, they say "luck" or "marketing" and just sit and wait for people to somehow realize Linux is technically better and then sit and wait until everybody switches.

Looks good.

[bradsenff]

Those pictures look great.

Suddenly I am hungry for spaghetti.

mmmMmm Food.

Damn. Windows *is* evil. It is making me fat!

Re:Looks good.

[HomelessInLaJolla]

I just happened to think: Do you suppose it would be possible to refactor the Windows graph to make it look less tangled, or refactor the Linux graph to make it look more tangled? Imagine the graphs in 3-D space and being able to rotate around them or even view them from inside looking out in different directions. The concept is similar to adjusting the axes in the same manner as logarithmic paper can make some plots look like straight lines (once that concept is recognized then the math can become infinitely complex for defining the axes).

To be perfectly fair: How do we know that the researcher who created the graphs optimized both for clean and concise 2-D layout?

In response to my own question: No matter how you want to change the visualization the Linux graph looks to have far fewer multiple source intersection points and a larger prevalence of straight line heirarchical structure.

Re:

[dctoastman]

You beat me to it.

I was about to say that myself about the Linux picture having less entry points. It looks like the Windows picture relies on some system calls that are called by just about everything. It seems that you could do a lot for security by first focusing on these central points.

Unavoidable.

[Kadin2048]

I think you'd have to resort to a lot of trickery, like stacking vertices on top of each other with zero-length edges, to make the Windows graph appear less complicated than the Linux one. Provided that you model them in the same way, it ought to be pretty apparent that one just has a lot more vertices and edges than the other, even if you did it in a multidimensional space.

Really, the graphs are just a way of artfully showing a simple fact, which is that Windows requires more system calls than Linux, to complete a particular task. If you assume that each system call is a potential vulnerability, and that less calls are inherently better and more secure, than the result is a foregone conclusion. But those are pretty big "ifs," and it seems like someone who was pro-Windows would do better to attack those premises, rather than trying to dispute the graph, if it's indeed representative of the true number of system calls.

Re:Unavoidable.

[jpmattia]

If you assume that each system call is a potential vulnerability, and that less calls are inherently better

I think that's severely oversimplifying, because rewriting the system to take only one system call would certainly result in more bugs, no?

Re:Unavoidable.

[51mon]

I think that's severely oversimplifying, because rewriting the system to take only one system call would certainly result in more bugs, no?

I thought Alan Cox had already done a kernel module for serving http?

But no rewriting the system to more specifically do the task in a more focused way would almost certainly result in a lot less bugs, of course the system would be less "generally useful".

Clearly it is a simple argument, less is more.

Backwards compatibility has huge costs, one of them is security. Supporting those apps with 8.3 filename limits, and 3 or 4 different ways of accessing the file system, all mean there is a lot more around to go wrong.

If you are actively using large chunks of "more" you probably don't care, as your system is more flexible, or more featured.

But I'm really not interested in the performance hits the more bizarre features of SMB gives to my webservers, but I daren't switch it off, as I know I'd be running an IIS configuration that is practically unique in the world, and it is flaky enough as it is. Similarly I don't care about that 8.3 compatibility, I know I could switch it off, but I'd worry something obscure might break. So I'm stuck with the "more" even when I want "less". Where as my Linux webservers don't have a GUI, most don't have SMB (or NFS), I lost all that network filesystem junk with the last update on most of them (scp (or http) will do fine for most things).

Guess it comes down to design - the secret of elegance is about what you take out, not what you put in.

And if you want (or are unsure if you need) binary backward compatibility to DOS 1 (or whatever level is provided), you can take out very little.

Re:

[SL Baur]

Really, the graphs are just a way of artfully showing a simple fact, which is that Windows requires more system calls than Linux, to complete a particular task

That's what it looks like and I hate to say this, but who cares and what has this to do with security? The average Unix program doesn't make its own system calls and the most exploited misfeatures were in the standard C library like sprintf, strcpy, and gets, none of which involve system calls.

Re:Looks good.

[Atmchicago]

I agree with your question. I was thinking of a few ways to analyze the graphs:

• Count the total number of nodes
• Count the average number of edges coming out of each node

The first gives us an idea of the total number of calls involved. The second gives us some idea of how many interactions each call is involved with - more branches would indicate more complexity.

Re:Looks good.

[Thrip]

I just happened to think: Do you suppose it would be possible to refactor the Windows graph to make it look less tangled ...?

Yes. The easiest way would be to throw out the Windows code base and start over with a set of competent programmers, then regenerate the graph.

Re:

[shawb]

The reason the Linux version has a lot of empty space and wider pixel size is because... there are so many fewer connections between nodes. There is more room to represent them. If appears that while Linux does have nearly as many nodes, many more of the calls are in a linear fashion. This is good security-wise as you can get a better idea of what data should be passed through a particular chunk of code and can better plan for exception checking and out of bounds conditions so malformed data will be hand

Re:Looks good.

[nberardi]

This shouldn't be titled why Windows is less secure than Linux. If the author actually had an integrity or an understanding of what he was writing about it should be title why IIS is less secure than Apache. Because I bet Apache running on Windows looks very close to the Apache running on Linux. Mostly because the Apache team has an excellent set of developers.

This blogger should be shunned out of the internet world as a worthless hack.

IIS is more secure than is Apache

[I'm Don Giovanni]

Accept that IIS6 is more secure than Apache 2.x. Go to secunia.com and compare the two security records since 2003 (when IIS6 was released). IIS6 has had only three vulnerabilities since then, all minor, and all patch. During the same time period, Apache 2.x has had over 30 vunlerabilities, multiple them rated as "critical", and some are still unpatched today, and others are only partially patched.

So, not only does the article fail at attempting to say why Linux is more secure than windows, the example t

Re:IIS is more secure than is Apache

[dbIII]

Remember that your are comparing public results about a peer reviewed application against a development black box we cannot see into. Personally I don't think that is a very good comparison. Also I think they should have compared apache on both platforms.

OLD news

[sproketboy]

Posted in last year sometime on zdnet. Is slashdot that out of touch?

nice pics

[Anonymous Coward]

what can I say? I'm impressed, you can click on the larger images and still not see a god damn thing

FUD?

[EveryNickIsTaken]

Can anyone verify the accuracy of the "graphs"?

Re:FUD?

[ejdmoo]

Accurate or not, it's a graph of Apache vs. IIS calls, NOT Linux vs. Windows. Also old as hell.

Another quality article from Slashdot.

Re:FUD?

[ajs]

It's good that Slashdot is covering it, though. I do like the fact that we periodically get the chance to debunk some of the misinformation on the Web.

Taken completely out of its original context, the graphs are a useful way to compare real-world examples of C and C++ calling models, though. You'll notice that IIS (C++) has these "clusters" of activity where one routine acts as a nexus for calls into many others. This is fairly standard practice in C++ where you might have an accessor that triggers lots of behavior. In the C version, there's a much more visually procedural pattern where a function calls a few others, and then returns to a function that calls its tree of functions, but might overlap with a few calls to the previous function's utility functions, etc.

Re:

[YellowElf]

But these are system calls, and should not be part of the IIS application itself. Of course, Microsoft loooves to say everything is part of the OS, and we can't see the actual calls that are being made, but whatever is being called should be outside of IIS in order for the article to make sense.

--dv

Re:

[Spazmania]

An attacker doesn't care -why- there are a bunch of system calls. Its all machihe language at that point. That those calls happen presents an opportunity to inject malicious code.

If your basic claim about C/C++ is right then the consequence is that code written per "standard practice" in C++ is inherently harder to secure than code written in C.

Re:

[plalonde2]

That's a completely bogus statement. In straight C you know your call graph. You know which function is called where and when. In C++ any method call might be virtual and you have no way to know at the call site. Or the function call might be a non-virtual override. No way to tell at the call site. It is much easier to mis-use (unintentionally) a C++ OO library than a straight C library. I see many more errors in C++ code than I do in straight C.

Re:FUD?

[timeOday]

The graphs are a useful way to compare real-world examples of C and C++ calling models, though.

No, because they're only counting system calls. There's no inherent reason for C++ code to make more numerous or more varied system calls. The difference between C and C++ is purely user-mode. The summary's assertion is correct - the Windows server is simply making many more system calls to serve a page.

Is that a surprise? Those of you who doubt the general claims made using these graphs, why don't you find a more compelling statistic to the contrary? Show us how the XP (or better yet, Vista) kernel API is NOT a sprawling mess. Good luck, since even Microsoft has admitted Vista is nearly unmaintainable, and years of schedule slippage proves it no matter what they say.

I don't even blame them. Feature-richness and backwards compatibility are key aspects of what Microsoft provides, and it inevitably results in a mess. These are practically requirements if you have a big expensive software infrastructure built over a long period of time, as many businesses do. But don't kid yourself that the costs avoided by not refactoring all that old code come free. Complexity does impact security.

Re:FUD?

[jgrahn]

I don't even blame them. Feature-richness and backwards compatibility are key aspects of what Microsoft provides, and it inevitably results in a mess. These are practically requirements if you have a big expensive software infrastructure built over a long period of time, as many businesses do.

OK, but shouldn't that make a Unix syscall interface even more messy? After all, it was created thirty-five years ago.

On the other hand, you might want to count each ioctl and each read(2) or write(2) of different character devices as separate system calls ...

Re:

[timeOday]

OK, but shouldn't that make a Unix syscall interface even more messy? After all, it was created thirty-five years ago.

How much backwards compatibility does it really retain though? I realize some basic concepts and even the names of some basic functions (e.g. "read") have actually been around that long, but how many binaries from back then would run on Linux? I doubt you could find one. And that's what I mean by maintaining backwards compatibility on a feature-rich platform.

Re:

[Red Flayer]

Another quality article from Slashdot.

Have you done your part with firehose [slashdot.org]?

You've got the power to make a difference in the story selection process, why don't you use it instead of complaining meaninglessly? Especially since it'd already been pointed out by several posters?

Re:

[Red Flayer]

The link does nothing more than redirect to the front page. Was it supposed to do something else?

I checked the link, it goes to firehose. Maybe you don't have access to firehose (it's in Beta, maybe it's karma-dependent for access)? Or maybe you just need to look a little closer, since FireHose does look a little like the main page.

FYI, FireHose lets users affect submission acceptance by rating the submissions before (and after) they get approved -- this allows for pre-emptive action, and also feedback.

Re:

[gmack]

Accurate or not, it's a graph of Apache vs. IIS calls, NOT Linux vs. Windows. Also old as hell.

More to the point it conveys no useful info on how complex the calls are. Are they single function calls that pass off the core of the work to others or are they complicated calls that try to do too many things in one place?

I'm actually surprised the Apache graph was less cluttered than the IIS graph given that Microsoft tends to prefer functions that do as many things as possible so code can be better reus

Re:

[hotdiggitydawg]

My thoughts exactly. From TFA:

A picture is worth millions of words

Not when it is supposedly a map of system calls and there isn't a single friggin' word anywhere on either of the pictures. In fact, the only way to tell which system is which is by the filename of the image! How can anyone even begin to verify that it is not complete bollocks?

Re:

[HomelessInLaJolla]

> there isn't a single friggin' word anywhere on either of the pictures

If you read the article then you would understand that the intersection points are memory locations, not words. The author explains that each memory location is a point of possible failure.

Re:

[hotdiggitydawg]

You missed my point. I read the article. I know what his claims are, but I want verifiable proof. The pictures as they stand are entirely meaningless, except to the gullible.

Re:

[HomelessInLaJolla]

> are entirely meaningless

Which is entirely wrong

> except to the gullible

Unless you're prone to extremist knee-jerk overreaction.

The graphs are not entirely meaningless. They demonstrate trends which have real world interpretable value.

Re:

[convolvatron]

no, they dont really. as much as i love the dot project, its really not the
worlds best general purpose graph drawer. it also turns out to be very subjective
depending on the planarization approximation to generate something that looks
clean or messy.

so if you just build a dynamic call graph and run it through dot (having done this
before many times myself), you cant really say that the overall visual impression
leaves you any more informed than you were before.

put it this way, do you really know anything more a

Interesting

[theqmann]

Interesting, they look hand drawn. I wonder if arbitrary complexity could be visually added by using a suboptimal drawing pattern.

Re:Interesting

[0xABADC0DA]

It's not hand drawn. They obviously used dot from graphviz [graphviz.org]. You can't mistake that layout once you've seen it.

Vista

[IflyRC]

Where is the Vista version?

Re:

[dreamlax]

Windows Vista Home Graph Edition? Or Windows Vista Maths Centre Edition? Just keep in mind that only Maths Centre comes with Aero.

Re:Vista

[Fnord666]

Where is the Vista version?

They're waiting for additional funding for the ink.

Old and Pointless News

[garcia]

The article is dated April 14th, 2006. Nice.

The photos are completely unreadable and mean absolutely nothing. Let's see the entire graph with labels so that we can know exactly what's going on during the calls. From that graph, for all we know, we could be looking at more than what they claim.

Re:

[*weasel]

Not to mention that we should be looking at Apache-on-Windows vs Apache-on-Linux.

Why mix up the comparison of Linux/Windows with Apache/IIS with C/C++ if you don't have to?

An actual apples-to-apples comparison would be interesting.

A single page with a single picture?

[fireman sam]

and I thought goatse was taken down.

Linux developers should take note....

[StressGuy]

It is tempting to add more and more features and functionality over time. Ultimatly, you risk getting consumed by "entropy".

KDE and Gnome developers also....lest XFCE surprise them both over time.

Re:Linux developers should take note....

[Fred Ferrigno]

Obviously, the solution is to code everything as a single function. Then the graph will look very nice and tidy.

A "grand unified coding function"...

[StressGuy]

Brilliant!!!

Re:

[sploxx]

It is tempting to add more and more features and functionality over time. Ultimatly, you risk getting consumed by "entropy".

KDE and Gnome developers also....lest XFCE surprise them both over time.

More functionality is better, as long as the software is integrated in a sane way. The problem is functionality in the wrong places, not functionality itself. I think everyone here knows what harm the will to reduce functionality did to GNOME... (awaiting flames already :)

Complete FUD

[DrDitto]

Never have I seen papers or research that implies the number of system calls correlates to security. What's next, implying MS-DOS is more secure than Linux based on numbers of system calls and lines of code?

Re:

[Foofoobar]

No but it has everything to do with speed and use of resources. A couple hundred system cals (including redundant ones) in IIS verses maybe 70 in Apache would correlate to Apache using fewer resources, booting faster ad having a faster response time.

Also as I pointed out, IIS has loads of redundant system calls making for a bloated system.

This is what the graphs show. Not security, bloat, poor performance and bad development.

Re:Complete FUD

[flyingfsck]

Of course DOS is more secure than Linux. It doesn't do networking...

Re:

[A beautiful mind]

"MS-DOS - without a remote hole in the default installation for 26 years."

I call FUD

[LighterShadeOfBlack]

Comparing the complexity of system calls made by two different programs on two different OSes and then using that solely to judge the two differing OSes seems like an astoundingly flawed comparison. Seeing as Apache runs on Linux and Windows it seems pretty obvious that they should've used at least used the same program to make this comparison even slightly relevant.

I'm not saying Windows isn't worse than Linux in this respect, just that this article proves nothing.

Very suspicious of what "syscall" means here.

[Nevyn]

The normal usage of syscall is something that has to transfer control to the system, from your program. Things like accept(), write() and sbrk() but not strcpy() or malloc(). While I haven't done an strace on Apache-httpd I have done it on my own webserver and I find it hard to believe that Apache-httpd is as bad as the graph in the article implies. And given there's no text in the graph it's hard to check.

At it's simplest a HTTP response is: accept(); read(); open(); fstat(); write(); sendfile(); close(); close();. A lot of servers will set options like: FD_CLOEXEC, O_NONBLOCK, TCP_CORK and call shutdown() at the end. You can also easily blow a few more syscalls on config. options which don't do anything for the simplest case, but the graph implies 50-100.

The confusing thing, to me, is that if by "syscall" they meant something like "library calls" then I'd expect much more for Apache-httpd (as large bits of code are in libapr etc.) ... but the comparison is worthless then anyway.

Good question!

[Cheesey]

As well as wanting to know what the nodes represent (system calls or procedure calls?), I'd like to know what the edges represent. Control flow? Data flow? What are they supposed to be?

This article is unbelievable, apparently presenting a conclusion that the writer doesn't understand, using meaningless data.

I'm so confused

[Anonymous Coward]

Windows is less sucure because more blimps are firing more laser beams at other blimps in its picture than in linux's picture. ??? Wouldn't the larger swarm of blimbs with more lasers make it more secure it has the better army?

Well, kind of right

[varmittang]

Yeah, its Apache on Linux and IIS on Windows, but what about Apache on Windows. What are the system calls there. If they are about the same from Linux to Windows for Apache, then all this proves is that MS wrote a crappy Web server. But if there are more calls to be made with Apache on Windows, then I would say that Windows makes its programs do more system calls and possibly makes all programs more likely to be cracked into. But its not fair to put one program against another on different OSs, then say the OS is the problem.

Good point..

[d_jedi]

Assuming the graphs generated are, in fact, accurate and not just a bunch of scribbles on a page (it would be nice if there was an expanded version that showed the whole thing, legibly..).

One of the principles of secure programming is to keep it simple (stupid). Simpler interfaces have fewer potential areas for exploitation. That said, the picture doesn't tell the whole story. For one, the blog title saying Windows is less secure, is possibly inaccurate (at least, it cannot be derived from that picture)

more calls could just as easily mean more security

[harlows_monkeys]

This is kind of ridiculous. More calls could indicate that some things are being broken down into more fine-grained, simpler, subproblems, or that more use is being made of existing libraries as opposed to writing new code. Both of those would tend to lead to better security.

In other words, number of system calls tells us nothing useful about security.

Or is it the other way?

[edmicman]

A system call is an opportunity to address memory. A hacker investigates each memory access to see if it is vulnerable to a buffer overflow attack. The developer must do QA on each of these entry points. The more system calls, the greater potential for vulnerability, the more effort needed to create secure applications.

Not that I necessarily disagree with the point of the article, but couldn't you argue that if a hacker has to "investigate each memory access to see if it is vulnerable", then by having more

Re:

[Slightly Askew]

If I have 10 possible vulnerable points to look through versus 1000 possible vulnerable points, wouldn't I want to tackle the smaller job?

BadAnalogy(TM) time. If I want to invade a foreign country, one which has 10 bridges leading to it, and one which has 1000, I'm going to assume (rightly so) that the defending nation is going to have a harder time securing those 1000 bridges than the one securing 10 bridges. Yes, it is easier for me to determine which are undefended in the 10 bridge scenario...it is

Quick Summary

[bendodge]

A quick summary:

http://blogs.zdnet.com/images/SysCallApache.jpg [zdnet.com]
http://blogs.zdnet.com/images/SysCallIIS.jpg [zdnet.com]

1. These are old
2. They have nothing to do with Linux vs Windows; they are Apache vs IIS
3. They are unlabeled, so they are only good for showing the difference between C (Apache) and C++ (IIS)

So this tells you that Apache is simpler than IIS, and C is simpler than C++.

What are they actually measuring?

[argent]

What are they actually measuring, though? They look like a subroutine call tree, very little to do with system calls at all, really.

Why is Windows less secure?

[night_flyer]

Because you have people who dont know what they are doing using their computer like they would use a toaster oven or VCR! (and they STILL cant get the clocks set right!)
People who use Linux are tech savvy enough to realize you cant just plug a machine into a wall socket and expect it to be secure.
Windows owners who are wise to this fact have secure machines.

its a dumb argument.

If Joe Sixpack ever got ahold of Linux he would be logged in as ROOT!

In the boardroom:

[rehtonAesoohC]

Corporate Linux Fanboy: "As you can see here Gentlemen, the Linux web server has far less tubes going everywhere, which means the information travels a shorter distance through these tubes."
Board: "Oooohhh. Ahhhhh. Tubes..." *nod nod*
Corporate Linux Fanboy: "Now as we look at the Microsoft version of the same exact thing, you can see that the tubes snake every which way with no sense of order. Chaos ensues, and the tubes are tangled every which way. Obviously, less tubes means better."
Corporate Microsoft

His Noodly Goodness Does Not Approve

[sehlat]

I have prayed to the Flying Spaghetti Monster [venganza.org] for guidance about these graphs, and yea, verily did He appear before me and said "What? No sauce?" Then he Frowned his Terrible Frown, and did drown my monitor in Parmesan, bellowing "Away, demons!" and vanished.

Doesn't prove much

[dtfinch]

The more modular a program, the more its call graph will look like spaghetti. The function nodes don't indicate the complexity of the functions. I'm assuming these graphs cover all function calls. It looks too deeply nested to just be system calls.

Imagine if the call graph was much much simpler, like just one central node with branches to each system call. Anyone responsible for such a monolithic blob of spaghetti code would have trouble finding a new job.

I've seen these graphs several times already. With a

Plethora of issues

[DLG]

#1. Old news
#2. Apples and Oranges (IIS on Windows versus Apache on Linux? Which are we comparing?)
#3. Lack of detail: You can't see what system calls are really involved. No indication of configuration. No version numbers.

So that puts it in the realm of FUD, although the blogger does explain that its just a blog.

From my experience with Linux and Windows, the philosophical difference has to do with what is doing most of the work. In Windows a great deal of functionality is granted by the Windows API. As most programmers throughout the 90's know, Microsoft created their API around the functionality they needed for their own development, and then the rest of us had to buy the 'Secret' API manual with all the treats.

In Linux the Kernel where all those system calls go, is pretty limited compared to Windows. Where most functionality is added for developers is in shared libraries. Windows of course has the too, but its more a matter of where the real action is running. Is it in the kernel or in userspace. With Linux mostly its userspace, so there is less issues with software errors being capable of interfering with the machine itself. Still there are ways developers, especially of servers requiring some superuser priveleges (listening to ports under 1024) have provided security holes in basic interfaces (Sendmail and Bind for example). Still thats not reserved to Linux. Beyond that, we talk about the fact that Linux users don't run as root, but I have seen alot of irc session where the username of root is in the GID. So SOME folks do run as root. Whether the distributions now make that less necessary, that is also how Vista is going.

Apache is a bad project to compare other software too. It has been remarkably well developed both for stability and resisting sneaky security issues. Obviously one can muck up their configuration to reduce their security, but Apache itself (despite its initial moniker of being A patchy webserver) is a terrific example of well run coding projects.

IIS on the other hand is one of the posterchildren of security problems, with early versions not checking for navigation of parent directories, along with other trivial insecurites, based in some ways on permitting the developer to easily integrate IIS with other Microsoft tools.

So yes, IIS on Windows is more insecure than Apache on Linux. And Apache on Linux has always kicked IIS's ass in market share. I wonder if we compared Apache on Linux to Apache on Windows what we would find.

 

Re:

[PsychicX]

I don't know if you intended this or not, but there's sort of a veiled implication in your post that the Win32 API lives in the kernel. It does not. In fact, the Win32 API is a pure userland API, and calls through to a much smaller set of kernel syscalls when necessary. So a Win32 API call does not equate to a 'syscall' in the normal sense, as such a call may make 0 or more calls to the kernel depending on what needs to be done.

Not to jump to Microsoft's defense...

[HerculesMO]

But IIS is probably one of their best products, and most secure as far as security bulletins go.

I think the rest has been covered ad nauseum, as far as C versus C++ procedure calls.

Is this in response to Netcraft's February survey?

[sheldon]

The latest web survey showed further erosion of Apache compared to IIS? Do we need to spread a little marketing over at OSDL to try to turn that around?

It's kind of an old article, and the assertion made is pretty stupid. I don't see any other purpose.

Just what we always heard ... now visualised

[golodh]

One of the main architectural security problems with MS Windows that we keep hearing about is that even ordinary application such as email clients, browsers, etc. tie in so intimately with the Windows OS, that once your application is compromised, your OS is compromised.

These pictures seem to show that IIS is much more tied in with the Windows OS than Apache is with the Linux OS.

I think that's credible, and that it illustrates that in case of Windows, the wider (and much more complicated) interface between applications and OS is real. I have no difficulty believing that this offers many more opportunities to compromise the OS, and hence is less secure.

say what you want

[circletimessquare]

but i think windows is clearly a more artistic operating system than linux

Bad protocol w/ Good encryption

[Zarf]

Good protocol can secure bad encryption more easily than good encryption can help bad protocol.

The Sana Security diagrams show us just how bad the windows internal protocols really are. There is no securing this system with Digital Rights management or any other encryption scheme. Any security method placed on top of a such bad messaging protocols will fail miserably because even if the encryption or other security suite is perfect... windows isn't. And the system will be compromised by drilling down through windows... not through the security system.

What good is a bullet-proof pad lock if you put the combination on a yellow sticky note next to the lock itself?

More importantly these graphs show how Linux

[Master of Transhuman]

- or at least a Web server - is more efficient than Windows.

This explains why Linux server editions tested in the past tend to outperform Windows Server versions by a factor of two in number of users they can handle linearly.

They obviously are calling a hell of a lot less than Windows is.

And it's not clear that those Windows calls are really necessary. I suspect they are mostly redundant calls to multiple versions of the same code from multiple calling modules. This is a result of the size of the Microsoft development teams re-inventing each others code regularly with every new release of the OS. This is pretty clearly what is going on based on Jim Allchin's remarks two years ago about how Vista would "never" be done if they didn't change their development practices.

And it's the only thing that explains the millions of new lines of code in each new release of the OS, without a concomitant increase in OS capability. Vista has what, twenty million new lines of code? For what capability over XP - DRM? I doubt it.

More proof that Windows is the Chosen OS

[davevr]

It seems clear which OS is preferred by the Flying Spaghetti Monster. I feel safe knowing that my web server is doing homage to His Noodly Goodness every time I refresh a page. After all, what is really going to help secure your site: a bunch of fancy-smancy kernel programmers or the divine protection of His noodly appendage?

Re:

[ajs]

NO! This is a terrible, terrible misuse of information. The person who came up with those graphs should be forced to read "The Visual Display of Quantitative Information" Edward R Tufte until their eyes fall out!

IIS is written in C++.

Apache is written in C.

These graphs show the different calling models of C++ and C.

That is *all* they show.

Re:

[HomelessInLaJolla]

> That is *all* they show

According to the blog author the graphs are maps of calls to memory locations which would also include calls made from the web server to the underlying OS (eg. calls from apache to glibc).

Re:Pudding graph

[j00r0m4nc3r]

Well, not only that, but it has nothing to do with Windows and Linux. More like, Apache and IIS. You could run Apache on your Windows box, which I'm sure LOTS of people do.

Re:

[A beautiful mind]

I know both of them!

Re:Pudding graph

[Duhavid]

I dont know I would say it has *nothing* to do with Windows vs Linux.

It is a map of OS calls required to accomplish a task.

Your point is good, though, a better test would be apache on windows
versus apache on linux.

Re:

[iustinp]

The article says syscalls, not function calls. The difference between calling models has no relation to syscalls, which are between userland and kernel space.

More likely, the article shows the difference between Apache and IIS, on one side, and the glibc and however-it's-called windows' base library, on the other side.

Re:

[jimstapleton]

it the CRT/CRTD.dlls if I remember correctly in Windows, when using Visual Studios.

Re:

[HomelessInLaJolla]

I agree [slashdot.org] that there are hundreds of considerations which may affect the visual pattern of the graphs. I still feel that there is some useful information to be gained by this particular visualization.

Nobody is claiming that this is a quantitative, tit-for-tat, comparison. What is being suggested is that this is qualitative evidence in the security debate.

Apparently this article touched off some pretty severe nerves, though, because both the posters and the mods are going hog-wild with the flamebait.

Re:Pudding graph

[hangareighteen]

He said 'syscall' right?

[ pasted from http://en.wikipedia.org/wiki/Syscall [wikipedia.org] ]
System calls often use a special CPU instruction which causes the processor to transfer control to more privileged code, as previously specified by the more privileged code. This allows the more privileged code to specify where it will be entered as well as important processor state at the time of entry.
When the system call is invoked, the program which invoked it is interrupted, and information needed to continue its execution later is saved. The processor then begins executing the higher privileged code, which, by examining processor state set by the less privileged code and/or its stack, determines what is being requested. When it is finished, it returns to the program, restoring the saved state, and the program continues executing.
[ end paste ]

So, forgive me.. I could just be naive; but what does C or C++ calling semantics / methods have anything to do with calls into the OS? Seems like you'd have to make the same calls regardless of the language that you use, or more to the point, that the calls represent the facilities that the OS has made available to you. Seems pretty language independent from my readings.

Re:Pudding graph

[Chris Burke]

So, forgive me.. I could just be naive; but what does C or C++ calling semantics / methods have anything to do with calls into the OS?

No, you're right, it has nothing to do with C/C++. The GP was just another example on /. of "I'm going to seem smart by discrediting the article, and the easiest way to do so is make something up without reading the article".

Re:Pudding graph

[imroy]

These graphs show the different calling models of C++ and C.
That is *all* they show.

No they don't. They show *system calls*, into the kernel, not method or function calls within the user-space program. The language shouldn't make much difference at that level.

Re:Pudding graph

[Rycross]

Quote from the article:

This second image is of a Windows Server running IIS.

You are wrong.

Re:

[jimstapleton]

the funny thing is, had you not said something as retarded as "home slice", I wouldn't have verified from TFA:

This second image is of a Windows Server running IIS.

Go back to your cave Mr Troll.

No, it was IIS on Win vs Apache on Linux.

[Kadin2048]

I don't know what you're talking about. In TFA it's quite clear that the top graph is Apache on Linux, and the bottom is IIS on Windows, both serving the same page. So there are two factors (at least) between them, a different OS and a different webserver. It's not fair, as much as I'd like to, to attribute the increase in calls purely to the design of Windows -- that would only be possible if it was Apache vs. Apache (and even then, there would be other things to control for).

If you accept that more system

Re:Pudding graph

[Malc]

Twaddle. The report comes from a company that makes money selling security software for Windows. Scaremongering is good for their sales.

What would be interesting is an analysis of the types of system calls. What about a comparison of the functionality of IIS vs. Apache? Perhaps Windows provides some calls that Apache has had to implement in it's own application code. How many of those so called system calls trap in to the kernel?

This is just insubstantial FUD as far as I can see, backed up by indecipherable pictures.

Re:

[HomelessInLaJolla]

> This is just insubstantial FUD as far as I can see, backed up by indecipherable pictures

So your assertion is that an overhead road map of cities, such as New York, NY vs. Kalamazoo, MI, would be entirely useless in generalizing points of traffic congestion and points of traffic collisions?

Maybe you don't design operating systems (computer or civil), or, if you do, maybe you shouldn't.

Re:

[IflyRC]

For all we know, the IIS sample used was executing ASP.NET pages that used some COM objects via COM Interop and Runtime Callable Wrappers. To handle the conversion between COM and managed code I could see there being that much inefficiency. However, the images are just too small to tell whats happening.

Re:This is more a comparison of efficiency to me.

[SatanicPuppy]

Except for the whole: "[T]hese images... are a complete map of the system calls that occur when a web server serves up [the same] single page of [HTML] with a single picture."

RTFS: Read The Fucking Summary.

0 Unpatched = 100% Patched

[mythosaz]

Uh... Zero unpatched means all patched; or if you like the percentages, means 100% patched. That's the best of the bunch.