Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Graph of Linux Vs. Windows System Calls

kdawson posted more than 7 years ago | from the linguini-or-angel-hair dept.

Security 302

cgrayson recommends Richard Stiennon's blog on ZDNet — a post titled Why Windows is less secure than Linux shows a compelling graphical comparison between system calls on the two operating systems. The blogger tips Sana Security for the images. Quoting: "In its long evolution, Windows has grown so complicated that it is harder to secure... [T]hese images... are a complete map of the system calls that occur when a web server serves up [the same] single page of [HTML] with a single picture."

cancel ×


Sorry! There are no comments related to the filter you selected.

Poster? (2, Funny)

Anonymous Coward | more than 7 years ago | (#17908266)

Where can I get a high res version of that image to print out poster size? That's great!

Re:Poster? (0, Informative)

Anonymous Coward | more than 7 years ago | (#17908462)

If you had read digg about 10 months ago you would already have your poster hanging on the wall. ess_secure_than_Linux_ []

Re:Poster? (5, Insightful)

letxa2000 (215841) | more than 7 years ago | (#17908996)

Not defending Windows security, but it's entirely possible that the graphical depiction is not "optimized" so that it intentionally looks like spaghetti. It's hard to see what's going on with the resolution given, but some of the call "bubbles" seem to be unnecessarily placed far away from whatever called them with a long strand of spaghetti between them. This isn't necessarily an indication of spaghetti or bad design, but a bad graphical depiction. Also, just because lots of places make a call to the same API (which causes the graph to look like spaghetti) does not mean bad design--to the contrary, it can be very good design.

I hate Windows as much as the next guy, but I'm not sure this is really a good case for why.

A *truly* inconvenient truth (-1, Troll)

Hamilton Publius (909539) | more than 7 years ago | (#17908676)

Global Warming, as we think we know it, doesn't exist. And I am not the only one trying to make people open up their eyes and see the truth. But few listen, despite the fact that I was the first Canadian Ph.D. in Climatology and I have an extensive background in climatology, especially the reconstruction of past climates and the impact of climate change on human history and the human condition. Few listen, even though I have a Ph.D, (Doctor of Science) from the University of London, England and was a climatology professor at the University of Winnipeg. For some reason (actually for many), the World is not listening. Here is why.

What would happen if tomorrow we were told that, after all, the Earth is flat? It would probably be the most important piece of news in the media and would generate a lot of debate. So why is it that when scientists who have studied the Global Warming phenomenon for years say that humans are not the cause nobody listens? Why does no one acknowledge that the Emperor has no clothes on?

Believe it or not, Global Warming is not due to human contribution of Carbon Dioxide (CO2). This in fact is the greatest deception in the history of science. We are wasting time, energy and trillions of dollars while creating unnecessary fear and consternation over an issue with no scientific justification. For example, Environment Canada brags about spending $3.7 billion in the last five years dealing with climate change almost all on propaganda trying to defend an indefensible scientific position while at the same time closing weather stations and failing to meet legislated pollution targets.

No sensible person seeks conflict, especially with governments, but if we don't pursue the truth, we are lost as individuals and as a society. That is why I insist on saying that there is no evidence that we are, or could ever cause global climate change. And, recently, Yuri A. Izrael, Vice President of the United Nations sponsored Intergovernmental Panel on Climate Change (IPCC) confirmed this statement. So how has the world come to believe that something is wrong?

Maybe for the same reason we believed, 30 years ago, that global cooling was the biggest threat: a matter of faith. "It is a cold fact: the Global Cooling presents humankind with the most important social, political, and adaptive challenge we have had to deal with for ten thousand years. Your stake in the decisions we make concerning it is of ultimate importance; the survival of ourselves, our children, our species," wrote Lowell Ponte in 1976.

I was as opposed to the threats of impending doom global cooling engendered as I am to the threats made about Global Warming. Let me stress I am not denying the phenomenon has occurred. The world has warmed since 1680, the nadir of a cool period called the Little Ice Age (LIA) that has generally continued to the present. These climate changes are well within natural variability and explained quite easily by changes in the sun. But there is nothing unusual going on.

Since I obtained my doctorate in climatology from the University of London, Queen Mary College, England my career has spanned two climate cycles. Temperatures declined from 1940 to 1980 and in the early 1970's global cooling became the consensus. This proves that consensus is not a scientific fact. By the 1990's temperatures appeared to have reversed and Global Warming became the consensus. It appears I'll witness another cycle before retiring, as the major mechanisms and the global temperature trends now indicate a cooling.

No doubt passive acceptance yields less stress, fewer personal attacks and makes career progress easier. What I have experienced in my personal life during the last years makes me understand why most people choose not to speak out; job security and fear of reprisals. Even in University, where free speech and challenge to prevailing wisdoms are supposedly encouraged, academics remain silent.

I once received a three page letter that my lawyer defined as libellous, from an academic colleague, saying I had no right to say what I was saying, especially in public lectures. Sadly, my experience is that universities are the most dogmatic and oppressive places in our society. This becomes progressively worse as they receive more and more funding from governments that demand a particular viewpoint.

In another instance, I was accused by Canadian environmentalist David Suzuki of being paid by oil companies. That is a lie. Apparently he thinks if the fossil fuel companies pay you have an agenda. So if Greenpeace, Sierra Club or governments pay there is no agenda and only truth and enlightenment?

Personal attacks are difficult and shouldn't occur in a debate in a civilized society. I can only consider them from what they imply. They usually indicate a person or group is losing the debate. In this case, they also indicate how political the entire Global Warming debate has become. Both underline the lack of or even contradictory nature of the evidence.

I am not alone in this journey against the prevalent myth. Several well-known names have also raised their voices. Michael Crichton, the scientist, writer and filmmaker is one of them. In his latest book, "State of Fear" he takes time to explain, often in surprising detail, the flawed science behind Global Warming and other imagined environmental crises.

Another cry in the wildenerness is Richard Lindzen's. He is an atmospheric physicist and a professor of meteorology at MIT, renowned for his research in dynamic meteorology - especially atmospheric waves. He is also a member of the National Academy of Sciences and has held positions at the University of Chicago, Harvard University and MIT. Linzen frequently speaks out against the notion that significant Global Warming is caused by humans. Yet nobody seems to listen.

I think it may be because most people don't understand the scientific method which Thomas Kuhn so skilfully and briefly set out in his book "The Structure of Scientific Revolutions." A scientist makes certain assumptions and then produces a theory which is only as valid as the assumptions. The theory of Global Warming assumes that CO2 is an atmospheric greenhouse gas and as it increases temperatures rise. It was then theorized that since humans were producing more CO2 than before, the temperature would inevitably rise. The theory was accepted before testing had started, and effectively became a law.

As Lindzen said many years ago: "the consensus was reached before the research had even begun." Now, any scientist who dares to question the prevailing wisdom is marginalized and called a sceptic, when in fact they are simply being good scientists. This has reached frightening levels with these scientists now being called climate change denier with all the holocaust connotations of that word. The normal scientific method is effectively being thwarted.

Meanwhile, politicians are being listened to, even though most of them have no knowledge or understanding of science, especially the science of climate and climate change. Hence, they are in no position to question a policy on climate change when it threatens the entire planet. Moreover, using fear and creating hysteria makes it very difficult to make calm rational decisions about issues needing attention.

Until you have challenged the prevailing wisdom you have no idea how nasty people can be. Until you have re-examined any issue in an attempt to find out all the information, you cannot know how much misinformation exists in the supposed age of information.

I was greatly influenced several years ago by Aaron Wildavsky's book "Yes, but is it true?" The author taught political science at a New York University and realized how science was being influenced by and apparently misused by politics. He gave his graduate students an assignment to pursue the science behind a policy generated by a highly publicised environmental concern. To his and their surprise they found there was little scientific evidence, consensus and justification for the policy. You only realize the extent to which Wildavsky's findings occur when you ask the question he posed. Wildavsky's students did it in the safety of academia and with the excuse that it was an assignment. I have learned it is a difficult question to ask in the real world, however I firmly believe it is the most important question to ask if we are to advance in the right direction.

Dr. Tim Ball, Chairman of the Natural Resources Stewardship Project (, is a Victoria-based environmental consultant and former climatology professor at the University of Winnipeg. He can be reached at

Linux is less secure than Windows (0, Troll)

The_Abortionist (930834) | more than 7 years ago | (#17908810)

All evidence shows that Linux is less secure than other operating systems, in particular Windows.

For one thing, this can be explained by the open nature of Linux where anybody has access to all of the encryption algorithms, sources and keys. In the computer world, just like in the human world, it is in environments where anything goes that the worst viruses come to existence.

Also, Linux distributions are filled with various backdoors since anyone, including ill-intended foreigners, can add anything to the kernel base and its surroundings. At some point, there was even a hacked version of a compiler that introduced backdoors in every program that it produced!

Finally, and probably most importantly, Linux growth happens through the actions of the low-key movement of techies that try to replace everything they can in their organisations with Linux. Apart from acting unprofessionally, these zealots let their feelings for the beloved OS trump any kind of common sense behavior, such as using the right tool for the job. Instead they carelessly introduce vulnerabilities in environments that were previously locked down.

In short, organisations who value computer security should stay away from Linux, and refrain from hiring those who mention Linux in their resume.

Looks good. (5, Funny)

bradsenff (1047338) | more than 7 years ago | (#17908280)

Those pictures look great.

Suddenly I am hungry for spaghetti.

mmmMmm Food.

Damn. Windows *is* evil. It is making me fat!

Re:Looks good. (5, Insightful)

HomelessInLaJolla (1026842) | more than 7 years ago | (#17908420)

I just happened to think: Do you suppose it would be possible to refactor the Windows graph to make it look less tangled, or refactor the Linux graph to make it look more tangled? Imagine the graphs in 3-D space and being able to rotate around them or even view them from inside looking out in different directions. The concept is similar to adjusting the axes in the same manner as logarithmic paper can make some plots look like straight lines (once that concept is recognized then the math can become infinitely complex for defining the axes).

To be perfectly fair: How do we know that the researcher who created the graphs optimized both for clean and concise 2-D layout?

In response to my own question: No matter how you want to change the visualization the Linux graph looks to have far fewer multiple source intersection points and a larger prevalence of straight line heirarchical structure.

Re:Looks good. (1)

dctoastman (995251) | more than 7 years ago | (#17908642)

You beat me to it.

I was about to say that myself about the Linux picture having less entry points. It looks like the Windows picture relies on some system calls that are called by just about everything. It seems that you could do a lot for security by first focusing on these central points.

Unavoidable. (5, Interesting)

Kadin2048 (468275) | more than 7 years ago | (#17908718)

I think you'd have to resort to a lot of trickery, like stacking vertices on top of each other with zero-length edges, to make the Windows graph appear less complicated than the Linux one. Provided that you model them in the same way, it ought to be pretty apparent that one just has a lot more vertices and edges than the other, even if you did it in a multidimensional space.

Really, the graphs are just a way of artfully showing a simple fact, which is that Windows requires more system calls than Linux, to complete a particular task. If you assume that each system call is a potential vulnerability, and that less calls are inherently better and more secure, than the result is a foregone conclusion. But those are pretty big "ifs," and it seems like someone who was pro-Windows would do better to attack those premises, rather than trying to dispute the graph, if it's indeed representative of the true number of system calls.

Pudding graph (-1, Troll)

HomelessInLaJolla (1026842) | more than 7 years ago | (#17908306)

Please allow me to be the first to say... OMG NICE!!! That picture is so applicable for every discussion in which MS advocates have tried to ride down (troll) Linux advocates as nothing but mere fanbois.

And, remarkably, the fortune cookie on the bottom of the page is...

"Patience is the best remedy for every trouble. -- Titus Maccius Plautus"

We have now been remedied from MS advocacy trolls. Many thanks to SANA for those pics and Steinnon for the blog entry.

Re:Pudding graph (2, Insightful)

ajs (35943) | more than 7 years ago | (#17908428)

NO! This is a terrible, terrible misuse of information. The person who came up with those graphs should be forced to read "The Visual Display of Quantitative Information" Edward R Tufte until their eyes fall out!

IIS is written in C++.

Apache is written in C.

These graphs show the different calling models of C++ and C.

That is *all* they show.

Re:Pudding graph (1)

HomelessInLaJolla (1026842) | more than 7 years ago | (#17908486)

> That is *all* they show

According to the blog author the graphs are maps of calls to memory locations which would also include calls made from the web server to the underlying OS (eg. calls from apache to glibc).

Re:Pudding graph (0)

Anonymous Coward | more than 7 years ago | (#17908832)

Which means absolutely nothing without having the server configuration information. FUD, and it got you hook, line and sinker.

Re:Pudding graph (5, Insightful)

j00r0m4nc3r (959816) | more than 7 years ago | (#17908488)

Well, not only that, but it has nothing to do with Windows and Linux. More like, Apache and IIS. You could run Apache on your Windows box, which I'm sure LOTS of people do.

Re:Pudding graph (1)

A beautiful mind (821714) | more than 7 years ago | (#17908606)

I know both of them!

Re:Pudding graph (-1)

Anonymous Coward | more than 7 years ago | (#17908670)

Home slice did not compare IIS on Windows to Apache on Linux -- he compared Apache on Linux to Apache on Windows. This is what he said he was doing. RTFA. It still doesn't PROVE much, but it certainly does justly imply something.

Re:Pudding graph (4, Funny)

Rycross (836649) | more than 7 years ago | (#17908754)

Quote from the article:

This second image is of a Windows Server running IIS.

You are wrong.

Re:Pudding graph (1, Funny)

jimstapleton (999106) | more than 7 years ago | (#17908864)

the funny thing is, had you not said something as retarded as "home slice", I wouldn't have verified from TFA:

This second image is of a Windows Server running IIS.
Go back to your cave Mr Troll.

No, it was IIS on Win vs Apache on Linux. (2, Insightful)

Kadin2048 (468275) | more than 7 years ago | (#17908886)

I don't know what you're talking about. In TFA it's quite clear that the top graph is Apache on Linux, and the bottom is IIS on Windows, both serving the same page. So there are two factors (at least) between them, a different OS and a different webserver. It's not fair, as much as I'd like to, to attribute the increase in calls purely to the design of Windows -- that would only be possible if it was Apache vs. Apache (and even then, there would be other things to control for).

If you accept that more system calls are inherently bad, than the graphs might indicate that "IIS on Windows" is less secure than "Apache on Linux," but it says nothing about Apache on Windows, or Windows as a platform inherently.

Re:Pudding graph (1)

0xdeadbeef (28836) | more than 7 years ago | (#17908824)

Why are people modding a joke insightful? You're making a joke, right?

Re:Pudding graph (3, Informative)

iusty (104688) | more than 7 years ago | (#17908882)

The article says syscalls, not function calls. The difference between calling models has no relation to syscalls, which are between userland and kernel space.

More likely, the article shows the difference between Apache and IIS, on one side, and the glibc and however-it's-called windows' base library, on the other side.

Re:Pudding graph (1)

jimstapleton (999106) | more than 7 years ago | (#17908998)

it the CRT/CRTD.dlls if I remember correctly in Windows, when using Visual Studios.

Re:Pudding graph (1)

HomelessInLaJolla (1026842) | more than 7 years ago | (#17909016)

I agree [] that there are hundreds of considerations which may affect the visual pattern of the graphs. I still feel that there is some useful information to be gained by this particular visualization.

Nobody is claiming that this is a quantitative, tit-for-tat, comparison. What is being suggested is that this is qualitative evidence in the security debate.

Apparently this article touched off some pretty severe nerves, though, because both the posters and the mods are going hog-wild with the flamebait.

Re:Pudding graph (4, Insightful)

Malc (1751) | more than 7 years ago | (#17908542)

Twaddle. The report comes from a company that makes money selling security software for Windows. Scaremongering is good for their sales.

What would be interesting is an analysis of the types of system calls. What about a comparison of the functionality of IIS vs. Apache? Perhaps Windows provides some calls that Apache has had to implement in it's own application code. How many of those so called system calls trap in to the kernel?

This is just insubstantial FUD as far as I can see, backed up by indecipherable pictures.

Re:Pudding graph (2, Insightful)

HomelessInLaJolla (1026842) | more than 7 years ago | (#17908906)

> This is just insubstantial FUD as far as I can see, backed up by indecipherable pictures

So your assertion is that an overhead road map of cities, such as New York, NY vs. Kalamazoo, MI, would be entirely useless in generalizing points of traffic congestion and points of traffic collisions?

Maybe you don't design operating systems (computer or civil), or, if you do, maybe you shouldn't.

OLD news (2, Informative)

sproketboy (608031) | more than 7 years ago | (#17908308)

Posted in last year sometime on zdnet. Is slashdot that out of touch?

Re:OLD news (-1, Offtopic)

viewtouch (1479) | more than 7 years ago | (#17908354)

Well, yes, actually, slashdot is out of touch. This and many other stories accepted lately are coming from readers of, a very useful site for news that's interesting.

Re:OLD news (0)

Anonymous Coward | more than 7 years ago | (#17908460)

You mean it *wasn't* posted 5 minutes ago?! The scandle! Was it posted on slashdot a year ago? Is it on a subject stupidly out of date? No? Then is it conceivable that the slashdot crowd might not have seen this yet and that it might be interesting to some of them? I'm going with yes.

nice pics (5, Funny)

Anonymous Coward | more than 7 years ago | (#17908310)

what can I say? I'm impressed, you can click on the larger images and still not see a god damn thing

Wow (1)

lavid (1020121) | more than 7 years ago | (#17908324)

I just checked out those pictures and all I have to say is wow. Unfortunately, from the given images, it's really impossible to follow any of those lines. It's amazing IIS even works....

FUD? (3, Insightful)

EveryNickIsTaken (1054794) | more than 7 years ago | (#17908326)

Can anyone verify the accuracy of the "graphs"?

Re:FUD? (4, Informative)

ejdmoo (193585) | more than 7 years ago | (#17908362)

Accurate or not, it's a graph of Apache vs. IIS calls, NOT Linux vs. Windows. Also old as hell.

Another quality article from Slashdot.

Re:FUD? (4, Informative)

ajs (35943) | more than 7 years ago | (#17908530)

It's good that Slashdot is covering it, though. I do like the fact that we periodically get the chance to debunk some of the misinformation on the Web.

Taken completely out of its original context, the graphs are a useful way to compare real-world examples of C and C++ calling models, though. You'll notice that IIS (C++) has these "clusters" of activity where one routine acts as a nexus for calls into many others. This is fairly standard practice in C++ where you might have an accessor that triggers lots of behavior. In the C version, there's a much more visually procedural pattern where a function calls a few others, and then returns to a function that calls its tree of functions, but might overlap with a few calls to the previous function's utility functions, etc.

Re:FUD? (2, Insightful)

YellowElf (445681) | more than 7 years ago | (#17908618)

But these are system calls, and should not be part of the IIS application itself. Of course, Microsoft loooves to say everything is part of the OS, and we can't see the actual calls that are being made, but whatever is being called should be outside of IIS in order for the article to make sense.


Re:FUD? (1)

SheeEttin (899897) | more than 7 years ago | (#17908674)

I do like the fact that we periodically get the chance to debunk some of the misinformation on the Web
Is that what you call it?

Re:FUD? (1)

Spazmania (174582) | more than 7 years ago | (#17908950)

An attacker doesn't care -why- there are a bunch of system calls. Its all machihe language at that point. That those calls happen presents an opportunity to inject malicious code.

If your basic claim about C/C++ is right then the consequence is that code written per "standard practice" in C++ is inherently harder to secure than code written in C.

Re:FUD? (2, Insightful)

Red Flayer (890720) | more than 7 years ago | (#17908632)

Another quality article from Slashdot.
Have you done your part with firehose [] ?

You've got the power to make a difference in the story selection process, why don't you use it instead of complaining meaninglessly? Especially since it'd already been pointed out by several posters?

Re:FUD? (1)

gmack (197796) | more than 7 years ago | (#17908888)

Accurate or not, it's a graph of Apache vs. IIS calls, NOT Linux vs. Windows. Also old as hell.

More to the point it conveys no useful info on how complex the calls are. Are they single function calls that pass off the core of the work to others or are they complicated calls that try to do too many things in one place?

I'm actually surprised the Apache graph was less cluttered than the IIS graph given that Microsoft tends to prefer functions that do as many things as possible so code can be better reused while apache is more UNIX like in that they tend to prefer smaller functions that are easier to debug. Of course a lot of that could just be the efficiency of the compiler

Re:FUD? (1)

Nos. (179609) | more than 7 years ago | (#17908396)

That's just it, without methodology and at least higher resolution pictures where things could be traced, this could be a complete farce. Without more documentation to back it up, I can't really call this news (as the blogger notes in his posting).

Re:FUD? (0)

Anonymous Coward | more than 7 years ago | (#17908410)

IIS, Just like using one pointer to an object that does all the work.

Re:FUD? (1)

hotdiggitydawg (881316) | more than 7 years ago | (#17908434)

My thoughts exactly. From TFA:

A picture is worth millions of words
Not when it is supposedly a map of system calls and there isn't a single friggin' word anywhere on either of the pictures. In fact, the only way to tell which system is which is by the filename of the image! How can anyone even begin to verify that it is not complete bollocks?

Re:FUD? (1)

HomelessInLaJolla (1026842) | more than 7 years ago | (#17908580)

> there isn't a single friggin' word anywhere on either of the pictures

If you read the article then you would understand that the intersection points are memory locations, not words. The author explains that each memory location is a point of possible failure.

Re:FUD? (1)

hotdiggitydawg (881316) | more than 7 years ago | (#17908742)

You missed my point. I read the article. I know what his claims are, but I want verifiable proof. The pictures as they stand are entirely meaningless, except to the gullible.

Re:FUD? (1)

HomelessInLaJolla (1026842) | more than 7 years ago | (#17908780)

> are entirely meaningless

Which is entirely wrong

> except to the gullible

Unless you're prone to extremist knee-jerk overreaction.

The graphs are not entirely meaningless. They demonstrate trends which have real world interpretable value.

Re:FUD? (1)

convolvatron (176505) | more than 7 years ago | (#17908988)

no, they dont really. as much as i love the dot project, its really not the
worlds best general purpose graph drawer. it also turns out to be very subjective
depending on the planarization approximation to generate something that looks
clean or messy.

so if you just build a dynamic call graph and run it through dot (having done this
before many times myself), you cant really say that the overall visual impression
leaves you any more informed than you were before.

put it this way, do you really know anything more about the respective implementations
from looking at these pictures aside from the false generalization that windows
is 'messier' than linux? no, you dont.

Re:FUD? (1)

flakier (177415) | more than 7 years ago | (#17908720)

Impossible to tell with the small pictures, though it's certainly believable. The graphs look similar to others I've seen. It would be nice to see instructions on how to create the graphs rather than the graphs themselves.

Interesting (2, Insightful)

theqmann (716953) | more than 7 years ago | (#17908344)

Interesting, they look hand drawn. I wonder if arbitrary complexity could be visually added by using a suboptimal drawing pattern.

Re:Interesting (4, Informative)

0xABADC0DA (867955) | more than 7 years ago | (#17908594)

It's not hand drawn. They obviously used dot from graphviz [] . You can't mistake that layout once you've seen it.

Vista (2, Insightful)

IflyRC (956454) | more than 7 years ago | (#17908346)

Where is the Vista version?

Re:Vista (1)

dreamlax (981973) | more than 7 years ago | (#17908776)

Windows Vista Home Graph Edition? Or Windows Vista Maths Centre Edition? Just keep in mind that only Maths Centre comes with Aero.

A slice off the dll block. (0)

Anonymous Coward | more than 7 years ago | (#17908348)

""In its long evolution, Windows has grown so complicated that it is harder to secure... [T]hese images... are a complete map of the system calls that occur when a web server serves up [the same] single page of [HTML] with a single picture.""

Fine grained vs coarse grained. Whoo-pee.

Old and Pointless News (5, Insightful)

garcia (6573) | more than 7 years ago | (#17908368)

The article is dated April 14th, 2006. Nice.

The photos are completely unreadable and mean absolutely nothing. Let's see the entire graph with labels so that we can know exactly what's going on during the calls. From that graph, for all we know, we could be looking at more than what they claim.

Re:Old and Pointless News (2, Insightful)

*weasel (174362) | more than 7 years ago | (#17908722)

Not to mention that we should be looking at Apache-on-Windows vs Apache-on-Linux.

Why mix up the comparison of Linux/Windows with Apache/IIS with C/C++ if you don't have to?

An actual apples-to-apples comparison would be interesting.

Just one case ... (1)

dsojourner (695863) | more than 7 years ago | (#17908372)

I'm pretty "anti-microsoft", but I still know it's pretty dangerous to deduce much from a single example. For example, are there any situations where the complexity is reversed? I'd guess not (or not as many), but you can't really tell ...

They both look a mess (0)

Anonymous Coward | more than 7 years ago | (#17908392)

Clearly, the windows example is a bigger bowl of spaghetti, but the Linux version is also a mess of complexity.

Operating systems are complex beasts. This is all this non-scientific blog proves.

I feel that this artical.... (0)

Drakin020 (980931) | more than 7 years ago | (#17908408)

Is just a big flamebait.

A single page with a single picture? (3, Funny)

fireman sam (662213) | more than 7 years ago | (#17908424)

and I thought goatse was taken down.

Linux developers should take note.... (1, Interesting)

StressGuy (472374) | more than 7 years ago | (#17908426)

It is tempting to add more and more features and functionality over time. Ultimatly, you risk getting consumed by "entropy".

KDE and Gnome developers also....lest XFCE surprise them both over time.

Re:Linux developers should take note.... (5, Funny)

Fred Ferrigno (122319) | more than 7 years ago | (#17908540)

Obviously, the solution is to code everything as a single function. Then the graph will look very nice and tidy.

A "grand unified coding function"... (1)

StressGuy (472374) | more than 7 years ago | (#17909014)


Complete FUD (2, Insightful)

DrDitto (962751) | more than 7 years ago | (#17908446)

Never have I seen papers or research that implies the number of system calls correlates to security. What's next, implying MS-DOS is more secure than Linux based on numbers of system calls and lines of code?

Re:Complete FUD (1)

Foofoobar (318279) | more than 7 years ago | (#17908772)

No but it has everything to do with speed and use of resources. A couple hundred system cals (including redundant ones) in IIS verses maybe 70 in Apache would correlate to Apache using fewer resources, booting faster ad having a faster response time.

Also as I pointed out, IIS has loads of redundant system calls making for a bloated system.

This is what the graphs show. Not security, bloat, poor performance and bad development.

Re:Complete FUD (3, Funny)

flyingfsck (986395) | more than 7 years ago | (#17908914)

Of course DOS is more secure than Linux. It doesn't do networking...

Re:Complete FUD (1)

A beautiful mind (821714) | more than 7 years ago | (#17908918)

"MS-DOS - without a remote hole in the default installation for 26 years."

I call FUD (5, Insightful)

LighterShadeOfBlack (1011407) | more than 7 years ago | (#17908454)

Comparing the complexity of system calls made by two different programs on two different OSes and then using that solely to judge the two differing OSes seems like an astoundingly flawed comparison. Seeing as Apache runs on Linux and Windows it seems pretty obvious that they should've used at least used the same program to make this comparison even slightly relevant.

I'm not saying Windows isn't worse than Linux in this respect, just that this article proves nothing.

This is more a comparison of efficiency to me. (1)

Ariastis (797888) | more than 7 years ago | (#17908458)

Sure, it shows that Windows is harder to secure on the system calls front because it makes so many more of them (with IIS). But to me, if the graphs aren't factise, it just confirms that Windows/IIS is way too bloated to be an efficient webserver. Same task, similar results, but Windows requires nearly twice the computing power to do it in the same time. No wonder Unix|Linux webservers can run on older/cheaper hardware and give satisfying results...

Re:This is more a comparison of efficiency to me. (1)

IflyRC (956454) | more than 7 years ago | (#17908520)

For all we know, the IIS sample used was executing ASP.NET pages that used some COM objects via COM Interop and Runtime Callable Wrappers. To handle the conversion between COM and managed code I could see there being that much inefficiency. However, the images are just too small to tell whats happening.

OT: Is google working at the mo? (0, Offtopic)

Anonymous Coward | more than 7 years ago | (#17908478) seems to not work. Neither is I'm in the UK. It's been like this for about an hour - never had this problem before.

Not true - pure FUD (1)

A Friendly Troll (1017492) | more than 7 years ago | (#17908480)

Secunia disagrees with the blog contents. I disagree as well - this is pure FUD.

(IIS 5 and IIS 4 are humiliating for mankind. Won't link those, but search yourself if you want to cry and have nightmares.)

IIS 6 []
Affected By 3 Secunia advisories
Unpatched 0% (0 of 3 Secunia advisories)

Apache 1.3.x []
Affected By 19 Secunia advisories
Unpatched 5% (1 of 19 Secunia advisories)

Apache 2.0.x []
Affected By 33 Secunia advisories
Unpatched 9% (3 of 33 Secunia advisories)

Apache 2.2.x []
Affected By 3 Secunia advisories
Unpatched 33% (1 of 3 Secunia advisories)

Re:Not true - pure FUD (1)

Watson Azfor (815694) | more than 7 years ago | (#17908652)

Hmmm. Maybe I'm not seeing this correctly, but by your logic of unpatched advisories, there appears to be a mistake in the IIS 6 category. 0 Unpatched of 3 Secunia advisories would be 100% unpatched, making IIS 6 the worst of the bunch.

0 Unpatched = 100% Patched (1)

mythosaz (572040) | more than 7 years ago | (#17908734)

Uh... Zero unpatched means all patched; or if you like the percentages, means 100% patched. That's the best of the bunch.

Re:Not true - pure FUD (0)

Anonymous Coward | more than 7 years ago | (#17908692)

So you're only going to compare the latest? What happens to your IIS->Apache 2.2 comparison if you don't include optional modules that are disabled by default?

What happens if you don't include configurations that the documentation recommends against specifically because they are insecure?

What happens if you don't include issues that have no impact on the server?

Re:Not true - pure FUD (1)

A Friendly Troll (1017492) | more than 7 years ago | (#17908900)

What happens when you write a blog post which includes two images of gray spaghetti and claim that one web server is more (in)secure than another?

Judging security by Secunia's advisories is the same as judging security by pictures that don't make sense at all. You can spread FUD either way, which is what I just did, in accordance with my nickname (which isn't really meant to be taken literally, but hey, I have to live up to it sometimes). Even Secunia says "Please Note: The statistics provided should not be used to compare the overall security of products against one another."

My post is the equivalent of the linked blog entry. Crappy FUD.

Now, for our favourite car analogy (we like those, don't we?): a car cheap made in 1970 doesn't make any system calls (obviously). Is it more secure when driving than the latest 2007 top-end BMW or Toyota, both of which include very complex computer systems? ;)

So you admit you're full of shite (0)

Anonymous Coward | more than 7 years ago | (#17908954)

You didn't like the FUD in this article, so you posted more (and by your own admission) equally bad FUD to this site.

How's that an improvement?

Re:Not true - pure FUD (1)

csplinter (734017) | more than 7 years ago | (#17908812)

Quote from

"Please Note: The statistics provided should not be used to compare the overall security of products against one another."

Very suspicious of what "syscall" means here. (5, Insightful)

Nevyn (5505) | more than 7 years ago | (#17908504)

The normal usage of syscall is something that has to transfer control to the system, from your program. Things like accept(), write() and sbrk() but not strcpy() or malloc(). While I haven't done an strace on Apache-httpd I have done it on my own webserver and I find it hard to believe that Apache-httpd is as bad as the graph in the article implies. And given there's no text in the graph it's hard to check.

At it's simplest a HTTP response is: accept(); read(); open(); fstat(); write(); sendfile(); close(); close();. A lot of servers will set options like: FD_CLOEXEC, O_NONBLOCK, TCP_CORK and call shutdown() at the end. You can also easily blow a few more syscalls on config. options which don't do anything for the simplest case, but the graph implies 50-100.

The confusing thing, to me, is that if by "syscall" they meant something like "library calls" then I'd expect much more for Apache-httpd (as large bits of code are in libapr etc.) ... but the comparison is worthless then anyway.

Err... Mod Parent Up (1)

argent (18001) | more than 7 years ago | (#17909066)

that was my first reaction as well... what the hell do they mean by "system calls", 'cos that looks like a library call graph...

I'm so confused (4, Funny)

Anonymous Coward | more than 7 years ago | (#17908508)

Windows is less sucure because more blimps are firing more laser beams at other blimps in its picture than in linux's picture. ??? Wouldn't the larger swarm of blimbs with more lasers make it more secure it has the better army?

Re:I'm so confused (0)

Anonymous Coward | more than 7 years ago | (#17908866)

you win teh internets

Well, kind of right (2, Insightful)

varmittang (849469) | more than 7 years ago | (#17908514)

Yeah, its Apache on Linux and IIS on Windows, but what about Apache on Windows. What are the system calls there. If they are about the same from Linux to Windows for Apache, then all this proves is that MS wrote a crappy Web server. But if there are more calls to be made with Apache on Windows, then I would say that Windows makes its programs do more system calls and possibly makes all programs more likely to be cracked into. But its not fair to put one program against another on different OSs, then say the OS is the problem.

Good point.. (1)

d_jedi (773213) | more than 7 years ago | (#17908550)

Assuming the graphs generated are, in fact, accurate and not just a bunch of scribbles on a page (it would be nice if there was an expanded version that showed the whole thing, legibly..).

One of the principles of secure programming is to keep it simple (stupid). Simpler interfaces have fewer potential areas for exploitation. That said, the picture doesn't tell the whole story. For one, the blog title saying Windows is less secure, is possibly inaccurate (at least, it cannot be derived from that picture) - the additional complexity may make it HARDER for MS to secure Windows, but that says nothing really of the intrinsic security of either platform.

OMG! It's the Spaghetti Monster (0)

Anonymous Coward | more than 7 years ago | (#17908554)

Microsoft *is* His Noodlyness!

more calls could just as easily mean more security (3, Insightful)

harlows_monkeys (106428) | more than 7 years ago | (#17908558)

This is kind of ridiculous. More calls could indicate that some things are being broken down into more fine-grained, simpler, subproblems, or that more use is being made of existing libraries as opposed to writing new code. Both of those would tend to lead to better security.

In other words, number of system calls tells us nothing useful about security.

Some points (1)

thousandinone (918319) | more than 7 years ago | (#17908604)

Two pretty pictures. Two pretty, interesting looking pictures. Two pretty, interesting looking, but completely unlabeled printers. This is the sort of thing an IS representative would show at a meeting with non tech-savvy personnel. All it shows is two messes of lines, one more tangled at the top, the other the bottom. It would be more helpful if there was some indication of what was causing the different calls. On another note: How is this windows vs. linux? The article would indicate it was a comparison of windows and linux in general, but its actually comparing two types of web server, and last I checked Apache can be run on a windows machine...

Or is it the other way? (1)

edmicman (830206) | more than 7 years ago | (#17908666)

A system call is an opportunity to address memory. A hacker investigates each memory access to see if it is vulnerable to a buffer overflow attack. The developer must do QA on each of these entry points. The more system calls, the greater potential for vulnerability, the more effort needed to create secure applications.
Not that I necessarily disagree with the point of the article, but couldn't you argue that if a hacker has to "investigate each memory access to see if it is vulnerable", then by having more entry points it would be MORE secure? If I have 10 possible vulnerable points to look through versus 1000 possible vulnerable points, wouldn't I want to tackle the smaller job?

Re:Or is it the other way? (1)

ja (14684) | more than 7 years ago | (#17908894)

No. It is like getting 10 lottery tickets vs 1000 lottery tickets. Chances of finding a vulnerability are better the more opportunities you get.

Re:Or is it the other way? (1)

Slightly Askew (638918) | more than 7 years ago | (#17908910)

If I have 10 possible vulnerable points to look through versus 1000 possible vulnerable points, wouldn't I want to tackle the smaller job?

BadAnalogy(TM) time. If I want to invade a foreign country, one which has 10 bridges leading to it, and one which has 1000, I'm going to assume (rightly so) that the defending nation is going to have a harder time securing those 1000 bridges than the one securing 10 bridges. Yes, it is easier for me to determine which are undefended in the 10 bridge is also far more likely that nation has in-depth knowledge of the defensibility of those bridges. As the defender, I'm much more likely to catch a guard napping when I only have 10 bridges to monitor.

Documented Evidence for the Spaghetti Monster (1)

geoffrobinson (109879) | more than 7 years ago | (#17908744)

I'm sure the Microsoft folks have excellent debugging tools to work with.

More system calls could very well mean LESS secure (0)

Anonymous Coward | more than 7 years ago | (#17908768)

This is a totally meaningless study. All you've shown is that for one relatively uncontrolled test, there were more system calls under Windows than under Linux. This could mean lots of things, and none of us can possibly know which:

1) MAYBE it means that Linux system calls tend to jam lots of diverse functionality into a single system call, with complex parameters to select which is desired. This would mean Windows has far more system calls than Linux. But this is also a horrible and insecure programming practice, implying Windows is better.

2) MAYBE it means that Windows did a better job of factoring common subroutines out into their own functions, which is a good programming practice and would imply Windows is better.

3) Or, MAYBE it means what you seem to be asserting, that if the average number of lines of code per system call is the same in both Windows and Linux, then Windows requires more lines of codes to be correct per task, so Linux is better.

Besides, when was the last time that you saw a web-server based bug that was a kernel vulnerability, in either Windows *or* Linux? The vast majority of remotely exploitable bugs are found in user-code, making this study yet more meaningless. Maybe next time show us a graph of user-level library calls for the two OSs. But then it's still meaningless because of the 3 points above.

Now, I'm not saying Windows is better, OR that Linux is better. I use both every day. What I am saying is that, being a rational systems researcher who really likes to know how these OSs might be measured, this piece of information adds nothing to the debate either way. It's just a sound bite.

Quick Summary (2)

bendodge (998616) | more than 7 years ago | (#17908778)

A quick summary:

1. These are old
2. They have nothing to do with Linux vs Windows; they are Apache vs IIS
3. They are unlabeled, so they are only good for showing the difference between C (Apache) and C++ (IIS)

So this tells you that Apache is simpler than IIS, and C is simpler than C++.

What are they actually measuring? (1)

argent (18001) | more than 7 years ago | (#17908878)

What are they actually measuring, though? They look like a subroutine call tree, very little to do with system calls at all, really.

Recalling fundamental differences (0)

Anonymous Coward | more than 7 years ago | (#17908862)

Not surprising.

The greatest difference between the Windows and Linux traditions is that the Windows tradition is "be everything to everyone" while the Unix tradition is "do one job, but do it well".

There are problems/benefits associated with both approaches, and the charts illustrate just one example problem for the Windows approach.

Why is Windows less secure? (1)

night_flyer (453866) | more than 7 years ago | (#17908874)

Because you have people who dont know what they are doing using their computer like they would use a toaster oven or VCR! (and they STILL cant get the clocks set right!)
People who use Linux are tech savvy enough to realize you cant just plug a machine into a wall socket and expect it to be secure.
Windows owners who are wise to this fact have secure machines.

its a dumb argument.

If Joe Sixpack ever got ahold of Linux he would be logged in as ROOT!

In the boardroom: (2, Funny)

rehtonAesoohC (954490) | more than 7 years ago | (#17908896)

Corporate Linux Fanboy: "As you can see here Gentlemen, the Linux web server has far less tubes going everywhere, which means the information travels a shorter distance through these tubes."
Board: "Oooohhh. Ahhhhh. Tubes..." *nod nod*
Corporate Linux Fanboy: "Now as we look at the Microsoft version of the same exact thing, you can see that the tubes snake every which way with no sense of order. Chaos ensues, and the tubes are tangled every which way. Obviously, less tubes means better."
Corporate Microsoft Fanboy: "Your Mom has more tubes!"

dupe (1)

goarilla (908067) | more than 7 years ago | (#17908924)

this obviously is a dupe
but why would i believe any of it if i can't even read the names of the
function-calls, for all we know this could be as much fiction as scientology

His Noodly Goodness Does Not Approve (2, Funny)

sehlat (180760) | more than 7 years ago | (#17908938)

I have prayed to the Flying Spaghetti Monster [] for guidance about these graphs, and yea, verily did He appear before me and said "What? No sauce?" Then he Frowned his Terrible Frown, and did drown my monitor in Parmesan, bellowing "Away, demons!" and vanished.

Doesn't prove much (1)

dtfinch (661405) | more than 7 years ago | (#17908952)

The more modular a program, the more its call graph will look like spaghetti. The function nodes don't indicate the complexity of the functions. I'm assuming these graphs cover all function calls. It looks too deeply nested to just be system calls.

Imagine if the call graph was much much simpler, like just one central node with branches to each system call. Anyone responsible for such a monolithic blob of spaghetti code would have trouble finding a new job.

I've seen these graphs several times already. With a date like "April 14th, 2006", I'm almost sure this is a dupe, but I don't feel like searching to prove it.

Plethora of issues (4, Insightful)

DLG (14172) | more than 7 years ago | (#17908966)

#1. Old news
#2. Apples and Oranges (IIS on Windows versus Apache on Linux? Which are we comparing?)
#3. Lack of detail: You can't see what system calls are really involved. No indication of configuration. No version numbers.

So that puts it in the realm of FUD, although the blogger does explain that its just a blog.

From my experience with Linux and Windows, the philosophical difference has to do with what is doing most of the work. In Windows a great deal of functionality is granted by the Windows API. As most programmers throughout the 90's know, Microsoft created their API around the functionality they needed for their own development, and then the rest of us had to buy the 'Secret' API manual with all the treats.

In Linux the Kernel where all those system calls go, is pretty limited compared to Windows. Where most functionality is added for developers is in shared libraries. Windows of course has the too, but its more a matter of where the real action is running. Is it in the kernel or in userspace. With Linux mostly its userspace, so there is less issues with software errors being capable of interfering with the machine itself. Still there are ways developers, especially of servers requiring some superuser priveleges (listening to ports under 1024) have provided security holes in basic interfaces (Sendmail and Bind for example). Still thats not reserved to Linux. Beyond that, we talk about the fact that Linux users don't run as root, but I have seen alot of irc session where the username of root is in the GID. So SOME folks do run as root. Whether the distributions now make that less necessary, that is also how Vista is going.

Apache is a bad project to compare other software too. It has been remarkably well developed both for stability and resisting sneaky security issues. Obviously one can muck up their configuration to reduce their security, but Apache itself (despite its initial moniker of being A patchy webserver) is a terrific example of well run coding projects.

IIS on the other hand is one of the posterchildren of security problems, with early versions not checking for navigation of parent directories, along with other trivial insecurites, based in some ways on permitting the developer to easily integrate IIS with other Microsoft tools.

So yes, IIS on Windows is more insecure than Apache on Linux. And Apache on Linux has always kicked IIS's ass in market share. I wonder if we compared Apache on Linux to Apache on Windows what we would find.


Not to jump to Microsoft's defense... (2, Funny)

HerculesMO (693085) | more than 7 years ago | (#17909038)

But IIS is probably one of their best products, and most secure as far as security bulletins go.

I think the rest has been covered ad nauseum, as far as C versus C++ procedure calls.

Is this in response to Netcraft's February survey? (1)

sheldon (2322) | more than 7 years ago | (#17909064)

The latest web survey showed further erosion of Apache compared to IIS? Do we need to spread a little marketing over at OSDL to try to turn that around?

It's kind of an old article, and the assertion made is pretty stupid. I don't see any other purpose.
Load More Comments
Slashdot Login

Need an Account?

Forgot your password?