[kwlug disc.] Apache vs IIS system call chart
Abram Hindle
abez at abez.ca
Sat Feb 10 12:47:21 EST 2007
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
I wouldn't read too much into either article. The first claims the calls
are syscalls, yet you can't even read the image to figure out if they
are actually system calls and not just a call graph.
Also they are comparing 2 different web servers which have radically
different architectures. If this was supposed to be syscalls, the
language choice wouldn't matter that much. For instance many heavy duty
apache modules will be dynamically loaded. Did they extract all the
calls from that? Also they aren't clear about what the links are and
which direction they go. Notice how it seems hard to find the root of
the graph or where it starts.
The whole article is misleading and not very verifiable.
The response is a work of art, with claims such as serving static
webpages not being exploitable. Yeah, I can't buffer overflow the webserver
with a huge URL or a giant user-agent line, sure can't do that. Or even
the most simple, download an arbitrary file with a gracious helping of
"../../../". That never happened in the past, right?
> IIS is by default running more things than Apache,
> that is a fact, some call it functionality, others
> call it irresponsibility.
We can assume that, but IIS might in fact be more monolithic than apache
and thus just look larger, whereas apache relies heavily on dynamically
linked libs which everything uses and which are not included.
The fact remains we're sitting here arguing over a blurry picture which
is not verifiable and lacks sufficient accuracy to make an
informed decision or to claim anything about these results.
abram
Raul Suarez wrote:
> --- Kiwi Ssennyonjo <kiwi at ssenn.com> wrote:
>
>> How about this?
>>
>> http://blogs.techrepublic.com.com/programming-and-development/?p=32
>> It is True.
>
> Are you saying that that reply is true?
>
> That reply is totally (yes, totally) misleading. Each
> of the points of the response is just spin and
> misrepresentation of what was said.
>
> Actually, the response inadvertently validates the
> premise of the picture.
>
> IIS is by default running more things than Apache,
> that is a fact, some call it functionality, others
> call it irresponsibility.
>
> Security experts always recommend starting with the
> "minimum you can get away with". So if you have a
> server serving static pages, why have any other
> features turned on?
>
> Serious companies spend a lot of time trying to lock
> down the microsoft platform when in an ideal secure
> mindset, it would come already locked down and the
> time should be spent unlocking functionality.
>
> With respect to the number of calls:
> Every experienced (or at least smart) developer knows
> that complexity increases risk. Every self-respecting
> developer has known for several decades that highly
> cohesive, loosely coupled systems are desirable. What
> struck me from that picture was not just the number of
> lines, but the number of cross points between the
> lines that indicates high coupling.
>
> Statistically speaking it is clear that having more
> function calls increases the absolute risk.
>
> On the other hand the argument of "this is C++ vs.
> whatever" is misleading.
>
> If the picture shows calls at the name space level C++
> should be less complex.
>
> If it shows them at the vtables level then it will be
> more complex.
>
> Object oriented languages are meant to simplify
> complexity for the human brain, making it less likely
> to make mistakes.
>
> If the calls shown were at the vtable level then they
> would be a critique of the compiler not the
> application, so I highly doubt they are at that level.
>
> _________________
>
> http://rarsa.blogspot.com/
> An eclectic collection of random thoughts
> _______________________________________________
> KWLUG-Disc mailing list
> KWLUG-Disc at kwlug.org
> http://listserv.kwlug.org/mailman/listinfo/kwlug-disc
>
>
> ** ACCEPT: CRM114 PASS osb unique microgroom Matcher **
> CLASSIFY succeeds; success probability: 1.0000 pR: 40.0075
> Best match to file #0 (/home/abez/crm/nonspam.css) prob: 1.0000 pR: 40.0075
> Total features in input file: 4688
> #0 (/home/abez/crm/nonspam.css): features: 360992, hits: 4264704, prob: 1.00e+00, pR: 40.01
> #1 (/home/abez/crm/spam.css): features: 1998313, hits: 3337724, prob: 9.83e-41, pR: -40.01
>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iD8DBQFFzgUpnOrfa1yW8IURAhtLAKCA5IWHer0YA1NjjxQTYk4QfgMaiACgpJOG
iOfLXuxlpc/4aI93XjneAK0=
=dJ/f
-----END PGP SIGNATURE-----
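Abram's point about static servers (oversized request lines or user-agent headers, and "../../../" in the path) is the kind of thing a minimal static-file server has to check before touching the filesystem. The following is an added example, not code from this thread, from Apache or from IIS: a request pre-check that enforces size limits and maps a URL path onto a document root while rejecting any path that would escape it. The document root, the size limits and the sample requests are constructed values.

```python
"""Defensive pre-checks for a minimal static-file server.

Added example, not code from the thread, Apache or IIS. The document
root, the limits and the sample requests below are constructed values.
"""
import posixpath
from urllib.parse import unquote

DOCROOT = "/srv/www/static"   # constructed, hypothetical document root
MAX_REQUEST_LINE = 2048       # assumed limit on the "GET /path HTTP/1.1" line
MAX_HEADER_LINE = 8192        # assumed limit on any single header line


def resolve_static_path(docroot, request_path):
    """Map a URL path onto a file under docroot.

    Returns the normalised absolute path, or None when the request would
    escape the document root (".." segments, percent-encoded or not) or
    carries characters a static server should never pass to the OS.
    """
    root = posixpath.normpath(docroot)
    # Drop the query string, then decode %xx exactly once so "%2e%2e" is
    # seen as "..". Decoding a second time would reopen the hole.
    decoded = unquote(request_path.split("?", 1)[0])
    if "\x00" in decoded or "\\" in decoded:
        return None
    candidate = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    # Segment-aware containment check: a plain startswith() would wrongly
    # accept "/srv/www/static2/x" for root "/srv/www/static".
    if posixpath.commonpath([root, candidate]) != root:
        return None
    return candidate


def check_request(raw):
    """Parse a raw HTTP/1.x request and return (status, resolved_path).

    414: request line too long, 431: a header line too long,
    400: malformed request line, 403: path escapes the document root,
    200: path resolved (second element is the file to serve).
    """
    lines = raw.split(b"\r\n")
    request_line = lines[0]
    if len(request_line) > MAX_REQUEST_LINE:
        return 414, None
    for header in lines[1:]:
        if header == b"":          # blank line ends the header section
            break
        if len(header) > MAX_HEADER_LINE:
            return 431, None
    parts = request_line.split(b" ")
    if len(parts) != 3 or parts[0] != b"GET" or not parts[2].startswith(b"HTTP/1."):
        return 400, None
    path = resolve_static_path(DOCROOT, parts[1].decode("latin-1"))
    if path is None:
        return 403, None
    return 200, path


# Constructed sample requests: one benign, one traversal (encoded and
# plain), one oversized URL and one oversized User-Agent header.
SAMPLE_REQUESTS = {
    "benign":       b"GET /css/../index.html HTTP/1.1\r\nHost: example.test\r\n\r\n",
    "traversal":    b"GET /../../../../etc/passwd HTTP/1.1\r\nHost: example.test\r\n\r\n",
    "encoded":      b"GET /%2e%2e/%2e%2e/etc/passwd HTTP/1.1\r\nHost: example.test\r\n\r\n",
    "long_url":     b"GET /" + b"A" * 3000 + b" HTTP/1.1\r\nHost: example.test\r\n\r\n",
    "long_header":  b"GET / HTTP/1.1\r\nUser-Agent: " + b"B" * 9000 + b"\r\n\r\n",
}


def run_samples():
    """Return {name: status} for the constructed sample requests."""
    return {name: check_request(req)[0] for name, req in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, status in run_samples().items():
        print(f"{name:12s} -> {status}")
```

The size checks run before any parsing so an oversized line is rejected without being copied around, and the containment test is done on the normalised string rather than by scanning for the literal ".." substring, which is what lets "/css/../index.html" through while "/../../etc/passwd" and its percent-encoded form are both refused.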