PDA

View Full Version : Why Apache on Linux is significantly better than IIS on Windows



ComplexNumber
February 3rd, 2007, 02:03 AM
rather than have me explain, i will just say that a picture (http://www.visualcomplexity.com/vc/project_details.cfm?index=392&id=392&domain=) is worth a thousand words.
i thought it was quite interesting.

Brainfart
February 3rd, 2007, 02:11 AM
I wish I could see what all the labels were, which ones were system calls and which ones were part of the server software. Without that, it's hard to actually conclude anything security wise just based on the images...

euler_fan
February 3rd, 2007, 04:02 AM
I can certainly agree with the premise if there are fewer doors to lock, so to speak, it is easier to lock them all.

I just hope it has been done or there is a good set of documentation on how to do it.

mips
February 3rd, 2007, 04:18 PM
http://blogs.zdnet.com/threatchaos/?p=311 bigger versions here if you click on the links below the pics but you still cannot read the labels.

Maybe fire a mail off to http://www.sanasecurity.com/ I could not find the info on their site.

G Morgan
February 3rd, 2007, 04:51 PM
Apache is better because it is a vetted OSS project designed for portability. IIS is a monolithic, closed source piece of junk who's creators deserve death and despair in the deepest bowls of the warp. May Khorne show them mercy for they will find none from me :).

garba
February 3rd, 2007, 10:11 PM
you can rearrange the graph nodes and make things look messy and complicated on linux too

23meg
February 3rd, 2007, 10:19 PM
you can rearrange the graph nodes and make things look messy and complicated on linux too
Based on the premise here,

1) Why would you?

2) Can you do the opposite in IIS?

Phatfiddler
February 3rd, 2007, 10:32 PM
Before I make any judgments on the pictures, I would like to know:

1)What process was used to determine the number of required calls

2)Whether the images were generated by a program, or designed by a person


Until I see the methods used to create the images, I refuse to use them as an argument.

koenn
February 3rd, 2007, 10:38 PM
your second question is answered in the text that goes with the pcitures, isn't it ?

Tomosaur
February 3rd, 2007, 11:03 PM
I assume the labels are clustered to represent calls to related parts of the system. Those which handle file I/O (ie, finding the image) are grouped. Those which handle networking are grouped. Those which handle logging the file are grouped. Those which handle security are grouped etc etc etc. The redundancy and excessive amount of calls (compared to the Linux image) in the Windows system don't necessarily mean Windows is any less secure, it just means it's a lot less efficient.

koenn
February 3rd, 2007, 11:59 PM
don't necessarily mean Windows is any less secure, it just means it's a lot less efficient.
The assumption is that every system call accesses memory (to execute an instruction stored at a given memory address), and therefore might be used for buffer overruns, an exploit technigue based on having a program execute more that it should, i.c. malicious code also loaded in the memory. This can be prevented with good coding practises, but the more instructions that need to be called, to more chance their's a vulnarable one amongst them.

It's true in principle, but of course, the article was written by a firm that sells security and thus to be taken with a grain of salt

Brainfart
February 4th, 2007, 01:12 AM
It's true in principle, but of course, the article was written by a firm that sells security and thus to be taken with a grain of salt
QFT :D

Tomosaur
February 4th, 2007, 01:18 AM
The assumption is that every system call accesses memory (to execute an instruction stored at a given memory address), and therefore might be used for buffer overruns, an exploit technigue based on having a program execute more that it should, i.c. malicious code also loaded in the memory. This can be prevented with good coding practises, but the more instructions that need to be called, to more chance their's a vulnarable one amongst them.

It's true in principle, but of course, the article was written by a firm that sells security and thus to be taken with a grain of salt

What I meant was - the claim relies entirely on the dev teams not securing the software. Linux may be more efficient in terms of the number of calls made, but that doesn't mean there's any more protection in place than is present in the Windows system, or that there are any vulnerabilities in the Windows code. All it proves is that the Windows system is less efficient, and it doesn't even do a very good job of that, either. Without sitting there and counting the labels, it looks like the Windows image has roughly the same number of labels as the Linux version, it's just that the Linux one is more organised and looks cleaner. I know what buffer overruns are, I just don't see any reason why these images prove anything about Microsoft products' quality. Obviously, I think Linux is better than Windows, or I wouldn't be here, but I don't think the images are very good at proving what it suggests.