07 February 2007

Windows: Rat's Nest and Dog's Breakfast

As Edward Tufte has explained far more eloquently than I can, images are able to convey information far more compactly and efficiently than words. So you don't have to be a geek to appreciate the two images in this posting:

Both images are a complete map of the system calls that occur when a web server serves up a single page of HTML with a single picture. The same page and picture.

Well, not quite. The upper picture shows Apache running on GNU/Linux; the lower, IIS running on Windows. The former looks like a motherboard: complicated but orderly; the latter is simply a rat's nest.

As the post says:

A system call is an opportunity to address memory. A hacker investigates each memory access to see if it is vulnerable to a buffer overflow attack. The developer must do QA on each of these entry points. The more system calls, the greater potential for vulnerability, the more effort needed to create secure applications.

Now, some have criticised this on the grounds that people don't attempt to attack systems through static Web pages. This is true, and a raw count of system calls is only a crude proxy for attack surface: what matters to an attacker is how many of those calls handle bytes that came in from the network, and how carefully each of those paths was checked. But the point is, if this is the difference for a simple operation like displaying a Web page, imagine the contrast for more complex tasks. It is precisely those tasks that offer the greatest scope for finding weaknesses. Thus the images in the post above offer a graphic, if not literal, representation of the dog's breakfast that is Windows security. (Via Slashdot.)
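The images in the linked post are visualisations of exactly this kind of data. As an added example (mine, not code from the original post or from either web server), here is how the raw material for such a map is collected on GNU/Linux with strace, and a small parser that turns the trace into the numbers the pictures are really about: how many calls, how many distinct calls, and how many of them copy bytes from an accepted network socket into the server's memory. The trace embedded below is a constructed sample in the format strace -f -o produces, not a capture of Apache or IIS.

```python
import re
from collections import Counter

# How the trace would be collected for real (assumed commands, not from the post):
#   strace -f -o trace.log apache2 -X      # -X: single-process debug mode
#   curl -s http://localhost/index.html >/dev/null; curl -s http://localhost/logo.png >/dev/null
# Constructed sample of `strace -f -o trace.log` output (pid-prefixed lines).
SAMPLE_TRACE = """\
2101 accept4(4, {sa_family=AF_INET, sin_port=htons(51522), sin_addr=inet_addr("127.0.0.1")}, [16], SOCK_CLOEXEC) = 9
2101 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x7f1) = 2102
2102 read(9, "GET /index.html HTTP/1.1\\r\\n", 8000) = 26
2102 openat(AT_FDCWD, "/var/www/index.html", O_RDONLY|O_CLOEXEC) = 10
2102 fstat(10, {st_mode=S_IFREG|0644, st_size=512, ...}) = 0
2102 mmap(NULL, 4096, PROT_READ, MAP_SHARED, 10, 0) = 0x7f3a0
2102 write(9, "HTTP/1.1 200 OK\\r\\n", 17) = 17
2102 sendfile(9, 10, NULL, 512 <unfinished ...>
2101 --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=2102, si_uid=33, si_status=0} ---
2102 <... sendfile resumed>) = 512
2102 close(10)                          = 0
2102 read(9, "GET /logo.png HTTP/1.1\\r\\n", 8000) = 25
2102 openat(AT_FDCWD, "/var/www/logo.png", O_RDONLY|O_CLOEXEC) = 10
2102 read(10, "\\x89PNG\\r\\n\\x1a\\n", 8192) = 2048
2102 write(9, "\\x89PNG...", 2048) = 2048
2102 close(10)                          = 0
2102 exit_group(0)                      = ?
2102 +++ exited with 0 +++
"""

MEMORY_CALLS = {"mmap", "munmap", "mprotect", "brk", "mremap"}
INPUT_CALLS = {"read", "readv", "pread64", "recv", "recvfrom", "recvmsg"}
ACCEPT_CALLS = {"accept", "accept4"}

START_RE = re.compile(r"^(?P<pid>\d+)\s+(?P<call>\w+)\((?P<args>.*)$")
RESUMED_RE = re.compile(r"^(?P<pid>\d+)\s+<\.\.\. (?P<call>\w+) resumed>(?P<rest>.*)$")
RET_RE = re.compile(r"\)\s*=\s*(?P<ret>0x[0-9a-f]+|-?\d+|\?)")


def _ret(s):
    """Return value after ') = ', or None when strace printed '?' (no return)."""
    m = RET_RE.search(s)
    if not m or m.group("ret") == "?":
        return None
    return int(m.group("ret"), 0)


def parse_strace(text):
    """Yield (pid, call, first_arg, ret) for each completed syscall.
    '<unfinished ...>' lines are paired with their '<... call resumed>'
    continuation per pid; signal (--- ... ---) and exit (+++ ... +++) lines are skipped."""
    pending = {}
    for line in text.splitlines():
        m = RESUMED_RE.match(line)
        if m:
            pid = int(m.group("pid"))
            call, first_arg = pending.pop(pid, (m.group("call"), ""))
            yield pid, call, first_arg, _ret(m.group("rest"))
            continue
        m = START_RE.match(line)
        if not m:
            continue
        pid, call, args = int(m.group("pid")), m.group("call"), m.group("args")
        first_arg = re.match(r"[^,)]*", args).group(0).strip()
        if args.rstrip().endswith("<unfinished ...>"):
            pending[pid] = (call, first_arg)
            continue
        yield pid, call, first_arg, _ret(args)


def summarize(text):
    """Aggregate a trace into the figures the post's images visualise, plus the
    one that matters most: reads that copy bytes from an accepted socket into memory.
    Assumption: fds returned by accept()/accept4() stay valid across fork()."""
    by_name, by_pid = Counter(), Counter()
    socket_fds = set()
    untrusted_reads = untrusted_bytes = memory_calls = 0
    for pid, call, first_arg, ret in parse_strace(text):
        by_name[call] += 1
        by_pid[pid] += 1
        if call in ACCEPT_CALLS and ret is not None and ret >= 0:
            socket_fds.add(ret)
        elif call in INPUT_CALLS and first_arg.isdigit() and int(first_arg) in socket_fds:
            untrusted_reads += 1
            untrusted_bytes += max(ret or 0, 0)
        elif call in MEMORY_CALLS:
            memory_calls += 1
    return {
        "total_calls": sum(by_name.values()),
        "distinct_syscalls": len(by_name),
        "per_pid": dict(by_pid),
        "by_name": dict(by_name),
        "memory_calls": memory_calls,
        "untrusted_reads": untrusted_reads,
        "untrusted_bytes": untrusted_bytes,
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_TRACE).items():
        print(f"{key}: {value}")
```

On the constructed trace this reports 15 calls across 10 distinct syscalls, of which only two (the read() calls on fd 9, the accepted socket) carry attacker-supplied bytes. Run against a real trace of a server, the last two numbers are the ones worth comparing between platforms; the total is the one the pictures show.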
