[Dailydave] Graphing: Don't believe everything you see.
Felix von Leitner
felix-dailydave at fefe.de
Tue Feb 6 21:58:54 EST 2007
Thus spake Dave Aitel (dave at immunityinc.com):
> Complexity only correlates with insecurity; it doesn't let you make
> order-of-magnitude judgment calls. Especially not based on graphs like
> that.
Actually, an asynchronous webserver needs these syscalls to handle the
two requests:

  GetQueuedCompletionStatus returns
  [socket+AcceptEx+CreateIoCompletionPort to queue the next request]
  CreateFile on the file to be served
  GetFileSize et al to get header data (optional)
  TransmitFile to send the response
  CloseFile to close the file
  ReadFile to read the second request
  GetQueuedCompletionStatus returns again
  CreateFile on the file to be served
  GetFileSize et al to get header data (optional)
  TransmitFile to send the response
  CloseFile to close the file
  closesocket

That's it. No, really. Sprinkle in some VirtualAlloc and friends for
malloc and free, but that's it.
So if you see a graph in fine print about how a couple hundred syscalls
are being called by a web server, that's a pretty good indicator that
there's something wrong with it.
Keep things simple.
That said: this particular troll is from mid-2006 and was on
Slashdot back then, too. There is no reason to get worked up about it
now.
Felix
PS: Apache is a bloated pig. People use it because so many other
people are using it, not because there are any actual rational reasons
to use it. IIS is a pig, too. People use it because it comes with
Windows, and because it cheats (so it's faster than a pure user space
web server can be).
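
Added example, not part of the original message: a small Python audit that treats the 15 calls listed in the message (names copied verbatim) as a baseline and reports what an observed trace does beyond it. The trace line format, the sample trace and the reading of "VirtualAlloc and friends" as VirtualAlloc/VirtualFree are assumptions made for this example.

```python
import re
from collections import Counter

# The 15 calls the message lists for two requests on one connection
# (names copied verbatim from the message).
PER_REQUEST = ["CreateFile", "GetFileSize", "TransmitFile", "CloseFile"]
EXPECTED = (["GetQueuedCompletionStatus", "socket", "AcceptEx",
             "CreateIoCompletionPort"] + PER_REQUEST +
            ["ReadFile", "GetQueuedCompletionStatus"] + PER_REQUEST +
            ["closesocket"])
# Assumption: "VirtualAlloc and friends" is taken to mean these two.
ALLOCATOR = {"VirtualAlloc", "VirtualFree"}

# Hypothetical trace format: "<seq> <ApiName>(...)", one call per line.
CALL_RE = re.compile(r"^\s*\d+\s+([A-Za-z_]\w*)\(")


def parse_trace(text):
    """Return the API names, in order, from '<seq> <Api>(...)' lines."""
    return [m.group(1) for line in text.splitlines()
            if (m := CALL_RE.match(line))]


def audit(calls):
    """Compare an observed call list with the message's baseline."""
    observed = Counter(c for c in calls if c not in ALLOCATOR)
    baseline = Counter(EXPECTED)
    extra = observed - baseline      # calls beyond the baseline counts
    missing = baseline - observed    # baseline calls never seen
    return {
        "total": sum(observed.values()),
        "baseline": len(EXPECTED),
        "extra": dict(extra),
        "missing": dict(missing),
        "outside_baseline": sorted(set(extra) - set(EXPECTED)),
    }


# Constructed sample trace (not captured from any real server): the
# baseline plus two registry reads, one allocation and one extra file open.
SAMPLE = "\n".join(f"{i} {name}(...)" for i, name in enumerate(
    EXPECTED[:4] + ["RegOpenKeyExW", "RegQueryValueExW", "VirtualAlloc"]
    + EXPECTED[4:] + ["CreateFile", "CloseFile"], 1))

if __name__ == "__main__":
    print(audit(parse_trace(SAMPLE)))
```

The "outside_baseline" entry is the part worth reading first: it names the kernel entry points the server touches that the minimal request path never needs.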