Blaming Windows security and praising Linux has become a cliché. No one really thinks about why this is so, since the classic “Microsoft suxx” explains everything at once.
But the good man Richard Stiennon took it more seriously. Using the same simple task as an example (a web server returning an HTML page with a picture), he built a system call map.
According to his results, this is what the flow of control looks like when Apache is running under Linux:

Solving the same problem, IIS for Windows does a significantly larger amount of work:

The author's argument sounds reasonable: every extra call is an additional point at which an error can occur. Incorrect parameter passing, insufficient checking of value ranges, stack overflow, etc.: all of these are potential problems that need to be tested and analyzed. And these are the problems that could potentially be exploited in an attack.
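The counting behind such a map can be reproduced on any captured trace. The sketch below is an added example, not Stiennon's method or tooling (the page does not say how his maps were produced): it assumes text output in the style of `strace -f -o FILE`, uses a constructed sample trace, and reports how many distinct calls and call-to-call transitions a request touches.

```python
import re
from collections import Counter

# Constructed strace-style lines (format of `strace -f -o FILE`) for one
# keep-alive connection fetching a page and its picture; not a real capture.
SAMPLE_TRACE = r"""
4242 accept4(3, {sa_family=AF_INET}, [16], SOCK_CLOEXEC) = 9
4242 read(9, "GET /index.html HTTP/1.1\r\n", 8000) = 26
4242 stat("/var/www/index.html", {st_mode=S_IFREG|0644}) = 0
4242 openat(AT_FDCWD, "/var/www/index.html", O_RDONLY) = 10
4242 writev(9, [{iov_base="HTTP/1.1 200 OK\r\n", iov_len=17}], 1) = 17
4242 sendfile(9, 10, [0], 512) = 512
4242 close(10) = 0
4242 read(9, "GET /logo.png HTTP/1.1\r\n", 8000) = 24
4242 stat("/var/www/logo.png", {st_mode=S_IFREG|0644}) = 0
4242 openat(AT_FDCWD, "/var/www/logo.png", O_RDONLY) = 10
4242 writev(9, [{iov_base="HTTP/1.1 200 OK\r\n", iov_len=17}], 1) = 17
4242 sendfile(9, 10, [0], 2048) = 2048
4242 close(10) = 0
4242 read(9, 0x7ffd1000, 8000) = -1 EAGAIN (Resource temporarily unavailable)
4242 +++ exited with 0 +++
"""

# Optional pid prefix ("4242 " or "[pid 4242] "), then the syscall name and "(".
# "<... read resumed>" continuation lines do not match, so a call counts once.
CALL_RE = re.compile(r"^(?:\[pid\s+\d+\]\s+|\d+\s+)?([a-z_][a-z0-9_]*)\(")

def parse_calls(trace):
    """Return syscall names in order, skipping signal, exit and blank lines."""
    calls = []
    for line in trace.splitlines():
        m = CALL_RE.match(line.strip())
        if m:
            calls.append(m.group(1))
    return calls

def call_map(calls):
    """Nodes are distinct syscalls; edges are observed A -> B transitions."""
    return Counter(calls), Counter(zip(calls, calls[1:]))

def summarize(trace):
    calls = parse_calls(trace)
    nodes, edges = call_map(calls)
    return {"total": len(calls), "distinct_calls": len(nodes),
            "distinct_edges": len(edges)}

if __name__ == "__main__":
    print(summarize(SAMPLE_TRACE))
    for (src, dst), n in sorted(call_map(parse_calls(SAMPLE_TRACE))[1].items()):
        print(f"{src} -> {dst}  x{n}")
```

The distinct-call and distinct-edge counts are the numbers to compare between two servers handling the same request; each distinct call is one more interface whose parameter handling has to be tested.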
At the same time, as I personally think, it is necessary to take into account the fact that on the one hand we have open source software, and on the other hand Microsoft’s policy of ignoring defects if they have not received wide publicity.
P.S. Richard Stiennon published a few larger pictures for Apache and IIS, but, IMHO, not large enough.