A recent post by independent blogger Richard Stiennon on ZDNet (http://blogs.zdnet.com/threatchaos/?p=311) on the system calls involved in viewing a simple HTML page has generated much heated debate over which operating system is more secure (Windows vs. Linux). Depending on which camp you belong to, the view might be drastically different. There have been many similar debates in the past (e.g. the number of unpatched security threats, or the total number of security threats in a given time period) over which operating system is superior, and each side seems to have some valid points that support its own view.
Objectively though, we should not forget some of the very fundamental laws of physics and mathematics: the reliability of a system (in software, reliability is an indicator of quality and is strongly correlated with security) is a function of the reliabilities of all the subsystems it consists of. In particular, in a serially connected system the reliability of the whole system can be expressed as the product of the reliabilities of each individual component:
While the security issues of any given operating system are generally much more complex than our oversimplified model of a serially connected system, it gives us a general idea of how complexity affects the reliability, and ultimately the security, of a system.
So there is no doubt that the total number and depth of system calls is strongly correlated with the overall security of an operating system. While many of the follow-up discussions to the original article seemed to dismiss the way Richard presented his case, I would have to agree with the author.
After all, as the number of lines of code grows, the number of potential errors will also grow. And because of the relation above, the attacker needs only to find the weakest link. As Andrew Tanenbaum stated in his ubiquitous textbook "Modern Operating Systems" (second edition, see page 859), one of the most important design goals of an operating system is simplicity. And I really like the quote he used:
Perfection is reached not when there is no longer anything to add, but when there is no longer anything to take away.
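To make the series-reliability model and its weakest-link consequence concrete, here is a small worked example. This is added illustration, not code from the original post or from any operating system discussed in it; the per-call reliabilities and call counts are constructed numbers chosen only to show the shape of the curve, not measurements of Windows or Linux.

```python
# Added example: series reliability of a chain of components (e.g. the system
# calls exercised while rendering one page). All numbers below are constructed
# for illustration and are not measurements of any real operating system.
import math
from functools import reduce
from operator import mul


def series_reliability(component_reliabilities):
    """Reliability of a system in which every component must work.

    For a serially connected system R_total is the product of the individual
    reliabilities R_1 * R_2 * ... * R_n, each in the range [0, 1].
    """
    if not component_reliabilities:
        raise ValueError("need at least one component")
    for r in component_reliabilities:
        if not 0.0 <= r <= 1.0:
            raise ValueError(f"reliability {r!r} is not in [0, 1]")
    return reduce(mul, component_reliabilities, 1.0)


def weakest_link(component_reliabilities):
    """The single least reliable component. The product can never exceed it,
    which is the 'attacker needs only the weakest link' observation."""
    return min(component_reliabilities)


def reliability_by_count(per_component, counts):
    """Overall reliability of chains of n identical components, for each n."""
    return {n: per_component ** n for n in counts}


def components_until_below(per_component, threshold):
    """Smallest chain length n at which per_component**n drops below threshold.

    Computed by iteration rather than logarithms to avoid rounding surprises
    at the boundary.
    """
    if not 0.0 < per_component < 1.0 or not 0.0 < threshold < 1.0:
        raise ValueError("per_component and threshold must lie strictly in (0, 1)")
    n, total = 0, 1.0
    while total >= threshold:
        n += 1
        total *= per_component
    return n


if __name__ == "__main__":
    # Constructed scenario: each call in the chain works 99.9% of the time.
    per_call = 0.999
    # Two hypothetical code paths: a short one and a long one.
    for n, r in reliability_by_count(per_call, (10, 50, 200)).items():
        print(f"{n:4d} calls -> overall reliability {r:.4f}")
    # A chain with one poor component is capped by that component.
    chain = [0.999, 0.999, 0.90, 0.999]
    print("weakest link:", weakest_link(chain), "product:", round(series_reliability(chain), 4))
    print("calls before overall reliability falls below 0.95:",
          components_until_below(per_call, 0.95))
```

The two things to take from running it: the product falls off faster than intuition suggests as the chain lengthens (identical 99.9% components are below 95% overall after 52 of them), and no amount of excellent components elsewhere can raise the total above the weakest one.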