Home > Uncategorized > “Hello World” or “Oh mum, what a complex World”

“Hello World” or “Oh mum, what a complex World”

Hello World is a typical example of a small program used as an introductory tutorial for all programming languages. It has also evolved to act as an introductory act for blogs as well . WordPress creates a “Hello World” post automatically when creating a blog. Anyway you got the point. Given that one would imagine that a Hello World in any given language is a fairly simple piece of code. And it usually is. But simple to write doesn’t necessarily mean not complex.

McGraw[1] defines software complexity as one of the three factors in the trinity of trouble for software security. The other two are connectivity and extensibility.

So we have a simple HelloWorld code snippet in Java :

public class Hello {
/**
* @param args
*/
public static void main (String[] args)  {
// TODO Auto-generated method stub
System.out.println("Hello World!");
}
}

Fairly simple right ? Can you imagine how many system and library calls this program makes while executing ?

System Calls :

ilektrojohn@securebook:~$ strace -c -f -q java Hello
Hello World!
upeek: ptrace(PTRACE_PEEKUSER,19107,120,0): No such process
% time     seconds  usecs/call     calls    errors syscall
------ ----------- ----------- --------- --------- ----------------
100.00    0.044222         533        83         3 futex
  0.00    0.000000           0       632           read
  0.00    0.000000           0         2           write
  0.00    0.000000           0       109        61 open
  0.00    0.000000           0        49           close
  0.00    0.000000           0        58        28 stat
  0.00    0.000000           0        44           fstat
  0.00    0.000000           0        50         1 lstat
  0.00    0.000000           0       598           lseek
  0.00    0.000000           0       125           mmap
  0.00    0.000000           0        51           mprotect
  0.00    0.000000           0        20           munmap
  0.00    0.000000           0        10           brk
  0.00    0.000000           0        27           rt_sigaction
  0.00    0.000000           0        42           rt_sigprocmask
  0.00    0.000000           0        18        16 access
  0.00    0.000000           0         2           sched_yield
  0.00    0.000000           0         2           socket
  0.00    0.000000           0         2         2 connect
  0.00    0.000000           0        11           clone
  0.00    0.000000           0         2           execve
  0.00    0.000000           0         1           uname
  0.00    0.000000           0         4           fcntl
  0.00    0.000000           0         1           ftruncate
  0.00    0.000000           0         6           getdents
  0.00    0.000000           0         1           getcwd
  0.00    0.000000           0         1         1 mkdir
  0.00    0.000000           0         1           unlink
  0.00    0.000000           0         4           readlink
  0.00    0.000000           0         4           getrlimit
  0.00    0.000000           0         3           getuid
  0.00    0.000000           0         2           getgid
  0.00    0.000000           0         3           geteuid
  0.00    0.000000           0         2           getegid
  0.00    0.000000           0         2           arch_prctl
  0.00    0.000000           0         1           setrlimit
  0.00    0.000000           0        12           gettid
  0.00    0.000000           0        24           sched_getaffinity
  0.00    0.000000           0         2           set_tid_address
  0.00    0.000000           0         1           clock_getres
  0.00    0.000000           0        13           set_robust_list
------ ----------- ----------- --------- --------- ----------------
100.00    0.044222                  2025       112 total

Library Calls

ilektrojohn@securebook:~$ ltrace -c -f java Hello

Hello World!

% time     seconds  usecs/call     calls      function

------ ----------- ----------- --------- --------------------

 91.11    0.126965      126965         1 pthread_join

  1.68    0.002335          53        44 fgets

  1.50    0.002085        2085         1 dlopen

  0.73    0.001015          59        17 JLI_MemAlloc

  0.52    0.000727          45        16 JLI_StringDup

  0.37    0.000522          43        12 strcspn

  0.37    0.000515          42        12 strspn

  0.37    0.000511          28        18 strlen

  0.36    0.000498          33        15 JLI_MemFree

  0.30    0.000422          38        11 getenv

  0.27    0.000372          46         8 sprintf

  0.25    0.000343          42         8 strrchr

  0.21    0.000295          36         8 strcat

  0.19    0.000260         130         2 fclose

  0.17    0.000233         116         2 fopen

  0.16    0.000224         112         2 readlink

  0.14    0.000196          98         2 getuid

  0.14    0.000191          95         2 access

  0.13    0.000182          91         2 __xstat

  0.12    0.000161          80         2 getgid

  0.11    0.000154          77         2 geteuid

  0.11    0.000152          76         2 getegid

  0.10    0.000136          27         5 strchr

  0.08    0.000116         116         1 pthread_create

  0.08    0.000115          57         2 memset

  0.07    0.000103          51         2 strcpy

  0.07    0.000102          51         2 strncpy

  0.07    0.000095          47         2 JLI_FreeManifest

  0.06    0.000086          43         2 fflush

  0.04    0.000059          59         1 putenv

  0.04    0.000057          57         1 pthread_attr_destroy

  0.02    0.000034          17         2 dlsym

  0.01    0.000018          18         1 pthread_attr_init

  0.01    0.000016          16         1 JLI_WildcardExpandClasspath

  0.01    0.000016          16         1 strncmp

  0.01    0.000014          14         1 pthread_attr_setstacksize

  0.01    0.000014          14         1 getpid

  0.01    0.000013          13         1 pthread_attr_setdetachstate

------ ----------- ----------- --------- --------------------

100.00    0.139352                   215 total

You can get the drill, complexity is a beast. Ah, and I almost forgot : Hello world 😉

[1] Gary McGraw (2006). Software Security, Building Security In. Crawfordsville, Indiana: Addison-Wesley Professional. p7-10.

Advertisements
Categories: Uncategorized
  1. March 1, 2010 at 4:15 pm

    Seriously, you have to love Java (a language that i never touched)

    I liked the experiment , and I just tried it in C. Since i am not sure that i will be able to post here correctly (formatting and all), i am posting the results here: http://blog.nihilnovo.eu/?p=799

  2. October 22, 2010 at 1:26 am

    I really like the idea behind this small experiment,however, I will have to be a naysayer in certain aspects of the blog post.

    With Java (which is far,far away from being one of my favourite programming languages), you get a complex VM, that initializes itself, loads the bytecode and executes it, is this supposed to take the same number of sys/lcalls with C? Or does that even proves anything?

    This is the reason we are not coding everything in assembler anymore, we delegate certain elements towards the backend in order to do both less work and more complex/expressive work. I am also confident (recent JRE exploits notwithstanding, implementation bugs go away eventually) that this is not the complexity Dr McGraw had in mind! From a syscall/library call perspective, assembler is the “lightest” thus the less complex, right? By extension, the other two factors you mention being equal, the program coded in assembler would be the less likely to have bugs (security or otherwise). Obviously, this is false 🙂

    In any case, welcome to blogging and I really look forward to your next posts!

    PS: My overkill experiment (I just could not resist!) is located at https://woktime.wordpress.com/2010/10/22/hello-world-demystified/

  3. ilektrojohn
    October 22, 2010 at 11:13 am

    Thanks for the comment and the welcome ( actually as you can see from the date, its an old post, but since I am rebooting the blog your welcome is welcome 🙂 ) .

    As for the things that you pointed out : Of course it is not supposed to take the same calls as a C program that has the same functionality. My idea was not to compare C to Java, or to prove that Java is unnecessarily more complex. This is what Dimitris and you did in your posts( the comparison part I mean), and as it is interesting to see the differences, it wasn’t the point I was trying to make.

    My point can be summarized in these sentences : “Given that one would imagine that a Hello World in any given language is a fairly simple piece of code. And it usually is. But simple to write doesn’t necessarily mean not complex.” The fact that 3 lines of code that only print a string in stdout needs 2025 system calls and 215 library calls. It’s not about Java being complex, as you pointed out, JVM needs to be initialized, bytecode is loaded, verified and executed e.t.c.
    You’re probably right though, about Dr McGraw not having in mind this “kind of” complexity.

    Anyhow, I wrote this post after a discussion in class about buffer overflows. The main question was if programming in languages with memory management like Java or Perl means that you don’t have to think about buffer overflows at all. Well, not programming in C eliminates programmer-introduced buffer overflow vulnerabilities, but one has to consider in what language the JVM and the OS he is using , is written.

  4. October 24, 2010 at 3:28 pm

    Hello again,
    The 2000+ syscalls and 200+ lcalls is a “one-time” cost for most of the cases, therefore if your program is “Hello World” or something a bit more complex, you end up “paying for it”, although in the case of a more complex program the cost/output ratio (I am being very, very loose with the ratio definition) is much much smaller.
    One should always keep in mind that buffer overflows (and derivatives of them) can always lurk in the corner. The most common example is having code in a higher level language, such as Java, interfacing with poorly written/understood legacy C/C++ code, however other elements such as the quality of the interpreter/VM (where applicable) come into play

  5. February 16, 2013 at 4:38 am

    Hi there, just became alert to your blog through Google, and found that it is really informative.
    I’m gonna watch out for brussels. I will appreciate if you continue this in future. Numerous people will be benefited from your writing. Cheers!

  6. April 1, 2013 at 11:33 am

    Heya i’m for the primary time here. I found this board and I find It truly useful & it helped me out a lot. I’m hoping to give one thing back
    and aid others such as you helped me.

  1. March 1, 2010 at 4:14 pm

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: