“Hello World” or “Oh mum, what a complex World”
Hello World is a typical example of a small program used as an introductory tutorial for all programming languages. It has also evolved to act as an introductory act for blogs as well . WordPress creates a “Hello World” post automatically when creating a blog. Anyway you got the point. Given that one would imagine that a Hello World in any given language is a fairly simple piece of code. And it usually is. But simple to write doesn’t necessarily mean not complex.
McGraw[1] defines software complexity as one of the three factors in the trinity of trouble for software security. The other two are connectivity and extensibility.
So we have a simple HelloWorld code snippet in Java :
public class Hello { /** * @param args */ public static void main (String[] args) { // TODO Auto-generated method stub System.out.println("Hello World!"); } }
Fairly simple right ? Can you imagine how many system and library calls this program makes while executing ?
System Calls :
ilektrojohn@securebook:~$ strace -c -f -q java HelloHello World!upeek: ptrace(PTRACE_PEEKUSER,19107,120,0): No such process% time seconds usecs/call calls errors syscall------ ----------- ----------- --------- --------- ----------------100.00 0.044222 533 83 3 futex0.00 0.000000 0 632 read0.00 0.000000 0 2 write0.00 0.000000 0 109 61 open0.00 0.000000 0 49 close0.00 0.000000 0 58 28 stat0.00 0.000000 0 44 fstat0.00 0.000000 0 50 1 lstat0.00 0.000000 0 598 lseek0.00 0.000000 0 125 mmap0.00 0.000000 0 51 mprotect0.00 0.000000 0 20 munmap0.00 0.000000 0 10 brk0.00 0.000000 0 27 rt_sigaction0.00 0.000000 0 42 rt_sigprocmask0.00 0.000000 0 18 16 access0.00 0.000000 0 2 sched_yield0.00 0.000000 0 2 socket0.00 0.000000 0 2 2 connect0.00 0.000000 0 11 clone0.00 0.000000 0 2 execve0.00 0.000000 0 1 uname0.00 0.000000 0 4 fcntl0.00 0.000000 0 1 ftruncate0.00 0.000000 0 6 getdents0.00 0.000000 0 1 getcwd0.00 0.000000 0 1 1 mkdir0.00 0.000000 0 1 unlink0.00 0.000000 0 4 readlink0.00 0.000000 0 4 getrlimit0.00 0.000000 0 3 getuid0.00 0.000000 0 2 getgid0.00 0.000000 0 3 geteuid0.00 0.000000 0 2 getegid0.00 0.000000 0 2 arch_prctl0.00 0.000000 0 1 setrlimit0.00 0.000000 0 12 gettid0.00 0.000000 0 24 sched_getaffinity0.00 0.000000 0 2 set_tid_address0.00 0.000000 0 1 clock_getres0.00 0.000000 0 13 set_robust_list------ ----------- ----------- --------- --------- ----------------100.00 0.044222 2025 112 total
Library Calls
ilektrojohn@securebook:~$ ltrace -c -f java Hello Hello World! % time seconds usecs/call calls function ------ ----------- ----------- --------- -------------------- 91.11 0.126965 126965 1 pthread_join 1.68 0.002335 53 44 fgets 1.50 0.002085 2085 1 dlopen 0.73 0.001015 59 17 JLI_MemAlloc 0.52 0.000727 45 16 JLI_StringDup 0.37 0.000522 43 12 strcspn 0.37 0.000515 42 12 strspn 0.37 0.000511 28 18 strlen 0.36 0.000498 33 15 JLI_MemFree 0.30 0.000422 38 11 getenv 0.27 0.000372 46 8 sprintf 0.25 0.000343 42 8 strrchr 0.21 0.000295 36 8 strcat 0.19 0.000260 130 2 fclose 0.17 0.000233 116 2 fopen 0.16 0.000224 112 2 readlink 0.14 0.000196 98 2 getuid 0.14 0.000191 95 2 access 0.13 0.000182 91 2 __xstat 0.12 0.000161 80 2 getgid 0.11 0.000154 77 2 geteuid 0.11 0.000152 76 2 getegid 0.10 0.000136 27 5 strchr 0.08 0.000116 116 1 pthread_create 0.08 0.000115 57 2 memset 0.07 0.000103 51 2 strcpy 0.07 0.000102 51 2 strncpy 0.07 0.000095 47 2 JLI_FreeManifest 0.06 0.000086 43 2 fflush 0.04 0.000059 59 1 putenv 0.04 0.000057 57 1 pthread_attr_destroy 0.02 0.000034 17 2 dlsym 0.01 0.000018 18 1 pthread_attr_init 0.01 0.000016 16 1 JLI_WildcardExpandClasspath 0.01 0.000016 16 1 strncmp 0.01 0.000014 14 1 pthread_attr_setstacksize 0.01 0.000014 14 1 getpid 0.01 0.000013 13 1 pthread_attr_setdetachstate ------ ----------- ----------- --------- -------------------- 100.00 0.139352 215 total
You can get the drill, complexity is a beast. Ah, and I almost forgot : Hello world 😉
[1] Gary McGraw (2006). Software Security, Building Security In. Crawfordsville, Indiana: Addison-Wesley Professional. p7-10.
Seriously, you have to love Java (a language that i never touched)
I liked the experiment , and I just tried it in C. Since i am not sure that i will be able to post here correctly (formatting and all), i am posting the results here: http://blog.nihilnovo.eu/?p=799
I really like the idea behind this small experiment,however, I will have to be a naysayer in certain aspects of the blog post.
With Java (which is far,far away from being one of my favourite programming languages), you get a complex VM, that initializes itself, loads the bytecode and executes it, is this supposed to take the same number of sys/lcalls with C? Or does that even proves anything?
This is the reason we are not coding everything in assembler anymore, we delegate certain elements towards the backend in order to do both less work and more complex/expressive work. I am also confident (recent JRE exploits notwithstanding, implementation bugs go away eventually) that this is not the complexity Dr McGraw had in mind! From a syscall/library call perspective, assembler is the “lightest” thus the less complex, right? By extension, the other two factors you mention being equal, the program coded in assembler would be the less likely to have bugs (security or otherwise). Obviously, this is false 🙂
In any case, welcome to blogging and I really look forward to your next posts!
PS: My overkill experiment (I just could not resist!) is located at https://woktime.wordpress.com/2010/10/22/hello-world-demystified/
Thanks for the comment and the welcome ( actually as you can see from the date, its an old post, but since I am rebooting the blog your welcome is welcome 🙂 ) .
As for the things that you pointed out : Of course it is not supposed to take the same calls as a C program that has the same functionality. My idea was not to compare C to Java, or to prove that Java is unnecessarily more complex. This is what Dimitris and you did in your posts( the comparison part I mean), and as it is interesting to see the differences, it wasn’t the point I was trying to make.
My point can be summarized in these sentences : “Given that one would imagine that a Hello World in any given language is a fairly simple piece of code. And it usually is. But simple to write doesn’t necessarily mean not complex.” The fact that 3 lines of code that only print a string in stdout needs 2025 system calls and 215 library calls. It’s not about Java being complex, as you pointed out, JVM needs to be initialized, bytecode is loaded, verified and executed e.t.c.
You’re probably right though, about Dr McGraw not having in mind this “kind of” complexity.
Anyhow, I wrote this post after a discussion in class about buffer overflows. The main question was if programming in languages with memory management like Java or Perl means that you don’t have to think about buffer overflows at all. Well, not programming in C eliminates programmer-introduced buffer overflow vulnerabilities, but one has to consider in what language the JVM and the OS he is using , is written.
Hello again,
The 2000+ syscalls and 200+ lcalls is a “one-time” cost for most of the cases, therefore if your program is “Hello World” or something a bit more complex, you end up “paying for it”, although in the case of a more complex program the cost/output ratio (I am being very, very loose with the ratio definition) is much much smaller.
One should always keep in mind that buffer overflows (and derivatives of them) can always lurk in the corner. The most common example is having code in a higher level language, such as Java, interfacing with poorly written/understood legacy C/C++ code, however other elements such as the quality of the interpreter/VM (where applicable) come into play
Hi there, just became alert to your blog through Google, and found that it is really informative.
I’m gonna watch out for brussels. I will appreciate if you continue this in future. Numerous people will be benefited from your writing. Cheers!
Heya i’m for the primary time here. I found this board and I find It truly useful & it helped me out a lot. I’m hoping to give one thing back
and aid others such as you helped me.