Microsoft has rewritten its Attack Surface Analyzer tool as a cross-platform, open source project on GitHub.
Attack Surface Analyzer was first released in 2012, after which it quickly gained a following among software developers and IT security administrators who wanted to understand and detect which key system changes were made when third-party software was installed on Microsoft’s core operating systems.
Using the newly rewritten Attack Surface Analyzer 2.0, users can identify potential security risks that arise from changes made to the OS by new installations. The key locations monitored by the tool are the File System, User Accounts, Services, Network Ports (listeners), System Certificate Stores and the Windows Registry.
Before new software is installed, the tool creates a snapshot, called the baseline scan, of the status and configuration of files within the OS. Once the installation is complete, it compares the system to the baseline scan. Users can then review the changes to the system to determine what impact they will have on security and system policies.
Analysis of the data can be done on the computer where it was generated, or it can be exported to another system as a JSON file. Alternatively, since the original baseline scan is stored in an SQLite file, users can simply copy that file if they wish to run the comparison on another system.
The default scan method is the ‘static’ one described above, but users also have the option to run the tool in a live monitoring mode, which records changes to the OS in real time.
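The baseline-then-compare workflow described above is easy to demonstrate on the file system alone. The following script is an added example written for this article; it is not Attack Surface Analyzer's own code and covers only one of the locations the real tool monitors (files, not users, services, ports, certificate stores or the registry). It records a SHA-256 digest and the permission bits of every regular file under a root, saves that baseline as JSON (the real tool uses SQLite), simulates an installation in a constructed temporary directory, and then reports files that were added, removed or changed. A mode-only change (a library becoming world-writable, for instance) is flagged even when the content is untouched, which is exactly the kind of finding a reviewer wants surfaced after an install.

```python
import hashlib
import json
import os
import stat
import tempfile
from pathlib import Path


def snapshot_tree(root):
    """Baseline scan of a directory tree (added example, not ASA's own code).

    Returns {relative_path: {"sha256": hex digest, "mode": permission bits}}
    for every regular file under `root`. Symlinks are skipped so the scan
    records the tree itself rather than whatever the links point at.
    """
    root = Path(root)
    result = {}
    for path in sorted(root.rglob("*")):
        if path.is_symlink() or not path.is_file():
            continue
        digest = hashlib.sha256(path.read_bytes()).hexdigest()
        mode = stat.S_IMODE(path.stat().st_mode)
        result[path.relative_to(root).as_posix()] = {"sha256": digest, "mode": mode}
    return result


def save_snapshot(snapshot, out_file):
    """Persist a snapshot as JSON so it can be compared on another machine."""
    Path(out_file).write_text(json.dumps(snapshot, indent=2, sort_keys=True))


def load_snapshot(in_file):
    return json.loads(Path(in_file).read_text())


def compare_snapshots(baseline, product):
    """Diff two snapshots. `modified` maps each changed path to the list of
    attributes that differ ("sha256" for content, "mode" for permissions)."""
    added = sorted(set(product) - set(baseline))
    removed = sorted(set(baseline) - set(product))
    modified = {}
    for path in sorted(set(baseline) & set(product)):
        changed = [k for k in ("sha256", "mode") if baseline[path][k] != product[path][k]]
        if changed:
            modified[path] = changed
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Constructed end-to-end run: baseline, simulated install, product scan, diff.
    The directory layout and file contents are invented for the example."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "fs"           # the tree being scanned
        baseline_file = Path(tmp) / "baseline.json"  # kept outside the tree

        (root / "bin").mkdir(parents=True)
        (root / "lib").mkdir()
        (root / "bin" / "tool").write_bytes(b"tool v1")
        (root / "bin" / "old-helper").write_bytes(b"legacy helper")
        (root / "lib" / "helper.so").write_bytes(b"\x7fELF stub")
        os.chmod(root / "lib" / "helper.so", 0o644)

        save_snapshot(snapshot_tree(root), baseline_file)

        # Simulated installation: update a binary, drop a file, add a config,
        # and loosen permissions on a shared library (the mode change is only
        # observable on POSIX systems; Windows keeps the same mode bits).
        (root / "bin" / "tool").write_bytes(b"tool v2")
        (root / "bin" / "old-helper").unlink()
        (root / "etc").mkdir()
        (root / "etc" / "app.conf").write_bytes(b"debug=true\n")
        os.chmod(root / "lib" / "helper.so", 0o666)

        product = snapshot_tree(root)
        return compare_snapshots(load_snapshot(baseline_file), product)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running the script prints the diff as JSON: `etc/app.conf` under `added`, `bin/old-helper` under `removed`, `bin/tool` flagged for a content change and, on POSIX systems, `lib/helper.so` flagged for a permissions change. In practice the baseline would be taken from a clean system image and the product scan from the same image after the installer has run, so that nothing but the install accounts for the difference.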
Guy Acosta, Security Program Manager at Microsoft, wrote in a security blog that: “This tool can play an important role in ensuring that the software you develop or deploy doesn’t adversely affect the operating system security configuration by allowing you to scan for specific types of changes.”
“The tool includes both Electron and command line interface options. Results for the command line use option are written to a local HTML or JSON file, making it easy to include as part of your automated toolchain.”
Rewritten Attack Surface Analyzer
Microsoft has rewritten the code for its Attack Surface Analyzer using two open source, cross-platform frameworks: .NET Core and Electron.
Electron is a software framework for building graphical user interfaces (GUIs) that run as web applications on the Chromium engine; it is developed and maintained by the GitHub community. .NET Core is a framework designed to help developers build applications that run on multiple operating systems, such as Mac, Windows and Linux.
The application does not come with an installation program, but binaries are built for each update to the master branch, and pre-built binaries are available from the release menu.
Unfortunately, the Attack Surface Analyzer does have performance issues, as the tool is very demanding on the system. Microsoft warns on GitHub that the “Analyzer has very high CPU and memory demands, and often takes a considerable amount of time to complete. Analyses should never be run on live production servers since it can severely degrade the performance of the system. Use of the file system or registry (on Windows systems) will add significant time to the collection and analysis.”