New Tool: Announcing Attack Surface Analyzer!

I wanted to write a quick post to let you know of an interesting new tool that Microsoft is releasing at Blackhat DC.

Microsoft has required attack surface validation of applications prior to release for years – however assessing the attack surface of an application or software platform can be an intimidating process at first glance.

To help ease the process, we are releasing a tool called Attack Surface Analyzer to assist both testers and IT Pros in assessing the security of an application.  The Attack Surface Analyzer is being released as a beta – to allow us time to gather feedback and real world usage data from our customers.

We have a number of folks from our team at Blackhat, including Jeremy Dallman, Solomon Lukie and Meng Li who will be in the Microsoft booth talking with customers about the SDL and demoing the tool.  Solomon will follow up with detailed blog posts about Attack Surface Analyzer at a later date, but in the meantime, here is a brief description of the tool and its intended use:

The Attack Surface Analyzer beta is a Microsoft verification tool now available for ISVs and IT professionals to highlight the changes in system state, runtime parameters and securable objects on the Windows operating system. This analysis helps developers, testers and IT professionals identify increases in the attack surface caused by installing applications on a machine.

The tool takes snapshots of an organization’s system and compares (“diffing”) these to identify changes. The tool does not analyze a system based on signatures or known vulnerabilities; instead, it looks for classes of security weaknesses as applications are installed on the Windows operating system.

The tool also gives an overview of the changes to the system Microsoft considers important to the security of the platform and highlights these in the attack surface report. The Microsoft Security Development Lifecycle (SDL) requires development teams to define a given product’s default and maximum attack surface during the design phase to reduce the likelihood of exploitation wherever possible. Additional information can be found in the Measuring Relative Attack Surface paper.

Some of the checks performed by the tool include analysis of changed or newly added files, registry keys, services, ActiveX Controls, listening ports, access control lists and other parameters that affect a computer’s attack surface.

The Attack Surface Analyzer beta will be released for download Jan. 18, 2011, in conjunction with a number of updates to other Microsoft SDL tools, at Black Hat DC. The tool is available at no cost.  More information on Attack Surface Analyzer beta by Microsoft and other tools supporting the Microsoft SDL is available at

I’d encourage people to download the tool, and if you happen to be at Blackhat DC, swing by the Microsoft booth and take a look for yourself.



About the Author
Dave Ladd

Principal Security Group Program Manager

Join the conversation

  1. Anonymous

    Only get x64 bit version is offered by download page.

  2. Anonymous

    Any ideas on how to review the results (it generates a ton of XML files)

  3. Anonymous

    Nice. Do you plan to have a site for posting feedback on the beta?

  4. Anonymous

    @abc, the "download" link above will take you to which includes downloads for both 64 bit (x64) and 32 bit (x86) platforms.

    @Rob Bergin, to review results you need to run the tool twice to create two snapshots and the select "Generate Report" in the GUI, select your two scans (CABs) and then click Generate.  Step by step instructions are included on the download center –

  5. Anonymous

    Following all instructions FAILS.

    After creating multiple snapshots, and then selecting "Generate Report", Internet Explorer 9 cannot open the resuling "report.html" file with the error "Internet Explorer cannot display the webpage"

    Also Word 2010 cannot open the "report.html" file with the error details –   " DTD is prohibited. Location: Line: 2, Column: 9

  6. Anonymous

    Automation is supported for cab file creation, but generating the report does not appear to be scriptable.

    Is it possible to automatically create, using asa, the .html report files?  If not, is this feature on the roadmap?

  7. Anonymous

    @Ben Tucker: Yes, automated Attack Surface Report generation is on our roadmap, but I'm trying to get a handle on how many people would use this and in what scenario.  We do have such a capability within Microsoft but I'm pretty sure the external requirements are going to differ a little, so I'd like to get an idea if you'd like to just batch process a group of CAB pairs v's autolaunch a report on a regular basis after diffing against a previous CAB.

    If anyone has some ideas or suggestions around this, please feel free to drop us an email (remove [NOSPAM] before you hit send)…


  8. Anonymous

    For those of you who missed the Attack Surface Analyzer webcast, it is now online at:

    Additionally, we now have a TechNet article up showing how to run the tool, so make sure you check it out if you're a first time user:

    And lastly, I'll be at TechEd in Atlanta (May 16-19), so feel free to say Hi or come along to a session I'm co-presenting with Mark Simos & William Dixon from Microsoft consulting on Securing Your Windows Platform:

    As always, if you've got any feedback on Attack Surface Analyzer, please feel free to send them in via email:

Comments are closed.