Monday, April 29, 2013

Being a Software Consultant - Microsoft Attack Surface Analyzer

I have been working as a software consultant for a long time now. During this time, I have had to be at customers' locations adding new products and features and providing recommendations about their design. In order to do all of that, we first need to understand their current domain and eco-system of tools and applications. Many of these applications are custom-built, while others are off-the-shelf toolkits, frameworks and software tools from various vendors. Most organizations that don't have software development and design as line departments don't have a very focused and streamlined approach to these toolkits, frameworks and tools. It is rare to find an individual who could give you an overview of the software eco-system.

During the early part of my professional career one of my mentors once said, "When you are thrown into a mud, don't just panic, just settle down first and then smoothly make your transition out" [I had to clean it up a bit for the respectable blog readers :)]. And this is so true, as panicking in a situation like this only makes the situation worse. I have seen some consultants asking for the moon, asking for documentation about the current software design and the domain in general. As I said, it is very rare to find such a thing, and expecting it to be up-to-date is really an idealized view. Don't think employees would know better than consultants because they have been in the organization long enough. I have never seen this to be the case.

As tech consultants, we are expected to know the technology bits required to work on the system, but understanding the domain and the host organization's software eco-system is really necessary. The absence of people and documentation makes it really difficult. Organizations also suffer a lot because of this. We see multiple tools which seem to do the same thing (maybe doing it differently). You see different design patterns followed in different parts of the same application. It becomes more challenging when development teams are geographically distributed, as this affects the communication structure, which has an impact on design as we know from Conway's law: "Organizations which design systems are constrained to produce designs which are copies of the communication structures of these organizations."

So a convoluted mesh of software tools, frameworks and toolkits is a reality. Finding no navigation support in the systems is common. We need to learn how to deal with it as technology consultants in order to be successful. Panicking is just not an option. As software developers, we shouldn't need any document to understand the design because, as we know, design lives in the code. In order to deal with this situation, I have learnt to follow some fixed steps when I set foot in the door of an organization. This includes making a list of the tools and frameworks used and building an externalized view of the software eco-system without first looking into the code.

Let's assume this is your first day in an organization. A software tool is thrown at you to look into, one that you will need to work on once you get settled. Never just jump into the code and start looking at the classes and their relationships. That will be needed at later steps. First try to understand: What does this tool consist of? What does it do when it runs? What sort of changes does it make when installed on a client system? What components does it load when it is running? Is there any network activity involved? In order to answer these questions we need suitable tools. I recommend being hands-on with the major SysInternals tools, profilers and DotPeek / Reflector. I have seen many developers running away from these tools, and it appears that they would be turned into stones if they looked at them (OK, this is exaggerating, I admit :))

A few months back Microsoft released a tool which should definitely draw our attention as software consultants. This is Attack Surface Analyzer. The tool was introduced in August last year. It lets us take a snapshot of system features including the registry, drivers and other details. The recommended approach is to take a snapshot before we install the application being tested. We call it the Baseline Snapshot. We then install the product and take another snapshot afterwards. The snapshots are created in the form of CAB files. The tool then supports comparing the CAB files and generates an HTML report which can be used to understand the changes the software caused in the system. The report is also persisted automatically so we can review it later.

Attack Surface Analyzer can be downloaded from Microsoft's download site. You can use the following link to download the tool:

The download consists of installation files for x86 and 64-bit operating systems. It also includes a readme file with the details of the tool. Running the downloaded file installs the tool by running the setup program. We can select the folder where we want to install it.

Once installed, the tool is available in Windows Startup. Since the tool is supposed to collect sensitive information about the system, it needs to run with administrative privileges. Depending on your system settings, Windows UAC may prompt about running with admin privileges.

As discussed above, the analyzer is used to run a scan and save the scan report as a cabinet file. It can then be used to run a comparison between any two such files. Either use case can be chosen by selecting the appropriate radio button on the view. The idea is to run the scan first, then install and run the tool being tested, and then run a scan a second time.

Running the scan collects data from the system. The list of details being collected is shown in the grid, along with the collection status of each item. Once the collection of an item is finished, its status is updated to Completed.

Once the run is completed, a cabinet file is generated in the selected folder with the specified name. The tool also generates a new sub-folder named data.

The data folder seems to have the following details. The content of these files is XML-based. You can open a file and see the data about any particular detail.

After the scan completes and the cabinet and data files are generated, the view is updated with a new message. It also tells you what you might need to do next. If this was the baseline scan, you need to install and run the tool being tested and then run a second scan. This second scan is called the Product scan.

Like the previous scan, we can generate the product scan in a selected folder. For my test scans, I have created them side by side in the same folder as follows:

Now that we have both the baseline and product scans recorded in cabinet files, we can compare the two scans by comparing these files. The tool supports this comparison. We need to change the selection to Generate standard attack surface report.

Clicking the Generate button loads both cabinet files as specified in Baseline and Product Cabs. The tool then compares the two cabinet files. While generating the report, it keeps showing a status message which keeps the user updated on each step it is running.

Finally, it generates the comparison report with the title Attack Surface Report. The report is opened in the default browser of the machine running the tool. It compares various aspects of the machine, including the content of the Global Assembly Cache. We can argue that the report could have further details, or that the options could be selectable and customizable by the user.

The report is also persisted for later viewing. The tool also creates a help file for looking up information about the comparison. You can see both persisted in the folder specified in the tool. Please notice the HTML files for the report and the help.
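
The baseline/product comparison described above can be sketched in a few lines. This is an added example, not code from the tool or from the original post; the XML element and attribute names and the sample entries are a constructed, hypothetical layout and not Attack Surface Analyzer's actual snapshot schema.

```python
import xml.etree.ElementTree as ET
# Constructed sample snapshots; element/attribute names are a hypothetical
# layout for illustration, not Attack Surface Analyzer's actual schema.
BASELINE_XML = """<snapshot>
  <services>
    <item key="Spooler" account="LocalSystem" start="Auto"/>
    <item key="W32Time" account="LocalService" start="Manual"/>
  </services>
  <ports><item key="TCP/135" process="svchost.exe"/></ports>
</snapshot>"""
PRODUCT_XML = """<snapshot>
  <services>
    <item key="Spooler" account="LocalSystem" start="Auto"/>
    <item key="W32Time" account="LocalService" start="Auto"/>
    <item key="ExampleAgent" account="LocalSystem" start="Auto"/>
  </services>
  <ports>
    <item key="TCP/135" process="svchost.exe"/>
    <item key="TCP/8080" process="exampleagent.exe"/>
  </ports>
</snapshot>"""

def load_snapshot(xml_text):
    """Return {category: {key: other attributes}} for one snapshot."""
    snap = {}
    for category in ET.fromstring(xml_text):
        snap[category.tag] = {
            item.get("key"): {k: v for k, v in item.attrib.items() if k != "key"}
            for item in category.findall("item")}
    return snap

def diff_snapshots(baseline, product):
    """Return sorted (category, change, key, detail) tuples."""
    changes = []
    for cat in sorted(set(baseline) | set(product)):
        old, new = baseline.get(cat, {}), product.get(cat, {})
        # Entries present only after installation: new attack surface.
        for key in sorted(set(new) - set(old)):
            changes.append((cat, "added", key, new[key]))
        for key in sorted(set(old) - set(new)):
            changes.append((cat, "removed", key, old[key]))
        # Entries present in both scans whose settings differ.
        for key in sorted(set(old) & set(new)):
            if old[key] != new[key]:
                changes.append((cat, "changed", key, new[key]))
    return changes

if __name__ == "__main__":
    for row in diff_snapshots(load_snapshot(BASELINE_XML), load_snapshot(PRODUCT_XML)):
        print(*row)
```

In the constructed data, the rows worth a reviewer's attention are the service added under LocalSystem, the new listening port, and the existing service whose start type changed.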
