Gourt Home::Gourt :: Data Execution Prevention
Data Execution Prevention (DEP) is a feature included in modern Microsoft Windows operating systems that is intended to prevent an application or service from executing code from a non-executable memory region. This helps prevent certain exploits that store code via a buffer overflow, for example. DEP runs in two modes: hardware-enforced DEP for CPUs that can mark memory pages as nonexecutable, and software-enforced DEP with a limited prevention for CPUs that do not have hardware support.
DEP was introduced in Windows XP Service Pack 2 and is included in Windows XP Tablet PC Edition 2005, and Windows Server 2003 Service Pack 1. Windows Vista and later operating systems support this feature as well.
Hardware protection
Hardware-enforced DEP enables the NX bit on CPUs that support it. DEP works by marking certain parts of memory as being intended to hold only data, which the NX or XD bit enabled processor then understands to not be executable. This helps prevents buffer overflow attacks from succeeding.
In some instances, Data Execution Prevention can have the unintended consequence of preventing legitimate software from executing. In these cases, the affected software needs to be flagged as being allowed to execute code in those parts of memory, but this itself leads to a possible attack if the application isn't rigorous in validating data that is passed into a region of memory that is marked as being executable.
If the x86 processor supports this feature in hardware, then the NX features are turned on automatically in Windows by default. If the feature is not supported by the x86 processor, then no protection is given. Outside of the x86 architecture, a version of NX also exists for Intel's IA-64 which is implemented into the Windows that operates that architecture.
Software protection
Software DEP, while unrelated to the NX bit, is what Microsoft calls their enforcement of "Safe Secure Exception Handling". Software DEP/SafeSEH simply checks when an exception is thrown to make sure that the exception is registered in a function table for the application, and requires the program to be built with it. This is likely a countermeasure to handle an exploit possible because of the way DEP handles NX faults. It is not possible for a program to truly recover from such an attack, however, because program flow is destroyed in an unrecoverable manner.
Unlike similar protection schemes available on other operating systems, DEP provides no address space layout randomization, which may allow return-to-libc attacks that could feasibly be used to disable DEP during an attack. The possibility has not yet been proven on Windows specifically; but the PaX documentation elaborates on why ASLR is necessary. It may be possible to develop a successful attack if the address of prepared data such as corrupted images or MP3s can be known by the attacker.
Software conflicts
DEP is occasionally the cause of software problems, usually with older software. It has exposed bugs in the Virtuozzo virtualization software that prevent certain programs from being virtualized correctly. In most cases, these problems may be solved by disabling the DEP features.
As a response to this, DEP can be turned off on a per-application basis, retaining compatibility for older programs.
Software configuration
DEP configuration for the system is controlled through switches in the Boot.ini file. DEP can be configured by using the System dialog box in Control Panel.
The Boot.ini file settings are as follows: /noexecute= policy_level Note policy_level is defined as AlwaysOn, AlwaysOff, OptIn, or OptOut.
OptIn: This setting is the default configuration. On systems with processors that can implement hardware-enforced DEP, DEP is enabled by default for limited system binaries and programs that "opt-in." With this option, only Windows system binaries are covered by DEP by default.
OptOut: DEP is enabled by default for all processes. A list of specific programs that should not have DEP applied can be entered using the System dialog box in Control Panel. Network administrators can use the Application Compatibility Toolkit to "opt-out" one or more programs from DEP protection. System compatibility fixes, or shims, for DEP do take effect.
AlwaysOn: This setting provides full DEP coverage for the whole system. All processes always run with DEP applied. The exceptions list to exempt specific programs from DEP protection is not available. System compatibility fixes for DEP do not take effect. Programs that have been opted-out by using the Application Compatibility Toolkit run with DEP applied.
AlwaysOff: This setting does not provide any DEP coverage for any part of the system, regardless of hardware DEP support.
See also
References
External link
"Data Execution Prevention"