
Hardware DEP (Data Execution Prevention), NX, XD & EVP

A processor can be instructed to designate regions of memory as non-executable. This means that the memory can be used to store reference data to be read and written, but that the processor cannot treat the contents of the memory as program code to be directly executed. Intel calls this capability in their newer processors XD for “eXecute Disable” and AMD refers to it as NX for “No eXecute.” AMD's marketing materials also sometimes refer to this capability by the term EVP for Enhanced Virus Protection.

As a hardware capability of modern processors this addition is important, but its use depends entirely upon support from the operating system. So when Microsoft introduced support for this into their operating systems, they termed it Hardware DEP for Data Execution Prevention. Support for hardware DEP was introduced into the 32-bit versions of Windows XP with Service Pack 2, into Windows 2003 Server with Service Pack 1, and has always been present in Windows Vista. Hardware DEP does no one any good unless it's turned on.

When hardware DEP support is active, an XD/NX-aware operating system running on an XD/NX-capable and enabled processor will mark all memory regions not explicitly containing executable code as non-executable. This protects the system's “heaps”, “stacks”, data and communications buffers from inadvertently running any executable code they might contain.

Why would data or communications buffers ever contain executable code? Because so-called “Buffer Overrun” attacks are the predominant way Internet-connected computers have historically been remotely hacked and compromised. Hackers locate obscure software vulnerabilities which allow them to “overrun” the buffers with their own data. This tricks the computer into executing the hacker's supplied data (which is actually code) contained within that buffer. But if the operating system has marked that Internet communications buffer region of memory as only being valid for containing data and NOT code, the hacker's attack will never get started. Instead, the operating system will display a notice to the user that the vulnerable program is being terminated BEFORE any of the hacker's code has the chance to run.


The real beauty of this system is that it provides strong protection from unknown vulnerabilities in the system and user programs.

Anti-Virus and anti-malware software is useful, but as we know, virus signature files must be continually updated to keep A/V software aware of new threats. Significantly, A/V software is unable to protect against unknown viruses and malware intrusions because it searches for known malicious code rather than detecting and blocking potentially malicious behavior. Hardware DEP, on the other hand, when properly configured, hardens the entire system against both known and unknown vulnerabilities by detecting and preventing the behavior of code execution in data buffers.

Buffer overrun vulnerabilities are so difficult to prevent that scores of them are being found and exploited in operating system and application software every day. Taking advantage of modern processor XD/NX capabilities is a powerful way to fight back and prevent this most common class of vulnerabilities.

To confirm that hardware DEP is working in Windows, use one of the following methods.

You can use the Wmic command-line tool to examine the DEP settings. To determine whether hardware-enforced DEP is available, follow these steps:
  1. Click Start, click Run, type cmd in the Open box, and then click OK.
  2. At the command prompt, type the following command, and then press ENTER:
     wmic OS Get DataExecutionPrevention_Available
If the output is "TRUE," hardware-enforced DEP is available.

To determine the current DEP support policy, follow these steps:
  1. Click Start, click Run, type cmd in the Open box, and then click OK.
  2. At the command prompt, type the following command, and then press ENTER:
     wmic OS Get DataExecutionPrevention_SupportPolicy
The value returned will be 0, 1, 2 or 3. This value corresponds to one of the DEP support policies that are described in the following table.

  0 - DEP is not enabled for any processes
  1 - DEP is enabled for all processes
  2 - Only Windows System components and services have DEP applied
  3 - DEP is enabled for all processes. Administrators can manually create a list of specific applications which do not have DEP applied
For more commands on how to check if hardware DEP is available and configured on your computer, see http://support.microsoft.com/kb/912923 .
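As an added example (not part of the original post), the PowerShell script below reads the same Win32_OperatingSystem DEP properties the wmic commands above query, cross-checks them against the boot-time "nx" entry reported by bcdedit, and reports the policy using the wording of the table above. It assumes Windows PowerShell 3.0 or later and an elevated prompt for the bcdedit read.

```powershell
# Added example, not from the original post: audit hardware DEP on the local machine.
# Reads the Win32_OperatingSystem DEP properties (the same ones wmic shows above)
# and the boot-time "nx" entry from bcdedit. Assumes PowerShell 3.0+; bcdedit needs
# an elevated prompt, otherwise BootNxSetting is left empty.

$PolicyNames = @{
    0 = 'AlwaysOff - DEP is not enabled for any processes'
    1 = 'AlwaysOn  - DEP is enabled for all processes'
    2 = 'OptIn     - only Windows system components and services have DEP applied'
    3 = 'OptOut    - DEP is enabled for all processes except an admin-defined exception list'
}

function Get-DepStatus {
    $os     = Get-CimInstance -ClassName Win32_OperatingSystem
    $policy = [int]$os.DataExecutionPrevention_SupportPolicy

    # The WMI policy value mirrors the "nx" boot setting; read it for cross-checking.
    $bcdNx = $null
    try {
        $bcdOut = bcdedit /enum '{current}' 2>$null
        if ($bcdOut -and (($bcdOut -join "`n") -match '(?m)^\s*nx\s+(\S+)')) {
            $bcdNx = $Matches[1]
        }
    } catch { }

    [pscustomobject]@{
        HardwareDepAvailable = [bool]$os.DataExecutionPrevention_Available
        AppliedTo32BitApps   = [bool]$os.DataExecutionPrevention_32BitApplications
        AppliedToDrivers     = [bool]$os.DataExecutionPrevention_Drivers
        SupportPolicy        = $policy
        PolicyMeaning        = $PolicyNames[$policy]
        BootNxSetting        = $bcdNx
    }
}

$status = Get-DepStatus
$status | Format-List

# Flag the two cases this page warns about: no hardware support at all, or a CPU
# with XD/NX whose OS policy still leaves non-system processes unprotected.
if (-not $status.HardwareDepAvailable) {
    Write-Warning 'Hardware-enforced DEP is not available on this system.'
} elseif ($status.SupportPolicy -in 0, 2) {
    Write-Warning ("DEP policy $($status.SupportPolicy) leaves non-system processes unprotected; " +
                   'consider "bcdedit /set nx OptOut" (or AlwaysOn) and reboot.')
}
```

A policy change made with bcdedit only takes effect after a reboot, so re-run the script afterwards to confirm SupportPolicy and BootNxSetting agree.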
