BeyondTrust

Security in Context: The BeyondTrust Blog

Welcome to Security in Context

Bringing you news and commentary on solutions and strategies for protecting critical IT infrastructure in the context of your business.

DEP Down: Part 1

Posted October 14, 2010    The eEye Research Team

Today we continue our series of technical blogs with a blog about DEP (Data Execution Prevention).

There are many good blogs and articles about DEP which go into great detail over the what, where, when and how’s of DEP and as such, I will only keep the introduction at a very minimum. Please follow the various links sprinkled throughout the blog for in-depth information about DEP, ROP and ASLR.

Short Introduction on DEP

Simply put, DEP was developed to protect against execution of code placed in memory meant to hold data such as heaps, stack, data sections, etc. Why is this a bad thing? Because most exploits rely on being able to do such a thing.

We should mention right off the bat that there are two forms of DEP: hardware-based and software-based.

Hardware-based DEP needs support from the CPU materialized by a so-called NX bit (non-executable bit). After AMD decided to include this functionality in its AMD64 family, Intel introduced a similar feature called Execute Disable Bit (XD) in x86 processors beginning with the Pentium 4 processors based on later iterations of the Prescott core.

The NX bit specifically refers to bit number 63 (the most significant bit) of a 64-bit entry in Page Table Entries (PTE). If this bit is set to 0, then code can be executed from that page; if set to 1, code cannot be executed from that page. It should be noted that Physical Address Extension (PAE) page table format is required, due to x86’s original 32-bit page table format having no room for the NX bit.

To find out if your CPU supports DEP try the excellent program SecurAble.

Support for hardware DEP was introduced in Windows XP SP2 and Windows Server 2003 SP1 and is present in all releases after. DEP applies to user-land processes causing them to terminate by throwing a memory access violation exception, as well as kernel drivers where upon detection will cause the system to BSOD with a code of 0xFC: ATTEMPTED_EXECUTE_OF_NOEXECUTE_MEMORY.

To see which processes are protected by DEP on Vista and above use Task Manager’s Process tab. On Windows XP, you need to use Process Explorer. In both cases the “Data Execution Prevention” box needs to be checked in the “View | Select Columns” menu.

Software-Based DEP relies on code that performs validation checks instead and it has the obvious advantage of running on older CPUs while incurring a relative overhead compared to the hardware solution. In Windows however, software DEP is only used to validate SEH exception handler chains.

For more details about how SEH validation is performed and to learn about the new SEHOP protection added in Vista and enabled by default on Windows 2008, please read this article.

As most exploits rely on executing code from data memory, DEP should solve the problem, right? Well, not exactly…

First, DEP is not always enforced even if the hardware and the OS support it. See this Microsoft Support Article for a description of the four DEP policy modes: AlwaysOn, AlwaysOff, OptIn, and OptOut. As the name suggests, if the policy is not set to AlwaysOn or OptOut, chances are that most 3rd-party applications will not be protected.

In addition to those 4 modes, Microsoft implemented a mechanism called “Permanent DEP”.
On Vista (and newer), this “permanent” flag is automatically set for all executables that were linked by the vendor with the /NXCOMPAT linker option.

To conclude our introduction on DEP, we’ve learned that while being a good defense against exploits, DEP is not perfect.

In the next blog we will go into the details of how DEP can be defeated and one of the ways a security product with buffer overflow protection can still detect foul play.

Blog by:
Laurentiu Nicula
Founding Software Engineer
LNicula@eeye.com

Tags:
,

Leave a Reply

Additional articles

dave-shackleford-headshot

Why You Still Suck at Patching…and How to Turn Your Life Around

Posted March 25, 2015    Dave Shackleford

Live webinar | March 26, 2015 | 10am PT/1pm ET | Dave Shackleford, SANS Instructor | Why You Still Suck at Patching…and How to Turn Your Life Around

Tags:
, ,
infographic

Privilege Gone Wild 2: Over 25% of Organizations Have No Privileged Access Controls

Posted March 24, 2015    Scott Lang

BeyondTrust recently conducted a survey, with over 700 respondents, to explore how organizations view the risk of misuse from privileged account misuse, as well as trends in addressing and mitigating those risks.

Tags:
,
webinar_ondemand

On Demand Webinar – A Security Expert’s Guide: The Windows Events You Should be Tracking and Why

Posted March 23, 2015    Lindsay Marsh

On-Demand Webinar – Windows Security Expert and MCSE, Russell Smith, discusses the Windows Events you should be tracking right now and why. He will also show you how to set up Event Log subscriptions so you have better monitoring across your Windows environments.

Tags:
, ,