BeyondTrust

Security in Context: The BeyondTrust Blog

Welcome to Security in Context

Bringing you news and commentary on solutions and strategies for protecting critical IT infrastructure in the context of your business.

DEP Down: Part 1

Posted October 14, 2010    The eEye Research Team

Today we continue our series of technical blogs with a blog about DEP (Data Execution Prevention).

There are many good blogs and articles about DEP which go into great detail over the what, where, when and how’s of DEP and as such, I will only keep the introduction at a very minimum. Please follow the various links sprinkled throughout the blog for in-depth information about DEP, ROP and ASLR.

Short Introduction on DEP

Simply put, DEP was developed to protect against execution of code placed in memory meant to hold data such as heaps, stack, data sections, etc. Why is this a bad thing? Because most exploits rely on being able to do such a thing.

We should mention right off the bat that there are two forms of DEP: hardware-based and software-based.

Hardware-based DEP needs support from the CPU materialized by a so-called NX bit (non-executable bit). After AMD decided to include this functionality in its AMD64 family, Intel introduced a similar feature called Execute Disable Bit (XD) in x86 processors beginning with the Pentium 4 processors based on later iterations of the Prescott core.

The NX bit specifically refers to bit number 63 (the most significant bit) of a 64-bit entry in Page Table Entries (PTE). If this bit is set to 0, then code can be executed from that page; if set to 1, code cannot be executed from that page. It should be noted that Physical Address Extension (PAE) page table format is required, due to x86’s original 32-bit page table format having no room for the NX bit.

To find out if your CPU supports DEP try the excellent program SecurAble.

Support for hardware DEP was introduced in Windows XP SP2 and Windows Server 2003 SP1 and is present in all releases after. DEP applies to user-land processes causing them to terminate by throwing a memory access violation exception, as well as kernel drivers where upon detection will cause the system to BSOD with a code of 0xFC: ATTEMPTED_EXECUTE_OF_NOEXECUTE_MEMORY.

To see which processes are protected by DEP on Vista and above use Task Manager’s Process tab. On Windows XP, you need to use Process Explorer. In both cases the “Data Execution Prevention” box needs to be checked in the “View | Select Columns” menu.

Software-Based DEP relies on code that performs validation checks instead and it has the obvious advantage of running on older CPUs while incurring a relative overhead compared to the hardware solution. In Windows however, software DEP is only used to validate SEH exception handler chains.

For more details about how SEH validation is performed and to learn about the new SEHOP protection added in Vista and enabled by default on Windows 2008, please read this article.

As most exploits rely on executing code from data memory, DEP should solve the problem, right? Well, not exactly…

First, DEP is not always enforced even if the hardware and the OS support it. See this Microsoft Support Article for a description of the four DEP policy modes: AlwaysOn, AlwaysOff, OptIn, and OptOut. As the name suggests, if the policy is not set to AlwaysOn or OptOut, chances are that most 3rd-party applications will not be protected.

In addition to those 4 modes, Microsoft implemented a mechanism called “Permanent DEP”.
On Vista (and newer), this “permanent” flag is automatically set for all executables that were linked by the vendor with the /NXCOMPAT linker option.

To conclude our introduction on DEP, we’ve learned that while being a good defense against exploits, DEP is not perfect.

In the next blog we will go into the details of how DEP can be defeated and one of the ways a security product with buffer overflow protection can still detect foul play.

Blog by:
Laurentiu Nicula
Founding Software Engineer
LNicula@eeye.com

Tags:
,

Leave a Reply

Additional articles

{c4eae211-3ca2-4f8e-b2b9-6df0e970aab1}_g.markhardy

The “insider” threat. Is it real, or is it being blown out of proportion?

Posted March 4, 2015    G. Mark Hardy

A lot depends on whether or not you’ve been compromised. And therein lies the problem. Cyber threats are often ignored until they cause some damage, at which point management looks for people to blame and gives all kinds of attention to fixing the problem – until the next crisis in accounting or warehousing or staffing comes along.

Tags:
, , ,
webinar_chalk

Webinar March 4th: Recreating the Carbanak Breach & Techniques for Mitigating Similar Attacks

Posted March 3, 2015    Lindsay Marsh

Join BeyondTrust Research and Development team for an in-depth live webinar that will explore the attack vectors used in the Carbanak Bank Breach and share successful mitigation techniques needed to prevent this type of attack.

Tags:
, ,
VMware Hardening Guidelines-img3

How to Audit VMware ESX and ESXi Servers Against the VMware Hardening Guidelines with Retina CS

Posted February 27, 2015    BeyondTrust Research Team

Retina CS Enterprise Vulnerability Management has included advanced VMware auditing capabilities for some time, including virtual machine discovery and scanning through a cloud connection, plus the ability to scan ESX and ESXi hosts using SSH. However, in response to recent security concerns associated with SSH, VMware has disabled SSH by default in its more recent…

Tags:
, , , ,