DEP (Data Execution Prevention) is a system-level memory protection feature built into Windows starting with Windows XP SP2 and Windows Server 2003 SP1.
DEP lets the system mark one or more pages of memory as non-executable. Code cannot be run from a region marked this way, which makes buffer overruns (buffer overflows) harder to exploit: an attacker who lands a payload on the stack or heap can no longer simply jump to it. DEP is a combination of hardware and software technologies that perform additional checks on memory to help protect against malicious code exploits.
- This level of paging protection was introduced with AMD64: a page or a set of pages can be marked as not executable by setting the NX bit to 1. NX is bit 63 of a 64-bit page table entry (the PAE/long-mode entry format).
- The feature is active only if the No-Execute Enable bit in the Extended Feature Enable Register (EFER.NXE) and Physical Address Extension (CR4.PAE) are both set, regardless of operating mode (legacy PAE mode or long mode). The reason is that the original 32-bit x86 page table format uses 32-bit entries and therefore has no bit 63 to hold the flag. An instruction fetch from a page with NX set raises a page fault (#PF), which the OS delivers to the process as an access violation exception.
Modes of Enforcement
- Hardware Enforcement: DEP implemented with the NX bit (bit 63) of a 64-bit page translation entry. The OS marks every memory location in a process as non-executable unless the location explicitly contains executable code (image code sections, or pages the program deliberately makes executable). There is a class of attacks that insert code into a data region (stack, heap) and then execute it from there; DEP defeats them because the instruction fetch faults and the process receives an exception instead of running the injected code.
- Software Enforcement: the kernel marks pages used for program stacks and data sections as non-executable. Caveat for Windows specifically: what Microsoft calls "software-enforced DEP" does not make pages non-executable at all (that requires the hardware NX bit); it only adds checks to exception dispatching so that exception-handling mechanisms cannot be abused, which is why it runs on any processor that can run Windows XP SP2.
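As an added example (not code from the original post), the hardware-enforcement behaviour above can be observed from user space: a few bytes of machine code are copied into a read/write data page and called once while the page is still non-executable, and once after it has been made executable. The example uses POSIX mmap/mprotect (the Linux/macOS equivalents of Windows VirtualAlloc/VirtualProtect), catches the resulting SIGSEGV/SIGBUS with sigsetjmp/siglongjmp, and assumes an x86-64 or AArch64 processor with NX enabled by the kernel; the hand-assembled "return 42" bytes and the helper names are my own.

```c
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Hand-assembled machine code for "return 42" (constructed for this example). */
#if defined(__x86_64__)
static const unsigned char code[] = { 0xB8, 0x2A, 0x00, 0x00, 0x00, 0xC3 };       /* mov eax,42 ; ret */
#elif defined(__aarch64__)
static const unsigned char code[] = { 0x40, 0x05, 0x80, 0x52, 0xC0, 0x03, 0x5F, 0xD6 }; /* mov w0,#42 ; ret */
#else
#error "example supports x86-64 and AArch64 only"
#endif

static sigjmp_buf fault_env;

/* Reached when the CPU refuses the instruction fetch: the OS turned the NX
 * page fault into SIGSEGV (or SIGBUS on some systems). Unwind to try_execute. */
static void on_fault(int sig) {
    (void)sig;
    siglongjmp(fault_env, 1);
}

/* Copies the code into a fresh data page and calls it.
 * Returns 42 if it ran, -1 if DEP/NX intercepted the call, -2 on setup error. */
int try_execute(int make_executable) {
    long page = sysconf(_SC_PAGESIZE);
    unsigned char *buf = mmap(NULL, (size_t)page, PROT_READ | PROT_WRITE,
                              MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (buf == MAP_FAILED) return -2;
    memcpy(buf, code, sizeof code);                 /* "inject" code into a data page */

    if (make_executable) {
        /* The legitimate path: flip the page to RX, as a JIT or a loader would. */
        if (mprotect(buf, (size_t)page, PROT_READ | PROT_EXEC) != 0) {
            munmap(buf, (size_t)page);
            return -2;
        }
        __builtin___clear_cache((char *)buf, (char *)buf + sizeof code); /* needed on AArch64 */
    }

    struct sigaction sa, old_segv, old_bus;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);

    volatile int result;
    if (sigsetjmp(fault_env, 1) == 0) {
        int (*fn)(void);
        void *p = buf;
        memcpy(&fn, &p, sizeof fn);  /* object-to-function pointer without an ISO C warning */
        result = fn();               /* faults here if the page is still non-executable */
    } else {
        result = -1;                 /* NX intercepted the attempt and raised an exception */
    }

    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    munmap(buf, (size_t)page);
    return result;
}

int main(void) {
    printf("call into RW data page: %d (-1 = blocked by NX)\n", try_execute(0));
    printf("call into RX code page: %d\n", try_execute(1));
    return 0;
}
```

The first call is exactly what a classic stack/heap shellcode exploit does, and with DEP enforced it ends in an access violation rather than in the attacker's code; the second call shows that the same bytes run fine once the page is explicitly marked executable, which is why real exploits moved on to return-oriented programming or to calling the OS's own protection-changing APIs.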
Processor-corresponding features
- AMD: Enhanced Virus Protection (EVP in AMD64)
- Intel: Execute Disable (XD in EM64T)