Data Execution Prevention: Wikis

  

Note: Many of our articles have direct quotes from sources you can cite, within the Wikipedia article! This article doesn't yet, but we're working on it! See more info or our list of citable articles.

Encyclopedia

From Wikipedia, the free encyclopedia

DEP causing Windows XP to end a program

Data Execution Prevention (DEP) is a security feature included in modern Microsoft Windows operating systems that is intended to prevent an application or service from executing code from a non-executable memory region. This helps prevent certain exploits that store code via a buffer overflow, for example. DEP runs in two modes: hardware-enforced DEP for CPUs that can mark memory pages as nonexecutable, and software-enforced DEP with a limited prevention for CPUs that do not have hardware support. Software-enforced DEP does not protect from execution of code in data pages, but instead from another type of attack (SEH overwrite).

DEP was introduced in Windows XP Service Pack 2 and is included in Windows XP Tablet PC Edition 2005, Windows Server 2003 Service Pack 1 and later,[1] Windows Vista, and Windows Server 2008, and all newer versions of Windows.

Contents

Mode of enforcement

Hardware enforcement

Hardware-enforced DEP enables the NX bit on compatible CPUs, through the automatic use of PAE kernel in 32-bit Windows and the native support on 64-bit kernels. Windows Vista DEP works by marking certain parts of memory as being intended to hold only data, which the NX or XD bit enabled processor then understands as non-executable.[1] This helps prevent buffer overflow attacks from succeeding. In Windows Vista, the DEP status for a process, that is, whether DEP is enabled or disabled for a particular process can be viewed on the Processes tab in the Windows Task Manager.

In some instances, Data Execution Prevention can have the unintended consequence of preventing legitimate software from executing. In these cases, the affected software needs to be flagged as being allowed to execute code in those parts of memory, but this itself leads to a possible attack if the application isn't rigorous in validating data that is passed into a region of memory that is marked as being executable.

If the x86 processor supports this feature in hardware, and if the system's BIOS provides support for this feature and it has been enabled, either by the manufacturer or the user,[2] then the NX features are turned on in Windows, on a limited "OptIn" basis.[3] This setting provides protection only for a limited set of Windows system and binary files. To achieve full protection, the user must choose either "OptOut", covering all programs and processes not specifically exempted, or "AlwaysOn", covering all such without exemption. These are configurable through the System Properties interface.[4] If the feature is not supported by the x86 processor, then no protection is given. Outside of the x86 architecture, a version of NX also exists for Intel's IA-64 architecture that is supported by Windows.

Software enforcement

Software DEP, while unrelated to the NX bit, is what Microsoft calls their enforcement of "Safe Structured Exception Handling". Software DEP/SafeSEH simply checks when an exception is thrown to make sure that the exception is registered in a function table for the application, and requires the program to be built with it. However, even though it creates an impression that software DEP is related to the prevention of executing code in data pages, it is a different form of protection.[1]

Issues

Limitations

Unlike similar protection schemes available on other operating systems, DEP provides no address space layout randomization (ASLR, a feature now available in Windows Vista), which may allow return-to-libc attacks that could feasibly be used to disable DEP during an attack. The possibility has now been demonstrated against Windows Hardware-enforced DEP by authors "skape & Skywing" in the following Uninformed article [1] which relies on a return-to-libc style attack. This technique relies on directly pointing the EIP register to the known service-pack-dependent location which applies the OptIn/OptOut mechanism. It is reliant on the boot-time option of OptOut/OptIn being available. If all pages are strictly enforced, then this attack will not succeed. The PaX documentation further elaborates on why ASLR is necessary. DEP is also useless in a situation where code must be written and executed at runtime; a JIT compiler is a prominent example. The compiler can potentially be used to produce exploit code (e.g. using JIT Spray) that has been flagged for execution and therefore wouldn't be trapped by DEP.

Compatibility

DEP is occasionally the cause of software problems, usually with older software. However, it also fixes problems with some applications, like the Age of Mythology game. DEP is applied to an entire process, so even if an application runs perfectly with DEP, it may need to be disabled if a non-DEP compliant extension is added.

Users have experienced problems using various command line commands that are a part of Microsoft's Services for Unix, which is included as part of Vista as well as Windows Server 2003 R2.

In most cases, these problems may be solved by disabling the DEP features. DEP can be turned off on a per-application basis, or turned off entirely for all non-essential Windows programs and services.[5] Microsoft recommends that DEP not be globally disabled where an application crashes due to a DEP error. Instead, the author or vendor of the offending software should firstly be contacted for an updated version that does not violate DEP, or failing that, that DEP be disabled on an exception basis for the offending application only.[6]

The "COM surrogate has stopped working" error that is sometimes received in Windows Vista while viewing media folders can be corrected by turning off DEP for the dllhost.exe. This error surfaces in Windows Vista because many third party video and audio codecs are not DEP-compliant. This problem may also generally be resolved by updating any installed codecs to their latest versions.

DEP problems can occasionally occur with DEP-compliant core operating system components such as Windows Explorer, Internet Explorer and Windows Installer as they support in-process third party extensions or plugins that may not be DEP-compliant.[7]

Configuration

Performance Options dialog box in Windows Vista allows Data Execution Prevention (DEP) to be configured.

This section describes the four available DEP modes. Two of the modes (OptIn, OptOut) can be controlled through the Performance Options dialog box of System applet in Control Panel, while the other two (AlwaysOn, AlwaysOff) can only be controlled by way of the boot.ini file.[1]

OptIn
This setting is the default configuration for Windows XP and Windows Vista. In this mode, DEP is only enabled for limited Windows system applications and services. Applications are not forced by the Operating System to opt-in -- applications that wish to opt in must explicitly submit a protection request.[8] The only exception however, are 64-bit application and services on Windows Vista x64: 64-bit applications and services that run in this mode are automatically protected in this mode unless they submit an explicit opt-out request.[9][10]
OptOut
This setting is the default configuration for Windows Server 2003 SP1. In this mode, DEP is enabled by default for all programs and services. A list of specific programs that should not have DEP applied can be entered using the System dialog box in Control Panel. Network administrators can use the Application Compatibility Toolkit to "opt out" one or more programs from DEP protection. Programs and services that wish not to have DEP protection must explicitly submit an opt out request.[10][8]
AlwaysOn
This setting provides full DEP coverage for the whole system. All processes always run with DEP applied. The exception list, application compatibility shims and opt-out requests are disregarded.
AlwaysOff
This setting disables DEP entirely. All opt-in requests are disregarded.

The Boot.ini file parameter /noexecute=policy_level adjusts the DEP setting, where policy_level can be either OptIn, OptOut, AlwaysOn or AlwaysOff.[1]

See also

References

  1. ^ a b c d e "A detailed description of the Data Execution Prevention (DEP) feature in Windows XP Service Pack 2, Windows XP Tablet PC Edition 2005, and Windows Server 2003". Microsoft. 2006-09-26. http://support.microsoft.com/kb/875352/EN-US/. Retrieved 2008-07-11. 
  2. ^ "Microsoft Knowledge Base kb912923". 2007-10-07. http://support.microsoft.com/kb/912923. Retrieved 2009-03-14. 
  3. ^ "Microsoft Knowledge Base kb875352". 2006-09-26. http://support.microsoft.com/kb/875352. Retrieved 2009-03-14. 
  4. ^ "System-wide configuration of DEP". 2006-09-26. http://support.microsoft.com/kb/875352#5. Retrieved 2009-03-14. 
  5. ^ Marc Liron. "Adding Software Exceptions In Data Execution Prevention (DEP)". Windows XP Update. http://www.updatexp.com/dep-exceptions.html. Retrieved June 8, 2006. 
  6. ^ "Data Execution Prevention: frequently asked questions". Microsoft. http://windowshelp.microsoft.com/Windows/en-US/help/186de3d0-01af-4d4c-981d-674637d2f4bf1033.mspx. Retrieved 2008-09-15. 
  7. ^ "Windows Installer custom action code must be compatible with Data Execution Prevention in Windows Vista". Microsoft. 2007-03-15. http://support.microsoft.com/kb/929710. Retrieved 2008-07-10. 
  8. ^ a b "SetProcessDEPPolicy Function". Microsoft Developer Network. Microsoft Corporation. 3 December 2009. http://msdn.microsoft.com/en-us/library/bb736299%28VS.85%29.aspx. Retrieved 5 December 2009. 
  9. ^ Robert Hensing. "DEP on Vista exposed!". http://blogs.technet.com/robert_hensing/archive/2007/04/04/dep-on-vista-explained.aspx. Retrieved February 26, 2009. 
  10. ^ a b Hensing, Robert (12 June 2009). "Understanding DEP as a mitigation technology (Part 1)". Microsoft Security Research & Defense Blog. Microsoft TechNet Blog. http://blogs.technet.com/srd/archive/2009/06/12/understanding-dep-as-a-mitigation-technology-part-1.aspx. Retrieved 5 December 2009. 

External links








Got something to say? Make a comment.
Your name
Your email address
Message