Data Execution Prevention
By: Arie Slob

In Windows XP Service Pack 2 (SP2), Microsoft introduced Data Execution Prevention (DEP). DEP is a processor feature that prevents execution of code in memory that is marked as data storage. This limits the "attack surface", specifically for the so-called "buffer overrun" vulnerabilities, where an attacker typically overruns a buffer with code and then executes that code. Unlike a firewall or antivirus program, DEP does not help prevent harmful programs from being installed on your computer. Instead, it monitors your programs to determine whether they use system memory safely. DEP isn't the "end all", but rather just another added layer of protection.
Hardware-enforced DEP
Currently, the only x86 processors that support No-Execute functionality are the AMD 32/64-bit Opteron and Athlon-64. Other processor manufacturers are looking to incorporate DEP support in their processor lines. The Intel Itanium family of 64-bit processors (IA-64 architecture) supports DEP. According to Intel, it will add NX ("No Execute") functionality to all desktop processors by late Q3 2004, and to mobile products by late Q4 2004.
Software-enforced DEP
Windows XP SP2 uses software-based DEP which monitors your programs to determine whether they use system memory safely. To do this, DEP software marks some memory locations as "non-executable." If a program tries to run code from a protected location, DEP closes the program and notifies you. This action occurs even if the code is not malicious. DEP prevents code from being run from data pages such as the default heap, stacks, and memory pools.
DEP compatibility issues can occur for both programs and drivers. Symptoms of a failure that is related to DEP support would include access violations. A dialog box indicates that a program has failed because of DEP. The dialog box contains a message that is similar to the following:
    Data Execution Prevention
    A Windows security feature has detected a problem and closed this program.
    Name: Program name
    Publisher: Program publisher
From the initial error dialog, you can click Advanced to open the DEP configuration settings. You can also reach them from the Windows XP Control Panel: open Performance and Maintenance > System, choose the Advanced tab, click the Settings button under Performance, and select the Data Execution Prevention tab. There you can add an exception for the failing program.
The Data Execution Prevention configuration offers you the following options:
- Turn on DEP for necessary Windows programs and services only.
- Turn on DEP for all programs and services except those that I select.
By selecting one of these options, you can exclude one or more programs or configure DEP settings for the whole computer. Setting the option to turn off DEP adds a switch to the Boot.ini configuration file for the Windows installation that you are currently running.
The Boot.ini file switches are as follows:
- /noexecute=option - There are four options to this switch:
  - OptIn - Default setting. Only Windows system binaries are monitored by DEP.
  - OptOut - Enables DEP for all processes. Users can create a list of applications which are not monitored by DEP using the DEP configuration options listed in the System Control Panel applet.
  - AlwaysOn - Enables DEP for all processes. DEP is always applied, and exception lists are ignored and not available for users to apply.
  - AlwaysOff - This disables DEP.
- /execute - This disables DEP.
When the Boot.ini file is set to either /noexecute=AlwaysOff or /execute, Physical Address Extension (PAE) mode is not invoked.
Likewise, on a processor that does not support hardware no-execute page-protection, PAE mode is not invoked.
Note: Microsoft recommends that you not disable DEP globally. This would put the computer in a less secure state.
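The following is an added example, not code from the original article: a small Python audit of the Boot.ini switches described above. It parses a constructed Boot.ini, selects the entry named by the `default=` line, and maps that entry's /noexecute or /execute switch to the policy meanings listed here, flagging the globally-disabled case. Two points are assumptions rather than documented behaviour: that /execute takes precedence if both switches appear, and that an unrecognized /noexecute option leaves DEP enabled.

```python
"""Audit the DEP policy selected by a Windows XP SP2 Boot.ini file.

Added example (not code from the original article). It parses the
[boot loader] and [operating systems] sections, picks the entry named by
`default=`, and reports which DEP policy that entry's /noexecute or
/execute switch selects, using the meanings listed in the article.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Meaning of each /noexecute option, as described in the article.
NOEXECUTE_POLICIES = {
    "optin": "DEP monitors Windows system binaries only (default)",
    "optout": "DEP for all processes except those on the user's exception list",
    "alwayson": "DEP for all processes; exception list ignored",
    "alwaysoff": "DEP disabled",
}


@dataclass
class DepPolicy:
    entry: str                 # boot entry label, e.g. "Microsoft Windows XP Professional"
    switch: str | None         # raw switch text, e.g. "/noexecute=OptIn"; None if absent
    mode: str                  # optin / optout / alwayson / alwaysoff / execute / unknown
    dep_enabled: bool
    pae_invoked: bool          # False for AlwaysOff and /execute (judged from Boot.ini alone;
                               # a processor without hardware NX also leaves PAE off)
    warnings: list[str] = field(default_factory=list)


_SECTION_RE = re.compile(r"^\[(?P<name>[^\]]+)\]$")
_KV_RE = re.compile(r"^(?P<key>[^=]+?)\s*=\s*(?P<value>.*)$")
_ENTRY_RE = re.compile(r'^"(?P<label>[^"]*)"\s*(?P<switches>.*)$')
_NOEXECUTE_RE = re.compile(r"(?:^|\s)(?P<sw>/noexecute(?:=(?P<opt>\w+))?)", re.IGNORECASE)
_EXECUTE_RE = re.compile(r"(?:^|\s)(?P<sw>/execute)\b", re.IGNORECASE)


def parse_boot_ini(text: str) -> dict[str, dict[str, str]]:
    """Return {section name (lower-cased): {key: value}}; blank and ';' comment lines are skipped."""
    sections: dict[str, dict[str, str]] = {}
    current: dict[str, str] | None = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if m := _SECTION_RE.match(line):
            current = sections.setdefault(m.group("name").strip().lower(), {})
        elif (m := _KV_RE.match(line)) and current is not None:
            current[m.group("key").strip()] = m.group("value").strip()
    return sections


def dep_policy(text: str) -> DepPolicy:
    """Report the DEP policy of the default boot entry in Boot.ini text."""
    sections = parse_boot_ini(text)
    systems = sections.get("operating systems", {})
    if not systems:
        raise ValueError("no [operating systems] entries found")
    warnings: list[str] = []
    default = sections.get("boot loader", {}).get("default", "")
    by_path = {k.lower(): v for k, v in systems.items()}   # ARC paths compared case-insensitively
    entry = by_path.get(default.lower())
    if entry is None:
        warnings.append("default= matches no entry; auditing the first one listed")
        entry = next(iter(systems.values()))
    m = _ENTRY_RE.match(entry)
    label, switches = (m.group("label"), m.group("switches")) if m else (entry, "")

    ne, ex = _NOEXECUTE_RE.search(switches), _EXECUTE_RE.search(switches)
    if ne and ex:
        warnings.append("both /noexecute and /execute present; this audit assumes /execute wins")
    if ex:
        mode, switch = "execute", ex.group("sw")
    elif ne:
        switch = ne.group("sw")
        mode = (ne.group("opt") or "").lower()
        if mode not in NOEXECUTE_POLICIES:
            warnings.append(f"unrecognized /noexecute option in {switch!r}")
            mode = "unknown"   # assumption: reported as enabled, since only AlwaysOff and /execute disable DEP
    else:
        mode, switch = "optin", None   # no switch at all: OptIn is the default policy
    dep_enabled = mode not in ("alwaysoff", "execute")
    if not dep_enabled:
        warnings.append("DEP is disabled globally; Microsoft recommends against this")
    return DepPolicy(label, switch, mode, dep_enabled, dep_enabled, warnings)


def describe(policy: DepPolicy) -> str:
    """One-line human-readable summary of an audited entry."""
    fallback = "DEP disabled" if policy.mode == "execute" else "unrecognized setting"
    meaning = NOEXECUTE_POLICIES.get(policy.mode, fallback)
    return f'{policy.entry}: {policy.switch or "(no switch)"} -> {meaning}'


# Constructed sample Boot.ini (not taken from a real machine).
SAMPLE_BOOT_INI = r"""
[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=OptOut /fastdetect
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP (DEP off)" /execute /fastdetect
"""

if __name__ == "__main__":
    policy = dep_policy(SAMPLE_BOOT_INI)
    print(describe(policy))
    for w in policy.warnings:
        print("warning:", w)
```

Run it against the constructed sample and it reports the OptOut entry as the default; point `default=` at the second entry and it flags DEP as disabled globally, which is the state the note above says to avoid. On a real XP SP2 machine the file to read is Boot.ini in the root of the system drive.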
Related Microsoft Knowledge Base Articles:
- 873155 - Windows desktop does not appear correctly, and you receive a "The application failed to initialize properly (0xc00000005)" error message after you enable the Norton CleanSweep Smart Sweep feature in Windows XP Service Pack 2
- 873158 - The Help and Support Center does not run when the Data Execution Protection feature is turned on in Windows XP Service Pack 2
- 873176 - You cannot install Paint Shop Pro 8 in Windows XP Service Pack 2 or in Windows XP Tablet PC Edition 2005
- 875351 - You receive a "Data Execution Prevention" error message in Windows XP Service Pack 2 or in Windows XP Tablet PC Edition 2005
- 886348 - You receive a Stop error when a driver is not compatible with the Data Execution Prevention (DEP) feature in Windows XP Service Pack 2 or in Windows XP Tablet PC Edition 2005
- 889673 - Hardware (DEP)-enabled computer may unexpectedly quit after you resume from standby or from hibernation in Windows XP Service Pack 2
- 912923 - How to determine that hardware DEP is available and configured on your computer
- 919490 - Programs that throw many exceptions run significantly slower on a Windows XP Service Pack 2 (SP2)-based computer