DEP stands for Data Execution Prevention, a security feature of the Microsoft Windows operating system. Data Execution Prevention (DEP) can be enforced by hardware, by software, or by both, to prevent an application or service from executing code from a non-executable memory region.
DEP prevents code execution from data pages, i.e. default heap pages, stack pages and memory pool pages. If any code is executed from the default heap or stack pages, hardware-enforced DEP detects it and raises an exception. If that exception is not handled in the code, the process is terminated. Likewise, a “Stop” error is thrown when code is executed from protected memory in kernel mode.
Modes of Data Execution Prevention (DEP):
Data Execution Prevention (DEP) can be enforced by either Hardware or Software to prevent exploits.
- Hardware-enforced DEP – In this mode, the CPU marks memory pages as non-executable regions.
- Software-enforced DEP – This mode provides very limited support for DEP; essentially, it offers protection against one class of attack known as “SEH overwrite”.
Hardware-enforced DEP works by marking memory locations in a process as non-executable. Whenever any code is executed from such a region, it is blocked and an exception is raised.
In Windows Vista, DEP works by marking certain memory locations as capable only of holding data, not of executing code. Processors with the NX or XD bit enabled then treat these regions as non-executable. This helps prevent buffer overflow attacks. The DEP status of a process can be viewed on the “Processes” tab in “Task Manager”.
Hardware-enforced DEP uses the NX bit (no-execute page-protection feature) on AMD CPUs and the XD bit (Execute Disable Bit feature) on Intel CPUs, through automatic use of the PAE kernel on 32-bit Windows and native support in 64-bit kernels.
To find out whether your computer's CPU supports Data Execution Prevention, do the following.
- Open the Start menu, right-click “Computer” (or “My Computer” in Windows XP) and choose “Properties” from the context menu.
- In the “System Properties” window, click the tab labeled “Advanced”.
- Click the “Settings” button under “Performance”.
- Then, in the window titled “Performance Options”, click the tab labeled “Data Execution Prevention”.
If your system lacks a CPU that supports DEP, the following message appears, highlighted in yellow, at the bottom of the tab.
Your computer’s processor does not support hardware-based DEP. However, Windows can use DEP software to help prevent some types of attacks.
If there is no such message, your CPU is presumed to support DEP. In Windows 7, you will instead find the message “Your computer’s processor supports hardware-based DEP”.
DEP can also be enforced by software. The software maintains a list of all exceptions and verifies whether an exception thrown by the Windows OS is present in the list. It thus blocks attempts to run malicious code that tries to take advantage of the exception-handling mechanisms in Windows. However, this mode protects only a limited set of system binaries, regardless of the hardware-enforced DEP capabilities of the processor.
In Microsoft Windows XP Service Pack 2 (SP2) and Microsoft Windows XP Tablet PC Edition 2005, DEP is enforced by hardware and by software. Though hardware-enforced DEP is available in Windows XP SP2 and subsequent versions, the ASLR (address space layout randomization) feature is available only in Windows Vista and Windows 7.
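The same check done from PowerShell instead of the Performance Options tab, as an added example that is not part of the original post. It assumes Windows PowerShell 5.1 or later on Windows; GetSystemDEPPolicy and GetProcessDEPPolicy are documented kernel32 APIs declared via P/Invoke, while Get-DepStatus and its output field names are this example's own.

```powershell
# Added example (not the original post's code): report the DEP facts that the
# "Data Execution Prevention" tab shows, plus the DEP state of one process.
# Assumes Windows PowerShell 5.1+ on Windows; the kernel32 declarations mirror the
# documented Win32 signatures, Get-DepStatus and its field names are this example's own.
Add-Type -Namespace DepCheck -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern uint GetSystemDEPPolicy();
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool GetProcessDEPPolicy(IntPtr hProcess, out uint lpFlags, out bool lpPermanent);
'@
function Get-DepStatus {
    param([int]$ProcessId = $PID)   # defaults to the current PowerShell process
    # Win32_OperatingSystem exposes the same facts the Performance Options tab reports.
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    $policyNames = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn'; 3 = 'OptOut' }
    $systemPolicy = [int][DepCheck.Native]::GetSystemDEPPolicy()
    # Per-process state. PROCESS_DEP_ENABLE (0x1) is the bit that matters. The Win32 docs
    # scope GetProcessDEPPolicy to 32-bit processes, and 64-bit processes always run with
    # DEP enabled, so a failed call is reported as an error rather than treated as "off".
    [uint32]$flags = 0
    [bool]$permanent = $false
    $processDepEnabled = $null; $processDepPermanent = $null; $queryError = $null
    try {
        $handle = (Get-Process -Id $ProcessId).Handle
        if ([DepCheck.Native]::GetProcessDEPPolicy($handle, [ref]$flags, [ref]$permanent)) {
            $processDepEnabled   = ($flags -band 1) -ne 0
            $processDepPermanent = $permanent
        } else {
            $code = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
            $queryError = (New-Object ComponentModel.Win32Exception $code).Message
        }
    } catch {
        $queryError = $_.Exception.Message   # e.g. access denied to another user's process
    }
    [pscustomobject]@{
        HardwareDepAvailable = $os.DataExecutionPrevention_Available
        SystemPolicy         = $policyNames[$systemPolicy]
        DepFor32BitApps      = $os.DataExecutionPrevention_32BitApplications
        DepForDrivers        = $os.DataExecutionPrevention_Drivers
        ProcessId            = $ProcessId
        ProcessDepEnabled    = $processDepEnabled
        ProcessDepPermanent  = $processDepPermanent
        ProcessQueryError    = $queryError
    }
}
Get-DepStatus | Format-List
```

HardwareDepAvailable corresponds to the “processor supports hardware-based DEP” message on the tab; SystemPolicy is the OptIn/OptOut/AlwaysOn/AlwaysOff setting the same tab exposes.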
Benefits of DEP:
The primary benefit of DEP is preventing security intrusions by blocking attempts to execute code in data pages, raising an exception instead.
Sometimes DEP may also cause software problems. In such cases, the problems may be solved by disabling the DEP features. You can read about how to enable or disable DEP in our next post.