Microsoft's Remedies: Data Execution Prevention
Protecting that glass jaw.
Data execution prevention is a mechanism that prevents process memory marked as not containing executable code from being run. Enabling DEP means hackers can't turn over control to areas they've corrupted on the stack, on a heap, or in ordinary data sections.
For this to function properly there must be support at the hardware level. For the CPUs in Windows computers there must be a special flag called 'NX' ('non-executable') which can be applied to memory sections so the processor knows which areas of memory must not be treated as executable code.
Microsoft can compensate to a rather minimal degree with a software implementation of DEP if the processor isn't capable of 'NX' by making sure the exception handler resides on an executable 'page' of memory. But that's the extent of it.
DEP is not always enabled by default because of the great number of issues it can cause with legitimate programs. System administrators can set the DEP policy to one of the following levels.
- AlwaysOff. There's no way to turn DEP on for anyone, for any process.
- OptIn. The default setting on most versions of Windows. DEP is not used save for system processes and applications that specifically request it.
- OptOut. Obviously a more attractive level even if it can create issues. The administrator can place certain programs in an exemption list; otherwise all code is protected by default.
- AlwaysOn. The harshest but also potentially the safest. All processes use DEP and the administrator can't set up an exemption list. Used by 64-bit Windows with the notable exception of Internet Explorer which even there is still a 32-bit program.
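As an added example (not part of the original article), the following PowerShell checks which of the four levels a machine is actually running, whether the hardware NX flag is available or only the software fallback, and, on newer Windows, whether DEP is on for a running 32-bit program. The `Win32_OperatingSystem` property values (0 = AlwaysOff, 1 = AlwaysOn, 2 = OptIn, 3 = OptOut) and the `bcdedit /set nx` command are documented Windows interfaces; the warning threshold and the choice of `iexplore` as the process to inspect are this example's own assumptions.

```powershell
# Added example: audit the system-wide DEP policy and hardware NX support,
# then show the command an administrator uses to change the policy.
# Assumes Windows with PowerShell 5.1 or later; bcdedit needs an elevated prompt.

# Win32_OperatingSystem reports the policy as an integer; this mapping
# matches the four levels described in the text.
$policyNames = @{
    0 = 'AlwaysOff'
    1 = 'AlwaysOn'
    2 = 'OptIn'
    3 = 'OptOut'
}

$os     = Get-CimInstance -ClassName Win32_OperatingSystem
$policy = [int]$os.DataExecutionPrevention_SupportPolicy
$level  = $policyNames[$policy]

# Summarise what the machine is doing. A $false HardwareNXAvailable means the
# CPU has no NX flag and only the minimal software fallback is in play.
[pscustomobject]@{
    HardwareNXAvailable = $os.DataExecutionPrevention_Available
    Policy              = $level
    Applies32BitApps    = $os.DataExecutionPrevention_32BitApplications
    AppliesDrivers      = $os.DataExecutionPrevention_Drivers
}

# OptIn (the common default) and AlwaysOff leave most third-party programs
# unprotected; flag that so it surfaces in an audit report. (Assumed threshold.)
if ($policy -eq 2 -or $policy -eq 0) {
    Write-Warning "DEP policy is $level: processes that do not opt in run without DEP."
}

# Per-process view (Windows 10 / Server 2016 and later only): is DEP enabled
# for a running 32-bit program? Internet Explorer is the example the text names.
if (Get-Command Get-ProcessMitigation -ErrorAction SilentlyContinue) {
    Get-Process -Name iexplore -ErrorAction SilentlyContinue |
        ForEach-Object { (Get-ProcessMitigation -Id $_.Id).DEP }
}

# Changing the system policy (takes effect after a reboot, elevated prompt):
#   bcdedit /set nx OptOut      # protect everything except an exemption list
#   bcdedit /set nx AlwaysOn    # protect everything, no exemptions possible
```

Run it in an ordinary session to read the current state; only the commented `bcdedit` lines need elevation. The `DEP` object returned by `Get-ProcessMitigation` carries an `Enable` field, so a process showing `Enable: OFF` under an OptIn policy is exactly the unprotected case the list above describes.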
So is this real safety, or only incremental safety? Can hackers still find executable areas of process memory?