DEP Down: Part 1

Today we continue our series of technical blogs with a blog about DEP (Data Execution Prevention). There are many good blogs and articles about DEP which go into great detail over the what, where, when and how’s of DEP and as such, I will only keep the introduction at a very minimum. Please follow the various links sprinkled throughout the blog for in-depth information about DEP, ROP and ASLR. Short Introduction on DEP Simply put, DEP was developed to protect against execution of code placed in memory meant to hold data such as heaps, stack, data sections, etc. Why is this a bad thing? Because most exploits rely on being able to do such a thing. We should mention right off the bat that there are two forms of DEP: hardware-based and software-based. Hardware-based DEP needs support from the CPU materialized by a so-called NX bit (non-executable bit). After AMD decided to include this functionality in its AMD64 family, Intel introduced a similar feature called Execute Disable Bit (XD) in x86 processors beginning with the Pentium 4 processors based on later iterations of the Prescott core. The NX bit specifically refers to bit number 63 (the most significant bit) of a 64-bit entry in Page Table Entries (PTE). If this bit is set to 0, then code can be executed from that page; if set to 1, code cannot be executed from that page. It should be noted that Physical Address Extension (PAE) page table format is required, due to x86's original 32-bit page table format having no room for the NX bit. To find out if your CPU supports DEP try the excellent program SecurAble. Support for hardware DEP was introduced in Windows XP SP2 and Windows Server 2003 SP1 and is present in all releases after. DEP applies to user-land processes causing them to terminate by throwing a memory access violation exception, as well as kernel drivers where upon detection will cause the system to BSOD with a code of 0xFC: ATTEMPTED_EXECUTE_OF_NOEXECUTE_MEMORY. To see which processes are protected by DEP on Vista and above use Task Manager’s Process tab. On Windows XP, you need to use Process Explorer. In both cases the “Data Execution Prevention” box needs to be checked in the “View | Select Columns” menu. Software-Based DEP relies on code that performs validation checks instead and it has the obvious advantage of running on older CPUs while incurring a relative overhead compared to the hardware solution. In Windows however, software DEP is only used to validate SEH exception handler chains. For more details about how SEH validation is performed and to learn about the new SEHOP protection added in Vista and enabled by default on Windows 2008, please read this article. As most exploits rely on executing code from data memory, DEP should solve the problem, right? Well, not exactly… First, DEP is not always enforced even if the hardware and the OS support it. See this Microsoft Support Article for a description of the four DEP policy modes: AlwaysOn, AlwaysOff, OptIn, and OptOut. As the name suggests, if the policy is not set to AlwaysOn or OptOut, chances are that most 3rd-party applications will not be protected. In addition to those 4 modes, Microsoft implemented a mechanism called "Permanent DEP". On Vista (and newer), this "permanent" flag is automatically set for all executables that were linked by the vendor with the /NXCOMPAT linker option. To conclude our introduction on DEP, we’ve learned that while being a good defense against exploits, DEP is not perfect. In the next blog we will go into the details of how DEP can be defeated and one of the ways a security product with buffer overflow protection can still detect foul play. Blog by: Laurentiu Nicula Founding Software Engineer LNicula@eeye.com