DEP Down: Part 1

October 14, 2010

Today we continue our series of technical blogs with a blog about DEP (Data Execution Prevention). There are many good blogs and articles about DEP which go into great detail over the what, where, when and how of DEP, so I will keep the introduction to a minimum. Please follow the various links sprinkled throughout the blog for in-depth information about DEP, ROP and ASLR.

Short Introduction on DEP

Simply put, DEP was developed to protect against execution of code placed in memory meant to hold data, such as heaps, the stack, data sections, etc. Why is this a bad thing? Because most exploits rely on being able to do exactly that.

We should mention right off the bat that there are two forms of DEP: hardware-based and software-based. Hardware-based DEP needs support from the CPU, materialized by a so-called NX bit (non-executable bit). After AMD decided to include this functionality in its AMD64 family, Intel introduced a similar feature called Execute Disable Bit (XD) in x86 processors, beginning with the Pentium 4 processors based on later iterations of the Prescott core. The NX bit specifically refers to bit number 63 (the most significant bit) of a 64-bit Page Table Entry (PTE). If this bit is set to 0, code can be executed from that page; if it is set to 1, code cannot be executed from that page. It should be noted that the Physical Address Extension (PAE) page table format is required, because x86's original 32-bit page table format has no room for the NX bit. To find out if your CPU supports DEP, try the excellent program SecurAble.

Support for hardware DEP was introduced in Windows XP SP2 and Windows Server 2003 SP1 and is present in all releases after. DEP applies to user-land processes, which are terminated by a memory access violation exception, as well as to kernel drivers, where a violation causes the system to BSOD with bugcheck code 0xFC: ATTEMPTED_EXECUTE_OF_NOEXECUTE_MEMORY.
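To make the NX-bit description concrete, here is an added example (not code from the original post) that decodes the DEP-relevant fields of a 64-bit PAE/x64 page table entry and shows why the legacy 32-bit entry cannot express "no execute" at all. The bit positions are the standard x86 PAE and long-mode layout; the sample entries at the bottom are constructed, not dumped from a real machine.

```python
"""Decode the DEP-relevant bits of a 64-bit (PAE / x64) page table entry.

Added example for this post, not code from the original article. The layout
is the standard x86 PAE and long-mode PTE format: bit 0 present, bit 1
writable, bit 2 user-accessible, bits 12-51 physical page frame, bit 63 NX.
"""

PTE_PRESENT = 1 << 0
PTE_WRITABLE = 1 << 1
PTE_USER = 1 << 2
PTE_PFN_MASK = ((1 << 52) - 1) & ~((1 << 12) - 1)   # bits 12..51
PTE_NX = 1 << 63                                    # the "NX bit" of the post


def decode_pte(pte: int) -> dict:
    """Split a 64-bit PTE into its DEP-relevant fields."""
    if not 0 <= pte < (1 << 64):
        raise ValueError("PTE must be an unsigned 64-bit value")
    return {
        "present": bool(pte & PTE_PRESENT),
        "writable": bool(pte & PTE_WRITABLE),
        "user": bool(pte & PTE_USER),
        "physical_addr": pte & PTE_PFN_MASK,
        "no_execute": bool(pte & PTE_NX),
    }


def execute_allowed(pte: int) -> bool:
    """True if an instruction fetch from this page succeeds under hardware DEP.

    A non-present page faults regardless; a present page with NX=1 is exactly
    the case the post describes: an access violation in user mode, or bugcheck
    0xFC (ATTEMPTED_EXECUTE_OF_NOEXECUTE_MEMORY) for a kernel driver.
    """
    fields = decode_pte(pte)
    return fields["present"] and not fields["no_execute"]


def legacy_pte_execute_allowed(pte32: int) -> bool:
    """The original 32-bit (non-PAE) PTE has no NX field at all, so any present
    page is executable. This is why PAE is required for hardware DEP."""
    if not 0 <= pte32 < (1 << 32):
        raise ValueError("legacy PTE must be an unsigned 32-bit value")
    return bool(pte32 & PTE_PRESENT)


def make_pte(phys: int, *, writable: bool, nx: bool, user: bool = True) -> int:
    """Build a present PTE for a page-aligned physical address (test helper)."""
    if phys & ~PTE_PFN_MASK:
        raise ValueError("physical address must be page aligned and < 2^52")
    pte = phys | PTE_PRESENT
    if writable:
        pte |= PTE_WRITABLE
    if user:
        pte |= PTE_USER
    if nx:
        pte |= PTE_NX
    return pte


# Constructed sample entries (not dumps from a real machine): a stack page
# mapped writable + NX, and a code page mapped read-only + executable.
STACK_PTE = make_pte(0x1234_5000, writable=True, nx=True)
CODE_PTE = make_pte(0x7FF0_0000, writable=False, nx=False)

if __name__ == "__main__":
    for name, pte in (("stack", STACK_PTE), ("code", CODE_PTE)):
        print(f"{name}: pte=0x{pte:016x} {decode_pte(pte)} "
              f"execute_allowed={execute_allowed(pte)}")
```

Run it as a script to see both entries decoded; the stack entry carries bit 63 and is therefore rejected by `execute_allowed`, while the same physical page described by a legacy 32-bit entry would have no way to say so.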
To see which processes are protected by DEP on Vista and above, use Task Manager's Processes tab. On Windows XP, you need to use Process Explorer. In both cases the "Data Execution Prevention" box needs to be checked in the "View | Select Columns" menu.

Software-based DEP relies on code that performs validation checks instead. It has the obvious advantage of running on older CPUs, while incurring some overhead compared to the hardware solution. In Windows, however, software DEP is only used to validate SEH exception handler chains. For more details about how SEH validation is performed, and to learn about the new SEHOP protection added in Vista and enabled by default on Windows 2008, please read this article.

As most exploits rely on executing code from data memory, DEP should solve the problem, right? Well, not exactly… First, DEP is not always enforced even if the hardware and the OS support it. See this Microsoft Support Article for a description of the four DEP policy modes: AlwaysOn, AlwaysOff, OptIn, and OptOut. As the names suggest, if the policy is not set to AlwaysOn or OptOut, chances are that most third-party applications will not be protected. In addition to those four modes, Microsoft implemented a mechanism called "Permanent DEP". On Vista (and newer), this "permanent" flag is automatically set for all executables that were linked by the vendor with the /NXCOMPAT linker option.

To conclude our introduction on DEP, we've learned that while it is a good defense against exploits, DEP is not perfect. In the next blog we will go into the details of how DEP can be defeated, and one of the ways a security product with buffer overflow protection can still detect foul play.

Blog by: Laurentiu Nicula, Founding Software Engineer, LNicula@eeye.com
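The /NXCOMPAT decision the post mentions is recorded in the image itself, so a defender can audit binaries before they run. The following added example (not code from the original post, nor from any eEye or BeyondTrust product) reads the DllCharacteristics word from a PE header to report the NX_COMPAT flag (plus the related DYNAMIC_BASE and NO_SEH flags), and then applies the four policy modes described above to predict whether a 32-bit process started from that image gets DEP, and whether it is permanent. Header offsets and flag values are from the PE format; the policy table in `effective_dep` is my reading of the modes as the post describes them (explicit per-process opt-in via API calls is not modelled), and the sample images are constructed header-only stubs, not real binaries.

```python
"""Check a PE image for /NXCOMPAT and model the four DEP policy modes.

Added example for this post, not code from the original article. Offsets and
flag values come from the PE format; effective_dep() encodes the policy
modes as described in the post and is an assumption beyond that.
"""
import struct

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # /DYNAMICBASE (ASLR)
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100     # /NXCOMPAT (DEP-compatible)
IMAGE_DLLCHARACTERISTICS_NO_SEH = 0x0400        # image uses no SEH handlers

PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B
DLLCHARACTERISTICS_OFFSET = 70  # same offset in PE32 and PE32+ optional headers


def dll_characteristics(image: bytes) -> int:
    """Walk DOS header -> PE signature -> COFF header -> optional header and
    return the DllCharacteristics word. Raises ValueError on malformed input."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("missing DOS header")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    if len(image) < coff + 20:
        raise ValueError("truncated COFF header")
    (size_of_optional,) = struct.unpack_from("<H", image, coff + 16)
    opt = coff + 20
    if size_of_optional < DLLCHARACTERISTICS_OFFSET + 2 or len(image) < opt + size_of_optional:
        raise ValueError("optional header too short")
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError(f"unknown optional header magic 0x{magic:x}")
    (flags,) = struct.unpack_from("<H", image, opt + DLLCHARACTERISTICS_OFFSET)
    return flags


def mitigation_flags(image: bytes) -> dict:
    """Report the linker-set mitigation flags relevant to DEP, ASLR and SEH."""
    flags = dll_characteristics(image)
    return {
        "nx_compat": bool(flags & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        "dynamic_base": bool(flags & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "no_seh": bool(flags & IMAGE_DLLCHARACTERISTICS_NO_SEH),
    }


def effective_dep(policy: str, image: bytes, exempted: bool = False) -> tuple:
    """Return (dep_enabled, permanent) for a 32-bit process started from
    `image` under the system policy, following the post: AlwaysOn covers
    everything, AlwaysOff nothing, OptIn only /NXCOMPAT images, OptOut
    everything not on the exemption list. The permanent flag is set on Vista
    and later for /NXCOMPAT images. (Assumed model; API-level opt-in ignored.)"""
    nx_compat = mitigation_flags(image)["nx_compat"]
    if policy == "AlwaysOn":
        return True, True
    if policy == "AlwaysOff":
        return False, False
    if policy == "OptIn":
        return nx_compat, nx_compat
    if policy == "OptOut":
        return (not exempted) or nx_compat, nx_compat
    raise ValueError(f"unknown DEP policy {policy!r}")


def build_sample_pe(characteristics: int, pe32plus: bool = True) -> bytes:
    """Construct a header-only PE image for the demonstration. It is not
    loadable, but it has every field the parser above touches."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew
    opt_size = 0xF0 if pe32plus else 0xE0             # standard header sizes
    machine = 0x8664 if pe32plus else 0x14C           # AMD64 / i386
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, 0x0022)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    struct.pack_into("<H", opt, DLLCHARACTERISTICS_OFFSET, characteristics)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


# Constructed samples (not real binaries): a 32-bit build linked with
# /NXCOMPAT and /DYNAMICBASE, and a legacy 32-bit build with no flags at all.
MODERN_IMAGE = build_sample_pe(
    IMAGE_DLLCHARACTERISTICS_NX_COMPAT | IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE,
    pe32plus=False)
LEGACY_IMAGE = build_sample_pe(0, pe32plus=False)

if __name__ == "__main__":
    import sys
    images = {"modern": MODERN_IMAGE, "legacy": LEGACY_IMAGE}
    if len(sys.argv) > 1:                             # audit a real file instead
        with open(sys.argv[1], "rb") as fh:
            images = {sys.argv[1]: fh.read()}
    for name, data in images.items():
        print(name, mitigation_flags(data))
        for policy in ("AlwaysOn", "AlwaysOff", "OptIn", "OptOut"):
            print(f"  {policy:9s} -> (enabled, permanent) = {effective_dep(policy, data)}")
```

Pass a path on the command line to audit a real executable or DLL. The useful lesson is in the OptIn row: a legacy image with a clear NX_COMPAT bit gets no DEP on a default-policy client machine, which is the gap the post warns about.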

Scott Lang, Sr. Director, Product Marketing at BeyondTrust
