Dep (Data Execution Protection) Introduction

Introduction

Dep-short for Data Execution Protection, Data Execution Prevention. Data Execution Protection (DEP) is a set of hardware and software technologies that can perform additional checks on the memory to help prevent malicious code from running on the system. In Microsoft Windows XP Service Pack 2, Microsoft Windows Server 2003 Service Pack 1, Microsoft Windows XP Tablet PC Edition 2005, Microsoft Windows Vista, and Microsoft Windows 7, dep is enforced by hardware and software. Dep close method Start Menu \ Settings \ Control Panel \ System \ Advanced \ Start and fault recovery \ Settings \ edit \ multi (0) disk (0) RDISK (0) Partition (1) \ Windows = "WindowsXP"/fastdetect/noexecute = alwaysoff/detecthaldep the main advantage is that it can help prevent data pages from executing code. Generally, code is not executed from the default heap and stack. The hardware implements Dep detection of code running from these locations and raises exceptions when detecting execution. Software Implementation Dep can help prevent malicious code from using the Exception Handling Mechanism in Windows for destruction. Hardware Implementation DEP is a feature of some Dep compatible processors that prevents code execution in the memory area marked as a data storage area. This function is also called non-execution and execution protection. Windows XP SP2 also includes software implementation DEP, which aims to reduce the use of the exception handling mechanism in windows. Unlike anti-virus programs, the hardware and software Dep technology is not designed to prevent installation of harmful programs on computers. Instead, it monitors your installed programs to help determine whether they are using the system memory safely. To monitor your program, the hardware implementation Dep tracks memory areas that have been specified as "unexecutable. If the memory is specified as "unexecutable" but a program tries to execute code through the memory, Windows will close the program to prevent malicious code. This operation is performed regardless of whether the code is malicious or not. [1] Note: software-based DEP is a part of Windows XP SP2 and is enabled by default. Dep is not implemented on the hardware of the processor. By default, DEP is applied to core operating system components and services. The default DEP configuration aims to protect your computer and minimize the impact on application compatibility. However, some programs may not run correctly, depending on your DEP configuration. On a computer running Microsoft Windows XP 64-bit with a Dep compatible processor, the hardware implementation DEP is enabled by default. 64-bit applications will not run through the "unexecutable" Area of the memory. Dep enabled by hardware cannot be disabled. Software on Windows XP SP2 Enables DEP and 32-bit applications running on any processor can be configured as the memory-used "executable" or "unexecutable" area. To work with Microsoft's DEP function, Intel developed the execute disable bit (EDB) memory Protection Technology for its CPU. Currently, Intel P4 Prescott (mpga478 and lga775 packages) is the C0 or D0 step-by-step core. The latest J series P4 Prescott uses the E0 step-by-step core. Among them, only the J series P4 Prescott has the anti-virus function. Only the J series P4 Prescott truly supports the EDP technology and can cooperate with the DEP anti-virus function of SP2 to invalidate the virus designed for the buffer overflow vulnerability, prevent them from replicating and spreading them to other systems. AMD 64-bit processors are the first to support Microsoft's DEP technology. To work with DEP, AMD and Microsoft have jointly designed and developed the new AMD chip function "enhanced virus protection" (EVP enhances virus protection ). AMD 64-bit processors (including the athlon 64/athlon 64 FX/athlon 64 mobile version/sempron mobile version) will all have the EVP function. The EVP function can work with the DEP Technology of SP2 to prevent the common attack means of "cache overflow" and to combat some viruses and worms, provides better protection for daily work such as sending and receiving emails and downloading files. [1] Dep Security Mechanism Dep (Data Execution Prevention) is "Data Execution Protection", which is a Windows security mechanism mainly used to prevent viruses and other security threats from causing damage to the system. Microsoft has introduced this technology from Windows XP SP2 and continues to Windows Server 2003 and Windows Server 2008 since then. Without exception, DEP is also introduced as a security mechanism in Windows 7. This article will analyze the DEP in Windows 7. 1. Dep's security mechanism can be said that overflow is always the pain of the Operating System (application software), and Windows 7 is no exception. The so-called overflow mainly refers to buffer overflow, which means that malicious code is executed from the memory location that only windows and other programs can use by using system (Application Software) vulnerabilities to control the system. As mentioned above, buffer overflow attacks often write executable malicious code in the memory buffer of other programs, and then trick the program into executing malicious code. Dep is used to prevent execution of malicious inserted code. Its running mechanism is that Windows uses Dep to mark the memory location containing only data as non-executable (nx ), when an application tries to execute code from a memory location marked as Nx, the DEP logic of Windows will prevent the application from doing so, thus protecting the system from overflow. 2. Dep implementation method Microsoft Dep implementation adopts two methods: hardware forced Dep and software forced dep. Hardware forces DEP, which requires support from the processor, but now most processors support dep. The software forces DEP, which is provided by a special set of pointers automatically added for the stored data objects in the system memory of the Windows operating system. How can I know whether my processor supports dep? Right-click the "computer" icon on the desktop, select "properties", and click "Advanced System settings" in the "System" window to open the "System Properties" panel. Click "Settings" under "performance" on the "advanced" tab page to open the "performance options" panel. Click the "Data Execution Protection" tab. on this page, you can check whether your computer's processor supports dep. If it is supported, "your computer processor supports hardware-based Dep" is displayed in the bottom line .", On the contrary, it will show that "your computer processor does not support hardware-based dep. However, Windows can use Dep to prevent some types of attacks ." (Figure 1)

[1]

3. The running level of Dep can be divided into four types based on the startup parameters. (1) optin: by default, only Dep protection is applied to components and services in windows, but not to other programs. However, you can use the application compatibility tool (Act, application compatibility Toolkit) enable DEP for the selected program. Dep is automatically applied to programs compiled by the/nxcompat option under Vista. This mode can be dynamically disabled by applications. It is mostly used in common user operating systems, such as Windows XP, Windows Vista, and Windows 7. (2) optout: Enables DEP for all programs and services not included in the exclusion list. You can manually specify programs and services that do not enable Dep protection in the exclusion list. This mode can be dynamically disabled by applications. It is mostly used for server version operating systems, such as Windows 2003 and Windows 2008. (3) alwayson: Enable Dep protection for all processes. There is no sorting list. In this mode, DEP cannot be disabled, currently, only 64-bit operating systems work in alwayson mode. (4) alwaysoff: DEP is disabled for all processes. In this mode, DEP cannot be dynamically enabled. This mode is generally used only in a specific scenario, for example, DEP interferes with the normal operation of the program. [1] In Windows 7, DEP is activated by default. However, DEP cannot protect all running applications in the system. The list of programs that Dep can protect is defined by the protection level of dep. Dep supports two protection levels: Level 1, which only protects Windows system code and executable files, and does not protect other Microsoft or third-party applications running in the system. Level 2, protects all executable code running in the system, including windows code and Microsoft or third-party applications. By default, DEP of Windows 7 runs under protection of level 1. In the "Data Execution Protection" configuration panel, we can set the DEP protection level. In Windows 7, the author "only activates DEP for basic Windows programs and services" by default, that is, the DEP protection level is 1. Of course, we can also switch "Open DEP for all programs and services in addition to the following options" to Dep Protection Level 2. In Protection Level 2, you can select a specific application not protected by dep. In practical applications, this function is very important because some old applications cannot run normally when activating dep. For example, when we use word for text editing, it is automatically excluded from Dep protection. Note that before you switch Dep protection to level 2, you must run the application compatibility test to ensure that all applications can run properly when DEP is activated. To exclude an application from DEP, you must use the "add" button on the DEP configuration page to add the executable files of the application to the exclusion list. 4. How to disable Dep protection should be reminded that when Dep runs at Protection Level 2, running all Dep checks on the processor and system memory will affect system performance, this slows down the system operation, so in some cases we can consider completely disabling Dep protection. We know that the DEP option is not provided in the DEP settings panel. How can we disable it? If it was a system earlier than Vista, we can modify the boot. ini file and add the noexecute = always0ff statement to close it. In Windows Vista, Windows Server 2008, and Windows 7. the INI file has been replaced by the boot configuration data (BCD) file. However, we can use the Microsoft command line tool bcdedit.exe to edit the BCD file. Run the bcedit command without any parameters at the command prompt. The current STARTUP configuration shows the result of running bcdedit on Windows 7. The last line shows NX optin, indicates that the current Dep protection level is 1. If it is displayed as optout, it indicates that the current EDP protection level is 2. To disable DEP, set NX to always0ff. Run the command "bcdedit/set NX alwaysoff" on the command line. After the system is restarted, the DEP of Windows 7 is disabled. If you want to enable DEP for all services and applications, execute the command "bcdedit/set NX alwayson. The limits of DEP are the same as those described earlier. Dep also has its own limitations. First, hardware Dep requires CPU support, but not all CPUs provide hardware Dep support. In some old CPUs, DEP cannot work. Secondly, due to compatibility, Windows cannot enable Dep protection for all processes; otherwise, exceptions may occur. For example, some third-party plug-in DLL cannot confirm whether it supports DEP, so it is hard to enable Dep protection for programs involving these DLL. In addition, programs using ATL 7.1 or earlier versions need to generate executable code on the data page. In this case, DEP protection cannot be enabled; otherwise, exceptions may occur. Again, the/nxcompat compilation option, or the image_dllcharacteristics_nx_compat setting, is only valid for Windows Vista and later systems. In previous systems, such as Windows XP SP3, this setting is ignored. That is to say, even programs that use this link option do not automatically enable Dep protection on some operating systems. Finally, when Dep works in the two most important statuses optin and optout, DEP can be dynamically disabled and enabled, this indicates that the operating system provides some API functions to control the DEP status. Unfortunately, there are no restrictions on the calling of these API functions in the early operating system. All processes can call these API functions, which poses a great security risk, it also provides a way for us to break through dep.