The root cause of overflow attacks is that modern computers do not clearly distinguish data from code. Since it is impractical to design a new computer architecture from scratch, we can only rely on patches that stay compatible with existing software to limit the damage caused by overflows. DEP (Data Execution Prevention) is such a patch: it compensates for the computer's inherent confusion of data and code.
The basic principle of DEP is to mark the memory pages that hold data as non-executable. When a program overflows and control is successfully transferred to shellcode, the program attempts to execute instructions on a data page, and the CPU throws an exception instead of executing the malicious instructions.
DEP is mainly used to prevent data pages (such as the default heap pages, the various stack pages, and memory pool pages) from executing code. Microsoft has provided this technology since Windows XP SP2. Based on the implementation mechanism, DEP can be divided into software DEP and hardware DEP (hardware-enforced DEP).
Software DEP is actually the SafeSEH we introduced earlier. It aims to prevent attacks that abuse SEH. This mechanism has nothing to do with the CPU hardware: Windows implements it by software simulation, which provides some protection for the operating system. Now everyone can understand why the SafeSEH verification process checks whether the exception handler is located on a non-executable page.
Hardware DEP is the real DEP. It requires CPU support, and both AMD and Intel have implemented it: AMD calls it No-Execute Page-Protection (NX), and Intel calls it Execute Disable Bit (XD). The function and working principle of the two are essentially the same.
The operating system prevents code from being executed from a memory page by setting the NX/XD attribute flag on that page. To implement this, a dedicated flag bit (NX/XD) is added to each page table entry to indicate whether instructions may be executed from that page. When the flag is 0, instructions can be executed from the page; when it is 1, they cannot.
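The NX flag at work, as an added example that is not part of the original text: a small Linux/x86 C program (function and variable names are mine, assumed for illustration) that places a one-byte `ret` function in an anonymous page and calls it once while the page is still a read-write data page, and once after the page has been re-protected as read-execute. The first call is refused by the CPU and arrives as SIGSEGV, exactly the behaviour described above; the second returns normally.

```c
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

static sigjmp_buf fault_env;
/* The CPU refuses to fetch from an NX page; the kernel reports SIGSEGV and we unwind. */
static void on_fault(int sig) {
    (void)sig;
    siglongjmp(fault_env, 1);
}

/* Places a harmless one-byte function (x86 'ret') in a fresh anonymous page and calls it.
 * Returns 1 if the call returned normally, 0 if the fetch was blocked, -1 on setup failure. */
int probe_page_execution(int mark_executable) {
#if !defined(__x86_64__) && !defined(__i386__)
    return -1;  /* only the x86 encoding of 'ret' is embedded below */
#endif
    static const unsigned char code[] = { 0xC3 };
    long page = sysconf(_SC_PAGESIZE);
    unsigned char *buf = mmap(NULL, page, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (buf == MAP_FAILED) return -1;
    memcpy(buf, code, sizeof code);              /* data is written while the page is RW only */
    /* Clearing NX for this page (RX, never RWX) is the "legitimate code" case. */
    if (mark_executable && mprotect(buf, page, PROT_READ | PROT_EXEC) != 0) {
        munmap(buf, page); return -1;
    }
    struct sigaction sa = {0}, old_segv;
    sa.sa_handler = on_fault;
    sa.sa_flags = SA_NODEFER;
    sigaction(SIGSEGV, &sa, &old_segv);
    volatile int executed = 0;
    if (sigsetjmp(fault_env, 1) == 0) {
        union { unsigned char *p; void (*f)(void); } u = { buf };
        u.f();                                   /* faults here when the page is still NX */
        executed = 1;
    }
    sigaction(SIGSEGV, &old_segv, NULL);
    munmap(buf, page);
    return executed;
}
int main(void) {
    printf("RW (NX) page: %s\n", probe_page_execution(0) == 1 ? "executed" : "blocked");
    printf("RX page:      %s\n", probe_page_execution(1) == 1 ? "executed" : "blocked");
    return 0;
}
```

Run as an unprivileged user on an x86 machine with NX enabled; a hardened kernel or a SELinux execmem policy may refuse the `mprotect` to RX, in which case the second probe reports a setup failure rather than an execution.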
Because software DEP is simply the so-called SafeSEH, and we have already covered how SafeSEH is bypassed, this section discusses and analyzes hardware DEP only.
You can check whether the CPU supports hardware DEP as follows: right-click "My Computer" on the desktop and select "Properties"; in the "System Properties" window, click the "Advanced" tab; under "Performance" on that tab, click "Settings" to open the "Performance Options" dialog; then click the "Data Execution Prevention" tab. This page shows whether your computer's CPU supports DEP. If the CPU does not support hardware DEP, a message like the following is displayed at the bottom of the page: "Your computer's processor does not support hardware-based DEP. However, Windows can use DEP software to help protect against some types of attacks."