DEP Protection Principle
The root cause of overflow attacks is a first-day defect of the computer architecture: there is no clear distinction between data and code. Redesigning the architecture is, for now, out of the question, so we can only rely on compatible patching to limit the damage that overflows can do. DEP (Data Execution Prevention) is the patch that compensates for this inherent confusion of data and code.
The basic principle of DEP is to mark the memory pages that hold data as non-executable. When an overflow succeeds in transferring control to shellcode, the program tries to execute instructions from a data page; the CPU then raises an exception instead of executing the malicious instructions, as shown in Figure 12.1.1.
DEP is mainly used to prevent data pages (such as the default heap, the various thread stacks, and memory pool pages) from executing code. Microsoft has shipped this protection since Windows XP SP2. By implementation mechanism it is divided into software DEP and hardware DEP (hardware-enforced DEP).
Software DEP is in fact the SafeSEH mechanism introduced earlier. It is intended to stop attacks that abuse S.E.H (Structured Exception Handling), and it has nothing to do with the CPU: Windows implements it purely in software, which gives the operating system a certain amount of protection. You can now see why the SafeSEH verification process checks whether the exception handler lies on a non-executable page.
Hardware DEP is the real DEP. It requires CPU support, and both AMD and Intel have implemented it: AMD calls it No-Execute Page-Protection (NX) and Intel calls it Execute Disable Bit (XD), but their function and working principle are essentially the same.
The operating system prohibits instruction fetches from a memory page by setting the NX/XD attribute bit on that page. To implement this, a dedicated bit (NX/XD) is added to each page-table entry to record whether instructions may be executed from the page: when the bit is 0, instructions on the page can be executed; when it is 1, they cannot.
Since software DEP is just the SafeSEH we already know, and its bypasses have already been covered, this section discusses and analyzes hardware DEP only.
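The following program is an added example, not code from the book, that shows the two ideas above in action: a page that holds data is mapped without execute permission, control is transferred into it as an overflow would do, and the CPU faults; flipping the page's protection (which is what clears the NX/XD bit in the page-table entry) makes the very same bytes run. It is written for a POSIX system (Linux, x86-64 or AArch64) with mmap/mprotect rather than the Windows VirtualAlloc/VirtualProtect calls, and the "shellcode" is a constructed stub that merely returns 42 so the result can be checked; the fault is caught with a SIGSEGV/SIGBUS handler and siglongjmp so the program can report it instead of dying.

```c
/* Added DEP/NX demonstration (not from the book). Maps a page as data (RW),
 * places a tiny constructed stub in it, and calls it twice: once while the
 * page is non-executable (the CPU faults) and once after mprotect() makes it
 * executable (the stub runs and returns 42). */
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE
#endif
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Constructed stand-in for shellcode: "return 42". */
#if defined(__x86_64__) || defined(__i386__)
static const unsigned char kStub[] = { 0xB8, 0x2A, 0x00, 0x00, 0x00, 0xC3 };   /* mov eax,42 ; ret */
#elif defined(__aarch64__)
static const unsigned char kStub[] = { 0x40, 0x05, 0x80, 0x52, 0xC0, 0x03, 0x5F, 0xD6 }; /* mov w0,#42 ; ret */
#else
#error "no return-42 stub for this architecture"
#endif

enum { STUB_FAULTED = -1, STUB_MAP_ERROR = -2 };

static sigjmp_buf g_env;

/* The CPU refused to fetch instructions from the page: unwind back to the caller. */
static void on_fault(int sig) {
    (void)sig;
    siglongjmp(g_env, 1);
}

/* make_executable == 0: leave the page RW (NX set)        -> returns STUB_FAULTED
 * make_executable != 0: switch the page to RX before the call -> returns 42 */
int run_stub_from_page(int make_executable) {
    size_t pagesz = (size_t)sysconf(_SC_PAGESIZE);
    unsigned char *page = mmap(NULL, pagesz, PROT_READ | PROT_WRITE,
                               MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (page == MAP_FAILED) return STUB_MAP_ERROR;
    memcpy(page, kStub, sizeof kStub);          /* "overflow" writes the payload into data */

    if (make_executable) {
        /* This is the step DEP denies an attacker: clearing NX on the page. */
        if (mprotect(page, pagesz, PROT_READ | PROT_EXEC) != 0) {
            munmap(page, pagesz);
            return STUB_MAP_ERROR;
        }
        __builtin___clear_cache((char *)page, (char *)page + sizeof kStub); /* I-cache sync on ARM */
    }

    struct sigaction sa, old_segv, old_bus;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);

    volatile int result;
    if (sigsetjmp(g_env, 1) == 0) {
        int (*fn)(void);
        memcpy(&fn, &page, sizeof fn);          /* transfer control into the data page */
        result = fn();
    } else {
        result = STUB_FAULTED;                  /* landed here from on_fault() */
    }

    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    munmap(page, pagesz);
    return result;
}

int main(void) {
    printf("call into RW (NX) page : %d\n", run_stub_from_page(0));
    printf("call into RX page      : %d\n", run_stub_from_page(1));
    return 0;
}
```

The first call prints -1 and the second 42. The bytes in the page are identical in both runs; the only difference is the execute bit in the page-table entry, which is exactly why a DEP bypass has to either avoid executing from data at all (return-oriented code) or first get the page marked executable.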
You can check whether the CPU supports hardware DEP as follows. Right-click "My Computer" on the desktop and choose "Properties"; in the "System Properties" window click the "Advanced" tab, then click "Settings" under "Performance" to open "Performance Options". Switch to the "Data Execution Prevention" tab. This page shows whether the computer's CPU supports DEP. If the CPU does not support hardware DEP, a prompt like the following appears at the bottom of the page: "Your computer's processor does not support hardware-based DEP. However, Windows can use DEP software to help protect against some types of attacks." (see Figure 12.1.2).
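The same information can be obtained without the dialog. The program below is an added example, not from the book: on Windows it asks the kernel directly through IsProcessorFeaturePresent(PF_NX_ENABLED) and GetSystemDEPPolicy() (the policy is what the two radio buttons on the Data Execution Prevention tab set; GetSystemDEPPolicy needs Vista or later), and on Linux it reads the CPU feature flags from /proc/cpuinfo and looks for the "nx" token. The /proc/cpuinfo parser is a helper written for this example and the sample flags line is constructed.

```c
/* Added example (not from the book): programmatic hardware-DEP / NX check. */
#include <stdio.h>
#include <string.h>
#ifdef _WIN32
#ifndef _WIN32_WINNT
#define _WIN32_WINNT 0x0600      /* GetSystemDEPPolicy() is declared for Vista+ */
#endif
#include <windows.h>
#endif

/* Returns 1 if a /proc/cpuinfo "flags : ..." line lists the nx feature, else 0.
 * Tokenises on whitespace so "nxe" or "nx_foo" are not mistaken for "nx". */
int cpuinfo_flags_have_nx(const char *line) {
    const char *p = strchr(line, ':');
    if (p == NULL) return 0;
    char buf[8192];
    strncpy(buf, p + 1, sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';
    for (char *tok = strtok(buf, " \t\r\n"); tok != NULL; tok = strtok(NULL, " \t\r\n"))
        if (strcmp(tok, "nx") == 0) return 1;
    return 0;
}

/* 1 = NX/XD present (on Windows: hardware DEP enabled), 0 = absent, -1 = unknown. */
int cpu_supports_nx(void) {
#ifdef _WIN32
    return IsProcessorFeaturePresent(PF_NX_ENABLED) ? 1 : 0;
#else
    FILE *f = fopen("/proc/cpuinfo", "r");
    if (f == NULL) return -1;
    char line[8192];
    int found = -1;                 /* stays -1 on CPUs with no "flags" line (e.g. AArch64) */
    while (fgets(line, sizeof line, f) != NULL) {
        if (strncmp(line, "flags", 5) == 0) {
            found = cpuinfo_flags_have_nx(line);
            break;
        }
    }
    fclose(f);
    return found;
#endif
}

/* System-wide DEP policy, as chosen on the Data Execution Prevention tab (Windows only). */
const char *system_dep_policy(void) {
#ifdef _WIN32
    switch (GetSystemDEPPolicy()) {
        case DEPPolicyAlwaysOff: return "AlwaysOff";
        case DEPPolicyAlwaysOn:  return "AlwaysOn";
        case DEPPolicyOptIn:     return "OptIn (essential Windows programs and services only)";
        case DEPPolicyOptOut:    return "OptOut (all programs except those on the exception list)";
        default:                 return "unknown";
    }
#else
    return "not applicable (not Windows)";
#endif
}

int main(void) {
    int nx = cpu_supports_nx();
    printf("NX/XD: %s\n", nx == 1 ? "supported" : nx == 0 ? "not supported" : "unknown");
    printf("System DEP policy: %s\n", system_dep_policy());
    return 0;
}
```

On Windows, IsProcessorFeaturePresent(PF_NX_ENABLED) reports whether DEP is actually enabled for the system, which is what matters when testing an exploit against a target; a CPU can support NX while the boot configuration turns it off, and that case shows up as AlwaysOff from GetSystemDEPPolicy().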
This article is excerpted from "0-day Security: Software Vulnerability Analysis Techniques (2nd edition)".
Book details: Http://blog.csdn.net/broadview2006/article/details/6596921