Hardware support for XP SP2 DEP not enabled by default ?

From: Nicolas RUFF (ruff.lists_at_edelweb.fr)
Date: 11/22/04

Date: Mon, 22 Nov 2004 23:25:15 +0100
To: bugtraq@securityfocus.com

Windows XP SP2 comes out with a nice security feature: Data Execution
Prevention (DEP). DEP is a mix of several techniques which all aim to
achieve some kind of anti-buffer-overflow protection:

- Software: recompilation of system files with the /GS flag, etc.
- Hardware: DEP can use hardware-enforced protection, namely the NX bit
of AMD64 processors and the XD bit of the latest Intel Pentium IV, to mark
memory pages as "non executable".

DEP can be enabled/disabled through the Windows Control Panel, which has the
effect of setting the "/NoExecute=" kernel parameter inside "BOOT.INI".

According to the following article, PAE (Physical Address Extension)
mode must be enabled to use hardware-supported DEP, but is automatically
enabled if DEP is selected:
http://support.microsoft.com/kb/875352

However, on my computer (Windows XP SP2 32-bit edition + AMD64 Athlon
3000+), hardware-supported DEP does *not* work by default, even with
"/NoExecute=AlwaysOn". I must manually add the "/PAE" boot parameter
inside "BOOT.INI".

It means that with a default XP SP2 installation, you do not benefit from
"Enhanced Virus Protection"* even if you bought an AMD64, unless you
manually edit the "system hidden read-only" file BOOT.INI.

* http://www.amd.com/us-en/Weblets/0,,7832_11104_11105,00.html

Regards,
- Nicolas RUFF
-----------------------------------
Security Consultant
EdelWeb (http://www.edelweb.fr/)
Mail : nicolas.ruff (at) edelweb.fr
-----------------------------------
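As an added example (not part of Nicolas's post), here is a small BOOT.INI audit that encodes the observation above: it parses the `[operating systems]` entries, reads the `/NoExecute=` policy, and flags entries where DEP is switched on but the `/PAE` switch is absent, which is the configuration the post reports as running without hardware NX on 32-bit XP SP2. The BOOT.INI contents below are constructed for the demonstration; the verdict names (`missing-pae`, `hardware-ready`, and so on) are this example's own labels, and the rule that hardware DEP needs `/PAE` is taken from the post rather than from any vendor documentation.

```python
import re

# Constructed sample BOOT.INI (not from the post): the first entry is the
# form XP SP2 writes when DEP is switched on, the second has /PAE added by
# hand, the third has DEP turned off outright.
SAMPLE_BOOT_INI = """\
[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS="XP SP2 (default)" /noexecute=AlwaysOn /fastdetect
multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS="XP SP2 (PAE added)" /noexecute=AlwaysOn /PAE /fastdetect
multi(0)disk(0)rdisk(0)partition(2)\\WINDOWS="XP SP2 (DEP off)" /noexecute=AlwaysOff /fastdetect
"""

# ARC path, quoted display name, then the optional /switches
ENTRY_RE = re.compile(r'^(?P<arc>[^=]+)="(?P<name>[^"]*)"(?P<switches>.*)$')


def parse_entries(text):
    """Parse the [operating systems] section into a list of entries.

    Each entry is a dict with the display name, the ARC path and a map of
    boot switches with lower-cased keys, e.g. '/PAE' -> {'pae': ''} and
    '/noexecute=AlwaysOn' -> {'noexecute': 'alwayson'}.
    """
    entries = []
    in_os_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(';'):
            continue
        if line.startswith('['):
            in_os_section = line.lower() == '[operating systems]'
            continue
        if not in_os_section:
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        switches = {}
        for token in m.group('switches').split():
            if token.startswith('/'):
                key, _, value = token[1:].partition('=')
                switches[key.lower()] = value.lower()
        entries.append({'name': m.group('name'), 'arc': m.group('arc'),
                        'switches': switches})
    return entries


def assess_dep(entry):
    """Classify one boot entry's DEP configuration (labels are this example's own).

    Returns one of:
      'unset'          no /noexecute switch at all
      'disabled'       /noexecute=AlwaysOff
      'hardware-ready' DEP on and /PAE present
      'missing-pae'    DEP on but no /PAE, the case the post describes
                       on 32-bit XP SP2 where hardware NX was not used
    """
    sw = entry['switches']
    policy = sw.get('noexecute')
    if policy is None:
        return 'unset'
    if policy == 'alwaysoff':
        return 'disabled'
    return 'hardware-ready' if 'pae' in sw else 'missing-pae'


def audit(text):
    """Map each entry's display name to its DEP verdict."""
    return {e['name']: assess_dep(e) for e in parse_entries(text)}


if __name__ == '__main__':
    for name, verdict in audit(SAMPLE_BOOT_INI).items():
        print(f'{verdict:15} {name}')
```

To run this against a real machine, read the contents of C:\BOOT.INI (it is a hidden, read-only system file, so the attributes may need to be cleared first) and pass the text to `audit()`. The check reports only what the configuration says; whether the CPU actually exposes NX/XD is a separate question that this parser does not answer.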
