Hardware support for XP SP2 DEP not enabled by default ?

From: Nicolas RUFF (ruff.lists_at_edelweb.fr)
Date: 11/22/04

  • Next message: Stefan Esser: "Advisory 15/2004: Cyrus IMAP Server multiple remote vulnerabilities"
    Date: Mon, 22 Nov 2004 23:25:15 +0100
    To: bugtraq@securityfocus.com
    
    

    Windows XP SP2 comes out with a nice security feature : Data Execution
    Prevention (DEP). DEP is a mix of several techniques which all aim to
    achieve some kind of anti-buffer overflow protection :

    - Software : recompilation of system files with the /GS flag, etc.
    - Hardware : DEP can use hardware-enforced protection, namely the NX bit
    of AMD64 processors and the XD bit of latest Intel Pentium IV, to mark
    memory pages as "non executable".

    DEP can be enabled/disabled through Windows Control Panel, which has the
    effect of setting the "/NoExecute=" kernel parameter inside "BOOT.INI".

    According to the following article, PAE (Physical Address Extension)
    mode must be enabled for using hardware supported DEP, but automatically
    enabled if DEP is selected :
    http://support.microsoft.com/kb/875352

    However, on my computer (Windows XP SP2 32-bit edition + AMD64 Athlon
    3000+), hardware supported DEP does *not* work by default, even with
    "/NoExecute=AlwaysOn". I must add manually the "/PAE" boot parameter
    inside "BOOT.INI".

    It means that using default XP SP2 installation, you do not benefit from
    "Enhanced Virus Protection"* even if you bought an AMD64, unless you
    edit manually the "system hidden read-only" file BOOT.INI.

    * http://www.amd.com/us-en/Weblets/0,,7832_11104_11105,00.html

    Regards,
    - Nicolas RUFF
    -----------------------------------
    Security Consultant
    EdelWeb (http://www.edelweb.fr/)
    Mail : nicolas.ruff (at) edelweb.fr
    -----------------------------------


  • Next message: Stefan Esser: "Advisory 15/2004: Cyrus IMAP Server multiple remote vulnerabilities"

    Relevant Pages

    • Re: svchost.exe
      ... Data Execution Prevention ... What does data execution prevention do? ... Data execution prevention (DEP) is a set of hardware and software ... Hardware-enforced DEP marks all memory locations in a process as ...
      (microsoft.public.windowsxp.help_and_support)
    • RE: FixIt from AvanQuest - Data Execution Prevention - Microsoft Wind
      ... If you are using the recommended security settings and your antivirus ... software did not detect a threat, your computer is probably not under attack. ... Prevention (DEP) for a specific program, ... Click the Data Execution Prevention tab. ...
      (microsoft.public.windowsxp.general)
    • Re: FixIt from AvanQuest - Data Execution Prevention - Microsoft Wind
      ... Prevention (DEP) for a specific program, ... Click the Data Execution Prevention tab. ... 'To help protect your computer, ...
      (microsoft.public.windowsxp.general)
    • Re: CRReport Crash
      ... A little more inspection, and it appears that the error that is crashing the program is Data Execution Prevention (DEP) error, the problem is that DEP will not let me turn it off for my running program. ... So, the line ReportDocument CRReport = new ReportDocument; crashes my application, and it does not even get caught, which is strange, as I have it wrapped in a try catch, which doesn't catch it. ...
      (microsoft.public.vb.crystal)
    • Re: DEP issue.
      ... Data Execution Prevention - Microsoft Windows ... The Windows ops are so fragile, you might consider to turn off Data ... Setting DEP in Control Panel ...
      (alt.2600)