Guide to hardware-based DEP protection

Summary: When the WMF exploit hit the wild and existing workarounds were tacky and the official Microsoft patch a week away, the DEP or Data Execution Prevention feature shined through when it was completely enabled and supported by NX or XD capable hardware.  While NX and XD also support other operating systems like Windows 2003 Server with SP1, BSD, and Linux, the vast majority of users will use it through Windows XP SP2.

When the WMF exploit hit the wild, existing workarounds were tacky and the official Microsoft patch was a week away, the DEP or Data Execution Prevention feature shined through when it was completely enabled and backed by NX or XD capable hardware. While NX and XD also support other operating systems like Windows 2003 Server with SP1, BSD, and Linux, the vast majority of users will use it through Windows XP SP2. The downside to DEP protection in Windows XP SP2 is that it isn't completely enabled by default, and most older computers don't have NX or XD capability in their AMD or Intel processor. Fixing the first issue is just a few clicks away, but fixing the second issue is a bit trickier because it involves having the right hardware.

Hopefully, you have a CPU that already has NX or XD capability.  The easiest way to verify this if you have Windows XP SP2 is to simply look at your DEP settings.  You do this by right-clicking on "My Computer" and then selecting "Properties".  In the "System Properties", go to the "Advanced" tab as shown here:

Then you click on the "Settings" button and you'll get the "Performance Options" window as shown here:

Jump to the "Data Execution Prevention" tab and select "Turn on DEP for all programs and services except those I select". This allows DEP to work on all applications and services. This is also where you verify whether you have an NX or XD capable processor. If you see the warning message at the bottom telling you that your computer's processor does not support hardware-based DEP, then you don't have an NX or XD capable processor.
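The "Performance Options" dialog is reading a single CPU feature bit when it decides whether to show that warning. The following is an added example, not code from the original article, that performs the same check directly: both AMD's NX and Intel's XD are reported in CPUID leaf 0x80000001, register EDX, bit 20. It assumes a GCC or Clang toolchain (for the `cpuid.h` helper); the function and macro names are my own.

```c
/*
 * Added example (not part of the original article): query the CPU for the
 * NX/XD capability bit that hardware-enforced DEP depends on.
 *
 * AMD NX and Intel XD are the same bit: CPUID leaf 0x80000001, EDX[20].
 * Windows XP SP2 consults this bit when deciding whether to offer
 * hardware-based DEP in the "Data Execution Prevention" tab.
 */
#include <stdint.h>
#include <stdio.h>

#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>   /* GCC/Clang wrapper around the CPUID instruction */
#endif

#define NX_LEAF     0x80000001u   /* extended feature leaf */
#define NX_EDX_BIT  20            /* NX (AMD) / XD (Intel) flag */

/* Pure decoder: 1 if the NX/XD bit is set in an EDX value returned by
 * CPUID leaf 0x80000001, 0 otherwise.  Kept separate from the CPUID call
 * so it can be exercised with constructed register values on any host. */
int nx_bit_from_edx(uint32_t edx)
{
    return (edx >> NX_EDX_BIT) & 1u;
}

/* Ask the running CPU.  Returns 1 (NX/XD present), 0 (absent, or the
 * extended leaf is not implemented at all), or -1 on a non-x86 build
 * where there is no CPUID instruction to execute. */
int cpu_supports_nx(void)
{
#if defined(__x86_64__) || defined(__i386__)
    unsigned int eax = 0, ebx = 0, ecx = 0, edx = 0;
    /* __get_cpuid() returns 0 when the requested leaf is above the CPU's
     * highest extended leaf; very old parts fall into that case and have
     * no NX/XD either, so "absent" is the right answer there. */
    if (!__get_cpuid(NX_LEAF, &eax, &ebx, &ecx, &edx))
        return 0;
    return nx_bit_from_edx(edx);
#else
    return -1;
#endif
}

int main(void)
{
    int nx = cpu_supports_nx();
    if (nx < 0)
        puts("not an x86 CPU: CPUID is unavailable");
    else
        printf("NX/XD bit (CPUID 80000001h EDX[20]): %s\n",
               nx ? "present, hardware-based DEP is possible"
                  : "absent, only software DEP is available");
    return 0;
}
```

Build with `cc -O2 nxcheck.c -o nxcheck` and run it on the machine in question. Two caveats worth knowing when the result disagrees with the processor list below: on Intel parts the XD bit reads as clear when XD has been disabled in the BIOS setup, so a "capable" CPU can still report absent until firmware is corrected; and inside a virtual machine the bit reflects what the hypervisor exposes to the guest, not only what the physical CPU can do. On the Windows side, the GUI setting described above corresponds to the `/noexecute=OptOut` switch in `boot.ini` on XP SP2, and `wmic OS get DataExecutionPrevention_Available, DataExecutionPrevention_SupportPolicy` reports whether hardware DEP is available and which policy (0 AlwaysOff, 1 AlwaysOn, 2 OptIn, 3 OptOut) is in force, which is a convenient way to audit several machines without clicking through each one.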

If you don't have hardware-based DEP, then your only choice is to get a new processor with AMD NX or Intel XD capability, or to buy a new computer with an NX or XD CPU built in. If you go the processor upgrade route, that usually means you need a new motherboard too. Fortunately, price isn't a big issue since I've seen $80 deals where you get both an AMD Sempron 2800+ NX capable CPU and a motherboard. I've also seen similar deals with Intel Pentium 4 2.66 CPUs and a free motherboard for around $110. The tricky part is recognizing which CPUs have NX or XD capability and which do not. To help you figure this out, I've compiled a list of processors from both Intel and AMD that support hardware-enforced DEP.

Intel Processors with XD support:

AMD processors with NX support:

* Except AMD64 based on Clawhammer-512 core rev. C0

It's fairly safe to assume all of the newest CPUs from Intel and AMD will support this feature in the future. All of the newest server chips from Intel or AMD that weren't listed here also support hardware-enforced DEP. Intel's newest dual-core Duo and single-core Solo CPUs will definitely support XD. Only the low-end AMD Socket A and end-of-life Socket 940 CPUs don't have this feature. All you need to do is follow the steps above and enable DEP, and you'll be a lot more secure. However, DEP by itself should never be considered a complete substitute for other forms of security and should only be treated as an extra layer of protection.

Talkback

40 comments
  • Is it Safe? / Do I have DEP Alternatives?

    Thanks George for the security advisory.

    Windows users should know that they have another 'option' at their disposal for if and when they venture onto the internet--especially those who don't currently have one of the processors you list with DEP capability:

    VMWare Player's 'Browser-Appliance'.

    Found at:

    http://www.vmware.com/vmtn/vm/browserapp.html

    What does this do?

    It puts your internet session into a safe 'sand box' running in a 'virtual machine' with Linux Ubuntu 5.1 and will not propagate back to the Windows O/S upon which VMWare Player runs!

    The fact is Windows has suffered from so many security vulnerabilities that running an alternate O/S such as Linux avoids these issues entirely.

    I've spent a few days testing the VMWare 'Browser-Appliance' and can say that, at first blush, it's pretty good and runs the Mozilla Firefox 1.5 browser.

    Depending on your needs, this may or may not be an option to consider--this advice coming from a 'reformed' Windows User who now enjoys the relative 'serenity' of using SuSE Linux 10.0.

    It's a very interesting turn of events that VMWare chose to provide this 'alternative' to the Windows User Community! It's really a viable SAFE alternative.

    Give it a look and if you have a high-speed BroadBand connection, you can finish the download and be up and running in a Linux VM session in about an hour--including download time for the 'Browser-Appliance.vmx' image file.

    Be Safe!

    Thanks again George.
    D T Schmitz
    • Yes - it is safe/ DEP has leaks

      Minimum system requirements according to VMWare -

      • Processor speed: 400MHz or faster (500MHz or faster recommended).
      • Memory: 128MB minimum, 256MB recommended. You must have enough memory to run the host operating system, plus the memory required for each guest operating system and for applications on the host and guest. See your guest operating system and application documentation for their memory requirements.
      • Hard disk: At least 1GB free disk space for each guest operating system. For installation, VMware Player requires approximately 150MB.

      In my experience I find that 512mb of total memory is needed to avoid frequent trips into virtual memory mode. That allows a little more than ~128mb for XP; ~32mb for FW/AV; and enough room for VMWare Player and a couple of small apps like Outlook.

      So far, no effective malicious code has appeared in the wild that can bypass the Linux VM and into the Windows host OS. In a lab setting (information warfare), we refer to the VM as an "egg", and working on code to "hatch out" into the host OS has been difficult (although we have gotten the "shell" to "crack a little"). I really don't foresee a workable exploit in the wild for quite some time.

      I agree with George's assessment that DEP alone isn't a complete security solution for malicious data execution. Hardware based DEP has leaks due to the CPU's vulnerability to invalid instructions that mimic those in its hardwired internal instruction set. We can expect to see malicious code in the future that will turn off DEP via an invalid CPU instruction in a similar fashion to trojan horse exploits that now turn off your FW/AV.
      cburgess-iPALADIN
      • Not again

        "We can expect to see malicious code in the future that will turn off DEP via a invalid CPU instruction in a similar fashion of trojan horse exploits that now turns off your FW/AV"

        No, there are no "leaks". Trojan horses are not covered by DEP if you understand the basics about DEP.
        george_ou
        • Theoretical

          It seems theoretically possible to turn off DEP via a program. (It's still speculative, but where there's smoke there's a chance that there's fire as well.)

          http://woct-blog.blogspot.com/2005/01/dep-evasion-technique.html

          As George points out, it is indeed supported by Linux/BSD, though the implementation varies somewhat.
          tombalablomba
          • These methods apply to software DEP

            Software DEP as I've found in testing the WMF exploit isn't very effective even when you turn it on for every Service and Application. That's nothing new. Hardware enforced DEP is much better although it probably can't stop everything. This is why I call it an extra layer of defense and I warn people not to think of it as a substitute for other best practices.
            george_ou
        • The point is...

          The point is that DEP can be bypassed, sidestepped, or disabled with creative codework and scripting. Bear in mind that this is no simple feat, and that no single exploit can achieve it effectively and probably never will. It will take CEC tactics to make an effective vulnerability out of it.

          In my experience this is not something a script kiddie will be able to use. That solves 90% of the threat envelope. The bad news is that serious malicious hackers, especially those who make money as cybercriminals, will at some point in time be able to make it work.

          George - trojan horses cloak malicious scripts and account for the majority of malicious network traffic that is disguised as legit traffic. Basic DEP is a ho-hum no-brainer; it is the vast number of latent anomalies that make things really exciting.
          cburgess-iPALADIN
          • The point is that you don't understand anything about security

            You've memorized a few catch phrases, but that isn't a substitute for fundamental knowledge which you lack.

            Of course malicious code once it launches by explicit user request can bypass DEP and that isn't the point of DEP. DEP prevents accidental lunches of code residing in data space.
            george_ou
          • you are stuck on the fundamentals...

            I recall from Chem I classes that students are first taught the Bohr atomic model of the atom...even though later in the course they find out that the Bohr model is obsolete and replaced by the quantum model.

            George, you seem to be obsessed with fundamentals, while I am posting on the advanced and fascinating aspects of network security from an information warfare point of view (something that you obviously know nothing about, let alone have any hands-on experience). My point of view comes from a dimension of advanced networking that is totally alien to you.

            You wrote:"DEP prevents accidental lunches of code residing in data space." Are you implying that DEP prevents code residing in data space (memory) from being eaten in some manner? DEP tries to prevent "accidental" launches of code in the memory stack, but its success is limited at best. Malicious code can launch without explicit user input, even with DEP enabled. Don't get me wrong, it is better than nothing, and hopefully the functionality will improve in future improvements in DEP.

            I have been in the info security (or insecurity...LOL) field for over 25 years, and I still find the field extremely exciting and breathtaking. It takes an open mind to maintain a high level of productivity in my field (and I have 70,000 exploits to my credit since 2001 that have yet to be patched by vendors).

            George, you are far too young to have such a closed mind, and that doesn't bode well for you in the future. No true expert in any field has such a closed mind.
            cburgess-iPALADIN
          • Open mind is one thing, not knowing the basics is just dangerous

            When you don't know the difference between a user-initiated Trojan and a zero-interaction buffer overflow, that's really scary. When you clearly demonstrated that you don't even know the difference between 768-bit asymmetric crypto and 128-bit symmetric crypto, that's scary. You're one of those people who know just enough to be dangerous. I guess you can pass yourself off as an 'expert' to some, but you don't fool me.
            george_ou
          • RE: you are stuck on the fundamentals...

            [i](and I have 70,000 exploits to my credit since 2001 that have yet to be patched by vendors).[/i]

            Hahaha, that's great. Working nonstop for the past 5 years, that's about 38 exploits a day.

            You sound like a smart guy alright...
            ytpete
          • Geez, George!

            You're sounding real professional with this kind of post denigrating someone who clearly *does* have a clue. I wouldn't be surprised if your tenure at zdnet was a bit short...professional organizations generally watch their public image carefully. We expect zany posts from "joe user" on this forum, but the pros ought to be a bit more mannerly and tactful. "If you can't take the heat, get outta the kitchen!"
            Techboy_z
      • VMPlayer for Linux SuSE

        I am going to try to download the VM 'Browser-Appliance' for Linux again, because on the 1st try, it 'crapped the bed' when I tried to extract in SuSE 10.0

        Anyone have that happen?
        Again I am off topic. (Doh!)
        I have to stop doing that.
        D T Schmitz
    • I've used that, it's alright

      It boots slow but can be made to start almost instantly if you pause it and let it suspend to disk with a memory dump. The same thing works with Windows XP as a guest and that's what I use when I'm testing risky websites for exploits. I must have blown up a dozen VMs testing that WMF exploit.
      george_ou
      • Now you're talking my kind of fun...

        George wrote: "I must have blown up a dozen VMs testing that WMF exploit."

        As a professional in information warfare operations/security...I love making things explode in cyberspace. Making things break and figuring out why is always a good time.
        cburgess-iPALADIN
      • 'Just' Alright?

        Now, that was 'tepid'.
        Your colleague just put out an article that gives VMWare 'accolades'--entitled 'VMWare gets what it deserves':

        http://blogs.zdnet.com/BTL/?p=2462

        Not to divert anyone's attention from your blog or to be 'off topic', but it seems to me that your point for bringing up the DEP features is good, but most of the users of that technology are currently in the 'minority'.

        VMWare is 'innovating' by offering a Linux VM which, instead of DEP, is VEP (Viral Execution Propagation).

        The VMPlayer 'Browser-Appliance' effectively puts those 'script-kiddies' and all of the other 'ne'er-do-wells' in a 'sandbox' where they belong!

        This is 'alright'? Why this is the best thing since 'sliced bread'! ;)

        Oh George. Really. You are funny.
        Ok, I am 'off topic'. I hear you saying that. :)
        D T Schmitz
        • Doing everything in a VM isn't the answer to everything

          It's great for testing dangerous sites. It isn't the be-all and end-all. At some point, I prefer running native applications and not inside of a sandbox. Having Vista IE7 which uses a special account for IE is going to be very effective as well.

          Besides, I said DEP is an extra layer of protection. VMWare guests also benefit from NX/XD capability from the host machine, so this DEP guide is still extremely useful. Having DEP on the host machine isn't a bad thing either (remember that NAT exploit in VMWare).
          george_ou
          • Stay in the Now

            Naturally, everyone hopes and looks forward to what Vista will offer.

            I know what you said. Not taking away from that--good article.

            But, it's an interesting 'twist' that VMWare is offering a Linux VM for the express purpose of 'safe' and 'secure' internet access.

            Now, George. Not Vista IE7, which is off in the future!

            Stay in the Now. ;)
            Ok thanks again George.
            D T Schmitz
          • You don't have to run as Admin

            I never let family members run as Admin. They never get in to any real trouble since malware always fails to embed itself in the startup. You don't need Vista for this.
            george_ou
        • VEP Whahtt?

          VEP. Must be a new term.

          I am not sure if the VEP got across--not the best choice of words or the way I was thinking.

          VMPlayer is a pretty good guarantee that NOTHING 'leaves' the 'Browser-Appliance' during shutdown of the VM.

          NO PROPAGATION. And nothing to worry about.

          If set up correctly, the VM 'resets' to an 'original' state on each startup.

          Now, that's really slick, if I may say so myself.

          Ok, enuf on the VMPlayer 'jag'. I'll stop there.
          D T Schmitz
          • Are you sure?

            I guess you don't remember that NAT vulnerability in VMWare. DEP might actually help you there in some cases.
            george_ou