Windows Data Execution Protection (DEP)
Here’s a little-known security enhancement that Microsoft quietly included in Service Pack 2 (read about the Service Pack 2 Security Center here). Most Windows XP users have been using it for a while without knowing it: Windows Data Execution Protection, also known as DEP. Basically, it stops unauthorized programs from executing code in protected portions of memory. That probably doesn’t mean much yet, so in this week’s Security Article of the Week I’ll explain what this protection does, how it does it and how you can manage it.
A lot of Windows attacks attempt to run code in protected areas of your system’s memory, that is, areas allocated for other purposes such as data rather than code. An attacker will attempt to inject malicious code into another service so that it runs when that service is called upon. This code execution can not only be concealed behind the legitimate service, but can also rely on buffer overflows that hang the machine and, in turn, give the attacker access to it. DEP stops the execution of this unauthorized code, reducing the chance of damage and of the malicious code spreading on your system.
There are two different types of DEP. One is hardware based, which relies on a CPU with this capability and the other is software based, which was introduced with Service Pack 2. Since this is a lot to chew, I will split the two topics into two separate articles. This week we will discuss hardware DEP and how to see if your system has this ability.
Hardware DEP: Hardware DEP marks protected locations in memory as non-executable, which stops code from executing in that range of memory. If code is executed in a protected area, DEP intercepts it and raises an exception. In most cases you will receive an error code of STATUS_ACCESS_VIOLATION followed by a code number. This exception is usually treated as unhandled, terminating the process and eventually shutting down the program that was using it. Hardware DEP is the more effective of the two types of protection, but both can and should be enabled on systems with the ability.
You can run the following procedure to find out whether your processor has hardware DEP capabilities and whether it is turned on (it is on by default with capable CPUs).
1. Click Start, click Run, type wbemtest in the Open box and then click OK.
2. In the Windows Management Instrumentation Tester dialog box, click Connect.
3. In the box at the top of the Connect dialog box, type root\cimv2 and then click Connect.
4. Click Enum Instances.
5. In the Class Info dialog box, type Win32_OperatingSystem in the Enter superclass name box and then click OK.
6. In the Query Result dialog box, double-click the top item.
Note: This item starts with “Win32_OperatingSystem.Name=Microsoft…”
7. In the Object editor dialog box, locate the DataExecutionPrevention_Available property in the Properties area.
8. Double-click DataExecutionPrevention_Available.
9. In the Property Editor dialog box, note the value in the Value box. If the value is TRUE, hardware DEP is available.
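The same check run from PowerShell instead of wbemtest, as an added example that is not part of the original article. It reads DataExecutionPrevention_Available from the Win32_OperatingSystem class exactly as the steps above do, and goes slightly beyond them by also reading the neighbouring DataExecutionPrevention_* properties of that class (drivers, 32-bit applications, support policy), which this article does not cover. It assumes a host with PowerShell 3.0 or later; on older systems Get-WmiObject takes the place of Get-CimInstance.

```powershell
# Added example (not from the original article): query the same WMI class the
# wbemtest procedure walks through, but from PowerShell.
# Assumes PowerShell 3.0+ for Get-CimInstance; on older hosts use Get-WmiObject.

function Get-DepStatus {
    # Same class and namespace as steps 3 and 5 of the procedure
    $os = Get-CimInstance -ClassName Win32_OperatingSystem -Namespace root\cimv2

    # Documented meaning of the DataExecutionPrevention_SupportPolicy values
    $policyNames = @{
        0 = 'AlwaysOff (DEP disabled for all processes)'
        1 = 'AlwaysOn  (DEP enforced for all processes)'
        2 = 'OptIn     (DEP only for Windows system binaries)'
        3 = 'OptOut    (DEP for all processes except an exclusion list)'
    }

    [pscustomobject]@{
        # TRUE here is what step 9 above tells you to look for
        HardwareDepAvailable = $os.DataExecutionPrevention_Available
        DepEnabledForDrivers = $os.DataExecutionPrevention_Drivers
        DepEnabledFor32Bit   = $os.DataExecutionPrevention_32BitApplications
        SupportPolicy        = $policyNames[[int]$os.DataExecutionPrevention_SupportPolicy]
    }
}

$status = Get-DepStatus
$status | Format-List

if (-not $status.HardwareDepAvailable) {
    Write-Warning 'Hardware DEP is not available on this system; only software DEP can apply.'
}
```

The SupportPolicy line reports the system-wide DEP mode, which is the setting the software-side discussion in Part 2 is about; AlwaysOff or OptIn on a capable CPU is the configuration worth flagging during a review.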
Next week, in Part 2 of Windows DEP, I will show you how to view and manage the DEP settings for the software-based protection, so you can use this security technology to its fullest.