DEP (Data Execution Prevention)

Date : May 10, 2010

DEP (Data Execution Prevention) is a feature implemented on Windows systems since the versions of XP and Vista. It allows to prevent the exploitation of vulnerabilities (e.g. buffer overflow, etc.) while a program is executed. When activated, this technology prevents attack programs from inserting and executing malicious code within certain memory portions normally reserved for non-executable code. There are two forms of DEP; hardware DEP and software DEP.

 

Hardware DEP

Hardware DEP uses features implemented in CPU chips. It can mark memory with a specific attribute indicating that no code can be ran from this memory area, unless the area is explicitly designated as executable. When appropriate, hardware DEP will throw an exception when running this kind of code.
Hardware DEP data execution prevention is applied on virtual memory page. Such prevention is usually characterized as a change on a bit of page table (PTE), the aim being to mark the memory page as protected.
The use of Hardware DEP is only possible with modern processors having the ability to restrict the use of memory areas.

DEP compatible processors

Currently, major processor vendors such as AMD and Intel sell architectures that are compatible with the DEP and use the “NX technology” (No Execute) for AMD and XD (Execute Disable Bit) for Intel. These technologies have been supported since Windows XP SP2 32-bit version.

"NX" or "XD" processor features can only work if the processor is being used in a mode called “Physical Address Extension” (PAE). Applications or operating systems can determine if the processor supports PAE by querying its field identification (CPUID).

 

Software DEP

Software DEP enforces controls on exceptions handling under Windows, by checking if exceptions are thrown to block any malicious code taking advantage of these mechanisms. It is worth noting that by default, software DEP protects only certain binary systems. Indeed, all applications on a system on which DEP is enabled, do not benefit from this feature.

 

DEP Security levels

There are 4 types of DEP security levels:
  • "OptIn": This parameter is enabled by default on systems with a processor that supports hardware DEP and programs explicitly using the option "OptIn". This is the default configuration of operating systems like Windows XP and Vista.
  • "OptOut": DEP is enabled on all processes which have the ability to manually create a list of specific program excluding the use of DEP. This is the default configuration of operating systems for servers such as Windows Server 2003 and 2008.
  • "AlwaysOn": DEP is enabled for the entire system regardless of whether the program is compatible with DEP or not.
  • "AlwaysOff": No DEP protection is enabled for any processes.
To check if DEP policy is enabled on a system, it is possible to use the WMIC command (Windows Management Instrumentation Command-line). The following command "wmic OS Get DataExecutionPrevention_SupportPolicy" returns:
  • 0 when the “AlwaysOff” option is enabled.
  • 1 when the “AlwaysOn” option is enabled.
  • 2 when the “OptIn” (default) is enabled.
  • 3 when the “OptOut”option is enabled.
Note: Under Windows Vista, hardware DEP is enabled by default for all services and executables which were compiled with the “/NXCOMPAT” parameter.

 

Limitations of DEP

Used alone, DEP is a solution which can "easily" be circumvented by malicious code using various programming techniques. For example, to bypass DEP, some programmers use the technique called “return-to-libc". This technique allows disabling DEP by passing to the stack, a return address pointing to the address of a function of a library. Indeed, this memory area presents the particularity of being executable, and thus allows code execution.

 

DEP and ASLR

ASLR (Address Space Layout Randomization) is a technique to enforce DEP. It adds memory address space "randomization" functions and can significantly improve the protection system. This technique especially allows to place particular date areas into virtual memory in a random manner, reducing possible attacks based on fixed addresses.

DEP and ASLR limitations: The « JIT Spraying » attack

Attacks against ASLR or against DEP (taken individually), have been known for some time. An attack against DEP is generally blocked by ASLR and vice-versa. The use of both of these techniques has significantly reduced such attacks. However, a new technique called “JIT Spray" was presented in February 2010 at the last BlackHat DC conference.

Although still undocumented, this technique allows to attack systems that have implemented simultaneously ASLR and DEP protections. This method is similar to the technique called "Heap Spray ', that is to say, it uses the diffusion of a payload in a large number of memory pages marked as executable. As ASLR makes it impossible to predict memory addresses, writing in the payload in several memory areas can increase the probability that the pay load gets executed.

The demonstration done at BlackHat DC showed how it was possible to force the Adobe Flash Player virtual machine to generate a payload, placed in multiple memory areas marked as executable, so that the native Flash malicious code could be native executed.

Note: This attack was possible because the code uses a Flash virtual machine and compiler that converts on the fly (Just In Time - JIT) the portable code of the application (Flash code here) to a native code that the machine understands.

 

Other initiatives


Without going into detail because of their complexity, other techniques exist. SEHOP (Structured Exception Handler Overwrite Protection) can prevent the exploitation of buffer overflows by rewriting the SEH exception handler on Windows systems. SafeSEH is an image that comes with exception handlers to secure Windows. Under Linux, there is  PaX, which is a kernel module that can be added to secure system kernels, or "Exec Shield", which emulates the NX bit (NoExecute) on x86 CPU to limit code execution.

Conclusion

Today, DEP associated with ASLR improve the security level of systems even if techniques such as “JIT Spraying” can bypass them, as they are not easy to implement and need particular conditions to be exploited.

Also, and even though their use may have side effects for some applications, DEP and ASLR remain protection measures to be looked at.
Previous Previous Next Next Print Print