Tuesday, August 26, 2008

DEP

Data Execution Prevention (DEP) is a feature that is provided in both hardware and software. DEP is used for security reasons, i.e. to prevent code from executing from a non-executable memory region. Whenever code tries to execute from a non-executable part of memory, hardware-enforced DEP raises an exception. The OS catches this exception and stops the program from executing until the exception is handled. An example of such an attack is the buffer overflow attack.

All areas of memory are marked as non-executable unless they are explicitly designated for executable code.
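As an added example (not from this post), a small Linux/x86-64 C program that shows the hardware side of DEP: the same five-byte do-nothing routine is placed in an anonymous page, and it runs only once the page has been made executable; on a data-only page the CPU refuses the instruction fetch, the kernel delivers SIGSEGV, and the program catches and reports it. The stub bytes, page size and return codes are constructed for the demo.

```c
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>

/* Constructed x86-64 stub: "endbr64; ret" -- a routine that does nothing and returns. */
static const unsigned char ret_stub[] = { 0xF3, 0x0F, 0x1E, 0xFA, 0xC3 };

static sigjmp_buf recover;
static volatile sig_atomic_t fault_seen;

static void on_segv(int sig) {
    (void)sig;
    fault_seen = 1;               /* NX refused the instruction fetch */
    siglongjmp(recover, 1);       /* unwind out of the faulting call */
}

/* 1: the page executed; 0: the non-executable page faulted (DEP/NX); -1: setup error. */
int try_execute(int executable) {
    size_t len = 4096;
    unsigned char *page = mmap(NULL, len, PROT_READ | PROT_WRITE,
                               MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (page == MAP_FAILED) return -1;
    memcpy(page, ret_stub, sizeof ret_stub);
    /* Only the "executable" case grants PROT_EXEC (and drops write: W^X). */
    if (executable && mprotect(page, len, PROT_READ | PROT_EXEC) != 0) {
        munmap(page, len);
        return -1;
    }
    struct sigaction sa, old;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_segv;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old);

    volatile int ran = 0;
    fault_seen = 0;
    if (sigsetjmp(recover, 1) == 0) {
        void (*fn)(void);
        memcpy(&fn, &page, sizeof fn);   /* pointer copy without an object-to-function cast */
        fn();                            /* jump into the page */
        ran = 1;
    }
    sigaction(SIGSEGV, &old, NULL);
    munmap(page, len);
    return fault_seen ? 0 : ran;
}
```

Call try_execute(1) and try_execute(0) from a main of your own; on a standard Linux/x86-64 system they return 1 and 0 respectively.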

Typically, software-enforced DEP does not perform the same operation, but it prevents SEH overwrites. Obviously you will have this question!!

What is SEH? And what is an SEH overwrite?
Structured Exception Handling (SEH) works by defining a uniform way of handling all exceptions that occur during the normal course of process execution. It is used to dispatch both hardware and software exceptions.

Each SEH record involves two pointers: the Next pointer and the handler pointer. An attacker can gain control by overwriting this handler pointer.

DEP is supported by Windows XP SP2 and above. There are two ways to enable DEP in Windows.
  • In My Computer properties, you can enable DEP for Windows binaries only or for all applications.
  • In boot.ini, using the /noexecute parameter.
DEP has limitations. It might not allow some programs to run, because they try to execute code in the way described above; Counter-Strike is one example. But Windows has an option to exempt those applications from DEP.
