Data Execution Prevention In Windows Server 2003


This topic contains 0 replies, has 1 voice, and was last updated by Webmaster 2 years ago.

    What does data execution prevention do?
    Data execution prevention (DEP) is a set of hardware and software technologies that perform additional checks on memory to
    help protect against malicious code exploits. In Windows Server 2003 with Service Pack 1, DEP is enforced by both hardware
    and software.
    Hardware-enforced DEP
    Hardware-enforced DEP marks all memory locations in a process as non-executable unless the location explicitly contains
    executable code. There is a class of attacks that attempt to insert and execute code from non-executable memory locations. DEP
    helps prevent these attacks by intercepting them and raising an exception.
    Hardware-enforced DEP relies on processor hardware to mark memory with an attribute that indicates that code should not be
    executed from that memory. DEP functions on a per-virtual-memory-page basis, usually changing a bit in the page table entry
    (PTE) to mark the memory page.
    The actual hardware implementation of DEP and marking of the virtual memory page varies by processor architecture.
    However, processors that support hardware-enforced DEP are capable of raising an exception when code is executed from a
    page marked with the appropriate attribute set.
    Both Advanced Micro Devices (AMD) and Intel Corporation have defined and shipped Windows-compatible architectures that
    are compatible with DEP.
    32-bit versions of Windows Server 2003 with Service Pack 1 utilize the no-execute page-protection (NX) processor feature as
    defined by AMD or the Execute Disable bit (XD) feature as defined by Intel. In order to use these processor features, the
    processor must be running in Physical Address Extension (PAE) mode. The 64-bit versions of Windows use the NX or XD
    processor feature on 64-bit extensions processors and certain values of the access rights page table entry (PTE) field on IPF
    It is hoped that all future 32-bit and 64-bit processors will provide support for hardware-enforced DEP. Microsoft continues to
    work with processor vendors to encourage the adoption and development of DEP technologies.
    Software-enforced DEP
    An additional set of DEP security checks has been added to Windows Server 2003 with Service Pack 1. These checks, known as
    software-enforced DEP, are designed to mitigate exploits of exception handling mechanisms in Windows. Software-enforced
    DEP runs on any processor that is capable of running Windows Server 2003 with Service Pack 1. By default, software-enforced
    DEP protects only limited system binaries, regardless of the hardware-enforced DEP capabilities of the processor.
    Who does this feature apply to?
    Application and driver developers should be aware of DEP and the requirements of software running on a supporting platform.
    Applications that perform just-in-time (JIT) code generation or execute memory from the default process stack or heap should
    pay careful attention to DEP requirements.
    Driver developers are encouraged to be aware of PAE mode on platforms supporting hardware-enforced DEP. PAE mode
    behavior on systems running Windows Server 2003, Standard Edition with Service Pack 1, is changed to improve driver
    What new functionality is added to this feature in Windows Server 2003 Service Pack 1?
    Data execution prevention on 32-bit and 64-bit versions of Windows and applications
    Detailed description
    Hardware-enforced DEP
    To provide consistency for application and driver developers, the memory protection model (including DEP) is designed to be
    the same for both 32-bit and 64-bit versions of Windows.
    Application developers should be aware of DEP behavior in user mode. A user-mode DEP exception results in a
    STATUS_ACCESS_VIOLATION (0xc0000005) on Windows systems. The first parameter of ExceptionInformation that is located
    inside the EXCEPTION_RECORD structure contains the type of access violation that occurred. A value of 8 for
    ExceptionInformation[0] indicates the access violation was an execution violation.
    In most processes, the STATUS_ACCESS_VIOLATION exception will be an unhandled exception and result in termination of the
    DEP is also applied to drivers in kernel mode. DEP for memory regions in kernel mode cannot be selectively enabled or
    disabled. On 32-bit versions of Windows, DEP is applied to the stack by default. This differs from kernel-mode DEP on 64-bit
    versions of Windows, where the stack, paged pool, and session pool have DEP applied.
    Device drivers are not permitted to execute code from the stack when DEP is enabled. A DEP access violation in kernel mode
    will result in an error 0xFC: ATTEMPTED_EXECUTE_OF_NOEXECUTE_MEMORY.
    Software-enforced DEP
    Software-enforced DEP performs additional checks on exception handling mechanisms in Windows. If the program’s image
    files are built with Safe Structured Exception Handling (SafeSEH), software-enforced DEP ensures that before an exception is
    dispatched, the exception handler is registered in the function table located within the image file.
    If the program’s image files are not built with SafeSEH, software-enforced DEP ensures that before an exception is dispatched,
    the exception handler is located within a memory region marked as executable.
    DEP application close behavior
    The majority of applications will not encounter a problem with DEP. However, when an application does encounter a problem
    with DEP, a Data Execution Prevention message is presented to the user, alerting them to the problem.
    The Data Execution Prevention message indicates that a DEP problem occurred with the application and provides the ability for
    the user to learn more about DEP and optionally disable DEP for the application that was closed.
    If a DEP problem occurs with an application, Microsoft recommends contacting the application vendor for an update. The
    security implications of disabling DEP for an application should be thoroughly considered before disabling DEP for an
    The ability to change DEP settings for a closed application using the Change Settings button on the Data Execution
    Prevention message window depends on the system-wide DEP configuration. Changes to DEP protection for an application
    can be made only if the system-wide DEP configuration is set to the OptOut mode.
    The Data Execution Prevention message is presented immediately before a Windows Error Reporting window, which provides
    the opportunity to submit a report about the DEP problem to Microsoft.
    On Windows Server 2003 with Service Pack 1, the Data Execution Prevention message will be presented the next time an
    Administrator logs onto the system interactively. The behavior is changed on Windows Server 2003 with Service Pack 1 from
    Windows XP with Service Pack 2 because Windows Error Reporting is configured in queued mode by default. Queued mode
    causes error reporting messages to be queued until the next time an administrator interactively logs onto the system.
    To learn more about Windows Error Reporting, or to configure Windows Error Reporting such that DEP and Windows Error
    Reporting messages are displayed immediately following an application problem, see the “Using Windows Server 2003 in a
    Managed Environment: Windows Error Reporting” article on the Microsoft Web site at
    Windows Error Reporting generates an error signature when an application is closed due to DEP. The error signature can be
    viewed by following the “click here” link on the Windows Error Reporting dialog. The error signature for a DEP problem has the
    following attributes:
    Parameter  Value          Description
    EventType  BEX            Indicates a buffer overflow (/GS) or DEP exception (BEX64 indicates a buffer overflow (/GS) or DEP exception on 64-bit versions of Windows)
    P1         DEPDemo.exe    Name of the application executable that encountered the problem
    P2         5.1.2600.2180  Version of the application executable that encountered the problem
    P3         416725f2       Faulting application stamp
    P4         DEPDemo.exe    Faulting module name
    P5         5.1.2600.2180  Faulting module version
    P6         416725f2       Faulting module stamp
    P7         00002060       Fault offset (Instruction address if a module is not loaded at the faulting address)
    P8         C0000005       Indicates a STATUS_ACCESS_VIOLATION exception (If this parameter is c0000409, the problem is a /GS-related fault)
    P9         00000008       Indicates an execution STATUS_ACCESS_VIOLATION (00000002 indicates an execution STATUS_ACCESS_VIOLATION on 64-bit versions of Windows for the Intel Itanium architecture)
    Finally, the Data Execution Prevention message might not be shown for some applications when they encounter a problem
    with DEP, regardless of the Windows Error Reporting configuration. These applications handle the
    STATUS_ACCESS_VIOLATION exception raised by DEP, or they install an unhandled exception filter (UEF), which overrides the
    default Win32 UEF. The default Win32 UEF is responsible for triggering both the Data Execution Prevention and Windows Error
    Reporting messages. The Data Execution Prevention message may also not be shown if an application has called the
    SetErrorMode() function with the SEM_NOGPFAULTERRORBOX flag.
    Why is this change important? What threats does it help mitigate?
    The primary benefit of DEP is that it helps to prevent code execution from data pages such as the default heap, various stacks,
    and memory pools. In normal operations of the system, code is not typically executed from the default heap and stack.
    Hardware-enforced DEP detects code that is running from these locations and raises an exception when execution occurs. If the
    exception is unhandled, the process will be terminated. Execution of code from protected memory in kernel mode results in an
    Although terminating a process or causing the system to fail with an error do not appear to be ideal experiences, this helps
    prevent malicious code from executing. Preventing malicious code from executing on the system may prevent damage to the
    system or propagation of malicious code whose harmful effects could easily exceed those of a terminated process or system
    DEP can help prevent some exploits in which a virus or other attack has injected a process with executable code and then
    attempts to execute the injected code. On a system with DEP, execution of the injected code should result in an exception.
    Software-enforced DEP can help mitigate exploits of exception handling mechanisms within Windows.
    A secondary benefit of DEP relates to good engineering and best practices for application and driver developers. DEP forces
    developers to avoid executing code out of data pages without explicitly marking the pages as executable.
    What works differently?
    Application Compatibility
    Some application behaviors are expected to be incompatible with DEP. Applications that perform dynamic code generation
    (such as just-in-time code generation) and that do not explicitly mark generated code with Execute permission might have
    compatibility problems with DEP. Applications that are not built with SafeSEH must have their exception handlers located in
    executable memory regions.
    Applications that attempt to violate DEP will receive an exception with status code STATUS_ACCESS_VIOLATION (0xC0000005). If
    an application requires executable memory, it must explicitly set this attribute on the appropriate memory by specifying
    argument of the Virtual* memory allocation functions. Heap allocations using the malloc() and HeapAlloc() functions are
    Driver compatibility
    Driver compatibility issues with DEP mostly center on PAE mode-induced compatibility issues.
    PAE is required only on systems running 32-bit versions of Windows with processors that support hardware-enforced DEP.
    On its own, DEP might create compatibility problems with drivers that perform code generation or use other techniques to
    generate executable code in real time. Although many drivers with such behavior would have been fixed — as DEP is “always
    on” for drivers loaded on 64-bit versions of Windows — there is no guarantee that all drivers have been updated. However,
    there are few drivers that employ these techniques, and it is not expected that DEP alone will cause a large quantity of driver
    compatibility problems.
    The primary driver compatibility concern is running Physical Address Extension (PAE) mode on 32-bit systems. PAE mode
    enables processors to address greater than 4 gigabytes (GB) of memory. The primary difference between PAE memory paging
    and non-PAE memory paging schemes is the extra level of paging that is required in PAE mode (three levels instead of two).
    Some drivers might fail to load if PAE is enabled, because the device might be unable to perform 64-bit addressing or the
    drivers might assume that PAE mode requires more than 4 GB of random access memory (RAM). Such drivers expect that they
    will always receive 64-bit addresses when in PAE mode and that they or their device are incapable of interpreting the address.
    Other drivers might load in PAE mode but cause system instability by directly modifying system page table entries (PTEs).
    These drivers expect 32-bit PTEs, but receive 64-bit PTEs in PAE mode instead.
    The largest driver PAE compatibility issue involves direct memory access (DMA) transfers and map register allocation. Many
    devices that support DMA, usually 32-bit adapters, are not capable of performing 64-bit physical addressing. When run in
    32-bit mode, the device can address all physical address space. In PAE mode, it is possible that data would be present at a physical
    address greater than 4 GB. To allow devices with these constraints to function in this scenario, Windows 2000 Server and later
    operating systems provide double-buffering for the DMA transaction by providing a 32-bit address that is indicated by a map
    register. The device can perform the DMA transaction to the 32-bit address and the kernel copies the memory to the 64-bit
    address that is provided to the driver.
    When the system runs with PAE disabled, drivers for 32-bit devices never require their map registers to be backed by real
    memory. This means that double-buffering is not necessary, since all devices and drivers are contained within the 32-bit
    address space. Based on testing of drivers for 32-bit devices on 64-bit processor–based computers, it is expected that most
    client-tested, DMA-capable drivers expect unlimited map registers.
    To constrain compatibility issues, Windows Server 2003, Standard Edition with Service Pack 1, includes hardware abstraction
    layer (HAL) changes that mimic the 32-bit HAL DMA behavior. The altered HAL grants unlimited map registers when the
    system is running in PAE mode. In addition, the kernel memory manager ignores any physical address above 4 GB. Any system
    RAM beyond the 4 GB barrier would be made unaddressable by Windows and be unusable in the system. By limiting the
    address space to 4 GB, devices with 32-bit DMA bus master capability will not see a transaction with an address above the 4
    GB barrier. Because these changes remove the need to double-buffer the transactions, they avoid a class of bugs in some
    drivers related to proper implementation of double buffering support.
    Note that the PAE behavior of Windows Server 2003, Enterprise Edition with Service Pack 1, and Windows Server 2003,
    Datacenter Edition with Service Pack 1, is unchanged from the versions without the service pack.
    As a result of these changes to the HAL and memory manager, the impact to device driver compatibility is expected to be
    minimal on systems running Windows Server 2003 with Service Pack 1 with DEP enabled.
    System compatibility
    A final DEP compatibility concern derives from systems with PAE mode enabled, even though they may not be designed for
    more than 4 GB of physical RAM. During internal testing Microsoft has noticed that some systems with processors that support
    hardware-enforced DEP fail to start up or have other stability issues when the processor is running in PAE mode.
    PAE mode is a requirement for leveraging the NX processor feature. Therefore, system designers and firmware engineers
    should be aware that even though the system’s chipset and firmware may not have been designed to support more than 4 GB
    of physical RAM, the system may be running in PAE mode.
    Of particular concern is system firmware that interprets page table entries to determine instructions executed by the operating
    system. Page table entries are extended to 64 bits in length when the processor is running in PAE mode. System designers and
    firmware developers are encouraged to contact their processor and chipset vendors for more information about how to safely
    determine instructions executed by the operating system.
    System designers working with AMD processors can obtain more information in the “BIOS and Kernel Developer’s Guide for
    AMD Athlon 64 and AMD Opteron Processors.” To obtain this paper, go to the AMD Athlon 64 Web site at and click “BIOS and Kernel Developer’s Guide for AMD Athlon 64 and AMD
    Opteron Processors.”
    Intel does not make detailed information about System Management Mode (SMM) available publicly. System designers
    working with Intel processors are encouraged to contact Intel directly for more information.
    For more information regarding Windows support for PAE mode, see “Physical Address Extension – PAE Memory and
    Windows” on the Microsoft Web site at
    How do I resolve these issues?
    Applications that require executable regions of memory must use the PAGE_EXECUTE, PAGE_EXECUTE_READ,
    PAGE_EXECUTE_READWRITE, or PAGE_EXECUTE_WRITECOPY attributes when allocating memory. Additionally, applications cannot
    execute from the default process heap or the stack. Most applications that perform actions incompatible with DEP will need to
    be updated to be compatible. Applications must also be built with SafeSEH or ensure their exception handlers are located in
    memory explicitly marked as executable.
    An application can use the VirtualAlloc() application programming interface (API) function to allocate executable memory
    with the appropriate memory protection options. At a minimum, the PAGE_EXECUTE memory protection option should be used.
    After the executable code has been generated, it is recommended that the application set memory protections to disallow write
    access to the allocated memory. Applications can disallow write access to allocated memory using the VirtualProtect() API
    function. Disallowing write access ensures maximum protection for executable regions of process address space.
    If a malicious process attempts to insert code into an executable region, the access would result in a STATUS_ACCESS_VIOLATION
    write exception. The application should attempt to make the executable regions of its address space as small as possible. This
    would result in a smaller attack surface through which executable memory could be injected into the process address space
    and be executed.
    Additionally, sophisticated applications can control the layout of their virtual memory and create executable regions. These
    applications should attempt to locate executable regions in a lower memory space than non-executable regions. The purpose
    of locating executable regions below non-executable regions is to protect a buffer overflow from overflowing into executable
    A small number of executables and libraries may contain executable code in a data section of the image file. In some cases,
    applications may place small segments of code (commonly referred to as thunks) in the data sections. However, DEP will mark
    sections of the image file loaded in memory as non-executable unless the section has the executable attribute applied.
    Therefore, executable code in data sections should be moved to a code section, or the data section containing the executable
    code should be explicitly marked as executable. The executable attribute, IMAGE_SCN_MEM_EXECUTE (0x20000000), should be
    added to the Characteristics field of the corresponding section header for sections that contain executable code.
    The Microsoft linker that is distributed with Microsoft Visual Studio products can add the executable attribute to a section using
    the /SECTION linker option. The /SECTION linker option has the following format:
    /SECTION:Name,[E][R][W][S][D][K][L][P][X][,ALIGN=#]
    The E value indicates the executable attribute (0x20000000). More information about /SECTION and other Microsoft linker
    options is available on the MSDN Web site at
    Additionally, the Microsoft COFF Binary File Editor (Editbin.exe) utility can be used to change the section attributes of an
    existing image. The Editbin utility has a /SECTION option with the following format:
    /SECTION:Name[=newname][,[[!]{CDEIKOMPRSUW}][A{1248PTSX}]]
    The C and E values indicate code and executable attributes respectively. For more information about the Editbin utility and the
    /SECTION option, see the MSDN Web site at
    Microsoft has provided service packs for Microsoft .NET Framework version 1.0 and version 1.1 to take advantage of DEP in
    Windows Server 2003 with Service Pack 1. Applications that use the Microsoft .NET Framework will continue to function
    normally, but will not benefit from DEP if it is enabled unless the appropriate Microsoft .NET Framework Service Pack has been
    Microsoft encourages application developers who redistribute the Microsoft .NET Framework to update to Microsoft .NET
    Framework version 1.0 Service Pack 3 or version 1.1 Service Pack 1, which take advantage of DEP.
    What settings are added or changed in Windows Server 2003 Service Pack 1?
    System-wide configuration of DEP
    The primary difference in DEP behavior on Windows Server 2003 Service Pack 1 as compared to Windows XP Service Pack 2
    (SP2) is that on the server operating system the default configuration is to protect all applications and services. In Windows XP
    SP2, DEP was turned on by default only for essential Windows operating system programs and services.
    DEP configuration for the system is controlled through Boot.ini switches. Additionally, changes to System in Control Panel have
    been made to enable end users to easily configure DEP settings if they are logged onto the system as an administrator.
    System DEP configuration settings apply only for 32-bit applications and processes when running on 32-bit or 64-bit versions
    of Windows. On 64-bit versions of Windows, if hardware-enforced DEP is available it is always applied to 64-bit processes and
    kernel memory spaces and there are no system configuration settings to disable it.
    Windows supports four system-wide configurations for both hardware-enforced and software-enforced DEP.
    DEP Configuration
    Configuration and description:
    OptIn (default for Windows XP SP2 and Windows XP
        On systems with processors capable of hardware-enforced DEP, DEP is enabled by default for limited
        system binaries and applications that opt in. With this option, only Windows system binaries are covered by
        DEP by default.
    OptOut (default for Server 2003 Service Pack 1)
        DEP is enabled by default for all processes. Users can manually create a list of specific applications that do
        not have DEP applied using System in Control Panel. IT pros can use the Application Compatibility Toolkit to
        opt-out one or more applications from DEP protection. System Compatibility Fixes (“shims”) for DEP do
    AlwaysOn
        This provides full DEP coverage for the entire system. All processes always run with DEP applied. The
        exceptions list for exempting specific applications from DEP protection is not available. System
        Compatibility Fixes (“shims”) for DEP do not take effect. Applications that have been opted-out using the
        Application Compatibility Toolkit run with DEP applied.
    AlwaysOff
        This does not provide any DEP coverage for any part of the system, regardless of hardware DEP support.
        However, the processor will run in PAE mode with 32-bit versions of Windows unless the
        /noexecute=alwaysoff option is replaced with the /execute option in the boot entry.
    Hardware-enforced and software-enforced DEP are configured in the same manner. If the system-wide DEP policy is set to
    OptIn, the same Windows core binaries and applications will be protected by both hardware and software-enforced DEP. If the
    system is not capable of hardware-enforced DEP, the Windows core binaries and applications will be protected only by
    software-enforced DEP.
    Similarly, if the system-wide DEP policy is set to OptOut, applications that have been exempted from DEP protection will be
    exempted from both hardware and software-enforced DEP.
    The four system-wide DEP configurations are controlled through Boot.ini switches. The Boot.ini settings are as follows:
    /noexecute=policy_level
    where policy_level is defined as AlwaysOn, AlwaysOff, OptIn, or OptOut.
    Any existing /noexecute setting in the Boot.ini file is not changed when Windows Server 2003 Service Pack 1 is installed or if
    a Windows operating system image is moved across computers with and without hardware-enforced DEP support.
    During installation of Windows Server 2003 Service Pack 1, the OptOut policy level is enabled by default unless a different
    policy level is specified in an unattended installation. If the /noexecute=policy_level setting is not present in the boot entry for a
    version of Windows that supports DEP, the behavior is the same as if the /noexecute=OptIn option was included.
    End users who are logged on as administrators can manually configure DEP between the OptIn and OptOut policies using the
    Data Execution Prevention tab inside the Performance Options dialog box. The following procedure describes how to
    manually configure DEP on the computer:
    To configure DEP settings
    1. Click Start, click Control Panel, and then double-click System.
    2. Click the Advanced tab. Then, under Performance, click Settings.
    3. Click the Data Execution Prevention tab.
    4. Click Turn on DEP for essential Windows programs and services only to select the OptIn policy.
    5. Click Turn on DEP for all programs and services except those I select to select the OptOut policy.
    6. If you selected the OptOut policy, click Add and add the applications that you do not want to use DEP with.
    IT professionals can control system-wide DEP configuration with a variety of methods. The Boot.ini file can be modified directly
    with scripting mechanisms or with the Bootcfg.exe tool, which is included as part of Windows Server 2003 Service Pack 1.
    For unattended installations of Windows Server 2003 with Service Pack 1, you can use the Unattend.txt file to prepopulate a
    specific DEP configuration. You can use the OSLoadOptionsVar entry in the [Data] section of the Unattend.txt file to specify a
    system-wide DEP configuration.
    Per-application DEP configuration
    For the purposes of application compatibility when DEP is set to the OptOut policy level, it is possible to selectively disable DEP
    for individual 32-bit applications. However, DEP is always enabled for 64-bit applications.
    For end users, the Data Execution Prevention tab in System Properties can be used to selectively disable DEP for an
    For IT professionals, a new application compatibility fix named DisableNX is included with Windows Server 2003 Service
    Pack 1. The DisableNX compatibility fix disables DEP for the program it is applied to.
    The DisableNX compatibility fix can be applied to an application by using the Application Compatibility Toolkit. For more
    information about Windows application compatibility, see “Windows Application Compatibility” on the Microsoft Web site at
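
Added example (not part of the original post or of Microsoft's documentation): a Python triage helper for the Windows Error Reporting signature fields the post lists, separating DEP execution violations from /GS faults using the same codes the post gives for P8, P9 and ExceptionInformation[0]. The `Name: value` text layout and the sample signatures are constructed for illustration.

```python
# Constants as stated in the post's signature table.
STATUS_ACCESS_VIOLATION = 0xC0000005   # P8 for an access violation
GS_FAULT = 0xC0000409                  # P8 for a /GS-related fault
EXECUTE_VIOLATION = 0x8                # P9 / ExceptionInformation[0]
EXECUTE_VIOLATION_ITANIUM = 0x2        # P9 on 64-bit Windows for Itanium

# Constructed sample signatures, using the values shown in the post.
DEP_SAMPLE = """EventType: BEX
P1: DEPDemo.exe
P2: 5.1.2600.2180
P3: 416725f2
P4: DEPDemo.exe
P5: 5.1.2600.2180
P6: 416725f2
P7: 00002060
P8: C0000005
P9: 00000008
"""
GS_SAMPLE = DEP_SAMPLE.replace("P8: C0000005", "P8: c0000409")


def parse_signature(text):
    """Parse 'Name: value' lines (assumed layout) into a dict, keys upper-cased."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip().upper()] = value.strip()
    return fields


def _hex(fields, key):
    """Return the field as an int, or None if it is missing or not hex."""
    try:
        return int(fields.get(key, ""), 16)
    except ValueError:
        return None


def classify(fields, itanium=False):
    """Classify one signature using the EventType, P8 and P9 rules from the post."""
    if fields.get("EVENTTYPE", "").upper() not in ("BEX", "BEX64"):
        return "not-bex"
    p8, p9 = _hex(fields, "P8"), _hex(fields, "P9")
    if p8 is None:
        return "malformed"
    if p8 == GS_FAULT:
        return "gs-fault"
    if p8 != STATUS_ACCESS_VIOLATION:
        return "other-bex"
    if p9 is None:
        return "malformed"
    expected = EXECUTE_VIOLATION_ITANIUM if itanium else EXECUTE_VIOLATION
    return "dep-execute-violation" if p9 == expected else "access-violation-other"


def triage(text, itanium=False):
    """Return (verdict, faulting module, fault offset) for one signature."""
    fields = parse_signature(text)
    return classify(fields, itanium), fields.get("P4"), fields.get("P7")


if __name__ == "__main__":
    for sample in (DEP_SAMPLE, GS_SAMPLE):
        print(triage(sample))
```
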
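
Added example (not from the original post): a Python check of the section-header Characteristics field the post discusses, reporting sections flagged as code but lacking IMAGE_SCN_MEM_EXECUTE and sections that are both writable and executable, and mapping a fault offset such as P7 to its section. The header-only image is constructed, and treating the fault offset as relative to the module's load address is an assumption.

```python
import struct

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000   # value given in the post
IMAGE_SCN_MEM_WRITE = 0x80000000


def parse_sections(image):
    """Return [(name, virtual_address, virtual_size, characteristics)]."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (pe_off,) = struct.unpack_from("<I", image, 0x3C)
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # COFF file header: 20 bytes following the 4-byte signature.
    _mach, count, _ts, _sym, _nsym, opt_size, _flags = struct.unpack_from(
        "<HHIIIHH", image, pe_off + 4)
    table = pe_off + 24 + opt_size
    sections = []
    for i in range(count):
        # Section header: 40 bytes, Characteristics is the last field.
        name, vsize, vaddr, _a, _b, _c, _d, _e, _f, chars = struct.unpack_from(
            "<8sIIIIIIHHI", image, table + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"),
                         vaddr, vsize, chars))
    return sections


def audit(sections):
    """Flag section attributes that matter under DEP."""
    findings = []
    for name, _vaddr, _vsize, chars in sections:
        executable = bool(chars & IMAGE_SCN_MEM_EXECUTE)
        if (chars & IMAGE_SCN_CNT_CODE) and not executable:
            findings.append((name, "contains-code-but-not-executable"))
        if executable and (chars & IMAGE_SCN_MEM_WRITE):
            findings.append((name, "writable-and-executable"))
    return findings


def section_for_offset(sections, offset):
    """Return (section name, is_executable) for an offset from the image base."""
    for name, vaddr, vsize, chars in sections:
        if vaddr <= offset < vaddr + vsize:
            return name, bool(chars & IMAGE_SCN_MEM_EXECUTE)
    return None, False


def build_sample_image():
    """Constructed header-only image: DOS stub, COFF header, four sections."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 4, 0, 0, 0, 0, 0x0102)

    def sec(name, vaddr, chars):
        return struct.pack("<8sIIIIIIHHI", name, 0x1000, vaddr,
                           0, 0, 0, 0, 0, 0, chars)

    table = (sec(b".text", 0x1000, 0x60000020) +    # code, execute, read
             sec(b".data", 0x2000, 0xC0000040) +    # data, read, write
             sec(b".thunk", 0x3000, 0xC0000020) +   # code flag, no execute
             sec(b".jit", 0x4000, 0xE0000020))      # code, execute, read, write
    return dos + b"PE\0\0" + coff + table


if __name__ == "__main__":
    secs = parse_sections(build_sample_image())
    print(audit(secs))
    print(section_for_offset(secs, 0x2060))
```
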
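
Added example (not from the original post): a Python reader that resolves the effective DEP policy for each Boot.ini boot entry, applying the post's rule that a missing /noexecute switch behaves as OptIn, and lists entries weaker than the Service Pack 1 default of OptOut. The Boot.ini content is constructed, and treating a bare /execute entry as AlwaysOff follows the post's AlwaysOff description.

```python
import re

# Policy levels named in the post, ordered from least to most coverage.
ORDER = ["AlwaysOff", "OptIn", "OptOut", "AlwaysOn"]
CANONICAL = {p.lower(): p for p in ORDER}

NOEXECUTE = re.compile(r"(?<!\S)/noexecute=(\S+)", re.IGNORECASE)
EXECUTE = re.compile(r"(?<!\S)/execute(?!\S)", re.IGNORECASE)
ENTRY = re.compile(r'^[^=]+=\s*"([^"]*)"(.*)$')

# Constructed Boot.ini for illustration.
SAMPLE_BOOT_INI = r'''[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Server A" /fastdetect /noexecute=OptOut
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Server B" /fastdetect
multi(0)disk(0)rdisk(0)partition(3)\WINDOWS="Server C" /fastdetect /NoExecute=alwaysoff
multi(0)disk(0)rdisk(0)partition(4)\WINDOWS="Server D" /noexecute=AlwaysOn /fastdetect
'''


def dep_policies(boot_ini_text):
    """Return {entry description: (policy, explicit)} for [operating systems]."""
    results = {}
    in_os_section = False
    for raw in boot_ini_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_os_section = line.lower() == "[operating systems]"
            continue
        match = ENTRY.match(line) if in_os_section else None
        if not match:
            continue
        description, switches = match.group(1), match.group(2)
        found = NOEXECUTE.search(switches)
        if found:
            policy = CANONICAL.get(found.group(1).lower(), "Unrecognized")
            results[description] = (policy, True)
        elif EXECUTE.search(switches):
            results[description] = ("AlwaysOff", True)
        else:
            # No switch present: same behavior as /noexecute=OptIn.
            results[description] = ("OptIn", False)
    return results


def weaker_than(results, baseline="OptOut"):
    """Entries whose policy covers less than the baseline, or is unrecognized."""
    floor = ORDER.index(baseline)
    return sorted(name for name, (policy, _explicit) in results.items()
                  if policy not in ORDER or ORDER.index(policy) < floor)


if __name__ == "__main__":
    policies = dep_policies(SAMPLE_BOOT_INI)
    for name, value in policies.items():
        print(name, value)
    print("weaker than OptOut:", weaker_than(policies))
```
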
