Data Execution Prevention In Windows Server 2003

IT Support Forum Forums Windows Windows Server 2003 R2 General Discussion Data Execution Prevention In Windows Server 2003

Viewing 0 reply threads
  • Author
    • #2192

      What does data execution prevention do?
      Dataexecution prevention (DEP) is a set of hardwareand softwaretechnologies that perform additional checks on memory to
      help protectagainst malicious codeexploits. In Windows Server 2003 with Service Pack 1, DEP is enforced by both hardware
      and software.
      Hardware-enforced DEP
      Hardware-enforced DEP marks all memory locations in a process as non-executable unless thelocation explicitly contains
      executablecode.Thereis a class of attacks thatattempt to insertand executecodefrom non-executable memory locations. DEP
      helps prevent theseattacks by intercepting them and raising an exception.
      Hardware-enforced DEP relies on processor hardwareto mark memory with an attributethat indicates that codeshould not be
      executed from that memory. DEP functions on a per-virtual-memory-page basis, usually changing a bit in the pagetableentry
      (PTE) to mark the memory page.
      Theactual hardwareimplementation of DEP and marking of thevirtual memory pagevaries by processor architecture.
      However, processors that support hardware-enforced DEP arecapable of raising an exception when codeis executed from a
      page marked with theappropriateattributeset.
      Both Advanced Micro Devices (AMD) and Intel Corporation have defined and shipped Windows-compatiblearchitectures that
      arecompatible with DEP.
      32-bitversions of Windows Server 2003 with Service Pack 1 utilizethe no-execute page-protection (NX) processor featureas
      defined by AMD or theExecute Disable bit (XD) featureas defined by Intel. In order to usethese processor features, the
      processor must berunning in Physical Address Extension (PAE) mode.The 64-bitversions of Windows usethe NX or XD
      processor feature on 64-bitextensions processors and certain values of theaccess rights pagetableentry (PTE) field on IPF
      It is hoped thatall future 32-bitand 64-bit processors will providesupport for hardware-enforced DEP. Microsoft continues to
      work with processor vendors to encouragetheadoption and development of DEP technologies.
      Software-enforced DEP
      An additional set of DEP security checks has been added to Windows Server 2003 with Service Pack 1.Thesechecks,known as
      software-enforced DEP,are designed to mitigateexploits of exception handling mechanisms in Windows.Software-enforced
      DEP runs on any processor that is capable of running Windows Server 2003 with Service Pack 1. By default, software-enforced
      DEP protects only limited system binaries, regardless of the hardware-enforced DEP capabilities of the processor.
      Who does this feature apply to?
      Application and driver developers should beaware of DEP and therequirements of softwarerunning on a supporting platform.
      Applications that perform just-in-time(JIT) code generation or execute memory from the default process stack or heap should
      pay careful attention to DEP requirements.
      Driver developers areencouraged to beaware of PAE mode on platforms supporting hardware-enforced DEP. PAE mode
      behavior on systems running Windows Server 2003,Standard Edition with Service Pack 1, is changed to improve driver
      What new functionality is added to this feature in Windows Server 2003 Service Pack 1?
      Data execution prevention on 32-bit and 64-bit versions of Windows and applications
      Detailed description
      Hardware-enforced DEP
      To provideconsistency for application and driver developers, the memory protection model (including DEP) is designed to be
      thesamefor both 32-bitand 64-bitversions of Windows.
      Application developers should beaware of DEP behavior in user mode. A user-mode DEP exception results in a
      STATUS_ACCESS_VIOLATION (0xc0000005) on Windows systems.Thefirst parameter of ExceptionInformation that is located
      insidethe EXCEPTION_RECORD structurecontains thetype of access violation that occurred. A value of 8 for
      ExceptionInformation[0] indicates theaccess violation was an execution violation.
      In most processes, the STATUS_ACCESS_VIOLATION exception will bean unhandled exception and result in termination of the
      DEP is also applied to drivers in kernel mode. DEP for memory regions in kernel modecannot beselectively enabled or
      disabled. On 32-bitversions of Windows, DEP is applied to thestack by default.This differs from kernel-mode DEP on 64-bit
      versions of Windows, wherethestack, paged pool,and session pool have DEP applied.
      Device drivers are not permitted to executecodefrom thestack when DEP is enabled. A DEP access violation in kernel mode
      will result in an error 0xFC: ATTEMPTED_EXECUTE_OF_NOEXECUTE_MEMORY.
      Software-enforced DEP
      Software-enforced DEP performs additional checks on exception handling mechanisms in Windows. If the program’s image
      files are built with SafeStructured Exception Handling (SafeSEH), software-enforced DEP ensures that beforean exception is
      dispatched, theexception handler is registered in thefunction tablelocated within theimagefile.
      If the program’s imagefiles are not built with SafeSEH, software-enforced DEP ensures that beforean exception is dispatched,
      theexception handler is located within a memory region marked as executable.
      DEP application close behavior
      The majority of applications will notencounter a problem with DEP. However, when an application does encounter a problem
      with DEP,a Data Execution Prevention messageis presented to the user,alerting them to the problem.
      The Data Execution Prevention messageindicates thata DEP problem occurred with theapplication and provides theability for
      the user to learn moreabout DEP and optionally disable DEP for theapplication that was closed.
      If a DEP problem occurs with an application, Microsoft recommends contacting theapplication vendor for an update.The
      security implications of disabling DEP for an application should bethoroughly considered before disabling DEP for an
      Theability to change DEP settings for a closed application using the Change Settings button on the Data Execution
      Prevention message window depends on thesystem-wide DEP configuration. Changes to DEP protection for an application
      can be made only if thesystem-wide DEP configuration is set to the OptOut mode.
      The Data Execution Prevention messageis presented immediately beforea Windows Error Reporting window, which provides
      the opportunity to submita reportabout the DEP problem to Microsoft.
      On Windows Server 2003 with Service Pack 1, the Data Execution Prevention message will be presented the next timean
      Administrator logs onto thesystem interactively.The behavior is changed on Windows Server 2003 with Service Pack 1 from
      Windows XP with Service Pack 2 because Windows Error Reporting is configured in queued mode by default. Queued mode
      causes error reporting messages to be queued until the next timean administrator interactively logs onto thesystem.
      To learn moreabout Windows Error Reporting, or to configure Windows Error Reporting such that DEP and Windows Error
      Reporting messages are displayed immediately following an application problem, seethe”Using Windows Server 2003 in a
      Managed Environment:Windows Error Reporting”article on the Microsoft Web siteat
      Windows Error Reporting generates an error signature when an application is closed dueto DEP.Theerror signaturecan be
      viewed by following the”click here” link on the Windows Error Reporting dialog.Theerror signaturefor a DEP problem has the
      following attributes:
      EventType BEX Indicates a buffer overflow (/GS) or DEP exception (BEX64 indicates a buffer overflow (/GS) or DEP
      exception on 64-bitversions of Windows)
      P1 DEPDemo.exe Name of theapplication executablethatencountered the problem
      P2 5.1.2600.2180 Version of theapplication executablethatencountered the problem
      P3 416725f2 Faulting application stamp
      P4 DEPDemo.exe Faulting module name
      P5 5.1.2600.2180 Faulting moduleversion
      P6 416725f2 Faulting modulestamp
      P7 00002060 Fault offset (Instruction address if a moduleis not loaded at thefaulting address)
      P8 C0000005 Indicates aSTATUS_ACCESS_VIOLATION exception (If this parameter is c0000409, the problem is a
      /GS-related fault)
      P9 00000008 Indicates an execution STATUS_ACCESS_VIOLATION (00000002 indicates an execution
      STATUS_ACCESS_VIOLATION on 64-bitversions of Windows for theIntel Itanium architecture)
      Finally, the Data Execution Prevention message might not beshown for someapplications when they encounter a problem
      with DEP, regardless of the Windows Error Reporting configuration.Theseapplications handlethe
      STATUS_ACCESS_VIOLATION exception raised by DEP, or they install an unhandled exception filter (UEF), which overrides the
      default Win32 UEF.The default Win32 UEF is responsiblefor triggering both the Data Execution Prevention and Windows Error
      Reporting messages.The Data Execution Prevention message may also not beshown if an application has called the
      SetErrorMode() function with the SEM_NOGPFAULTERRORBOX flag.
      Why is this change important? What threats does it help mitigate?
      The primary benefit of DEP is that it helps to prevent codeexecution from data pages such as the default heap,various stacks,
      and memory pools. In normal operations of thesystem,codeis not typically executed from the default heap and stack.
      Hardware-enforced DEP detects codethat is running from theselocations and raises an exception when execution occurs. If the
      exception is unhandled, the process will beterminated.Execution of codefrom protected memory in kernel moderesults in an
      Although terminating a process or causing thesystem to fail with an error do notappear to beideal experiences, this helps
      prevent malicious codefrom executing. Preventing malicious codefrom executing on thesystem may prevent damageto the
      system or propagation of malicious code whose harmful effects could easily exceed those of a terminated process or system
      DEP can help prevent someexploits in which a virus or other attack has injected a process with executablecodeand then
      attempts to executetheinjected code. On a system with DEP,execution of theinjected codeshould result in an exception.
      Software-enforced DEP can help mitigateexploits of exception handling mechanisms within Windows.
      A secondary benefit of DEP relates to good engineering and best practices for application and driver developers. DEP forces
      developers to avoid executing code out of data pages withoutexplicitly marking the pages as executable.
      What works differently?
      Application Compatibility
      Someapplication behaviors areexpected to beincompatible with DEP. Applications that perform dynamic code generation
      (such as just-in-timecode generation) and that do notexplicitly mark generated code with Execute permission might have
      compatibility problems with DEP. Applications thatare not built with SafeSEH must havetheir exception handlers located in
      executable memory regions.
      Applications thatattempt to violate DEP will receivean exception with status code STATUS_ACCESS_VIOLATION (0xC0000005). If
      an application requires executable memory, it mustexplicitly set this attribute on theappropriate memory by specifying
      argument of the Virtual* memory allocation functions. Heap allocations using the malloc() and HeapAlloc() functions are
      Driver compatibility
      Driver compatibility issues with DEP mostly center on PAE mode-induced compatibility issues.
      PAE is required only on systems running 32-bitversions of Windows with processors that support hardware-enforced DEP.
      On its own, DEP might createcompatibility problems with drivers that perform code generation or use other techniques to
      generateexecutablecodein real time. Although many drivers with such behavior would have been fixed — as DEP is “always
      on” for drivers loaded on 64-bitversions of Windows — thereis no guaranteethatall drivers have been updated. However,
      therearefew drivers thatemploy thesetechniques,and it is notexpected that DEP alone will causea large quantity of driver
      compatibility problems.
      The primary driver compatibility concern is running Physical Address Extension (PAE) mode on 32-bit systems. PAE mode
      enables processors to address greater than 4 gigabytes (GB) of memory.The primary difference between PAE memory paging
      and non-PAE memory paging schemes is theextra level of paging that is required in PAE mode(threelevels instead of two).
      Some drivers might fail to load if PAE is enabled, becausethe device might be unableto perform 64-bitaddressing or the
      drivers mightassumethat PAE moderequires morethan 4 GB of random access memory (RAM).Such drivers expect that they
      will always receive 64-bitaddresses when in PAE modeand that they or their deviceareincapable of interpreting theaddress.
      Other drivers might load in PAE mode but causesystem instability by directly modifying system pagetableentries (PTEs).
      These drivers expect 32-bit PTEs, but receive 64-bit PTEs in PAE modeinstead.
      Thelargest driver PAE compatibility issueinvolves direct memory access (DMA) transfers and map register allocation. Many
      devices that support DMA, usually 32-bitadapters,are not capable of performing 64-bit physical addressing.When run in 32-
      bit mode, the devicecan address all physical address space. In PAE mode, it is possiblethat data would be presentata physical
      address greater than 4 GB.To allow devices with theseconstraints to function in this scenario,Windows 2000 Server and later
      operating systems provide double-buffering for the DMA transaction by providing a 32-bitaddress that is indicated by a map
      register.The devicecan perform the DMA transaction to the 32-bitaddress and thekernel copies the memory to the 64-bit
      address that is provided to the driver.
      When thesystem runs with PAE disabled, drivers for 32-bit devices never requiretheir map registers to be backed by real
      memory.This means that double-buffering is not necessary, sinceall devices and drivers arecontained within the 32-bit
      address space. Based on testing of drivers for 32-bit devices on 64-bit processor–based computers, it is expected that most
      client-tested, DMA-capable drivers expect unlimited map registers.
      To constrain compatibility issues,Windows Server 2003,Standard Edition with Service Pack 1, includes hardwareabstraction
      layer (HAL) changes that mimic the 32-bit HAL DMA behavior.Thealtered HAL grants unlimited map registers when the
      system is running in PAE mode. In addition, thekernel memory manager ignores any physical address above 4 GB. Any system
      RAM beyond the 4 GB barrier would be made unaddressable by Windows and be unusablein thesystem. By limiting the
      address spaceto 4 GB, devices with 32-bit DMA bus master capability will not seea transaction with an address abovethe 4
      GB barrier. Becausethesechanges removethe need to double-buffer thetransactions, they avoid a class of bugs in some
      drivers related to proper implementation of double buffering support.
      Notethat the PAE behavior of Windows Server 2003,EnterpriseEdition with Service Pack 1,and Windows Server 2003,
      Datacenter Edition with Service Pack 1, is unchanged from theversions without theservice pack.
      As a result of thesechanges to the HAL and memory manager, theimpact to device driver compatibility is expected to be
      minimal on systems running Windows Server 2003 with Service Pack 1 with DEP enabled.
      System compatibility
      A final DEP compatibility concern derives from systems with PAE modeenabled,even though they may not be designed for
      morethan 4 GB of physical RAM. During internal testing Microsoft has noticed that somesystems with processors that support
      hardware-enforced DEP fail to start up or have other stability issues when the processor is running in PAE mode.
      PAE modeis a requirement for leveraging the NX processor feature.Therefore, system designers and firmwareengineers
      should beawarethateven though thesystem’s chipsetand firmware may not have been designed to support morethan 4 GB
      of physical RAM, thesystem may berunning in PAE mode.
      Of particular concern is system firmwarethat interprets pagetableentries to determineinstructions executed by the operating
      system. Pagetableentries areextended to 64 bits in length when the processor is running in PAE mode.System designers and
      firmware developers areencouraged to contact their processor and chipsetvendors for moreinformation about how to safely
      determineinstructions executed by the operating system.
      System designers working with AMD processors can obtain moreinformation in the”BIOS and Kernel Developer’s Guidefor
      AMD Athlon 64 and AMD Opteron Processors.”To obtain this paper, go to the AMD Athlon 64 Web siteat and click “BIOS and Kernel Developer’s Guidefor AMD Athlon 64 and AMD
      Opteron Processors.”
      Intel does not make detailed information aboutSystem Management Mode(SMM) available publicly.System designers
      working with Intel processors areencouraged to contact Intel directly for moreinformation.
      For moreinformation regarding Windows support for PAE mode, see”Physical Address Extension – PAE Memory and
      Windows” on the Microsoft Web siteat
      How do I resolve these issues?
      Applications that requireexecutableregions of memory must usethe PAGE_EXECUTE, PAGE_EXECUTE_READ,
      PAGE_EXECUTE_READWRITE, or PAGE_EXECUTE_WRITECOPY attributes when allocating memory. Additionally,applications cannot
      executefrom the default process heap or thestack. Mostapplications that perform actions incompatible with DEP will need to
      be updated to becompatible. Applications mustalso be built with SafeSEH or ensuretheir exception handlers arelocated in
      memory explicitly marked as executable.
      An application can usethe VirtualAlloc() application programming interface(API) function to allocateexecutable memory
      with theappropriate memory protection options. Ata minimum, the PAGE_EXECUTE memory protection option should be used.
      After theexecutablecode has been generated, it is recommended that theapplication set memory protections to disallow write
      access to theallocated memory. Applications can disallow writeaccess to allocated memory using the VirtualProtect() API
      function. Disallowing writeaccess ensures maximum protection for executableregions of process address space.
      If a malicious process attempts to insert codeinto an executableregion, theaccess would result in a STATUS_ACCESS_VIOLATION
      writeexception.Theapplication should attempt to maketheexecutableregions of its address spaceas small as possible.This
      would result in a smaller attack surfacethrough which executable memory could beinjected into the process address space
      and beexecuted.
      Additionally, sophisticated applications can control thelayout of their virtual memory and createexecutableregions.These
      applications should attempt to locateexecutableregions in a lower memory spacethan non-executableregions.The purpose
      of locating executableregions below non-executableregions is to protecta buffer overflow from overflowing into executable
      A small number of executables and libraries may contain executablecodein a data section of theimagefile. In somecases,
      applications may placesmall segments of code(commonly referred to as thunks) in the data sections. However, DEP will mark
      sections of theimagefileloaded in memory as non-executable unless thesection has theexecutableattributeapplied.
      Therefore,executablecodein data sections should be moved to a codesection, or the data section containing theexecutable
      codeshould beexplicitly marked as executable.Theexecutableattribute, IMAGE_SCN_MEM_EXECUTE (0x20000000), should be
      added to the Characteristics field of thecorresponding section header for sections that contain executablecode.
      The Microsoft linker that is distributed with Microsoft Visual Studio products can add theexecutableattributeto a section using
      the /SECTION linker option.The /SECTION linker option has thefollowing format:
      /SECTION: Name ,[E][R][W][S][D][K][L][P][X][,ALIGN=#]
      The E valueindicates theexecutableattribute(0x20000000). Moreinformation about /SECTION and other Microsoft linker
      options is available on the MSDN Web siteat
      Additionally, the Microsoft COFF Binary FileEditor (Editbin.exe) utility can be used to changethesection attributes of an
      existing image.TheEditbin utility has a /SECTION option with thefollowing format:
      /SECTION: Name [= newname ][,[[!]{CDEIKOMPRSUW}][A{1248PTSX}]]
      The C and E values indicatecodeand executableattributes respectively.For moreinformation about theEditbin utility and the
      /SECTION option, seethe MSDN Web siteat
      Microsoft has provided service packs for Microsoft .NETFramework version 1.0 and version 1.1 to takeadvantage of DEP in
      Windows Server 2003 with Service Pack 1. Applications that usethe Microsoft .NETFramework will continueto function
      normally, but will not benefit from DEP if it is enabled unless theappropriate Microsoft .NETFramework Service Pack has been
      Microsoftencourages application developers who redistributethe Microsoft .NETFramework to updateto Microsoft .NET
      Framework version 1.0 Service Pack 3 or version 1.1 Service Pack 1, which takeadvantage of DEP.
      What settings are added or changed in Windows Server 2003 Service Pack 1?
      System-wide configuration of DEP
      The primary differencein DEP behavior on Windows Server 2003 Service Pack 1 as compared to Windows XP Service Pack 2
      (SP2) is that on theserver operating system the default configuration is to protectall applications and services. In Windows XP
      SP2, DEP was turned on by default only for essential Windows operating system programs and services.
      DEP configuration for thesystem is controlled through Boot.ini switches. Additionally,changes to System in Control Panel have
      been madeto enableend users to easily configure DEP settings if they arelogged onto thesystem as an administrator.
      System DEP configuration settings apply only for 32-bitapplications and processes when running on 32-bit or 64-bitversions
      of Windows. On 64-bitversions of Windows, if hardware-enforced DEP is availableit is always applied to 64-bit processes and
      kernel memory spaces and thereare no system configuration settings to disableit.
      Windows supports four system-wideconfigurations for both hardware-enforced and software-enforced DEP.
      DEP Configuration
      Configuration Description
      (default for
      Windows XP SP2
      and Windows XP
      On systems with processors capable of hardware-enforced DEP, DEP is enabled by default for limited
      system binaries and applications that opt in.With this option, only Windows system binaries arecovered by
      DEP by default.
      (default for
      Server 2003
      Service Pack 1)
      DEP is enabled by default for all processes. Users can manually createa list of specificapplications that do
      not have DEP applied using System in Control Panel. IT pros can usethe Application Compatibility Toolkit to
      opt-out one or moreapplications from DEP protection.System Compatibility Fixes (“shims”) for DEP do
      AlwaysOn This provides full DEP coveragefor theentiresystem. All processes always run with DEP applied.The
      exceptions list for exempting specificapplications from DEP protection is notavailable.System
      Compatibility Fixes (“shims”) for DEP do not takeeffect. Applications that have been opted-out using the
      Application Compatibility Toolkit run with DEP applied.
      AlwaysOff This does not provideany DEP coveragefor any part of thesystem, regardless of hardware DEP support.
      However, the processor will run in PAE mode with 32-bitversions of Windows unless the
      /noexecute=alwaysoff option is replaced with the /execute option in the bootentry.
      Hardware-enforced and software-enforced DEP areconfigured in thesame manner. If thesystem-wide DEP policy is set to
      OptIn, thesame Windows core binaries and applications will be protected by both hardwareand software-enforced DEP. If the
      system is not capable of hardware-enforced DEP, the Windows core binaries and applications will be protected only by
      software-enforced DEP.
      Similarly, if thesystem-wide DEP policy is set to OptOut,applications that have been exempted from DEP protection will be
      exempted from both hardwareand software-enforced DEP.
      Thefour system-wide DEP configurations arecontrolled through Boot.ini switches.The Boot.ini settings areas follows:
      where policy_level is defined as AlwaysOn, AlwaysOff, OptIn, or OptOut.
      Any existing /noexecute setting in the Boot.ini fileis not changed when Windows Server 2003 Service Pack 1 is installed or if
      a Windows operating system imageis moved across computers with and without hardware-enforced DEP support.
      During installation of Windows Server 2003 Service Pack 1, the OptOut policy level is enabled by default unless a different
      policy level is specified in an unattended installation. If the /noexecute=policy_level setting is not present in the bootentry for a
      version of Windows that supports DEP, the behavior is thesameas if the /noexecute=OptIn option was included.
      End users who arelogged on as administrators can manually configure DEP between the OptIn and OptOut policies using the
      Data Execution Prevention tab insidethe Performance Options dialog box.Thefollowing procedure describes how to
      manually configure DEP on thecomputer:
      To configure DEP settings
      1. Click Start,click Control Panel,and then double-click System.
      2. Click the Advanced tab.Then, under Performance,click Settings.
      3. Click the Data Execution Prevention tab.
      4. Click Turn on DEP for essential Windows programs and services only to select the OptIn policy.
      5. Click Turn on DEP for all programs and services except those I select to select the OptOut policy.
      6. If you selected the OptOut policy,click Add and add theapplications thatyou do not want to use DEP with.
      IT professionals can control system-wide DEP configuration with a variety of methods.The Boot.ini filecan be modified directly
      with scripting mechanisms or with the Bootcfg.exetool, which is included as part of Windows Server 2003 Service Pack 1.
      For unattended installations of Windows Server 2003 with Service Pack 1,you can usethe Unattend.txt fileto prepopulatea
      specific DEP configuration. You can usethe OSLoadOptionsVar entry in the [Data] section of the Unattend.txt fileto specify a
      system-wide DEP configuration.
      Per-application DEP configuration
      For the purposes of application compatibility when DEP is set to the OptOut policy level, it is possibleto selectively disable DEP
      for individual 32-bitapplications. However, DEP is always enabled for 64-bitapplications.
      For end users, the Data Execution Prevention tab in System Properties can be used to selectively disable DEP for an
      For IT professionals,a new application compatibility fix named DisableNX is included with Windows Server 2003 Service
      Pack 1.The DisableNX compatibility fix disables DEP for the program it is applied to.
      The DisableNX compatibility fix can beapplied to an application by using the Application Compatibility Toolkit.For more
      information about Windows application compatibility, see”Windows Application Compatibility” on the Microsoft Web siteat

Viewing 0 reply threads
  • You must be logged in to reply to this topic.