Data Execution Prevention In Windows Server 2003

Post #2192 by Webmaster (Keymaster)

What does data execution prevention do?

Data execution prevention (DEP) is a set of hardware and software technologies that perform additional checks on memory to help protect against malicious code exploits. In Windows Server 2003 with Service Pack 1, DEP is enforced by both hardware and software.

Hardware-enforced DEP

Hardware-enforced DEP marks all memory locations in a process as non-executable unless the location explicitly contains executable code. There is a class of attacks that attempt to insert and execute code from non-executable memory locations. DEP helps prevent these attacks by intercepting them and raising an exception.

Hardware-enforced DEP relies on processor hardware to mark memory with an attribute that indicates that code should not be executed from that memory. DEP functions on a per-virtual-memory-page basis, usually changing a bit in the page table entry (PTE) to mark the memory page.

The actual hardware implementation of DEP and marking of the virtual memory page varies by processor architecture. However, processors that support hardware-enforced DEP are capable of raising an exception when code is executed from a page marked with the appropriate attribute set.

Both Advanced Micro Devices (AMD) and Intel Corporation have defined and shipped Windows-compatible architectures that are compatible with DEP.

32-bit versions of Windows Server 2003 with Service Pack 1 utilize the no-execute page-protection (NX) processor feature as defined by AMD or the Execute Disable bit (XD) feature as defined by Intel. In order to use these processor features, the processor must be running in Physical Address Extension (PAE) mode. The 64-bit versions of Windows use the NX or XD processor feature on 64-bit extensions processors and certain values of the access rights page table entry (PTE) field on IPF processors.

It is hoped that all future 32-bit and 64-bit processors will provide support for hardware-enforced DEP. Microsoft continues to work with processor vendors to encourage the adoption and development of DEP technologies.

Software-enforced DEP

An additional set of DEP security checks has been added to Windows Server 2003 with Service Pack 1. These checks, known as software-enforced DEP, are designed to mitigate exploits of exception handling mechanisms in Windows. Software-enforced DEP runs on any processor that is capable of running Windows Server 2003 with Service Pack 1. By default, software-enforced DEP protects only limited system binaries, regardless of the hardware-enforced DEP capabilities of the processor.

Who does this feature apply to?

Application and driver developers should be aware of DEP and the requirements of software running on a supporting platform. Applications that perform just-in-time (JIT) code generation or execute memory from the default process stack or heap should pay careful attention to DEP requirements.

Driver developers are encouraged to be aware of PAE mode on platforms supporting hardware-enforced DEP. PAE mode behavior on systems running Windows Server 2003, Standard Edition with Service Pack 1, is changed to improve driver compatibility.
What new functionality is added to this feature in Windows Server 2003 Service Pack 1?

Data execution prevention on 32-bit and 64-bit versions of Windows and applications

Detailed description

Hardware-enforced DEP

To provide consistency for application and driver developers, the memory protection model (including DEP) is designed to be the same for both 32-bit and 64-bit versions of Windows.

Application developers should be aware of DEP behavior in user mode. A user-mode DEP exception results in a STATUS_ACCESS_VIOLATION (0xc0000005) on Windows systems. The first parameter of ExceptionInformation that is located inside the EXCEPTION_RECORD structure contains the type of access violation that occurred. A value of 8 for ExceptionInformation[0] indicates the access violation was an execution violation.

In most processes, the STATUS_ACCESS_VIOLATION exception will be an unhandled exception and result in termination of the process.

DEP is also applied to drivers in kernel mode. DEP for memory regions in kernel mode cannot be selectively enabled or disabled. On 32-bit versions of Windows, DEP is applied to the stack by default. This differs from kernel-mode DEP on 64-bit versions of Windows, where the stack, paged pool, and session pool have DEP applied.

Device drivers are not permitted to execute code from the stack when DEP is enabled. A DEP access violation in kernel mode will result in an error 0xFC: ATTEMPTED_EXECUTE_OF_NOEXECUTE_MEMORY.

Software-enforced DEP

Software-enforced DEP performs additional checks on exception handling mechanisms in Windows. If the program's image files are built with Safe Structured Exception Handling (SafeSEH), software-enforced DEP ensures that before an exception is dispatched, the exception handler is registered in the function table located within the image file.

If the program's image files are not built with SafeSEH, software-enforced DEP ensures that before an exception is dispatched, the exception handler is located within a memory region marked as executable.

DEP application close behavior

The majority of applications will not encounter a problem with DEP. However, when an application does encounter a problem with DEP, a Data Execution Prevention message is presented to the user, alerting them to the problem.

The Data Execution Prevention message indicates that a DEP problem occurred with the application and provides the ability for the user to learn more about DEP and optionally disable DEP for the application that was closed.

Important: If a DEP problem occurs with an application, Microsoft recommends contacting the application vendor for an update. The security implications of disabling DEP for an application should be thoroughly considered before disabling DEP for an application.

The ability to change DEP settings for a closed application using the Change Settings button on the Data Execution Prevention message window depends on the system-wide DEP configuration. Changes to DEP protection for an application can be made only if the system-wide DEP configuration is set to the OptOut mode.

The Data Execution Prevention message is presented immediately before a Windows Error Reporting window, which provides the opportunity to submit a report about the DEP problem to Microsoft.

On Windows Server 2003 with Service Pack 1, the Data Execution Prevention message will be presented the next time an Administrator logs onto the system interactively. The behavior is changed on Windows Server 2003 with Service Pack 1 from Windows XP with Service Pack 2 because Windows Error Reporting is configured in queued mode by default. Queued mode causes error reporting messages to be queued until the next time an administrator interactively logs onto the system.

To learn more about Windows Error Reporting, or to configure Windows Error Reporting such that DEP and Windows Error Reporting messages are displayed immediately following an application problem, see the "Using Windows Server 2003 in a Managed Environment: Windows Error Reporting" article on the Microsoft Web site at http://go.microsoft.com/fwlink/?LinkId=38443.

Windows Error Reporting generates an error signature when an application is closed due to DEP. The error signature can be viewed by following the "click here" link on the Windows Error Reporting dialog. The error signature for a DEP problem has the following attributes (parameter, example value, description):

EventType (example: BEX): Indicates a buffer overflow (/GS) or DEP exception (BEX64 indicates a buffer overflow (/GS) or DEP exception on 64-bit versions of Windows)
P1 (example: DEPDemo.exe): Name of the application executable that encountered the problem
P2 (example: 5.1.2600.2180): Version of the application executable that encountered the problem
P3 (example: 416725f2): Faulting application stamp
P4 (example: DEPDemo.exe): Faulting module name
P5 (example: 5.1.2600.2180): Faulting module version
P6 (example: 416725f2): Faulting module stamp
P7 (example: 00002060): Fault offset (instruction address if a module is not loaded at the faulting address)
P8 (example: C0000005): Indicates a STATUS_ACCESS_VIOLATION exception (if this parameter is c0000409, the problem is a /GS-related fault)
P9 (example: 00000008): Indicates an execution STATUS_ACCESS_VIOLATION (00000002 indicates an execution STATUS_ACCESS_VIOLATION on 64-bit versions of Windows for the Intel Itanium architecture)

Finally, the Data Execution Prevention message might not be shown for some applications when they encounter a problem with DEP, regardless of the Windows Error Reporting configuration. These applications handle the STATUS_ACCESS_VIOLATION exception raised by DEP, or they install an unhandled exception filter (UEF), which overrides the default Win32 UEF. The default Win32 UEF is responsible for triggering both the Data Execution Prevention and Windows Error Reporting messages. The Data Execution Prevention message may also not be shown if an application has called the SetErrorMode() function with the SEM_NOGPFAULTERRORBOX flag.
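As an added example (not part of the original post or of Microsoft's documentation), the C below classifies a Windows Error Reporting signature by the P8/P9 rules in the table above and the ExceptionInformation[0] meaning given under "Hardware-enforced DEP", so that a triage script can separate a DEP execute stop from a /GS fault or an ordinary read/write access violation. The one-line "Key=Value" rendering of the signature, the wer_signature/sig_kind names and the DEPDemo.exe sample line are constructed here; STATUS_STACK_BUFFER_OVERRUN is the documented name of the 0xC0000409 code the table calls a /GS-related fault.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>   /* strcasecmp is POSIX; MSVC spells it _stricmp */

/* Exception codes and ExceptionInformation[0] values quoted in the post. */
#define STATUS_ACCESS_VIOLATION      0xC0000005UL
#define STATUS_STACK_BUFFER_OVERRUN  0xC0000409UL /* the "/GS-related fault" code */
#define AV_INFO_EXECUTE              8UL          /* execute violation, x86 and x64 */
#define AV_INFO_EXECUTE_IPF          2UL          /* execute violation on Itanium (BEX64) */

typedef enum {
    SIG_UNPARSED,      /* line lacked EventType, P8 or P9 */
    SIG_NOT_BEX,       /* not a BEX/BEX64 event: neither DEP nor /GS */
    SIG_DEP_EXECUTE,   /* DEP raised an execute access violation */
    SIG_GS_FAULT,      /* /GS stack-cookie failure, not a DEP stop */
    SIG_OTHER_FAULT    /* BEX event with some other code or access type */
} sig_kind;

typedef struct {
    char event_type[16]; /* "BEX" or "BEX64" */
    char p8[16];         /* exception code as hex text, e.g. "C0000005" */
    char p9[16];         /* ExceptionInformation[0] as hex text, e.g. "00000008" */
} wer_signature;

/* Parse a constructed one-line rendering of the signature: "Key=Value" pairs
 * separated by blanks, e.g. "EventType=BEX P1=DEPDemo.exe ... P9=00000008".
 * Only EventType, P8 and P9 are kept; returns 1 when all three were present. */
int parse_signature_line(const char *line, wer_signature *out) {
    char buf[512];
    int have = 0;
    memset(out, 0, sizeof *out);
    strncpy(buf, line, sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';
    for (char *tok = strtok(buf, " \t\r\n"); tok; tok = strtok(NULL, " \t\r\n")) {
        char *eq = strchr(tok, '=');
        if (!eq) continue;
        *eq = '\0';
        const char *val = eq + 1;
        if (strcasecmp(tok, "EventType") == 0) { strncpy(out->event_type, val, 15); have |= 1; }
        else if (strcasecmp(tok, "P8") == 0)   { strncpy(out->p8, val, 15); have |= 2; }
        else if (strcasecmp(tok, "P9") == 0)   { strncpy(out->p9, val, 15); have |= 4; }
    }
    return have == 7;
}

/* The table's rules: a BEX/BEX64 event with P8 == C0000005 and P9 == 8
 * (or 2 under BEX64, the Itanium encoding) is a DEP execute violation, and
 * P8 == C0000409 is a /GS fault. Hex text is compared numerically, so
 * "c0000005" and "C0000005" are treated alike. */
sig_kind classify_signature(const wer_signature *sig) {
    int bex64 = strcasecmp(sig->event_type, "BEX64") == 0;
    if (!bex64 && strcasecmp(sig->event_type, "BEX") != 0)
        return SIG_NOT_BEX;
    unsigned long code = strtoul(sig->p8, NULL, 16);
    unsigned long info = strtoul(sig->p9, NULL, 16);
    if (code == STATUS_STACK_BUFFER_OVERRUN)
        return SIG_GS_FAULT;
    if (code != STATUS_ACCESS_VIOLATION)
        return SIG_OTHER_FAULT;
    if (info == AV_INFO_EXECUTE || (bex64 && info == AV_INFO_EXECUTE_IPF))
        return SIG_DEP_EXECUTE;
    return SIG_OTHER_FAULT;   /* e.g. 0 = read or 1 = write access violation */
}

/* One-call form for scripts: parse, then classify. */
sig_kind classify_line(const char *line) {
    wer_signature sig;
    return parse_signature_line(line, &sig) ? classify_signature(&sig) : SIG_UNPARSED;
}

int main(void) {
    /* Constructed line carrying the example values from the table above. */
    const char *line = "EventType=BEX P1=DEPDemo.exe P2=5.1.2600.2180 P3=416725f2 "
                       "P4=DEPDemo.exe P5=5.1.2600.2180 P6=416725f2 P7=00002060 "
                       "P8=C0000005 P9=00000008";
    static const char *names[] = { "unparsed", "not a BEX event",
        "DEP execute violation", "/GS fault", "other BEX fault" };
    printf("%s\n", names[classify_line(line)]);
    return 0;
}
```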
Why is this change important? What threats does it help mitigate?

The primary benefit of DEP is that it helps to prevent code execution from data pages such as the default heap, various stacks, and memory pools. In normal operations of the system, code is not typically executed from the default heap and stack. Hardware-enforced DEP detects code that is running from these locations and raises an exception when execution occurs. If the exception is unhandled, the process will be terminated. Execution of code from protected memory in kernel mode results in an error.

Although terminating a process or causing the system to fail with an error do not appear to be ideal experiences, this helps prevent malicious code from executing. Preventing malicious code from executing on the system may prevent damage to the system or propagation of malicious code whose harmful effects could easily exceed those of a terminated process or system error.

DEP can help prevent some exploits in which a virus or other attack has injected a process with executable code and then attempts to execute the injected code. On a system with DEP, execution of the injected code should result in an exception. Software-enforced DEP can help mitigate exploits of exception handling mechanisms within Windows.

A secondary benefit of DEP relates to good engineering and best practices for application and driver developers. DEP forces developers to avoid executing code out of data pages without explicitly marking the pages as executable.
What works differently?

Application compatibility

Some application behaviors are expected to be incompatible with DEP. Applications that perform dynamic code generation (such as just-in-time code generation) and that do not explicitly mark generated code with Execute permission might have compatibility problems with DEP. Applications that are not built with SafeSEH must have their exception handlers located in executable memory regions.

Applications that attempt to violate DEP will receive an exception with status code STATUS_ACCESS_VIOLATION (0xC0000005). If an application requires executable memory, it must explicitly set this attribute on the appropriate memory by specifying PAGE_EXECUTE, PAGE_EXECUTE_READ, PAGE_EXECUTE_READWRITE or PAGE_EXECUTE_WRITECOPY in the memory protection argument of the Virtual* memory allocation functions. Heap allocations using the malloc() and HeapAlloc() functions are non-executable.
Driver compatibility

Driver compatibility issues with DEP mostly center on PAE mode-induced compatibility issues.

Note: PAE is required only on systems running 32-bit versions of Windows with processors that support hardware-enforced DEP.

On its own, DEP might create compatibility problems with drivers that perform code generation or use other techniques to generate executable code in real time. Although many drivers with such behavior would have been fixed (as DEP is "always on" for drivers loaded on 64-bit versions of Windows), there is no guarantee that all drivers have been updated. However, there are few drivers that employ these techniques, and it is not expected that DEP alone will cause a large quantity of driver compatibility problems.

The primary driver compatibility concern is running Physical Address Extension (PAE) mode on 32-bit systems. PAE mode enables processors to address greater than 4 gigabytes (GB) of memory. The primary difference between PAE memory paging and non-PAE memory paging schemes is the extra level of paging that is required in PAE mode (three levels instead of two).

Some drivers might fail to load if PAE is enabled, because the device might be unable to perform 64-bit addressing or the drivers might assume that PAE mode requires more than 4 GB of random access memory (RAM). Such drivers expect that they will always receive 64-bit addresses when in PAE mode and that they or their device are incapable of interpreting the address.

Other drivers might load in PAE mode but cause system instability by directly modifying system page table entries (PTEs). These drivers expect 32-bit PTEs, but receive 64-bit PTEs in PAE mode instead.

The largest driver PAE compatibility issue involves direct memory access (DMA) transfers and map register allocation. Many devices that support DMA, usually 32-bit adapters, are not capable of performing 64-bit physical addressing. When run in 32-bit mode, the device can address all physical address space. In PAE mode, it is possible that data would be present at a physical address greater than 4 GB. To allow devices with these constraints to function in this scenario, Windows 2000 Server and later operating systems provide double-buffering for the DMA transaction by providing a 32-bit address that is indicated by a map register. The device can perform the DMA transaction to the 32-bit address and the kernel copies the memory to the 64-bit address that is provided to the driver.

When the system runs with PAE disabled, drivers for 32-bit devices never require their map registers to be backed by real memory. This means that double-buffering is not necessary, since all devices and drivers are contained within the 32-bit address space. Based on testing of drivers for 32-bit devices on 64-bit processor-based computers, it is expected that most client-tested, DMA-capable drivers expect unlimited map registers.

To constrain compatibility issues, Windows Server 2003, Standard Edition with Service Pack 1, includes hardware abstraction layer (HAL) changes that mimic the 32-bit HAL DMA behavior. The altered HAL grants unlimited map registers when the system is running in PAE mode. In addition, the kernel memory manager ignores any physical address above 4 GB. Any system RAM beyond the 4 GB barrier would be made unaddressable by Windows and be unusable in the system. By limiting the address space to 4 GB, devices with 32-bit DMA bus master capability will not see a transaction with an address above the 4 GB barrier. Because these changes remove the need to double-buffer the transactions, they avoid a class of bugs in some drivers related to proper implementation of double buffering support.

Note that the PAE behavior of Windows Server 2003, Enterprise Edition with Service Pack 1, and Windows Server 2003, Datacenter Edition with Service Pack 1, is unchanged from the versions without the service pack.

As a result of these changes to the HAL and memory manager, the impact to device driver compatibility is expected to be minimal on systems running Windows Server 2003 with Service Pack 1 with DEP enabled.

System compatibility

A final DEP compatibility concern derives from systems with PAE mode enabled, even though they may not be designed for more than 4 GB of physical RAM. During internal testing Microsoft has noticed that some systems with processors that support hardware-enforced DEP fail to start up or have other stability issues when the processor is running in PAE mode.

PAE mode is a requirement for leveraging the NX processor feature. Therefore, system designers and firmware engineers should be aware that even though the system's chipset and firmware may not have been designed to support more than 4 GB of physical RAM, the system may be running in PAE mode.

Of particular concern is system firmware that interprets page table entries to determine instructions executed by the operating system. Page table entries are extended to 64 bits in length when the processor is running in PAE mode. System designers and firmware developers are encouraged to contact their processor and chipset vendors for more information about how to safely determine instructions executed by the operating system.

System designers working with AMD processors can obtain more information in the "BIOS and Kernel Developer's Guide for AMD Athlon 64 and AMD Opteron Processors." To obtain this paper, go to the AMD Athlon 64 Web site at http://go.microsoft.com/fwlink/?LinkId=28165 and click "BIOS and Kernel Developer's Guide for AMD Athlon 64 and AMD Opteron Processors."

Intel does not make detailed information about System Management Mode (SMM) available publicly. System designers working with Intel processors are encouraged to contact Intel directly for more information.

For more information regarding Windows support for PAE mode, see "Physical Address Extension – PAE Memory and Windows" on the Microsoft Web site at http://go.microsoft.com/fwlink/?LinkId=45912.
How do I resolve these issues?

Applications that require executable regions of memory must use the PAGE_EXECUTE, PAGE_EXECUTE_READ, PAGE_EXECUTE_READWRITE, or PAGE_EXECUTE_WRITECOPY attributes when allocating memory. Additionally, applications cannot execute from the default process heap or the stack. Most applications that perform actions incompatible with DEP will need to be updated to be compatible. Applications must also be built with SafeSEH or ensure their exception handlers are located in memory explicitly marked as executable.

An application can use the VirtualAlloc() application programming interface (API) function to allocate executable memory with the appropriate memory protection options. At a minimum, the PAGE_EXECUTE memory protection option should be used. After the executable code has been generated, it is recommended that the application set memory protections to disallow write access to the allocated memory. Applications can disallow write access to allocated memory using the VirtualProtect() API function. Disallowing write access ensures maximum protection for executable regions of process address space.

If a malicious process attempts to insert code into an executable region, the access would result in a STATUS_ACCESS_VIOLATION write exception. The application should attempt to make the executable regions of its address space as small as possible. This would result in a smaller attack surface through which executable memory could be injected into the process address space and be executed.
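The allocate, write, then seal sequence recommended above, as an added example that is not code from the original post: VirtualAlloc() with PAGE_READWRITE for the generator to fill, then VirtualProtect() to PAGE_EXECUTE_READ once the code is in place, so no page is ever writable and executable at the same time. The POSIX branch (mmap/mprotect) and the code_region names are assumptions added so the same sequence can be exercised outside Windows; the 0xCC filler bytes stand in for generated code and are never executed.

```c
#ifndef _WIN32
#define _DEFAULT_SOURCE          /* MAP_ANONYMOUS on glibc */
#include <sys/mman.h>
#else
#include <windows.h>
#endif
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    unsigned char *base;
    size_t size;
    int sealed;   /* 1 once the region is execute+read and no longer writable */
} code_region;

/* Step 1: commit writable, NON-executable memory. Generated code is written
 * here first; nothing in this region can run yet. */
int code_region_create(code_region *r, size_t size) {
    r->base = NULL; r->size = 0; r->sealed = 0;
#ifdef _WIN32
    void *p = VirtualAlloc(NULL, size, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
    if (p == NULL) return 0;
#else
    void *p = mmap(NULL, size, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) return 0;
#endif
    r->base = p; r->size = size;
    return 1;
}

/* Step 2: copy generated code in while the region is still writable.
 * Refused once sealed, so a caller can never quietly reopen executable memory. */
int code_region_write(code_region *r, size_t off, const void *code, size_t len) {
    if (r->base == NULL || r->sealed || off > r->size || len > r->size - off) return 0;
    memcpy(r->base + off, code, len);
    return 1;
}

/* Step 3: swap write access for execute access. From here on a write into the
 * region is a STATUS_ACCESS_VIOLATION (SIGSEGV on POSIX), which is the
 * "insert code into an executable region" case the post describes. */
int code_region_seal(code_region *r) {
    if (r->base == NULL) return 0;
    if (r->sealed) return 1;
#ifdef _WIN32
    DWORD old_protect;
    if (!VirtualProtect(r->base, r->size, PAGE_EXECUTE_READ, &old_protect)) return 0;
    FlushInstructionCache(GetCurrentProcess(), r->base, r->size);
#else
    if (mprotect(r->base, r->size, PROT_READ | PROT_EXEC) != 0) return 0;
#endif
    r->sealed = 1;
    return 1;
}

void code_region_free(code_region *r) {
    if (r->base == NULL) return;
#ifdef _WIN32
    VirtualFree(r->base, 0, MEM_RELEASE);
#else
    munmap(r->base, r->size);
#endif
    r->base = NULL; r->size = 0; r->sealed = 0;
}

/* Walks the full sequence with constructed filler bytes (0xCC, the x86 int3
 * opcode, never executed here) and returns 1 only if every step behaves as
 * intended, including the refusal of a write after sealing. */
int wx_sequence_demo(void) {
    code_region r;
    unsigned char filler[64];
    int ok = 1;
    memset(filler, 0xCC, sizeof filler);
    if (!code_region_create(&r, 4096)) return 0;
    ok &= code_region_write(&r, 0, filler, sizeof filler);   /* allowed: still RW */
    ok &= !code_region_write(&r, 4096, filler, 1);           /* out of bounds */
    ok &= code_region_seal(&r);                              /* RW -> RX */
    ok &= !code_region_write(&r, 0, filler, sizeof filler);  /* refused: sealed */
    ok &= (r.base[0] == 0xCC);                               /* still readable */
    code_region_free(&r);
    return ok;
}

int main(void) {
    printf("W^X sequence %s\n", wx_sequence_demo() ? "ok" : "failed");
    return 0;
}
```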
Additionally, sophisticated applications can control the layout of their virtual memory and create executable regions. These applications should attempt to locate executable regions in a lower memory space than non-executable regions. The purpose of locating executable regions below non-executable regions is to protect a buffer overflow from overflowing into executable memory.

A small number of executables and libraries may contain executable code in a data section of the image file. In some cases, applications may place small segments of code (commonly referred to as thunks) in the data sections. However, DEP will mark sections of the image file loaded in memory as non-executable unless the section has the executable attribute applied. Therefore, executable code in data sections should be moved to a code section, or the data section containing the executable code should be explicitly marked as executable. The executable attribute, IMAGE_SCN_MEM_EXECUTE (0x20000000), should be added to the Characteristics field of the corresponding section header for sections that contain executable code.

The Microsoft linker that is distributed with Microsoft Visual Studio products can add the executable attribute to a section using the /SECTION linker option. The /SECTION linker option has the following format:

/SECTION:name,[E][R][W][S][D][K][L][P][X][,ALIGN=#]

The E value indicates the executable attribute (0x20000000). More information about /SECTION and other Microsoft linker options is available on the MSDN Web site at http://go.microsoft.com/fwlink/?LinkId=28167.

Additionally, the Microsoft COFF Binary File Editor (Editbin.exe) utility can be used to change the section attributes of an existing image. The Editbin utility has a /SECTION option with the following format:

/SECTION:name[=newname][,[[!]{CDEIKOMPRSUW}][A{1248PTSX}]]

The C and E values indicate code and executable attributes respectively. For more information about the Editbin utility and the /SECTION option, see the MSDN Web site at http://go.microsoft.com/fwlink/?LinkId=28168.

Microsoft has provided service packs for Microsoft .NET Framework version 1.0 and version 1.1 to take advantage of DEP in Windows Server 2003 with Service Pack 1. Applications that use the Microsoft .NET Framework will continue to function normally, but will not benefit from DEP if it is enabled unless the appropriate Microsoft .NET Framework Service Pack has been installed.

Microsoft encourages application developers who redistribute the Microsoft .NET Framework to update to Microsoft .NET Framework version 1.0 Service Pack 3 or version 1.1 Service Pack 1, which take advantage of DEP.
What settings are added or changed in Windows Server 2003 Service Pack 1?

System-wide configuration of DEP

The primary difference in DEP behavior on Windows Server 2003 Service Pack 1 as compared to Windows XP Service Pack 2 (SP2) is that on the server operating system the default configuration is to protect all applications and services. In Windows XP SP2, DEP was turned on by default only for essential Windows operating system programs and services.

DEP configuration for the system is controlled through Boot.ini switches. Additionally, changes to System in Control Panel have been made to enable end users to easily configure DEP settings if they are logged onto the system as an administrator.

System DEP configuration settings apply only for 32-bit applications and processes when running on 32-bit or 64-bit versions of Windows. On 64-bit versions of Windows, if hardware-enforced DEP is available it is always applied to 64-bit processes and kernel memory spaces and there are no system configuration settings to disable it.

Windows supports four system-wide configurations for both hardware-enforced and software-enforced DEP:

OptIn (default for Windows XP SP2 and Windows XP 64-bit Edition): On systems with processors capable of hardware-enforced DEP, DEP is enabled by default for limited system binaries and applications that opt in. With this option, only Windows system binaries are covered by DEP by default.

OptOut (default for Windows Server 2003 Service Pack 1): DEP is enabled by default for all processes. Users can manually create a list of specific applications that do not have DEP applied using System in Control Panel. IT pros can use the Application Compatibility Toolkit to opt out one or more applications from DEP protection. System Compatibility Fixes ("shims") for DEP do take effect.

AlwaysOn: This provides full DEP coverage for the entire system. All processes always run with DEP applied. The exceptions list for exempting specific applications from DEP protection is not available. System Compatibility Fixes ("shims") for DEP do not take effect. Applications that have been opted out using the Application Compatibility Toolkit run with DEP applied.

AlwaysOff: This does not provide any DEP coverage for any part of the system, regardless of hardware DEP support. However, the processor will run in PAE mode with 32-bit versions of Windows unless the /noexecute=alwaysoff option is replaced with the /execute option in the boot entry.

Hardware-enforced and software-enforced DEP are configured in the same manner. If the system-wide DEP policy is set to OptIn, the same Windows core binaries and applications will be protected by both hardware-enforced and software-enforced DEP. If the system is not capable of hardware-enforced DEP, the Windows core binaries and applications will be protected only by software-enforced DEP.

Similarly, if the system-wide DEP policy is set to OptOut, applications that have been exempted from DEP protection will be exempted from both hardware-enforced and software-enforced DEP.

The four system-wide DEP configurations are controlled through Boot.ini switches. The Boot.ini setting is as follows:

/noexecute=policy_level

where policy_level is defined as AlwaysOn, AlwaysOff, OptIn, or OptOut.

Any existing /noexecute setting in the Boot.ini file is not changed when Windows Server 2003 Service Pack 1 is installed or if a Windows operating system image is moved across computers with and without hardware-enforced DEP support.

During installation of Windows Server 2003 Service Pack 1, the OptOut policy level is enabled by default unless a different policy level is specified in an unattended installation. If the /noexecute=policy_level setting is not present in the boot entry for a version of Windows that supports DEP, the behavior is the same as if the /noexecute=OptIn option was included.

End users who are logged on as administrators can manually configure DEP between the OptIn and OptOut policies using the Data Execution Prevention tab inside the Performance Options dialog box. The following procedure describes how to manually configure DEP on the computer:

To configure DEP settings
1. Click Start, click Control Panel, and then double-click System.
2. Click the Advanced tab. Then, under Performance, click Settings.
3. Click the Data Execution Prevention tab.
4. Click Turn on DEP for essential Windows programs and services only to select the OptIn policy.
5. Click Turn on DEP for all programs and services except those I select to select the OptOut policy.
6. If you selected the OptOut policy, click Add and add the applications that you do not want to use DEP with.

IT professionals can control system-wide DEP configuration with a variety of methods. The Boot.ini file can be modified directly with scripting mechanisms or with the Bootcfg.exe tool, which is included as part of Windows Server 2003 Service Pack 1.

For unattended installations of Windows Server 2003 with Service Pack 1, you can use the Unattend.txt file to prepopulate a specific DEP configuration. You can use the OSLoadOptionsVar entry in the [Data] section of the Unattend.txt file to specify a system-wide DEP configuration.
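An added example (not from the post or from any Microsoft tool) that audits the /noexecute setting described above across every entry of a Boot.ini text: it applies the stated rule that an entry without the switch behaves as OptIn, treats /execute as the AlwaysOff variant that also drops PAE, and reports the weakest policy any bootable entry would select. The sample Boot.ini, the dep_policy ordering and the function names are constructed here.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strncasecmp is POSIX; MSVC spells it _strnicmp */

/* Ordered from strongest to weakest so the weakest entry is simply the maximum. */
typedef enum {
    DEP_ALWAYSON  = 0, /* every process, no exemption list, no shims */
    DEP_OPTOUT    = 1, /* Windows Server 2003 SP1 default */
    DEP_OPTIN     = 2, /* also what an entry with no /noexecute switch gets */
    DEP_ALWAYSOFF = 3, /* no DEP; a 32-bit system still boots in PAE mode */
    DEP_EXECUTE   = 4, /* /execute: no DEP and PAE no longer forced */
    DEP_UNKNOWN   = 5  /* unrecognised policy_level text, or no entries found */
} dep_policy;

static const char *stristr(const char *hay, const char *needle) {
    size_t n = strlen(needle);
    for (; *hay; hay++)
        if (strncasecmp(hay, needle, n) == 0) return hay;
    return NULL;
}

/* Policy that one [operating systems] entry line selects. Switch names and
 * values are matched case-insensitively. */
dep_policy dep_policy_for_entry(const char *entry) {
    const char *sw = stristr(entry, "/noexecute=");
    if (sw == NULL)
        return stristr(entry, "/execute") ? DEP_EXECUTE : DEP_OPTIN;
    const char *v = sw + strlen("/noexecute=");
    size_t len = 0;
    while (v[len] && !isspace((unsigned char)v[len])) len++;
    if (len == 8 && strncasecmp(v, "alwayson", 8) == 0)  return DEP_ALWAYSON;
    if (len == 9 && strncasecmp(v, "alwaysoff", 9) == 0) return DEP_ALWAYSOFF;
    if (len == 5 && strncasecmp(v, "optin", 5) == 0)     return DEP_OPTIN;
    if (len == 6 && strncasecmp(v, "optout", 6) == 0)    return DEP_OPTOUT;
    return DEP_UNKNOWN;
}

/* Weakest policy across every entry under [operating systems]: any of them can
 * be chosen at boot, so the audit result is the worst case. Lines outside that
 * section (e.g. "default=" in [boot loader]), blank lines and ";" comments are
 * ignored. */
dep_policy bootini_weakest_policy(const char *text) {
    dep_policy weakest = DEP_ALWAYSON;
    int in_os = 0, seen = 0;
    char line[512];
    while (*text) {
        size_t full = strcspn(text, "\n");
        size_t n = full < sizeof line ? full : sizeof line - 1;
        memcpy(line, text, n);
        line[n] = '\0';
        text += full;
        if (*text == '\n') text++;
        const char *p = line;
        while (isspace((unsigned char)*p)) p++;
        if (*p == '\0' || *p == ';') continue;
        if (*p == '[') { in_os = strncasecmp(p, "[operating systems]", 19) == 0; continue; }
        if (!in_os || strchr(p, '=') == NULL) continue;
        seen = 1;
        dep_policy pol = dep_policy_for_entry(p);
        if (pol > weakest) weakest = pol;
    }
    return seen ? weakest : DEP_UNKNOWN;
}

/* Constructed Boot.ini: the SP1 default entry plus a second entry that was
 * never given a /noexecute switch and therefore falls back to OptIn. */
const char *SAMPLE_BOOTINI =
    "[boot loader]\r\n"
    "timeout=30\r\n"
    "default=multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS\r\n"
    "[operating systems]\r\n"
    "multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS=\"Windows Server 2003, Standard\""
    " /fastdetect /noexecute=optout\r\n"
    "multi(0)disk(0)rdisk(0)partition(2)\\WINDOWS=\"Windows Server 2003, older\""
    " /fastdetect\r\n";

int main(void) {
    static const char *names[] = { "AlwaysOn", "OptOut", "OptIn", "AlwaysOff",
                                   "/execute", "unknown" };
    printf("weakest DEP policy: %s\n", names[bootini_weakest_policy(SAMPLE_BOOTINI)]);
    return 0;
}
```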
Per-application DEP configuration

For the purposes of application compatibility when DEP is set to the OptOut policy level, it is possible to selectively disable DEP for individual 32-bit applications. However, DEP is always enabled for 64-bit applications.

For end users, the Data Execution Prevention tab in System Properties can be used to selectively disable DEP for an application.

For IT professionals, a new application compatibility fix named DisableNX is included with Windows Server 2003 Service Pack 1. The DisableNX compatibility fix disables DEP for the program it is applied to.

The DisableNX compatibility fix can be applied to an application by using the Application Compatibility Toolkit. For more information about Windows application compatibility, see "Windows Application Compatibility" on the Microsoft Web site at http://go.microsoft.com/fwlink/?LinkId=23302.
