Data Execution Protection
Beginning with Windows XP Service Pack 2 (SP2) and continuing with Windows Server 2003 SP1 and Windows XP Professional x64 Edition, Windows uses DEP to prevent malicious code from executing, even when a buffer overrun occurs. Even on a processor without hardware DEP support, Windows can detect code running from memory locations where code should not run.

x64 Advantages


With the introduction of x64 processors, both AMD and Intel added hardware support for DEP. The processor sets the No Execute bit (on AMD processors) or the Execute Disable bit (on Intel processors) in every page-table entry that maps memory holding data only, memory that should never be executed. If code attempts to execute from within an area of memory marked as data only, Windows raises a STATUS_ACCESS_VIOLATION exception and terminates the process.
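The NX/XD behaviour just described, as an added example that is not part of the original document: it uses the POSIX analogue on Linux, with mmap()/mprotect() standing in for VirtualAlloc()/VirtualProtect() and SIGSEGV standing in for the STATUS_ACCESS_VIOLATION exception Windows raises. The read/write case is what DEP enforces on any NX-capable processor; the executable case assumes an x86-64 CPU, because the single byte placed in the page is an x86-64 `ret`.

```c
#define _GNU_SOURCE              /* MAP_ANONYMOUS, sigaction(), siglongjmp() */
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

static sigjmp_buf fault_jump;
/* SIGSEGV handler: unwind to sigsetjmp() instead of letting the process die. */
static void on_fault(int sig) { (void)sig; siglongjmp(fault_jump, 1); }

/* Map one page, store a single x86-64 `ret` (0xC3) in it, apply `prot` and jump
 * to it. Returns 1 if the fetch faulted (NX/XD enforced), 0 if the byte ran and
 * returned, -1 if the mapping could not be set up. */
int execute_from_page(int prot)
{
    size_t pagesz = (size_t)sysconf(_SC_PAGESIZE);
    unsigned char *page = mmap(NULL, pagesz, PROT_READ | PROT_WRITE,
                               MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (page == MAP_FAILED)
        return -1;
    page[0] = 0xC3;                           /* store while still writable */
    if (mprotect(page, pagesz, prot) != 0) {  /* now the protection under test */
        munmap(page, pagesz);
        return -1;
    }
    struct sigaction sa = { 0 }, old;
    sa.sa_handler = on_fault;
    sigaction(SIGSEGV, &sa, &old);
    volatile int faulted = 1;                 /* assume the jump faults... */
    if (sigsetjmp(fault_jump, 1) == 0) {
        void (*fn)(void);
        memcpy(&fn, &page, sizeof fn);        /* data pointer -> code pointer */
        fn();                                 /* instruction fetch from the page */
        faulted = 0;                          /* ...unless control came back */
    }
    sigaction(SIGSEGV, &old, NULL);
    munmap(page, pagesz);
    return faulted;
}

int main(void)
{
    int rw = execute_from_page(PROT_READ | PROT_WRITE);  /* expect 1: faulted */
    int rx = execute_from_page(PROT_READ | PROT_EXEC);   /* expect 0 on x86-64 */
    printf("read/write page: %s\n", rw == 1 ? "faulted (DEP enforced)" : "executed");
    printf("executable page: %s\n", rx == 0 ? "executed" : "faulted or not run");
    return 0;
}
```

On a hardened system that forbids executable anonymous mappings, the second call reports -1 rather than 0, which is itself a DEP-style policy at work.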

While DEP is by no means a substitute for a well-designed and implemented anti-virus and anti-malware deployment in any organization, it is an important additional layer of protection that would have prevented the spread of the MSBlaster worm had it been widely implemented at the time.

All 64-bit versions of Windows support the hardware DEP features of the 64-bit processors, giving users, developers, and administrators the ability to protect against this kind of exploit globally or selectively. By default, DEP is enabled on Windows XP Professional x64 Edition and Windows Server 2003 x64 Editions for essential Windows programs and services only.

The x64 versions of Windows also support Microsoft’s PatchGuard technology that prevents non-Microsoft originated programs from patching the Windows kernel. This technology, available only on Windows x64 Editions, prevents kernel mode drivers from extending or replacing kernel services including system service dispatch tables, the interrupt descriptor table (IDT), and the global descriptor table (GDT). Third-party software is also prevented from allocating kernel stacks or patching any part of the kernel.
