[37448] in bugtraq
Hardware support for XP SP2 DEP not enabled by default ?
daemon@ATHENA.MIT.EDU (Nicolas RUFF)
Tue Nov 23 12:06:54 2004
Message-ID: <41A2674B.9070105@edelweb.fr>
Date: Mon, 22 Nov 2004 23:25:15 +0100
From: Nicolas RUFF <ruff.lists@edelweb.fr>
MIME-Version: 1.0
To: bugtraq@securityfocus.com
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Windows XP SP2 comes out with a nice security feature : Data Execution
Prevention (DEP). DEP is a mix of several techniques which all aim to
achieve some kind of anti-buffer overflow protection :
- Software : recompilation of system files with the /GS flag, etc.
- Hardware : DEP can use hardware-enforced protection, namely the NX bit
of AMD64 processors and the XD bit of latest Intel Pentium IV, to mark
memory pages as "non executable".
DEP can be enabled/disabled through Windows Control Panel, which has the
effect of setting the "/NoExecute=" kernel parameter inside "BOOT.INI".
According to the following article, PAE (Physical Address Extension)
mode must be enabled for using hardware supported DEP, but automatically
enabled if DEP is selected :
http://support.microsoft.com/kb/875352
However, on my computer (Windows XP SP2 32-bit edition + AMD64 Athlon
3000+), hardware supported DEP does *not* work by default, even with
"/NoExecute=AlwaysOn". I must add manually the "/PAE" boot parameter
inside "BOOT.INI".
It means that using default XP SP2 installation, you do not benefit from
"Enhanced Virus Protection"* even if you bought an AMD64, unless you
edit manually the "system hidden read-only" file BOOT.INI.
* http://www.amd.com/us-en/Weblets/0,,7832_11104_11105,00.html
Regards,
- Nicolas RUFF
-----------------------------------
Security Consultant
EdelWeb (http://www.edelweb.fr/)
Mail : nicolas.ruff (at) edelweb.fr
-----------------------------------
