Execute Disable Bit
We haven’t yet discussed the Execute Disable Bit technology in our reviews, so now is a good time, especially since we have a fitting occasion: the announcement of the first Pentium 4 that supports this feature.
We should make it clear from the start that Execute Disable Bit is a full analog of the Enhanced Virus Protection that AMD implemented in its Athlon 64 and Opteron processors more than a year ago, so we can’t call it an innovation. The key point of both technologies is support for the so-called NX (No-Execute) bit, which prohibits the execution of code stored in certain memory pages in order to prevent buffer-overflow attacks, which the x86 architecture originally had no means to resist. Such an attack looks like this: the malicious program writes some code into a memory page allocated for data and then executes that code. To get the code executed, the program overflows the buffer in which the OS keeps the return addresses of subroutines. Right now more than 80 percent of all attacks use this technique, so the problem has long called for a solution. Enhanced Virus Protection and Execute Disable Bit, from AMD and Intel respectively, introduce an additional attribute bit in the paging structures used for address translation. This attribute indicates whether the code stored in the given memory page may be executed. Although it is still possible to overflow the buffer and damage the application, the NX bit prevents the malicious code from being launched: the processor simply issues a memory access error.
So, in a nutshell, the NX bit protects your computer against viruses and other dangerous programs that start up from memory areas the OS and applications intend for storing data rather than code. Unlike a firewall or an anti-virus program, this technology won’t warn you against installing a potentially dangerous program on your computer; it only keeps track of how your programs use the system memory.
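An added illustration of that mechanism (not code from the original article): on Linux it maps one page with execute permission and one as plain data, copies a tiny "return 42" routine into each, and calls it. On the data page the processor raises the memory access error described above, which the program catches as SIGSEGV instead of dying. It assumes an x86-64 or AArch64 Linux system with the NX bit enabled.

```c
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <string.h>
#include <sys/mman.h>

static sigjmp_buf recovery;

/* Signal handler: the CPU raised an access violation, unwind back into try_execute(). */
static void on_fault(int sig) { (void)sig; siglongjmp(recovery, 1); }

/* Call the machine code stored at `page`. Returns what the code returns, or -1 if the
 * processor refused to fetch instructions from that page (the DEP/NX access error). */
int try_execute(void *page) {
    struct sigaction sa, old_segv, old_bus;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);
    volatile int result = -1;
    if (sigsetjmp(recovery, 1) == 0)
        result = ((int (*)(void))page)();   /* jump into the page, as a hijacked return would */
    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    return result;
}

/* Write a tiny "return 42" routine into a fresh page and try to run it.
 * executable=1 maps the page with PROT_EXEC (NX bit clear); 0 maps it as data only. */
int run_from_page(int executable) {
#if defined(__x86_64__)
    static const unsigned char code[] = {0xB8, 0x2A, 0x00, 0x00, 0x00, 0xC3};             /* mov eax,42; ret */
#elif defined(__aarch64__)
    static const unsigned char code[] = {0x40, 0x05, 0x80, 0x52, 0xC0, 0x03, 0x5F, 0xD6}; /* mov w0,#42; ret */
#else
    return -3;                                   /* architecture not covered by this example */
#endif
    int prot = PROT_READ | PROT_WRITE | (executable ? PROT_EXEC : 0);
    void *page = mmap(NULL, 4096, prot, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (page == MAP_FAILED) return -2;           /* e.g. a policy that forbids executable anonymous memory */
    memcpy(page, code, sizeof code);
    __builtin___clear_cache((char *)page, (char *)page + sizeof code);
    int r = try_execute(page);
    munmap(page, 4096);
    return r;
}
```

Calling `run_from_page(1)` returns 42, while `run_from_page(0)` returns -1 because the attempt to execute from the data page was blocked.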
All new operating systems support both Enhanced Virus Protection and Execute Disable Bit: Windows XP (32-bit) with Service Pack 2, Windows XP (64-bit) with Service Pack 1, and Windows Server 2003 (32-bit and 64-bit) with Service Pack 1. The function that prevents the execution of code from data pages is referred to by Microsoft as Data Execution Prevention (DEP). The above-mentioned operating systems enable DEP by default on processors that support either Enhanced Virus Protection or Execute Disable Bit.
Let’s see how this Data Execution Prevention works in Windows XP SP2. If your processor supports the NX bit, you should see the text “Physical Address Extension” in the System Properties window after you have installed Service Pack 2:
In fact, NX-bit support is part of the x86-64 extension, so the mention of an extended physical address space shouldn’t surprise you. If you don’t see this message but are sure your processor supports the NX bit, check that the appropriate option is enabled in the BIOS Setup.
DEP-related options are found on the Advanced tab of the System Properties dialog box in Windows XP SP2:
This setting is available even if your processor doesn’t support the NX bit, but your choices on this tab will have no effect then. If you do have a CPU that supports Enhanced Virus Protection or Execute Disable Bit, you can turn DEP on either for the OS core only or for all applications (save for those that you exclude specifically).
You should be aware of the possible incompatibility of some programs and drivers with the DEP feature. For example, if an application dynamically creates a fragment of program code without giving that code permission to be executed, this may provoke a memory error even though the application meant no harm. Such problems can occur with device drivers, but they mostly pertain to PAE mode. That’s why Windows XP SP2 offers you the option of disabling DEP for selected programs.
In order to show you the behavior of the system when it recognizes an attempt to execute code that’s in a data area, we used the Data Execution Prevention Test by Robert Schlabbach. This small utility is downloadable from the author’s home page.
So, you’ll see the following warning when your Execute Disable Bit-capable processor and OS spot an offending application:
Here you can reassure the OS that the application isn’t dangerous, or you can refuse to run it. If the OS or the user places the running application in the category of malicious ones, the application is terminated with a standard error message:
The same malicious application would run without any error messages on a system whose CPU doesn’t support Enhanced Virus Protection or Execute Disable Bit.