Compaq dc5100 - Microtower PC, dc7100, dx6100, dx6120 - Microtower PC, dx6128 - Microtower PC Frequently Asked Questions Manual

...
Data Execution Prevention
v1.2
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2
Data Execution Prevention (DEP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3
What does Data Execution Prevention do? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Data Execution Prevention Exception Message Box . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3
Hardware-Enforced DEP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3
Why is this change important? What threats does it help mitigate? . . . . . . . . . . . . . . . . . . .4
Will my NX- or XD-enabled systems protect me from virus attacks? . . . . . . . . . . . . . . . . . . . 5
What are the required components for XD/NX to function? . . . . . . . . . . . . . . . . . . . . . . . . 5
How do I control the DEP functionality on my computer? . . . . . . . . . . . . . . . . . . . . . . . . . .8
Data Execution Prevention Tab - No XD/NX Processor . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
Software-Enforced DEP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
Deploying Hardware-Enabled Data Execution Prevention . . . . . . . . . . . . . . . . . . . . . . . . . . . .11
How will XD/NX impact HP customers? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
What about customers who create their own software image? . . . . . . . . . . . . . . . . . . . . . 11
Advantages of using XD/NX . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
Disadvantages of using XD/NX . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
Conclusion and Recommendation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .12
Known Issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .13
Frequently Asked Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .16
Based upon Microsoft TechNet article “Changes to Functionality in Microsoft's Windows XP Service Pack 2,” dated August 9, 2004, by Starr Anderson & Vincent Abella.
Introduction
Microsoft’s Windows XP Service Pack 2 introduces a set of security technologies that will help improve the ability of computers running Windows XP to withstand malicious attacks, especially those from viruses and worms such as Code Red, Blaster and Sasser.
F-Secure Corporation’s Data Security Summary for 2004 reports that there are now in excess of 100,000 recognized viruses, with Sasser being the most recent major epidemic. Released in May 2004, this automatic network worm quickly spread, and reportedly affected three major banks, an Australian railroad, county hospitals in Sweden, and the European Commission in Brussels, to name a few.
Microsoft’s Windows XP Service Pack 2 includes multiple security improvements:
Network protection
Memory protection
Email handling
Web browsing security
Computer maintenance
Together, these security technologies help to make it more difficult to attack Windows XP, even if the latest antivirus updates are not applied.
This paper focuses on memory protection: how Data Execution Prevention stops injected code from running, and so helps keep malicious code from propagating through the network. Expect some application behaviors to be incompatible with Data Execution Prevention, however. Applications that generate code at run time (for example, Just-In-Time compilers) and do not explicitly mark the generated pages with Execute permission may fail under Data Execution Prevention.
HP recommends that customers test Windows XP Service Pack 2 before wide scale deployment in their environment.
Data Execution Prevention (DEP)
What does Data Execution Prevention do?
Data Execution Prevention (DEP) is a set of hardware and software technologies that perform checks on memory to help protect against malicious code and viruses. In Windows XP SP2, DEP is enforced by both hardware and software.
Data Execution Prevention Exception Message Box
If an application or driver attempts to execute code from a memory region that is not marked executable on a DEP-protected computer, Windows displays a Data Execution Prevention exception message box (screenshot omitted).
Hardware-Enforced DEP
Hardware-enforced DEP marks all memory locations in a process as non-executable (you cannot execute code in this portion of memory) unless the location explicitly contains executable code. A class of attacks works by inserting code into a non-executable memory location, such as a buffer on the stack or the heap, and then transferring control to it. DEP helps prevent these attacks: the processor raises an exception on the instruction fetch, and Windows terminates the process and displays the DEP message box.
Hardware-enforced DEP relies on processor hardware to mark memory with an attribute that indicates that code should not be executed from that memory. The actual hardware implementation of DEP varies by processor architecture, but every processor that supports hardware-enforced DEP can raise an exception when code is executed from a memory location where it should not be executed.
Both Advanced Micro Devices™ (AMD) and Intel® Corporation have defined and shipped Windows-compatible architectures that support DEP. Beginning with Windows XP Service Pack 2, the 32-bit version of Windows uses the no-execute page-protection (NX) processor feature as defined by AMD and the Execute Disable (XD) bit feature as defined by Intel. AMD also refers to this feature as “Enhanced Virus Protection.” To use these processor features, the processor must run in Physical Address Extension (PAE) mode. HP ships Windows XP with PAE enabled.
What is PAE?
The XD and NX features require that the processor run in Physical Address Extension (PAE) mode. A 32-bit processor such as the Intel Pentium 4 (IA-32 family) is normally limited to addressing a maximum of 4 GB of memory, because a 32-bit address can select only
2^32 = 4,294,967,296 bytes (4 GB)
To address more than 4 GB of memory, Intel created PAE mode. PAE adds 4 bits of physical addressing, giving a 36-bit physical address and allowing up to 64 GB of memory to be addressed:
2^36 = 68,719,476,736 bytes (64 GB)
A processor with XD or NX marks memory pages as nonexecutable. This marking is a bit in the Page Table Entry (PTE), the data structure that holds the base physical address and the attributes of a page in physical memory. In PAE mode the PTEs are extended from 32 bits to 64 bits, which provides the additional space required to mark a page as nonexecutable.
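The following program is an added illustration of the PTE layout described above; it is not HP or Microsoft code. It models a 64-bit PAE page-table entry (present bit 0, write bit 1, user bit 2, 36-bit page frame in bits 12 to 35, XD/NX in bit 63) and emulates the decision the processor makes on an instruction fetch, including the two failure modes a practitioner should know about: an NX page with EFER.NXE set produces the no-execute page fault that DEP relies on, while bit 63 set with EFER.NXE clear is a reserved-bit fault. The page frame values are constructed for the example.

```c
/* pae_pte.c: decode a 64-bit PAE page-table entry and decide whether an
 * instruction fetch from that page is allowed. Constructed example. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define PTE_PRESENT    (1ULL << 0)
#define PTE_WRITABLE   (1ULL << 1)
#define PTE_USER       (1ULL << 2)
#define PTE_NX         (1ULL << 63)  /* XD (Intel) / NX (AMD); meaningful only when EFER.NXE = 1 */
#define PAE_PHYS_BITS  36            /* original PAE: 36-bit physical addresses (64 GB) */
#define PTE_FRAME_MASK (((1ULL << PAE_PHYS_BITS) - 1) & ~0xFFFULL)

struct pte_fields {
    bool present, writable, user, nx;
    uint64_t frame;                  /* physical base address of the 4 KB page */
};

enum fetch_result {
    FETCH_OK = 0,
    FETCH_NOT_PRESENT,               /* #PF: page not present */
    FETCH_NX_VIOLATION,              /* #PF on instruction fetch from a no-execute page (DEP) */
    FETCH_RESERVED_BIT               /* #PF with RSVD set: bit 63 used while EFER.NXE = 0 */
};

struct pte_fields pae_pte_decode(uint64_t pte) {
    struct pte_fields f;
    f.present  = pte & PTE_PRESENT;
    f.writable = pte & PTE_WRITABLE;
    f.user     = pte & PTE_USER;
    f.nx       = pte & PTE_NX;
    f.frame    = pte & PTE_FRAME_MASK;   /* anything above 36 bits cannot be represented */
    return f;
}

/* Build a present PTE. Data pages (executable == false) get the NX bit: that is hardware DEP. */
uint64_t pae_pte_make(uint64_t frame, bool writable, bool user, bool executable) {
    uint64_t pte = (frame & PTE_FRAME_MASK) | PTE_PRESENT;
    if (writable) pte |= PTE_WRITABLE;
    if (user)     pte |= PTE_USER;
    if (!executable) pte |= PTE_NX;
    return pte;
}

/* Emulate the check the MMU performs when fetching an instruction through `pte`. */
enum fetch_result pae_fetch_check(uint64_t pte, bool efer_nxe) {
    if (!(pte & PTE_PRESENT)) return FETCH_NOT_PRESENT;   /* reserved bits are ignored when P = 0 */
    if (pte & PTE_NX) return efer_nxe ? FETCH_NX_VIOLATION : FETCH_RESERVED_BIT;
    return FETCH_OK;
}

int main(void) {
    uint64_t stack_page = pae_pte_make(0x123456000ULL, true, true, false);  /* RW data page, NX set */
    uint64_t code_page  = pae_pte_make(0x000401000ULL, false, true, true);  /* RX code page, NX clear */
    printf("stack PTE 0x%016llx -> fetch result %d\n", (unsigned long long)stack_page, pae_fetch_check(stack_page, true));
    printf("code  PTE 0x%016llx -> fetch result %d\n", (unsigned long long)code_page, pae_fetch_check(code_page, true));
    return 0;
}
```

The frame mask also shows why the 32-bit non-PAE PTE has no room for this bit: all 32 bits are already spent on a 20-bit frame number and the attribute flags, whereas the 64-bit PAE entry leaves bit 63 free.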
Why is this change important? What threats does it help mitigate?
The primary benefit of Data Execution Prevention is the prevention of code execution from data pages such as the default heap, the thread stacks, and memory pools. The heap is a common pool of memory available to a program for dynamically allocated data. The stack is a reserved region of memory that each thread uses to hold function return addresses, parameters, and local variables; because return addresses sit next to local buffers, a stack buffer overflow is the classic way an attacker places code in memory and redirects execution to it.
In normal operation, code is not executed from the default heap or the stack. Hardware-enforced DEP detects code running from these locations and raises an exception when execution occurs. If the exception is unhandled, the process is terminated. Execution of code from protected memory in kernel mode results in a bugcheck.
Terminating a process or failing the system with a bugcheck may not appear to be ideal outcomes, but they stop the malicious code from executing. Preventing malicious code from executing may prevent damage to your system or propagation of the code, and those harmful effects could easily exceed the cost of a terminated process or a bugcheck.
DEP can help mitigate a class of security exploits. Specifically, DEP can prevent the exploit in which a virus or other attack injects additional code into a process and then attempts to execute the injected code. On a system with DEP, execution of the injected code results in an exception. Additionally, software-enforced DEP can help mitigate exploits of the exception handling mechanism within Windows (overwritten structured exception handler records).
A secondary benefit of DEP is that it encourages good engineering and best practices for application and driver developers: DEP forces developers to avoid executing code out of data pages without explicitly marking the pages as executable.
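The program below is an added demonstration of the two behaviors described in this section and in the Introduction: injected code on a read/write data page is refused by the processor, and the same code runs once the page has been explicitly marked executable, which is what a compliant JIT must do. It is not HP or Microsoft code and it assumes a POSIX system (mmap, mprotect, sigaction) rather than Windows; the Windows equivalents are VirtualAlloc with PAGE_READWRITE followed by VirtualProtect to PAGE_EXECUTE_READ. The machine code bytes (a function that returns 42) are constructed for the example, and the fault is caught with a signal handler so the program can report it instead of dying the way an unhandled DEP exception would end a process.

```c
/* dep_demo.c: generated code on a read/write data page vs. a page explicitly
 * marked executable. Constructed example for Linux/POSIX on x86 or AArch64. */
#define _DEFAULT_SOURCE 1
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* "return 42" as machine code, constructed for this example. */
#if defined(__x86_64__) || defined(__i386__)
static const unsigned char kReturn42[] = {
    0xB8, 0x2A, 0x00, 0x00, 0x00,    /* mov eax, 42 */
    0xC3                             /* ret         */
};
#elif defined(__aarch64__)
static const unsigned char kReturn42[] = {
    0x40, 0x05, 0x80, 0x52,          /* mov w0, #42 */
    0xC0, 0x03, 0x5F, 0xD6           /* ret         */
};
#else
#error "no machine code for this architecture in the example"
#endif

static sigjmp_buf g_fault_jump;

/* The processor refused the instruction fetch (SIGSEGV on Linux): unwind back into try_call(). */
static void on_fault(int sig) { (void)sig; siglongjmp(g_fault_jump, 1); }

typedef int (*generated_fn)(void);

/* Call the code at `code`. Returns its return value, or -1 if execution was blocked. */
static int try_call(void *code) {
    struct sigaction sa, old_segv, old_bus;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);

    volatile int result = -1;
    if (sigsetjmp(g_fault_jump, 1) == 0) {
        generated_fn fn;
        memcpy(&fn, &code, sizeof fn);   /* object pointer -> function pointer without a warning */
        result = fn();
    }
    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    return result;
}

/* Copy the generated code into a fresh anonymous page and run it.
 * mark_executable == 0 leaves the page read/write (what a careless JIT does);
 * mark_executable != 0 switches it to read/execute first (what DEP requires).
 * Returns 42 on success, -1 if the processor blocked execution, -2 on an OS error. */
int run_generated_code(int mark_executable) {
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    void *buf = mmap(NULL, page, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (buf == MAP_FAILED) return -2;
    memcpy(buf, kReturn42, sizeof kReturn42);

    if (mark_executable) {
        /* Drop write while adding execute: never leave a page both writable and executable. */
        if (mprotect(buf, page, PROT_READ | PROT_EXEC) != 0) { munmap(buf, page); return -2; }
        __builtin___clear_cache((char *)buf, (char *)buf + sizeof kReturn42);  /* required on ARM, harmless on x86 */
    }
    int rc = try_call(buf);
    munmap(buf, page);
    return rc;
}

int main(void) {
    printf("execute from read/write data page:      %d (blocked = -1)\n", run_generated_code(0));
    printf("execute after marking page executable:  %d (expected 42)\n", run_generated_code(1));
    return 0;
}
```

The first call is exactly the situation the DEP message box reports: bytes written as data are fetched as instructions from a page whose PTE carries the NX/XD bit. The second call is the fix application developers are being asked to make: request Execute permission explicitly, and only after writing is finished.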
Will my NX- or XD-enabled systems protect me from virus attacks?
XD and NX are promising technologies, but they do not protect against all attacks. You should use XD and NX with antivirus software, firewall, and other security measures to reduce the propagation of viruses and limit the amount of damage they can create.
What are the required components for XD/NX to function?
To take advantage of the XD/NX feature, the following components must support XD/NX:
Processor
System BIOS
Operating system
Processor
Intel released XD-capable processors for the desktop market starting with the E0 stepping of the “Prescott” Pentium 4 processor. Both the Intel Pentium 4 and Celeron processor families include XD-capable parts. Using Intel’s new processor numbering scheme, all 6xx, 7xx, and 8xx processors support XD, and the majority of 5xx and 3xx processors also support XD.
AMD has released a line of AMD64 processors (Athlon 64, Athlon 64 FX, Turion 64 Mobile Technology, Mobile Athlon 64) which support NX.
Transmeta Efficeon processors using Code Morphing Software (CMS) 6.0.4 or later support NX. Both Intel and AMD have a Windows-compatible method of implementing XD/NX, but their hardware implementation is different. Transmeta Efficeon processors use a virtual implementation compatible with the AMD implementation.
How do I know if I have an XD- or NX-capable processor?
On a system running Windows XP SP2 with an XD- or NX-capable processor, the System Properties window reports that Physical Address Extension is enabled.
System BIOS
Default XD support is disabled on Intel 915-based (2004) systems.
Default XD support is enabled on Intel 945-based (2005) systems.
Default NX support is enabled on AMD-based (2005) systems.
Default NX support is disabled on Transmeta-based systems.
The BIOS for Intel 915 and Intel 945 based desktop systems uses the CPUID instruction to look for the Execute Disable bit (CPUID function 80000001h, EDX bit 20) to determine whether the installed processor supports XD. If the processor supports XD, the Data Execution Prevention option appears in the Security section of F10 Setup, where the user can enable or disable it.
AMD processors currently do not have an option to manually disable DEP in F10 Setup. Transmeta pro­cessors currently do not have an option to manually enable DEP in F10 Setup.
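The following program is an added example, not HP BIOS code, of the same CPUID check the F10 Setup BIOS performs, written for a GCC or Clang build on x86 (it uses the compiler's <cpuid.h>; on other architectures the live query reports that CPUID is unavailable). It reads the PAE bit (CPUID function 1, EDX bit 6) and the Execute Disable / No-Execute bit (CPUID function 80000001h, EDX bit 20), which is where both Intel and AMD report the feature, and combines them the way the document does: hardware DEP needs both. One caveat a practitioner should know: firmware that disables XD (for example the F10 Setup option on these systems) can clear the CPUID bit through the IA32_MISC_ENABLE register, so a "no" from this check on a running system does not prove the silicon lacks the feature.

```c
/* cpuid_nx.c: query the CPU feature bits that hardware DEP depends on.
 * Constructed example for x86 builds with GCC/Clang <cpuid.h>. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#endif

/* CPUID function 1, EDX bit 6: Physical Address Extension supported. */
bool pae_bit_from_edx(uint32_t edx_leaf1) { return (edx_leaf1 >> 6) & 1u; }

/* CPUID function 80000001h, EDX bit 20: Execute Disable (Intel XD) / No-Execute (AMD NX). */
bool nx_bit_from_edx(uint32_t edx_ext1) { return (edx_ext1 >> 20) & 1u; }

enum dep_hw_status { DEP_HW_AVAILABLE = 0, DEP_HW_NO_PAE, DEP_HW_NO_NX };

/* Hardware DEP needs both: PAE (64-bit PTEs with room for bit 63) and the NX/XD bit. */
enum dep_hw_status dep_hw_status_from_cpuid(uint32_t edx_leaf1, uint32_t edx_ext1) {
    if (!pae_bit_from_edx(edx_leaf1)) return DEP_HW_NO_PAE;
    if (!nx_bit_from_edx(edx_ext1))   return DEP_HW_NO_NX;
    return DEP_HW_AVAILABLE;
}

/* Read the two EDX values from the running processor. Returns 0 on success,
 * -1 when CPUID is unavailable (non-x86 build, or no extended functions). */
int query_cpu(uint32_t *edx_leaf1, uint32_t *edx_ext1) {
#if defined(__x86_64__) || defined(__i386__)
    unsigned int a, b, c, d;
    if (!__get_cpuid(1, &a, &b, &c, &d)) return -1;
    *edx_leaf1 = d;
    if (__get_cpuid_max(0x80000000u, NULL) < 0x80000001u) return -1;
    if (!__get_cpuid(0x80000001u, &a, &b, &c, &d)) return -1;
    *edx_ext1 = d;
    return 0;
#else
    (void)edx_leaf1; (void)edx_ext1;
    return -1;
#endif
}

int main(void) {
    uint32_t leaf1, ext1;
    if (query_cpu(&leaf1, &ext1) != 0) { puts("CPUID not available on this build"); return 1; }
    printf("PAE: %s, NX/XD: %s\n",
           pae_bit_from_edx(leaf1) ? "yes" : "no",
           nx_bit_from_edx(ext1)  ? "yes" : "no");
    /* Caveat: firmware that disables XD can clear this CPUID bit via IA32_MISC_ENABLE,
     * so "no" here means "not usable now", not necessarily "not present in silicon". */
    return dep_hw_status_from_cpuid(leaf1, ext1) == DEP_HW_AVAILABLE ? 0 : 1;
}
```

On an HP system where the F10 Setup option is absent, run this first: a processor that reports the bit but whose BIOS offers no option is a firmware limitation, while a processor that does not report the bit (with the option disabled, or on a part without XD) is the case the document describes.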
The Data Execution Prevention option is disabled by default on i915-based systems and enabled by default on i945-based systems. When the XD feature is not enabled, hardware DEP is not in effect, so applications and drivers that would otherwise be incompatible with it run without compatibility problems, but also without its protection.
HP uses the i915 chipset desktop BIOS family in the following product lines (not all systems available in all regions):
dc5100
dx6100
dc7100
HP uses the i945 chipset desktop BIOS family in the following product lines (not all systems available in all regions):
dc7600
dx7200
HP uses the ATI Radeon Xpress 200 chipset desktop BIOS family for AMD processors in the following product line (not all systems available in all regions):
dx5150
The BIOS for the bc1000 disables NX support for the Transmeta processor. There is no option to enable NX.
The following workstations and associated chipsets also support DEP (not all systems available in all regions):
HP Workstation xw4200 – Intel 925X chipset
HP Workstation xw6200 – Intel E7525 chipset
HP Workstation xw8200 – Intel E7525 chipset
These workstations disable DEP by default. However, you can manually enable DEP in BIOS.
Operating System
Microsoft implemented XD/NX support with Windows XP Service Pack 2. All future Microsoft operating systems, including the upcoming “Longhorn” operating system, will have XD/NX support. Previous operat­ing systems do not support the XD/NX features.