January 23rd, 2006

Guide to hardware-based DEP protection

Posted by George Ou @ 2:00 am

Categories: Security

When the WMF exploit hit the wild, the existing workarounds were tacky and the official Microsoft patch was a week away, the DEP (Data Execution Prevention) feature shone through wherever it was completely enabled and backed by NX- or XD-capable hardware.  While NX and XD are also supported by other operating systems such as Windows 2003 Server with SP1, BSD, and Linux, the vast majority of users will use it through Windows XP SP2.  The downside to DEP protection in Windows XP SP2 is that it isn’t completely enabled by default, and most older computers don’t have NX or XD capability in their AMD or Intel processor.  Fixing the first issue is just a few clicks away, but fixing the second is trickier because it involves having the right hardware.

Hopefully, you have a CPU that already has NX or XD capability.  The easiest way to verify this on Windows XP SP2 is simply to look at your DEP settings.  Right-click "My Computer" and select "Properties".  In "System Properties", go to the "Advanced" tab as shown here:

Then you click on the "Settings" button and you’ll get the "Performance Options" window as shown here:

Jump to the "Data Execution Prevention" tab and select "Turn on DEP for all programs and services except those I select".  This enables DEP for all applications and services.  This is also where you verify whether you have an NX- or XD-capable processor: if you see the warning message at the bottom telling you that your computer’s processor does not support hardware-based DEP, then you don’t have an NX- or XD-capable processor.
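A programmatic version of that same check, added here as an example and not code from the original post: it reads the CPUID feature bit that AMD markets as NX and Intel as XD, which is what the DEP tab's warning reflects. It assumes a GCC- or Clang-compatible compiler on x86; the function names are my own.

```c
#include <stdio.h>
#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#endif

/* CPUID leaf 0x80000001, EDX bit 20. AMD documents it as NX and Intel as XD,
 * but it is one and the same bit, and it is what the XP SP2 DEP tab looks at
 * before warning that the processor "does not support hardware-based DEP". */
#define NX_BIT (1u << 20)

/* Pure decode step, kept separate so it can be checked with a constructed EDX. */
int nx_bit_from_edx(unsigned int edx)
{
    return (edx & NX_BIT) ? 1 : 0;
}

/* Query the CPU we are running on: 1 = NX/XD reported, 0 = absent (or the
 * extended leaf does not exist, as on pre-NX parts), -1 = not an x86 build,
 * where the CPUID instruction does not exist at all. */
int cpu_has_nx(void)
{
#if defined(__x86_64__) || defined(__i386__)
    unsigned int eax, ebx, ecx, edx;
    /* __get_cpuid returns 0 when the leaf is above the CPU's highest
     * supported extended leaf, so very old CPUs correctly land on "absent". */
    if (!__get_cpuid(0x80000001u, &eax, &ebx, &ecx, &edx))
        return 0;
    return nx_bit_from_edx(edx);
#else
    return -1;
#endif
}

int main(void)
{
    int nx = cpu_has_nx();
    printf("Hardware DEP (NX/XD): %s\n",
           nx == 1 ? "supported" : nx == 0 ? "NOT supported" : "n/a (not x86)");
    return 0;
}
```

A "supported" result only means the CPU can enforce it; the operating system still has to be set to the OptOut policy described above for DEP to cover every process.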

If you don’t have hardware-based DEP, then your only choice is to get a new processor that has AMD NX or Intel XD capability, or to buy a new computer with an NX or XD CPU built in.  If you go the processor upgrade route, that usually means you need a new motherboard too.  Fortunately, price isn’t a big issue since I’ve seen $80 deals where you get both an AMD Sempron 2800+ NX-capable CPU and a motherboard.  I’ve also seen similar deals with Intel Pentium 4 2.66 CPUs and a free motherboard for around $110.  The tricky part is recognizing which CPUs have NX or XD capability and which do not.  To help you figure this out, I’ve compiled a list of processors from both Intel and AMD that support hardware-enforced DEP.

Intel Processors with XD support:

AMD processors with NX support:

* Except AMD64 based on Clawhammer-512 core rev. C0

It’s fairly safe to assume that all of the newest CPUs from Intel and AMD will support this feature in the future.  All of the newest server chips from Intel or AMD that weren’t listed here also support hardware-enforced DEP.  Intel’s newest dual-core Duo and single-core Solo CPUs will definitely support XD.  Only the low-end AMD Socket A and end-of-life Socket 940 CPUs don’t have this feature.  All you need to do is follow the steps above and enable DEP, and you’ll be a lot more secure.  However, DEP by itself should never be considered a complete substitute for other forms of security; treat it only as an extra layer of protection.

George Ou is Technical Director of ZDNet. See his full profile and disclosure of his industry affiliations.

RE: you are stuck on the fundamentals...
(and I have 70,000 exploits to my credit since 2001 that have yet to be patched by vendors).

Hahaha, that's great. Working nonstop for the past 5 years, that's about 38 exploits a day.

You sound like a smart guy alright......
Posted by: ytpete Posted on: 03/29/06
