Saturday, February 13, 2010

DEP and security benefits

Last month I wrote about the IE 0-day; the vulnerability affected IE6, and also IE7 and IE8 when DEP was not enabled. So what is DEP? In this post I will try to explain that and provide more information on why it is a good security feature.

Typical behavior of much malware is to entice the user to download its code, insert that code into memory and then execute it. The majority of buffer overflow vulnerabilities are exploited this way.

As part of the XP SP2 and 2K3 Server SP1 releases, Microsoft introduced what is known as Data Execution Prevention, or DEP. It is a defense-in-depth feature that protects the system from executing malicious code. So if your anti-virus program or host IDS fails to protect you, this additional wall is still there.

Beginning with XP SP2, there are two separate DEP checks enforced, one by the hardware and the other by the software. Certain areas of memory are designated as non-executable, and if any program tries to execute code from those areas, it is intercepted and an exception is raised.

By default, when a program is launched, the system allocates memory pages and marks certain areas within this memory as non-executable. Even though the hardware and the operating system support it, only a limited set of system binaries is protected by this feature; other applications must enable it separately. It was enabled in IE beginning with IE7, and in MS Office with Office 2010.

For corporate environments, the first step in taking advantage of this feature is to upgrade the operating system and then the applications to support it. For third-party applications, Microsoft warns that “Applications that perform dynamic code generation (such as Just-In-Time code generation) and do not explicitly mark generated code with execute permission may have compatibility issues on computers that are using DEP. Applications written to the Active Template Library (ATL) version 7.1 and earlier can attempt to execute code on pages marked as non-executable, which triggers an NX fault and terminates the application.”
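To show what that NX fault looks like from a code generator's point of view, here is an added example that is not from the original post or from Microsoft: a tiny "JIT" writes a constructed x86-64 stub into a fresh memory page and calls it, once after marking the page executable and once without. It uses POSIX mmap/mprotect on Linux, the counterparts of VirtualAlloc/VirtualProtect on Windows; the function name run_generated_code and the stub bytes are my own.

```c
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

#if !defined(__x86_64__)
#error "the constructed stub below is x86-64 machine code"
#endif

/* Constructed stub, x86-64 machine code for:  mov eax, 42 ; ret */
static const unsigned char k_stub[] = { 0xB8, 0x2A, 0x00, 0x00, 0x00, 0xC3 };

static sigjmp_buf g_fault_env;

/* An NX fault surfaces as SIGSEGV; unwind to run_generated_code instead of dying. */
static void on_segv(int sig) { (void)sig; siglongjmp(g_fault_env, 1); }

/* Copy the stub into a fresh read/write page and call it.
 * mark_executable != 0: flip the page to read/execute first, as a DEP-aware JIT must.
 * mark_executable == 0: leave it writable only, as a DEP-unaware code generator would.
 * Returns the stub's return value (42), or -1 if executing the page faulted. */
int run_generated_code(int mark_executable) {
    size_t page_size = (size_t)sysconf(_SC_PAGESIZE);
    void *page = mmap(NULL, page_size, PROT_READ | PROT_WRITE,
                      MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (page == MAP_FAILED) return -1;
    memcpy(page, k_stub, sizeof k_stub);
    if (mark_executable && mprotect(page, page_size, PROT_READ | PROT_EXEC) != 0) {
        munmap(page, page_size);
        return -1;
    }
    struct sigaction sa, old_sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_segv;
    sigaction(SIGSEGV, &sa, &old_sa);
    int result;
    if (sigsetjmp(g_fault_env, 1) == 0) {
        int (*generated)(void);
        memcpy(&generated, &page, sizeof generated);  /* jump into the page */
        result = generated();
    } else {
        result = -1;  /* CPU refused to fetch instructions from a non-executable page */
    }
    sigaction(SIGSEGV, &old_sa, NULL);
    munmap(page, page_size);
    return result;
}
```

The second call is exactly the failure mode Microsoft describes: the generated code is correct, but the page was never marked executable, so DEP stops it.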

Because of this dependency and the additional configuration required, many applications do not work well in their default configuration. This is the main reason why organizations do not upgrade to XP SP2, and as a result they miss out on this important security feature.

As I already mentioned, with DEP enabled, organizations get automatic protection from the IE zero-day. Last month's critical Adobe Acrobat vulnerability, which existed in a function called util.printd and led to memory corruption and code injection, could also have been prevented if organizations had DEP enabled on their machines.

To learn more about DEP and DEP-enabled applications, visit the Microsoft pages below:

http://support.microsoft.com/kb/875352/EN-US/
http://blogs.technet.com/robert_hensing/archive/2007/04/04/dep-on-vista-explained.aspx
http://blogs.technet.com/office2010/archive/2010/02/04/data-excecution-prevention-in-office-2010.aspx
