Sunday, February 11, 2007

Hardware DEP Always On, please

Windows XP SP2 introduced Hardware DEP (the processor's NX/XD "no execute" page bit). When SP2 shipped it was only usable on two AMD processor lines (Athlon 64 and Opteron) and one Intel processor (Itanium); Intel's desktop parts with the XD bit came later.

IrfanView will run fine in Opt-Out mode, but NOT in Always On mode, because it writes code into pages that are supposed to hold only data (its stack) and then jumps to it. It does not need to: according to Gibson this is a very easy fix on Irfan's part, or on the part of any programmer who understands how the stack is used. Executing code from the stack is the same behaviour that the occasional stack overflow exploit depends on, which is why it matters that programs stop doing it.
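To make the IrfanView point concrete, here is an added example (my own, not code from the original post, from IrfanView or from Gibson) that does on purpose what such a program does by accident: it writes a few machine-code bytes into a page and jumps to them. Once with the page left read/write, as a stack or heap data page would be, and once with the page explicitly made executable, which is the fix. It is written against POSIX mmap/mprotect rather than the Windows VirtualAlloc/VirtualProtect calls an XP program would use, because the no-execute check it exercises is the same hardware DEP bit; the stub bytes (constructed here) are for x86 or aarch64, and the program assumes the CPU has NX and the OS enforces it.

```c
#define _DEFAULT_SOURCE 1
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Constructed machine-code stub that just returns 42 to its caller. */
#if defined(__x86_64__) || defined(__i386__)
static const unsigned char kStub[] = { 0xB8, 0x2A, 0x00, 0x00, 0x00, 0xC3 };            /* mov eax,42 ; ret */
#elif defined(__aarch64__)
static const unsigned char kStub[] = { 0x40, 0x05, 0x80, 0x52, 0xC0, 0x03, 0x5F, 0xD6 }; /* mov w0,#42 ; ret */
#else
#error "stub bytes are provided for x86 and aarch64 only"
#endif

static sigjmp_buf g_recover;

/* A jump into a non-executable page raises SIGSEGV (hardware DEP refused it);
   unwind back into try_execute_page instead of letting the process die. */
static void on_fault(int sig) {
    (void)sig;
    siglongjmp(g_recover, 1);
}

/* Copy the stub into a fresh page, apply final_prot to that page, then call it.
   Returns 42 if the CPU executed the page, -1 if DEP blocked it, -2 on setup failure. */
static int try_execute_page(int final_prot) {
    size_t pagesz = (size_t)sysconf(_SC_PAGESIZE);
    unsigned char *page = mmap(NULL, pagesz, PROT_READ | PROT_WRITE,
                               MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (page == MAP_FAILED) return -2;

    memcpy(page, kStub, sizeof kStub);              /* write the code while the page is writable */
    __builtin___clear_cache((char *)page, (char *)page + sizeof kStub);
    if (mprotect(page, pagesz, final_prot) != 0) {  /* then switch to the protection under test */
        munmap(page, pagesz);
        return -2;
    }

    struct sigaction sa, old_segv, old_bus;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);

    int result;
    if (sigsetjmp(g_recover, 1) == 0) {
        int (*fn)(void) = (int (*)(void))(uintptr_t)page;
        result = fn();                               /* jumps into the page */
    } else {
        result = -1;                                 /* arrived here from on_fault */
    }

    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    munmap(page, pagesz);
    return result;
}

/* What an IrfanView-style program does: run instructions out of a plain read/write data page. */
int run_from_data_page(void) { return try_execute_page(PROT_READ | PROT_WRITE); }

/* The fix: code that has to be generated at run time lives in a page that is
   explicitly marked executable, and (W^X) is no longer writable once it is. */
int run_from_code_page(void) { return try_execute_page(PROT_READ | PROT_EXEC); }

int main(void) {
    int data = run_from_data_page();
    int code = run_from_code_page();
    printf("data page (RW): %s\n", data == 42 ? "EXECUTED, no DEP in effect" : data == -1 ? "blocked by DEP" : "setup failed");
    printf("code page (RX): %s\n", code == 42 ? "executed" : code == -1 ? "blocked" : "setup failed");
    return 0;
}
```

With DEP in effect the first call is stopped by the processor and the second one works, which is the whole of the fix Gibson is talking about: the program keeps generating code at run time, it just asks for an executable page instead of abusing a data page. On Windows the same thing is VirtualAlloc or VirtualProtect with PAGE_EXECUTE_READ, and the blocked attempt shows up as an access violation exception rather than SIGSEGV.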

Always On and Always Off are chosen per boot entry with the /noexecute switch in Boot.ini (you can keep two boot entries, one with /noexecute=AlwaysOn and one with /noexecute=OptOut, and pick at startup), or you can use DEPuty, a small program written by PC security expert Steve Gibson that sets the switch for you.

The Data Execution Prevention tab in the Control Panel (System > Advanced > Performance) only switches between Opt-In and Opt-Out; it does NOT let you choose Always On or Always Off. Those two are boot-time policies set in Boot.ini, not in the Control Panel and not in the BIOS. The BIOS is a separate matter: some BIOSes ship with the NX/XD feature disabled, and some do not expose it at all, and while it is off at that level Windows cannot enforce Hardware DEP in any mode, so check there first.

Live C programming is just a limited work-around, according to Gibson.

ASLR is not available natively on XP (it arrived with Vista), but there is freeware that DOES add ASLR to Windows XP SP2. Combine that with Hardware DEP Always On, and programmers no longer handing the stack code to execute, and an attacker who overflows a buffer has almost nothing left to work with in the PC's memory. The reason ASLR is needed on top of DEP is that DEP only stops injected code from running; it does not stop an overflow that redirects execution into code already loaded in the process, and ASLR is what makes that hard to aim.

Microsoft's "software-enforced DEP" is NOT DEP in the hardware sense: it only validates structured exception handler addresses (SafeSEH), which blocks one very specific overflow technique, and that technique was current 5 years ago.

ALL processors made now and in the future will most probably have Hardware DEP support. Note that the CPU only supplies the no-execute bit; whether DEP is ALWAYS ON is an operating-system policy, and Windows XP defaults to Opt-In, so having the hardware does not by itself give you Always On.

ALWAYS ON (Strongest - most compatibility problems: DEP is enforced for every process, with no exception list)
OPT OUT (Strong - DEP for every process except those you explicitly exclude, so the old-school programs that execute code from the stack can be exempted one by one)
OPT IN (Weakest - DEP only for Windows system binaries and programs that ask for it; this is the XP default)
ALWAYS OFF (Non-existent - DEP is not enforced for anything)

<-- copyright 2005+ by Dan Prowse -->
