| Data Execution Prevention | |
|---|---|
| Name | Data Execution Prevention |
| Introduced | 1990s |
| Developer | Microsoft Corporation, Intel Corporation, AMD |
| Type | Hardware and software security |
Data Execution Prevention is a set of hardware and software mechanisms designed to prevent the execution of code from memory regions intended to contain only data. It combines processor features, operating system controls, and compiler/runtime support to mitigate exploitation techniques used in notable incidents such as the Morris worm, Code Red and attacks against Microsoft Windows services; vendors including Microsoft Corporation, Intel Corporation and AMD, and projects such as the Linux kernel and OpenBSD, evolved defenses to address these threats.
DEP enforces non-executable attributes on memory pages, defeating control-flow hijacks that rely on executing injected payloads placed in writable areas. Major players in the field include Microsoft Corporation (with the Windows NT lineage), CPU designers such as Intel Corporation and AMD (with the NX bit and XD bit extensions), and open-source projects such as the Linux kernel and OpenBSD that integrated similar protections. DEP complements other mitigations such as Address Space Layout Randomization, stack canaries and Control Flow Guard, and techniques articulated in publications from research groups at institutions like MIT, Stanford University and the University of California, Berkeley, and from security teams at firms such as Symantec, McAfee and Kaspersky Lab.
Early discussions of executable versus non-executable memory trace to processor documentation from firms like Hewlett-Packard and Intel Corporation in the 1990s, and academic work at Carnegie Mellon University and the University of Washington explored buffer-overflow mitigations. Commercial adoption accelerated after high-profile worms and related incidents affecting Microsoft Corporation services; Microsoft introduced NX/XD-aware behavior in releases that followed scrutiny by groups including the CERT Coordination Center and advisories from US-CERT. Hardware support via the NX bit (No-eXecute) and the Execute Disable Bit was promoted by Intel Corporation and AMD; operating systems such as Windows XP, Windows Vista, the Linux kernel, FreeBSD and OpenBSD added enforcement layers, while toolchains including the GNU Compiler Collection and Microsoft Visual C++ integrated stack and heap protection options.
At the processor level, DEP relies on page-table attributes exposed by architectures such as x86-64, the ARM architecture and Itanium; Intel and AMD implemented NX/XD to mark pages non-executable. Operating systems implement kernel- and user-mode enforcement: the Windows NT family exposes per-process policy switches, while the Linux kernel uses mmap protection flags and SELinux policies to control execution. Language runtimes and compilers (for example GCC, Clang and Microsoft Visual C++) add compile-time options and trampolines that avoid writable-executable pages. DEP interoperates with control-flow integrity proposals from academic venues such as the USENIX Security Symposium and the IEEE Symposium on Security and Privacy; related mitigations include guard pages, stack canaries, and the loader hardening practiced by distributors like Red Hat and Canonical Ltd.
Hardware features originated with Intel Corporation's 64-bit extensions and AMD's implementations; the ARM architecture later introduced similar non-executable page support. Microsoft integrated DEP in Windows XP SP2 and expanded its policies in subsequent Windows versions, including opt-in and opt-out settings exposed through system control panels and through Group Policy in Active Directory environments. The Linux kernel implements NX handling and userland controls via Exec Shield, the PaX patches, and mainline features; BSD variants such as OpenBSD and FreeBSD enabled W^X (write xor execute) policies. Virtualization platforms from VMware, Inc., Microsoft Hyper-V and Xen also manage NX/XD exposure to guest operating systems, while firmware vendors and server OEMs such as Dell Technologies and Hewlett Packard Enterprise may ship microcode updates affecting DEP behavior.
DEP raised the bar for code-injection attacks by invalidating common exploit primitives used in worms and exploit kits tied to incidents such as SQL Slammer and the Blaster worm; it reduced the success of stack- and heap-spray techniques documented by security vendors such as McAfee and Trend Micro and by research groups at the Georgia Institute of Technology. Quantitative analyses by teams at Microsoft Research and academic studies presented at the IEEE Symposium on Security and Privacy show that DEP decreases successful exploitation rates but does not eliminate control-flow hijacks. DEP is most effective when combined with Address Space Layout Randomization and the application-level hardening used by enterprises, by government bodies such as the United States Department of Defense (through directives), and by standards bodies like NIST in guidance documents.
Software compatibility challenges arose with just-in-time compilers and legacy binaries that required writable-executable memory, prompting workarounds such as marking specific pages executable or using dynamic trampolines; vendors such as Adobe Systems and projects such as the Mozilla Foundation adapted their runtimes to comply. Attackers developed bypass techniques including return-oriented programming (ROP), jump-oriented programming (JOP) and the use of misconfigured executable mappings, approaches documented in academic papers from Princeton University and University of California, San Diego researchers and exploited in campaigns analyzed by FireEye and CrowdStrike. Defenses evolved in turn: Control Flow Guard from Microsoft Corporation, shadow-stack proposals from Google LLC and kernel-level mitigations in the Linux kernel seek to harden systems against ROP/JOP.
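The DEP-compliant pattern that JIT runtimes adopted, as an added illustration and not code from any vendor or project named on this page: code is written into a read-write page, then the page is switched to read-execute in one mprotect call, so no page is ever both writable and executable (the W^X rule). It assumes a Linux or BSD-style mmap/mprotect API on x86-64 or AArch64; the machine-code bytes and the function name run_wx_jit are constructed for this example.

```c
#define _GNU_SOURCE
#include <stddef.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

#ifndef MAP_ANONYMOUS
#define MAP_ANONYMOUS MAP_ANON   /* BSD spelling of the same flag */
#endif

/* Constructed machine code for a function that just returns 42 (example only). */
#if defined(__x86_64__)
static const unsigned char kCode[] = { 0xb8, 0x2a, 0x00, 0x00, 0x00, /* mov eax, 42 */
                                       0xc3 };                       /* ret         */
#elif defined(__aarch64__)
static const unsigned char kCode[] = { 0x40, 0x05, 0x80, 0x52,       /* mov w0, #42 */
                                       0xc0, 0x03, 0x5f, 0xd6 };     /* ret         */
#endif

/* W^X-compliant JIT cycle: the page is writable OR executable, never both.
 * Returns the jitted function's result (42), -1 if mmap/mprotect failed
 * (for example a policy that refuses RW->RX), or -2 on an unsupported CPU. */
int run_wx_jit(void) {
#if defined(__x86_64__) || defined(__aarch64__)
    size_t len = (size_t)sysconf(_SC_PAGESIZE);
    /* Step 1: a plain data page (RW). Under DEP/NX the CPU will not fetch
     * instructions from it, so the bytes written here are inert. */
    void *mem = mmap(NULL, len, PROT_READ | PROT_WRITE,
                     MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (mem == MAP_FAILED) return -1;
    memcpy(mem, kCode, sizeof kCode);
    /* Step 2: flip the page to RX. Write access is dropped in the same call,
     * so there is no window in which the page is writable and executable. */
    if (mprotect(mem, len, PROT_READ | PROT_EXEC) != 0) {
        munmap(mem, len);
        return -1;   /* do not fall back to PROT_READ|PROT_WRITE|PROT_EXEC */
    }
    /* Needed on ARM (no-op on x86): publish the new instructions to the I-cache. */
    __builtin___clear_cache((char *)mem, (char *)mem + sizeof kCode);
    int (*fn)(void);
    memcpy(&fn, &mem, sizeof fn); /* copy rather than cast a data pointer to a function pointer */
    int result = fn();
    munmap(mem, len);
    return result;
#else
    return -2;
#endif
}
```

The deliberate `return -1` on a refused mprotect is the point: a runtime that instead requests RWX memory up front is exactly the misconfigured executable mapping that DEP bypasses rely on.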
Enterprises deploy DEP via configuration management: Group Policy in Active Directory, package policies from Red Hat Satellite, and mobile device management solutions from vendors such as VMware, Inc. and MobileIron. Best practices include enabling hardware-enforced DEP where supported, applying microcode and OS patches from Microsoft Corporation and kernel maintainers, recompiling critical software with NX-aware toolchains such as GCC and Clang, and combining DEP with Address Space Layout Randomization, Control Flow Guard, and intrusion-detection systems from vendors including Palo Alto Networks and Cisco Systems. Security audits by organizations like ISO and guidance from NIST inform compliance and risk assessments.
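One concrete audit step behind the "recompile with NX-aware toolchains" advice, written as an added example rather than a tool from any vendor named here: an ELF64 binary declares whether it needs an executable stack through its PT_GNU_STACK program header, and a binary linked with an executable stack (or lacking the header entirely) undoes DEP for that process. The byte-offset parsing follows the ELF64 layout; the function names elf64_stack_is_executable and audit_sample_elf and the constructed header fixture are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define PT_GNU_STACK 0x6474e551u  /* program header carrying the stack's permissions */
#define PF_X 1u
#define PF_R 4u
#define PF_W 2u

static uint32_t rd32(const unsigned char *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static uint16_t rd16(const unsigned char *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static void wr32(unsigned char *p, uint32_t v) {
    p[0] = (unsigned char)v;         p[1] = (unsigned char)(v >> 8);
    p[2] = (unsigned char)(v >> 16); p[3] = (unsigned char)(v >> 24);
}

/* Audits a little-endian ELF64 image: 1 = requests an executable stack,
 * 0 = PT_GNU_STACK present and non-executable (NX-clean), -1 = not ELF64 or header
 * missing (the loader then applies an architecture default, often executable: a finding too). */
int elf64_stack_is_executable(const unsigned char *img, size_t len) {
    if (len < 64 || memcmp(img, "\x7f" "ELF", 4) != 0) return -1;
    if (img[4] != 2 || img[5] != 1) return -1;          /* ELFCLASS64, little-endian only */
    uint64_t phoff = (uint64_t)rd32(img + 32) | ((uint64_t)rd32(img + 36) << 32);
    uint16_t phentsize = rd16(img + 54), phnum = rd16(img + 56);
    if (phentsize < 56) return -1;                      /* Elf64_Phdr is 56 bytes */
    for (uint16_t i = 0; i < phnum; i++) {
        uint64_t off = phoff + (uint64_t)i * phentsize;
        if (off + 8 > len) return -1;                   /* truncated program header table */
        if (rd32(img + off) == PT_GNU_STACK)
            return (rd32(img + off + 4) & PF_X) ? 1 : 0;
    }
    return -1;
}

/* Constructed fixture: a bare ELF64 header plus one PT_GNU_STACK entry carrying
 * the given flags (no code, not loadable), returning the audit verdict for it. */
int audit_sample_elf(uint32_t stack_flags) {
    unsigned char img[64 + 56];
    memset(img, 0, sizeof img);
    memcpy(img, "\x7f" "ELF", 4);
    img[4] = 2; img[5] = 1; img[6] = 1;   /* 64-bit, little-endian, ELF version 1 */
    img[32] = 64;                         /* e_phoff: table immediately after the header */
    img[54] = 56; img[56] = 1;            /* e_phentsize, e_phnum */
    wr32(img + 64, PT_GNU_STACK);
    wr32(img + 68, stack_flags);
    return elf64_stack_is_executable(img, sizeof img);
}
```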