Questions tagged [dep]

Data Execution Prevention, any technique to protect data from being executed as code, thus preventing some exploits.

Data Execution Prevention is any feature that prevents data from being executed as code. This combats some exploit techniques such as passing exploit code as input and using a vulnerability to cause a jump into the input buffer, or overflowing a data buffer so as to overwrite a code area.

Modern ARM and x86 CPUs can mark virtual memory pages as non-executable; this is the NX (no-execute) bit in the page tables. Operating systems take advantage of it to varying extents. DEP features improve security but can be incompatible with some programs (e.g. just-in-time compilation requires a program to write code into a memory buffer and then execute it).

39 questions
127 votes, 2 answers

How do ASLR and DEP work?

How do Address Space Layout Randomisation (ASLR) and Data Execution Prevention (DEP) work, in terms of preventing vulnerabilities from being exploited? Can they be bypassed?
Polynomial
19 votes, 2 answers

How "leaking pointers" to bypass DEP/ASLR works

I was wondering if anyone could give me some clues on how "leaking pointers" to bypass DEP/ASLR work. I read here: The only way to reliably bypass DEP and ASLR is through a pointer leak. This is a situation where a value on the stack, at a…
John Smith
15 votes, 3 answers

Compiling a buffer overflow example in modern Linux?

I'm trying to compile a simple buffer overflow example on a Debian i386 VM. The executable builds ok, but EIP does not get overwritten correctly despite being supplied a sufficiently large input to overflow the buffer and overwrite the pushed EIP…
B-MO
11 votes, 2 answers

How is the stack protection enforced in a binary?

On a Linux box with an Intel CPU, let's say I compiled my binary with -fstack-protect-all. How is this encoded into the binary? (Can I see this info using readelf?) Is it encoded into every page/segment, or is it added to the binary in one place…
SFlow
10 votes, 1 answer

What attacks does a W^X policy prevent against?

Write xor Execute (W^X) is a policy that a block (page) of memory cannot be marked as both writeable and executable at the same time. What attacks does W^X prevent, with and without the following: Address Space Layout Randomization (ASLR) Data…
Polynomial
6 votes, 1 answer

How can I check if a Mac application has NX or ASLR enabled?

According to Wikipedia, the NX bit is set for all x64 binaries: OS X for Intel supports the NX bit on all CPUs supported by Apple (from 10.4.4 – the first Intel release – onwards). Mac OS X 10.4 only supported NX stack protection. In Mac OS X…
Guest
6 votes, 1 answer

Hardware enforced DEP on different CPUs

Are there any differences in how hardware DEP is implemented on CPUs from different manufacturers (Intel, AMD, nVidia, Texas, ...)? Are there any significant differences in how hardware DEP works on x86 and ARM?
StupidOne
5 votes, 2 answers

Why did it take so long to enforce memory permissions?

From the Wikipedia page on DEP. DEP was introduced on Linux in 2004 (kernel 2.6.8[2]), on Windows in 2004 with Windows XP Service Pack 2,[3] while Apple introduced DEP when they moved to x86 in 2006. Why did it take until 2004, when DEP was…
user10211
5 votes, 3 answers

Did CVE-2016-2324 allow remote code execution?

Let’s say I have this kind of code : // In revision.c char *path_name(const struct name_path *path, const char *name) // by design, name_path->len is a 32 bits int, but this doesn’t concern name { const struct name_path *p; char *n, *m; …
user2284570
4 votes, 2 answers

How does SEH based exploit bypass DEP and ASLR?

I am new to structured exception handling based exploits. Why don't we put our return address directly in the SE handler to jump to our shellcode? (with no SafeSEH) Can anybody explain the reason for using pop pop ret? I read something that said SEH…
Sani
4 votes, 2 answers

Are buffer overflow and similar attacks still possible?

The majority of my cyber security background comes in the form of web application vulnerability testing, and whilst I do have a degree of prior experience in studying and performing application exploitations it has been several years since I last…
questioner
4 votes, 0 answers

Do programs run in Linux in Wine benefit from DEP and ASLR?

Do programs run in Linux in Wine benefit from mitigation techniques DEP and ASLR?
KOLANICH
4 votes, 1 answer

Several questions about Linux kernel debugging - memory examination

I've read this: Does Linux kernel use DEP for kernel memory? But I'm debugging the Linux kernel (x86_64) on VMware using the VMware stub. I've attached gdb to my Linux kernel. The kernel version is 3.x and I changed executable memory of the Linux kernel in one…
tigger
3 votes, 1 answer

Bypass Full ASLR+DEP exploit mitigation

Let's assume that a vulnerable process is set up with ASLR and DEP against all the imported modules used in this process and there is no way to find a module that is ASLR-free. Moreover, the process is not used by JIT, so JIT spraying is out of…
JDeff
3 votes, 2 answers

Is it safe to deploy software without memory protections such as DEP/ASLR?

Several software packages on our SOE Windows machines come with DEP and ASLR memory protections off by default. More troubling is that these applications run as SYSTEM and load their own drivers. Given that these are expected memory protections and…
NULLZ