What is DEP, and how do I find out if my processor supports it?

1

1

Coreinfo shows me a bunch of instructions my processor supports. However, one that I'm interested in is DEP (Data Execution Prevention). DEP is listed as something the CPU must support in Windows 2016 Server. What is it?

The docs from Microsoft seem to link it with NX. What's the difference between DEP and NX, and how do I find out if my processor supports DEP?

Evan Carroll

Posted 2017-09-20T00:12:30.217

Reputation: 1

@Ramhound updated with link, I'm using an HP Workstation xw6200 – Intel E7525 chipset. Wanting to know if it will support Server 2016, or if I need to upgrade. And, if I upgrade, if a DELL PowerEdge R710 2 x 2.53GHz E5540 will cover the requirements of Server 2016. I've already determined my own box does not work. It doesn't have NX, according to coreinfo. – Evan Carroll – 2017-09-20T00:36:04.003

You linked me to a page on the E5540. I'm on the E7525. – Evan Carroll – 2017-09-20T00:41:52.573

1

So, https://ark.intel.com/m/products/28016/64-bit-Intel-Xeon-Processor-3_20-GHz-1M-Cache-800-MHz-FSB, is your current processor and it does not support NX which is required for Windows 8.1+ and Windows Server 2012 R2+

– Ramhound – 2017-09-20T00:55:11.603

That's what I've been trying to say. And, I trust that as a source more so than cpu-world.com (which seems to be incorrect) – Evan Carroll – 2017-09-20T00:56:35.163

1

Your wording was confusing, to be honest. You listed an HP part number along with an Intel chipset identifier. – Ramhound – 2017-09-20T00:57:53.433

Because that's the chipset in the HP. I also listed a dump of coreinfo. That was your suggestion. It says clearly that NX is not supported. I mean, the question was "Is there a way to tell if my hardware supports specific instructions?" and you knew the name of it and you were right: it's coreinfo. That's easier than me popping in a live-cd and running cat /proc/cpuinfo. Linux guys don't remember the 9,000 tools required to do basic admin on Windows boxes. – Evan Carroll – 2017-09-20T01:00:30.660

I did not know which processor you currently have until I looked up the HP product number. Don't blame me for my confusion due to the confusing statement and formatting of your question. – Ramhound – 2017-09-20T01:01:34.813

Answers

1

Data Execution Prevention (DEP) is a system-level memory protection feature that is built into the operating system starting with Windows XP and Windows Server 2003. DEP enables the system to mark one or more pages of memory as non-executable. Marking memory regions as non-executable means that code cannot be run from that region of memory, which makes it harder for the exploitation of buffer overruns.

If we combine it with the information from your own link, we determine that, when combined with ASLR (which requires NX-bit), DEP becomes synonymous with NX. Specifically, the ASLR implementation within Windows Server 2016 requires it.

But when it is combined with other technologies like Address Space Layout Randomization (ASLR), it helps prevent common buffer overflow vulnerabilities in Windows Internet Explorer and the add-ons that it loads. No additional user interaction is required to provide this protection, and no new prompts are introduced.

Additionally:

Microsoft added ASLR functionality in Windows Vista and Windows Server 2008. On this platform, DEP is implemented through the automatic use of PAE kernel in 32-bit Windows and the native support on 64-bit kernels. Windows Vista DEP works by marking certain parts of memory as being intended to hold only data, which the NX or XD bit enabled processor then understands as non-executable.

Sources:

Ramhound

Posted 2017-09-20T00:12:30.217

Reputation: 28 517

So DEP is Microsoft's fancy name to say they compiled their software with NX support and ASLR libraries? If so, it seems kind of weird to say they require something from the CPU that's really just their own marketing wank on NX. – Evan Carroll – 2017-09-20T00:40:49.457

DEP requires PAE in later versions of Windows. The hardware requirements of Windows Server 2016 and Windows 10 (64-bit) are identical. – Ramhound – 2017-09-20T00:56:09.993

0

There's a hardware-based and software-based DEP. Reference.

Hardware-based DEP requires your CPU support the XD or NX bit. If the CPU attempts to execute code from a page where that bit is set, the CPU will throw a hardware exception and nothing will be executed.

Software-based DEP - that reference provides the following info:

An additional set of Data Execution Prevention security checks have been added to Windows XP SP2. These checks, known as software-enforced DEP, are designed to block malicious code that takes advantage of exception-handling mechanisms in Windows.

and

Software-enforced DEP runs on any processor that can run Windows XP SP2. By default, software-enforced DEP helps protect only limited system binaries, regardless of the hardware-enforced DEP capabilities of the processor.

This can be enabled and used regardless of CPU NX/XD support.

Not sure how the software DEP works but it's probably something like a stack canary used by certain system binaries - reference.

DEP is listed as something the CPU must support in Windows 2016 Server.

Windows 2016 will not run on a CPU that doesn't have hardware NX/XD support. Most if not all CPUs since 2000 (Pentium 4+) have this support, and most certainly any server-class CPU in this decade has it. On any relatively modern system you should not have to worry about this.

LawrenceC

Posted 2017-09-20T00:12:30.217

Reputation: 63 487

The author's processor was discontinued in 2004 so 13 years ago. It doesn't support NX per the specifications by Intel. The processor they wish to purchase does support it though per its own specifications by Intel. – Ramhound – 2017-09-20T01:00:20.817
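An added example, not part of the original thread or either answer: the NX/XD capability discussed above is reported by the CPU through CPUID, and this C program reads that bit directly, together with the PAE bit that DEP on 32-bit Windows depends on. It assumes GCC or Clang (for `<cpuid.h>`); the names `dep_hw`, `classify_dep` and `query_dep` are made up for the example.

```c
/* Added example: decode the CPUID bits that hardware-enforced DEP relies on. */
#include <stdint.h>
#include <stdio.h>
#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>              /* GCC/Clang CPUID helper (assumed toolchain) */
#endif

#define EDX_PAE    (1u << 6)    /* CPUID.01H:EDX bit 6        = PAE */
#define EXT_EDX_NX (1u << 20)   /* CPUID.80000001H:EDX bit 20 = NX (Intel: XD) */

enum dep_hw { DEP_HW_OK, DEP_NO_NX, DEP_NO_PAE, DEP_UNKNOWN };

/* Pure decoder, so the logic can be checked with constructed register values. */
enum dep_hw classify_dep(uint32_t leaf1_edx, uint32_t ext_leaf1_edx)
{
    if (!(ext_leaf1_edx & EXT_EDX_NX))
        return DEP_NO_NX;
    if (!(leaf1_edx & EDX_PAE))
        return DEP_NO_PAE;
    return DEP_HW_OK;
}

/* Query the CPU this program is running on. */
enum dep_hw query_dep(void)
{
#if defined(__x86_64__) || defined(__i386__)
    unsigned int a, b, c, std_edx = 0, ext_edx = 0;
    if (!__get_cpuid(1, &a, &b, &c, &std_edx))
        return DEP_UNKNOWN;
    /* No extended leaf 0x80000001 means the CPU has no way to report NX. */
    if (!__get_cpuid(0x80000001u, &a, &b, &c, &ext_edx))
        return DEP_NO_NX;
    return classify_dep(std_edx, ext_edx);
#else
    return DEP_UNKNOWN;         /* not x86: the NX/XD CPUID bits do not apply */
#endif
}

int main(void)
{
    static const char *msg[] = {
        "NX/XD and PAE present: hardware-enforced DEP is possible",
        "NX/XD not reported: no hardware-enforced DEP",
        "NX reported without PAE (unexpected)",
        "cannot query CPUID on this platform",
    };
    printf("%s\n", msg[query_dep()]);
    return 0;
}
```

A "not reported" result can also mean the feature is switched off in firmware setup, since CPUID then stops advertising the bit, so check the BIOS option before concluding the CPU lacks it.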