Data Execution Prevention - Use, or not use?

RedString

Senior member
Feb 24, 2011
I currently do not have DEP enabled (64 bit Win 7), but after reading this article on Darkreading.com it has made me consider turning it on.

"Another key defense mechanism is turning on data-execution protection (DEP), Guido says. The exploit packs Guido studied contain methods of compromising systems using 19 memory-corruption vulnerabilities. By turning on DEP, the exploitation of 14 of those vulnerabilities would have been prevented, he says."


Hah, just noticed his name is Guido.. Anyways, I assume most of these exploit packs are targeted at networks, which I'm not on, but still it seems a lot of exploits could be deterred by just using DEP or turning off Java. Do you guys turn DEP on? Is it a hassle? Does it use up much resources?

Thanks
 

theevilsharpie

Platinum Member
Nov 2, 2009
I use DEP.

Some games will trigger DEP, especially if you use anything other than the vendor-provided executable. However, Windows will tell you if something triggered DEP, and it's easy to exclude certain executables.

Any computer capable of running Windows 7 64-bit should have hardware DEP, so there shouldn't be a performance hit to using it.
 

Gamingphreek

Lifer
Mar 31, 2003
Data Execution Prevention's (DEP) primary use is preventing Buffer Overflow (aka Stack Smashing) and Heap Overflow attacks.

Typically, on a system without Address Space Layout Randomization (ASLR), after injecting a NOP (0x90) sled into an input field that does not check boundaries and, thus, obliterating the return value, the hacker will simply have it jump to a specific portion of code or just continue on.

In response to ASLR, among other things, people began redirecting the EIP register to other known places in the process stack/heap. DEP prevents code from running in these places.

In short, what I am saying is that DEP is on by default in every Windows environment since XP SP3. You should leave it that way. If you encounter a program that triggers it, then you should add an exception but leave it enabled. It is an incredibly valuable security measure.

-GP
 

RedString

Senior member
Feb 24, 2011
With Windows 7 I have the options:

1* Turn on DEP for essential Windows programs and services only
2* Turn on DEP for all programs and services except those I select

1 is turned on by default, should I leave it that way?
 

Chiefcrowe

Diamond Member
Sep 15, 2008
I use this option: Turn on DEP for all programs and services except those I select

It usually doesn't affect anything but in case it does, it is easy to add an exception.
 

Schadenfroh

Elite Member
Mar 8, 2003
Turn it on for all programs (option 2), if it causes issues (rarely happens), then you can add an exception manually.
 

Bill Brasky

Diamond Member
May 18, 2006
"Turn it on for all programs (option 2), if it causes issues (rarely happens), then you can add an exception manually."

I turned on DEP option #2 because of this thread. Thanks for the heads up! There hasn't been any change in the way my computer behaves so I guess that's good. :)