Windows Vista, ASLR, DEP and OEMs

As I mentioned in a previous series of posts, we recently had all the major OEMs on campus to discuss SDL and how we can work together. My big ask of the OEMs (actually, I grovelled, it was pathetic) was to enable DEP/NX in the BIOS by default on all their shipping PCs in time for Windows Vista.

The reason for this ask is pretty simple: for ASLR to be effective, DEP/NX must be enabled by default too.

Here's the good news: I found out yesterday that all the major OEMs (you know who they are!) have agreed to not disable DEP/NX in their BIOSes by default.

This is huge!

If you're an OEM reading this - THANKS!

Note, you can verify if your PC has DEP enabled by following these steps.

  1. Open the Control Panel
  2. Select System & Maintenance
  3. Click System
  4. Click Advanced system Settings
  5. Click the Advanced tab
  6. Click Performance Settings
  7. Click the Data Execution Prevention tab

You should see the dialog box below. If not, check your BIOS and make sure your CPU is capable of DEP/NX; most CPUs these days support it.

Comments

  • Anonymous
    December 05, 2006
    ASLR is independent of DEP/NX.

  • Anonymous
    December 07, 2006
    they're agreed to not enable...  ???

  • Anonymous
    December 07, 2006
    The double negative had me going for a loop there for a bit.. Once I realized they were enabling DEP it was cool :)

  • Anonymous
    December 07, 2006
    The wording is correct. By default CPUs and the OS support DEP/NX. But OEMs can disable it in their BIOS. We asked them not to disable it!!

  • Anonymous
    December 07, 2006
    The comment has been removed

  • Anonymous
    December 08, 2006
    We changed it for the final release of Windows Vista.

  • Anonymous
    December 09, 2006
    So I guess apps that don't play nicely with DEP will yield messages like "The instruction at "0x77f41d24" referenced memory at "0x00000000." The memory could not be written." from the O/S then? I mean it's the programmers that have to write better code, right?

  • Anonymous
    December 13, 2006
    According to Joe Wilcox at eweek, the network connection is tempermental? You are online one second and then you lose your network connection. Has this been fixed? You talk about so many things about Vista but the key feature, network stability, seems to be left out. Assumed that it is stable. Check out eweek's podcast.

  • Anonymous
    December 14, 2006
    This news is false, because ASLR works on every CPU !!!

  • Anonymous
    December 15, 2006
    calsz, this news is correct, DEP is not enabled on all CPUs. This blog post is about how DEP must be enabled for ASLR to be effective

  • Anonymous
    December 15, 2006
    >>According to Joe Wilcox at eweek >>the network connection is tempermental [sic] I couldn't find anything about this on the eweek site - can you pls send me the URL?

  • Anonymous
    December 15, 2006
    However, third party binaries must still "opt-in" to full ASLR to receive image base randomizations.  Heap and stack address randomizations are globally on by default, however.  Virtually all of the Microsoft binaries that ship with Vista opt in to ASLR for image base addresses, which is absolutely a good thing, but third party software will not (by default) take full advantage of ASLR without being recompiled (technically, it is possible to flip the necessary bit in the PE header with a hex editor or the like, but I wouldn't consider that a general use solution). Specifically, PE images must be linked with a new linker option that sets a new flag in the PE header which indicates to Vista that the image is ASLR aware and wants to have its base address randomized.  This extra step is required even for images that were built with base relocations, so there is still a necessary call to action for ISVs to relink their binaries with the ASLR-aware flag.  More details at Nynaeve.net: http://www.nynaeve.net/?p=100
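The opt-in described in the comment above can be audited straight from the PE headers. This is an added example, not code from the original post or from any commenter: it reads the `DllCharacteristics` field, with flag names and values taken from Microsoft's PE/COFF specification (`/DYNAMICBASE` and `/NXCOMPAT` are the linker options that set them); `build_sample` and the header blob it returns are constructed for the demonstration.

```python
import struct
import sys
from pathlib import Path

# Bit values from the Microsoft PE/COFF specification.
IMAGE_FILE_RELOCS_STRIPPED = 0x0001             # COFF Characteristics
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # set by link.exe /DYNAMICBASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100     # set by link.exe /NXCOMPAT


def pe_mitigation_flags(data: bytes) -> dict:
    """Read the ASLR and DEP opt-in bits from the headers of a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)  # e_lfanew
    if pe_off + 24 > len(data) or data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # SizeOfOptionalHeader and Characteristics are the last two COFF fields.
    opt_size, characteristics = struct.unpack_from("<HH", data, pe_off + 20)
    opt_off = pe_off + 24
    if opt_size < 72 or opt_off + 72 > len(data):
        raise ValueError("optional header too short")
    (magic,) = struct.unpack_from("<H", data, opt_off)
    if magic not in (0x10B, 0x20B):  # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+.
    (dll_chars,) = struct.unpack_from("<H", data, opt_off + 70)
    has_relocs = not (characteristics & IMAGE_FILE_RELOCS_STRIPPED)
    dynamic_base = bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)
    return {
        "has_relocations": has_relocs,
        "dynamic_base": dynamic_base,
        "nx_compat": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        "image_base_aslr_eligible": dynamic_base and has_relocs,  # needs both
    }


def build_sample(characteristics: int, dll_chars: int) -> bytes:
    """Constructed header-only PE32 blob for the demo (not a loadable image)."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 96, characteristics)
    opt = bytearray(96)
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<H", opt, 70, dll_chars)
    return dos + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    for path in sys.argv[1:]:
        print(path, pe_mitigation_flags(Path(path).read_bytes()))
```

Run it with one or more `.exe` or `.dll` paths as arguments to list which images have opted in; an image that keeps its relocations but lacks the `dynamic_base` bit is the case the comment describes.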

  • Anonymous
    December 15, 2006
    What happens if the CPU does not have DEP/NX capability? So what happens to ASLR now? Does ASLR still protect me or is this feature turned off?

  • Anonymous
    December 16, 2006
    The comment has been removed

  • Anonymous
    December 17, 2006
    Cd-MaN, you answered your own question in your last paragraph!

  • Anonymous
    December 18, 2006
    Howard said: "calsz, this news is correct, DEP is not enabled on all CPUs. This blog post is about how DEP must be enabled for ASLR to be effective" DEP is NOT ASLR!!! ASLR works with every CPU also with DEP disabled.

  • Anonymous
    December 18, 2006
    Howard said: "calsz, this news is correct, DEP is not enabled on all CPUs. This blog post is about how DEP must be enabled for ASLR to be effective" DEP is NOT ASLR!!! DEP is NOT a requisite for ASLR!!! ASLR works with every CPU also with DEP disabled.

  • Anonymous
    January 23, 2007
    Dear Michael, I hate to rain on the parade, but I wouldn't trust vendors (especially Toshiba) to keep their word on this. Toshiba's support and configuration is poor. They have a track record of being slow and conservative. Try accessing their support website for downloads (i.e. manuals, BIOS updates, drivers etc.); you'll be lucky to get a 6KB/s download and luckier still if the download doesn't stall. Disabling the NX/DEP is incredibly arrogant and sloppy of these vendors. Crippling a security feature like this is really wrong. BTW I just saw brand new VISTA ready Toshiba laptops and all of them had the NX/DEP disabled (with no option to turn it on in BIOS setup).