Windows Vista, ASLR, DEP and OEMs


As I mentioned in a previous series of posts, we recently had all the major OEMs on campus to discuss SDL and how we can work together. My big ask of the OEMs (actually, I grovelled, it was pathetic) was to enable DEP/NX in the BIOS by default on all their shipping PCs in time for Windows Vista.


The reason for this ask is pretty simple: for ASLR to be effective, DEP/NX must be enabled by default too.


Here’s the good news: I found out yesterday that all the major OEMs (you know who they are!) have agreed to not disable DEP/NX in their BIOSes by default.


This is huge!


If you’re an OEM reading this – THANKS!


Note: you can verify whether your PC has DEP enabled by following these steps.



  1. Open the Control Panel

  2. Select System & Maintenance

  3. Click System

  4. Click Advanced system settings

  5. Click the Advanced tab

  6. Click Performance Settings

  7. Click the Data Execution Prevention tab

You should see the dialog box below. If not, check your BIOS and make sure your CPU is capable of DEP/NX; most CPUs these days support DEP/NX.




Comments (19)

  1. duk says:

    ASLR is independent of the DEP/NX.

  2. grovellee says:

    they’re agreed to *not* enable…  ???

  3. interesting says:

    The double negative had me going for a loop there for a bit.. Once I realized they were enabling DEP it was cool 🙂

  4. The wording is correct. By default CPUs and the OS support DEP/NX. But OEMs *can* disable it in their BIOS. We asked them not to disable it!!

  5. Nigel says:

    I thought that the Data Execution Prevention tab didn’t say anything (at the bottom) when hardware-based DEP was available, but did say "Your computer’s processor does not support hardware-based DEP" if it was BIOS-disabled or otherwise not available.

  6. We changed it for the final release of Windows Vista.

  7. chazz says:

    So I guess apps that don’t play nicely with DEP will yield messages like "The instruction at "0x77f41d24" referenced memory at "0x00000000." The memory could not be written." from the O/S then? I mean it’s the programmers that have to write better code, right?

  8. ed says:

    According to Joe Wilcox at eweek, the network connection is tempermental? You are online one second and then you lose your network connection. Has this been fixed? You talk about so many things about Vista but the key feature, network stability, seems to be left out. Assumed that it is stable. Check out eweek’s podcast.

  9. calsz says:

    This news is false, because ASLR works on every CPU !!!

  10. calsz, this news is correct, DEP is not enabled on all CPUs. This blog post is about how DEP must be enabled for ASLR to be effective

  11. >>According to Joe Wilcox at eweek

    >>the network connection is tempermental [sic]

    I couldn’t find anything about this on the eweek site – can you pls send me the URL?

  12. Skywing says:

    However, third party binaries must still "opt-in" to full ASLR to receive image base randomizations.  Heap and stack address randomizations are globally on by default, however.  Virtually all of the Microsoft binaries that ship with Vista opt in to ASLR for image base addresses, which is absolutely a good thing, but third party software will not (by default) take full advantage of ASLR without being recompiled (technically, it is possible to flip the necessary bit in the PE header with a hex editor or the like, but I wouldn’t consider that a general use solution).

    Specifically, PE images must be linked with a new linker option that sets a new flag in the PE header which indicates to Vista that the image is ASLR aware and wants to have its base address randomized.  This extra step is required even for images that were built with base relocations, so there is still a necessary call to action for ISVs to relink their binaries with the ASLR-aware flag.  More details at Nynaeve.net: http://www.nynaeve.net/?p=100
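A way to audit the opt-in Skywing describes, as an added example (this is not code from the post, from Skywing, or from Microsoft): the script parses a PE image’s headers and reports the DllCharacteristics bits behind the linker’s ASLR and DEP opt-ins (IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE, set by link.exe /DYNAMICBASE, and IMAGE_DLLCHARACTERISTICS_NX_COMPAT, set by /NXCOMPAT), together with whether base relocations survived, since the loader cannot rebase an image whose relocations were stripped even if the flag is set. The sample images are constructed in memory, and the function names are the example’s own.

```python
"""Audit a PE image's ASLR/DEP opt-in flags by parsing its headers.

Added example for this page (not Microsoft's or Skywing's code). The header
offsets and flag values are the documented PE/COFF ones; the sample images are
constructed in memory so the script runs offline.
"""
import struct

# IMAGE_OPTIONAL_HEADER.DllCharacteristics bits (documented PE/COFF values).
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # set by link.exe /DYNAMICBASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100     # set by link.exe /NXCOMPAT
# IMAGE_FILE_HEADER.Characteristics bit: base relocations were stripped.
IMAGE_FILE_RELOCS_STRIPPED = 0x0001

PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B


def audit_pe(image: bytes) -> dict:
    """Return the ASLR/DEP posture of a PE image held in memory.

    Only the DOS header pointer, the COFF file header and the start of the
    optional header are read; truncated or non-PE input raises ValueError
    rather than being misreported as "not opted in".
    """
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("not an MZ image")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")

    # IMAGE_FILE_HEADER: Machine(2) NumberOfSections(2) TimeDateStamp(4)
    # PointerToSymbolTable(4) NumberOfSymbols(4) SizeOfOptionalHeader(2)
    # Characteristics(2) -- 20 bytes in total.
    file_hdr = e_lfanew + 4
    size_of_opt, characteristics = struct.unpack_from("<HH", image, file_hdr + 16)
    opt_hdr = file_hdr + 20
    if size_of_opt < 72 or len(image) < opt_hdr + 72:
        raise ValueError("optional header too short to hold DllCharacteristics")

    (magic,) = struct.unpack_from("<H", image, opt_hdr)
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError(f"unknown optional header magic 0x{magic:x}")
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+ optional headers.
    (dll_chars,) = struct.unpack_from("<H", image, opt_hdr + 70)

    dynamic_base = bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)
    relocs_stripped = bool(characteristics & IMAGE_FILE_RELOCS_STRIPPED)
    return {
        "pe32plus": magic == PE32PLUS_MAGIC,
        "dynamic_base": dynamic_base,
        "nx_compat": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        "relocs_stripped": relocs_stripped,
        # The loader can only randomize the image base if the flag is set AND
        # the relocation data needed to rebase the image is still present.
        "image_base_randomizable": dynamic_base and not relocs_stripped,
    }


def build_sample_pe(dll_characteristics: int, file_characteristics: int = 0,
                    pe32plus: bool = False) -> bytes:
    """Construct a minimal PE header (constructed test data, not a real binary)."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt_size = 240 if pe32plus else 224  # standard sizes incl. 16 data directories
    file_hdr = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 1, 0, 0, 0,
                           opt_size, file_characteristics)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    struct.pack_into("<H", opt, 70, dll_characteristics)
    return bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt)


if __name__ == "__main__":
    samples = {
        "Vista-era opted-in image": build_sample_pe(
            IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE | IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        "legacy ISV binary (no flags)": build_sample_pe(0),
        "flag set but relocations stripped": build_sample_pe(
            IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE, IMAGE_FILE_RELOCS_STRIPPED),
    }
    for name, img in samples.items():
        print(name, audit_pe(img))
```

To audit a real binary, read the file into `bytes` and pass it to `audit_pe`; the third sample shows why the relocation check matters, since an image that merely has the flag flipped but carries no relocation data will still load at its preferred base.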

  13. Mike says:

    What happens if the CPU does not have DEP/NX capability? So what happens to the ASLR now? Does ASLR still protect me, or is this feature turned off?

  14. Cd-MaN says:

    Why do you say that "for ASLR to be effective, DEP/NX must be enabled by default too"? As I understand it, they are completely different and independent features which try to address two key points of exploits: the fact that they usually overwrite data, so if we prevent the execution from that portion of memory we prevented some exploits, and the other the fact that exploits must call library functions to do their work (and don’t have the luxury of waiting for the loader to tell those addresses).

    The only point where I can see some relation between the two is the fact that it will be harder to find a JMP ESP instruction with a stable address (which is useful for stack overflow attacks – the kind DEP/NX should prevent)

  15. Cd-MaN, you answered your own question in your last paragraph!

  16. calsz says:

    Howard said: "calsz, this news is correct, DEP is not enabled on all CPUs. This blog post is about how DEP must be enabled for ASLR to be effective"

    DEP is NOT ASLR!!!

    ASLR works with every CPU also with DEP disabled.

  17. calsz says:

    Howard said: "calsz, this news is correct, DEP is not enabled on all CPUs. This blog post is about how DEP must be enabled for ASLR to be effective"

    DEP is NOT ASLR!!!

    DEP is NOT a requisite for ASLR!!!

    ASLR works with every CPU also with DEP disabled.

  19. Eh Canadian says:

    Dear Michael,

    I hate to rain on the parade, but I wouldn’t trust vendors (especially Toshiba) to keep their word on this. Toshiba’s support and configuration is poor. They have a track record of being slow and conservative. Try accessing their support website for downloads (i.e. manuals, BIOS updates, drivers etc.); you’ll be lucky to get a 6KB/s download and luckier still if the download doesn’t stall. Disabling the NX/DEP is incredibly arrogant and sloppy of these vendors. Crippling a security feature like this is really wrong. BTW I just saw brand new VISTA ready Toshiba laptops and all of them had the NX/DEP disabled (with no option to turn it on in BIOS setup).