Data Execution Prevention

5/10/2007

Data Execution Prevention (DEP), also called non-execute (NX), is a Windows memory protection feature that you can use to increase the security of your run-time image.

Marking a region of memory as non-execute prevents applications from executing code stored in it; such a region is intended to hold data only. When an attempt is made to execute code from a non-execute region of memory, an exception is raised.

Hardware-enforced DEP relies on a non-execute (NX)-enabled CPU. An NX-enabled CPU enforces memory protection per virtual page by means of a bit in the page table entry that marks the page as non-executable.

If you do not have an NX-enabled CPU, you can use software-enforced DEP. Software-enforced DEP is designed to mitigate exploits of the exception handling mechanisms in Windows. By default, software-enforced DEP protects only a limited set of system binaries, regardless of whether the processor supports hardware-enforced DEP.

For instructions on adding Data Execution Prevention to your run-time image, see Configuring the Data Execution Prevention Settings of a Run-Time Image.
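As an added check (example code, not from the original page): a PowerShell function that reports the DEP configuration of a running image through the documented Win32_OperatingSystem DEP properties and, on Windows Vista and later, the nx boot entry shown by bcdedit. The function name Get-DepStatus and the warning text are this example's own.

```powershell
# Added example (not from the original page): report the effective DEP configuration
# of the running image. Uses the documented Win32_OperatingSystem DEP properties and
# the 'nx' boot entry from bcdedit; the Get-DepStatus function name is this example's own.
function Get-DepStatus {
    [CmdletBinding()]
    param()

    # Win32_OperatingSystem exposes four DEP-related properties.
    $os = Get-CimInstance -ClassName Win32_OperatingSystem

    # DataExecutionPrevention_SupportPolicy values as documented for Win32_OperatingSystem.
    $policyNames = @{
        0 = 'AlwaysOff'   # DEP disabled for every process
        1 = 'AlwaysOn'    # DEP enforced for every process, no exemptions
        2 = 'OptIn'       # only system binaries and programs that opt in (client default)
        3 = 'OptOut'      # every program unless explicitly exempted (server default)
    }
    $policy = [int]$os.DataExecutionPrevention_SupportPolicy

    # On Vista and later the same setting is the 'nx' boot entry (elevated prompt needed).
    # On XP-based images bcdedit does not exist; the boot.ini /noexecute switch holds it.
    $nxBoot = $null
    try {
        $line = (bcdedit /enum '{current}' 2>$null) | Where-Object { $_ -match '^\s*nx\s+' }
        if ($line) { $nxBoot = ($line -split '\s+')[-1] }
    } catch { }

    [pscustomobject]@{
        HardwareDepAvailable  = [bool]$os.DataExecutionPrevention_Available
        DepFor32BitApps       = [bool]$os.DataExecutionPrevention_32BitApplications
        DepForDrivers         = [bool]$os.DataExecutionPrevention_Drivers
        SupportPolicy         = $policyNames[$policy]
        BootEntryNx           = $nxBoot
        # With OptIn, only the limited set of system binaries is covered by default.
        AllProcessesProtected = ($policy -eq 1 -or $policy -eq 3)
    }
}

$status = Get-DepStatus
$status | Format-List

if (-not $status.HardwareDepAvailable) {
    Write-Warning 'No NX-capable CPU detected: only software-enforced DEP is in effect.'
} elseif (-not $status.AllProcessesProtected) {
    Write-Warning "DEP policy is $($status.SupportPolicy): applications that do not opt in are not covered."
}
```

Run it on the target image after applying the DEP settings to confirm that the policy you configured is the one the system actually reports.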

For more information about NX support, see this Microsoft Web site.

See Also

Other Resources

Best Practices for Security
Network Security Considerations
Local Security Considerations