NX and You - How NX works
(Page 2 of 4)
With all this discussion on NX, we should go into the details of how it works. If, as Intel and Microsoft would want it, you were basing purchasing decisions on this, you ought to know exactly what you're buying into, and why Microsoft thinks it is such a great thing.
Some of the most recent viruses that have been extremely destructive to corporations, such as Blaster and Slammer, operate because of something called a buffer overflow. Simply put, buffer overflows happen when a program tries to allocate memory and then uses more than it was supposed to. For example, a program could have a small subroutine that pops up a dialog box with a space to type in a username and set aside 8 bytes for it, but not force the user to only type in 8 characters. In order for the processor to run the subroutine, it needs to bookmark where it was so that it can pick up where it left off. That bookmark is saved before the 8 bytes are allocated.
If the user typed in 9 characters, the ninth byte is written into memory, possibly overwriting other data. In a buffer overflow exploit, the data that is overwritten is the bookmark. The address that the bookmark points to can be anywhere in memory - in the program's executable code or in its data. Worm writers use this to change the address to point to their own code, fooling the operating system into thinking it's executing the program when it's actually executing the worm.
Operating systems know what areas of memory hold code and what areas hold data for a particular program. These areas are called pages. When the overwritten bookmark points to a data page, most operating systems continue to execute whatever they were pointed to. If an operating system knows that a page is supposed to contain data and is running on an NX-supporting processor, the operating system marks the page to say that it contains no executable code. That way, if the operating system tells the processor to execute code from a data page, the processor can check for the mark placed by the operating system, tell the operating system that something is wrong and refuse. In Windows, these messages usually result in the monitor having a blue background, white text and a general feeling of death.
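The page marking described above can be inspected on a running process. The following is an added example, not code from the original article, and it assumes Linux rather than Windows: it reads /proc/self/maps to report whether the pages holding an 8-byte stack buffer, a heap buffer and a function are marked executable. All function names are hypothetical.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Copy the permission string (e.g. "rw-p", "r-xp") of the mapping that
   contains addr into perms. Returns 0 on success, -1 if no mapping matched. */
static int page_perms(const void *addr, char perms[5]) {
    FILE *maps = fopen("/proc/self/maps", "r");   /* Linux-only assumption */
    if (!maps) return -1;
    char line[512];
    int found = -1;
    while (fgets(line, sizeof line, maps)) {
        uintptr_t start, end;
        char p[5];
        if (sscanf(line, "%" SCNxPTR "-%" SCNxPTR " %4s", &start, &end, p) != 3)
            continue;                             /* not a "start-end perms" line */
        if ((uintptr_t)addr >= start && (uintptr_t)addr < end) {
            memcpy(perms, p, sizeof p);
            found = 0;
            break;
        }
    }
    fclose(maps);
    return found;
}

/* 1 if the page holding addr is marked executable, 0 if not, -1 if unknown. */
static int is_executable(const void *addr) {
    char perms[5];
    return page_perms(addr, perms) == 0 ? perms[2] == 'x' : -1;
}

static int stack_is_executable(void) {
    char username[8];                             /* data on the stack */
    return is_executable(username);
}
static int heap_is_executable(void) {
    char *buf = malloc(8);                        /* data on the heap */
    int r = buf ? is_executable(buf) : -1;
    free(buf);
    return r;
}
static int code_is_executable(void) {             /* the program's own code */
    return is_executable((const void *)(uintptr_t)&is_executable);
}

int main(void) {
    printf("stack executable: %d\n", stack_is_executable());
    printf("heap executable:  %d\n", heap_is_executable());
    printf("code executable:  %d\n", code_is_executable());
    return 0;
}
```

A result of 1 for the stack or heap means the process is running without the page marking this article describes for its data pages.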
In essence, worms can be stopped at the hardware level because the worm's code won't be executed. Keep in mind that, theoretically, if a worm injects its code into a page marked as executable (possible, but not terribly likely), the operating system and the processor won't know any better and will happily allow the worm to spread. If the processor doesn't support NX, Microsoft's DEP does almost nothing for you - there is a very limited software NX 'implementation' in XP SP2 - which is why I said that for most people, it has no benefit.
The limited software NX implementation in Windows XP SP2 does provide some protection. Microsoft says that SP2 allows Microsoft to improve the security of core libraries and executables, and this is enabled by default on all computers capable of installing SP2. This, along with the fact that Microsoft used a new stack-checking compiler on the core as well, means the probability of the Windows core getting corrupted drops significantly.