Data Execution Prevention

Data Execution Prevention (DEP) is a security feature that prevents a program, service, device driver, etc. from executing code out of memory that is not marked as executable. The feature is widely used across operating systems including Linux, Windows, OS X and Android. Here, the functions of Data Execution Prevention are introduced.

Functions of Data Execution Prevention
Data Execution Prevention can protect a computer against some program errors.
Data Execution Prevention can protect a computer against some malicious exploits that rely on executable instructions stored in a data area.
Data Execution Prevention can protect a computer against virus attacks to some extent, but attacks that do not rely on executing instructions from a data area cannot be prevented by it.

To round out the protection, other security features such as Mandatory Integrity Control and Structured Exception Handler Overwrite Protection (SEHOP) can be used in conjunction with Data Execution Prevention.

Running modes of Data Execution Prevention
There are two running modes of Data Execution Prevention, namely hardware-enforced DEP and software-enforced DEP. Unlike anti-virus applications, which try to prevent malicious programs from being installed, both modes of DEP supervise all installed programs and ensure that system memory is used safely. To monitor programs, hardware-enforced DEP tracks the regions of memory that are marked as non-executable. If a program attempts to execute instructions from such a region, Windows automatically shuts the program down so as to protect the system against malicious code. Software-enforced DEP, however, does not protect the computer against execution of code in data pages; it counters SEH overwrites, a different type of attack.
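The following program is an added example, not part of the original article, showing what hardware-enforced DEP actually enforces: a buffer mapped read/write (the way ordinary data is mapped) is copied full of a six-byte x86-64 routine, and calling into it is refused by the CPU; only after the page is explicitly changed to read/execute, never write and execute at once, does the call succeed. It uses the POSIX calls mmap, mprotect and sigsetjmp/siglongjmp so that it runs on Linux or macOS; the Windows equivalents named in the comments (VirtualAlloc with PAGE_READWRITE, VirtualProtect with PAGE_EXECUTE_READ) are an assumption about how the same demonstration would be written there. The sample bytes are constructed for this example and are x86-64 specific; on other architectures the second function reports that and returns -2.

```c
/* dep_demo.c: what DEP/NX enforces, demonstrated on a POSIX system.
 * Windows equivalents (assumed mapping for this example):
 *   mmap(PROT_READ|PROT_WRITE)     ~ VirtualAlloc(..., PAGE_READWRITE)
 *   mprotect(PROT_READ|PROT_EXEC)  ~ VirtualProtect(..., PAGE_EXECUTE_READ) */
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

#ifndef MAP_ANONYMOUS
#define MAP_ANONYMOUS MAP_ANON
#endif

typedef int (*code_fn)(void);

static sigjmp_buf recover;
static volatile sig_atomic_t faulted;

/* The CPU raises a fault when it fetches an instruction from a page without
 * execute permission; the kernel delivers it as SIGSEGV (SIGBUS on some systems). */
static void on_fault(int sig) {
    (void)sig;
    faulted = 1;
    siglongjmp(recover, 1);
}

/* Call the bytes at `p` as a function. Returns the function's result, or -1 if
 * the attempt was blocked by the no-execute protection. */
static int try_execute(void *p) {
    struct sigaction sa, old_segv, old_bus;
    volatile int result = -1;
    code_fn fn;

    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = SA_NODEFER;
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);

    faulted = 0;
    memcpy(&fn, &p, sizeof fn);        /* data pointer -> function pointer */
    if (sigsetjmp(recover, 1) == 0)
        result = fn();                  /* instruction fetch from `p`: DEP decides here */

    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    return faulted ? -1 : result;
}

/* Constructed sample "data": on x86-64 it decodes as `mov eax, 42 ; ret`. */
static const unsigned char sample_bytes[] = { 0xB8, 0x2A, 0x00, 0x00, 0x00, 0xC3 };

/* Map one page the way an ordinary data buffer is mapped (read+write, no
 * execute) and copy the sample bytes into it. The caller unmaps it. */
static void *map_data_page(size_t *len) {
    *len = (size_t)sysconf(_SC_PAGESIZE);
    void *p = mmap(NULL, *len, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) return NULL;
    memcpy(p, sample_bytes, sizeof sample_bytes);
    return p;
}

/* 1 if executing from a plain read/write data page is blocked (DEP in effect),
 * 0 if the bytes ran anyway, -1 on a mapping error. Architecture independent:
 * the fetch is refused before the bytes are ever decoded. */
int exec_from_rw_is_blocked(void) {
    size_t len;
    void *p = map_data_page(&len);
    if (!p) return -1;
    int blocked = (try_execute(p) == -1);
    munmap(p, len);
    return blocked;
}

/* What a legitimate JIT does: write the code, then flip the page to
 * read+execute (never write+execute) before calling it. Returns 42 on x86-64;
 * -2 elsewhere, since the sample bytes are x86-64 specific. */
int exec_after_making_executable(void) {
#if !defined(__x86_64__)
    return -2;
#else
    size_t len;
    void *p = map_data_page(&len);
    if (!p) return -1;
    int r = -1;
    if (mprotect(p, len, PROT_READ | PROT_EXEC) == 0)
        r = try_execute(p);
    munmap(p, len);
    return r;
#endif
}

int main(void) {
    printf("executing from a RW data page blocked: %s\n",
           exec_from_rw_is_blocked() == 1 ? "yes (DEP in effect)" : "no");
    printf("after mprotect(PROT_READ|PROT_EXEC): %d\n",
           exec_after_making_executable());
    return 0;
}
```

The first function is the behaviour the article describes: the program is stopped by a fault the moment it tries to run instructions out of a region marked non-executable, regardless of what the bytes are. The second shows the discipline DEP imposes on code that legitimately generates instructions at run time (JIT compilers, some packers): memory is writable or executable, not both, and the transition is an explicit, auditable request to the operating system.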

Enable and disable DEP on computer
If users want to enable Data Execution Prevention on Windows XP SP2, they can follow these steps:
Firstly, open System Properties and then click Advanced.
Secondly, find the relevant settings and set DEP to Enabled.

By default, DEP is enabled only for essential Windows programs and services, so users need to change the settings if they want DEP enabled for other programs. Generally, the default configuration of DEP protects the core Windows components and services while minimizing the impact on application compatibility. Users can, however, amend the DEP configuration to harden the system further, at the cost of a greater risk of application compatibility issues.

Notes about DEP use
Some users may ask, "Is it safe to keep running a program once DEP has shut it down?" As long as users enable DEP for the program, subsequent runs are protected: Windows tracks all instructions in the protected regions of memory and blocks malicious attacks. If the program then fails to run normally, users can obtain another edition that is compatible with DEP, so as to lower the security risk.