Data Execution Prevention
5/10/2007
Data Execution Prevention (DEP), also called non-execute (NX), is a Windows memory protection feature that you can use to increase the security of your run-time image.
Marking a region of memory as non-execute prevents applications from executing code stored in a region intended for data only. When an attempt is made to execute code from a non-execute region of memory, an exception is raised.
Hardware-enforced DEP requires a non-execute (NX)-enabled CPU. The NX-enabled CPU enforces memory protection per virtual page by means of a bit in the page table entry.
If you do not have an NX-enabled CPU, you can use software-enforced DEP. Software-enforced DEP is designed to mitigate exploits of the exception handling mechanisms in Windows. By default, software-enforced DEP protects only a limited set of system binaries, regardless of the hardware-enforced DEP capabilities of the processor.
For instructions on adding Data execution prevention to your run-time image, see Configuring the Data Execution Prevention Settings of a Run-Time Image.
For more information about NX support, see this Microsoft Web site.
See Also
Other Resources
Best Practices for Security
Network Security Considerations
Local Security Considerations