October 14th 18, 08:01 PM posted to alt.windows7.general
Brian Gregory[_2_]
Data Execution Prevention (DEP)

On 14/10/2018 14:57, Mayayana wrote:
"Jeff Barnett" wrote

| Several years ago it was difficult to use the DEP capability provided by
| modern hardware because both older programs and the OS played silly
| tricks to save a microsecond here and there. I, like most of you I
| presume, only turned on DEP capability for OS functions. My question is
| what is recommended for today given that I'm no longer running all those
| old 95, 98, and XP programs that I thought I couldn't live without?
|

You say you no longer use those programs, so what
does it matter? In that case, why not enable DEP
globally? If you decide to use one of the mentioned programs
then why not just exempt it? DEP doesn't have to be
set all or nothing.

On the one hand, software should have dealt with
DEP a long time ago. I wrote some DEP-ignoring
software at one time based on code from Matthew
Curland, a top Microsoft programmer. He'd written
that code before DEP. It wasn't silly. It was very
clever stuff. But it conflicted when DEP was instituted.
I had to change that code more than 10 years ago.

On the other hand, DEP addresses a very minor security
issue that's likely to be relevant *maybe* in rare cases
with browsers. It's about running executable
code from RAM assigned for data storage. Anything that's
already running on your computer can already execute,
so DEP is for avoiding things like buffer overrun bugs
in browsers. And any malware attacks that depend on
DEP being disabled are not going to work very well.

You could turn it off except for software that goes
online. Personally I've had DEP disabled for years. But
I'm also very careful online. I don't see any reason not
to enable it globally if it doesn't cause problems. Why
not? For good measure if nothing else.

I just don't think it matters much one way or the other.
Do what works. I assume it's already enabled in Win7 and
you're not having any problems. So why worry about it?
The only problem I can think of would be if you installed
something non-DEP-aware and it kept crashing. I'm not
sure you'd be able to figure out that the problem was
DEP. I don't think it would ever occur to me.


I disagree that DEP addresses a minor security issue.

Without DEP many buffer overflow exploits are trivial to exploit
compared with the situation with DEP, where things get tricky, especially
when there is also ASLR and the like to make successful exploitation of
a buffer overflow even harder. But disable DEP and ASLR becomes largely
irrelevant and the exploit is easy again.

--

Brian Gregory (in England).