Athlon64 EVP and P4 EDB vs. Buffer overflows

Discussion in 'malware problems & news' started by Devinco, Oct 30, 2005.

Thread Status:
Not open for further replies.
  1. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    We've all heard the hype from AMD about EVP (Enhanced Virus Protection, formerly known as DEP, Data Execution Protection).
    We've also heard the hype from Intel about EDB (Execute Disable Bit).
    These, with Windows XP SP2, are supposed to stop the buffer overflow vulnerabilities that allow viruses and trojans to execute on the computer.

    How effective are these hardware solutions in a real world situation?
    Say you have SP2 (to enable EVP & EDB) but none of the newer patches, so there are some known buffer overflow exploits. Would these exploits be blocked (using only EVP or EDB, no additional security software)?
    Does it only work with OS buffer overflow exploits or other program buffer overflows (like WinZip, etc.)?

    Has anyone read any reviews, tests, or comparisons of either?
    Are EVP and EDB just hype to sell new CPUs but in actuality something that is easily bypassed or doesn't work at all?

    It would be nice to know.
     
  2. WSFuser

    WSFuser Registered Member

    Joined:
    Oct 7, 2004
    Posts:
    10,632
    I would think DEP would block some exploits, but only for the programs it's enabled on. You can choose between "Essential Windows programs and services only" or just "all services" with an available whitelist. Also, I have never read any reviews on this and I don't know how Windows would react to an exploit (is there a message/alert, BSOD, ...). There are issues between DEP and some software like BlackICE (maybe) and Look 'n' Stop (only if you enable "watch thread injection"). Issues may also be present between DEP and programs like StackDefender.
     
  3. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    Thanks for your reply WSFuser.
    It still seems pretty confusing. You would think the people who make the tech, AMD and Intel, would have some actual tests that could show how great it is, like a before and after. The way it is, they are unclear and have a little cartoon video that really doesn't show anything. Makes one suspicious if it really does work. :doubt:
     
  4. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    It should be effective in many, but not all, cases.

    One reason is that this technique relies on programs specifying which parts are code and which are data. If a programmer decides not to bother and flags everything as code (an easy way to avoid any DEP-related errors), then their data area will not be excluded from being run and could be used by a knowledgeable attacker.

    It is also possible to disable DEP for individual programs using the NtSetInformationProcess function and this could be used by a buffer overflow attack (see Bypassing Windows Hardware-enforced Data Execution Prevention).

    Another is that program code is not protected by DEP so a buffer overflow that tries to inject new code into a program will not be affected by DEP (see Buffer overflow attacks bypassing DEP for an example).

    Finally, it is possible for buffer overflows to bypass software DEP, see Defeating Microsoft Windows XP SP2 Heap protection and DEP bypass.

    Essentially, simple buffer overflow attacks (inject some data, run it as code) should be blocked by DEP but they can be tweaked to get round DEP's restrictions.
     
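Two of the points in Paranoid2000's reply can be shown on a real machine: a plain "inject data, run it as code" attempt fails on a page that is not flagged executable, while an overflow that merely redirects a function pointer to code that already exists in the program is untouched by DEP. The following is an added example, not code from the thread or from AMD/Intel/Microsoft. It assumes Linux on x86 or x86-64 with the NX bit enabled; the `session` struct, the `grant_admin` target, the six-byte "injected code" stub and the attacker payload are all constructed for this illustration. Build with `cc -O2 -o dep_demo dep_demo.c`.

```c
/* dep_demo.c: added illustration of DEP/NX behaviour (not from the thread).
 * Assumes Linux on x86/x86-64 with NX enabled. */
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

#if defined(__x86_64__) || defined(__i386__)
#define HAVE_X86_STUB 1
/* Constructed "injected code": mov eax, 42 ; ret */
static const unsigned char injected[] = { 0xb8, 0x2a, 0x00, 0x00, 0x00, 0xc3 };
#else
#define HAVE_X86_STUB 0
static const unsigned char injected[] = { 0x00 };   /* faults on other CPUs */
#endif

enum { RESULT_FAULTED = -1, RESULT_NO_RWX = -2 };

static sigjmp_buf fault_env;
static void on_fault(int sig) { (void)sig; siglongjmp(fault_env, 1); }

/* Part 1: copy the injected bytes into a fresh page and try to run them.
 * executable == 0 : page is RW only, what DEP/NX gives a data page.
 * executable != 0 : page is RWX, what an attacker gets without DEP.
 * Returns 42 if the bytes ran, RESULT_FAULTED if the CPU refused. */
int inject_and_run(int executable)
{
    int prot = PROT_READ | PROT_WRITE | (executable ? PROT_EXEC : 0);
    long pagesz = sysconf(_SC_PAGESIZE);
    unsigned char *page = mmap(NULL, (size_t)pagesz, prot,
                               MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (page == MAP_FAILED)
        return RESULT_NO_RWX;          /* e.g. an execmem policy denial */
    memcpy(page, injected, sizeof injected);

    struct sigaction sa, old_segv, old_ill, old_bus;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGILL, &sa, &old_ill);
    sigaction(SIGBUS, &sa, &old_bus);

    int result;
    if (sigsetjmp(fault_env, 1) == 0) {
        int (*fn)(void) = (int (*)(void))(void *)page;
        result = fn();                 /* "return into the buffer" */
    } else {
        result = RESULT_FAULTED;       /* NX: data page is not executable */
    }

    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGILL, &old_ill, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    munmap(page, (size_t)pagesz);
    return result;
}

/* Part 2: existing code in the program that an attacker would like to reach. */
struct session {
    char name[16];
    void (*on_done)(struct session *);
    int admin;
};

static void audit_log(struct session *s) { (void)s; }      /* benign callback */
static void grant_admin(struct session *s) { s->admin = 1; } /* attacker's goal */

/* A DEP-proof attack: the overflow injects no code at all, it only lays the
 * address of grant_admin over s.on_done. Returns s.admin after the callback. */
int code_reuse_demo(void)
{
    struct session s;
    memset(&s, 0, sizeof s);
    s.on_done = audit_log;

    /* Constructed payload: 16 filler bytes, then the address of grant_admin
     * positioned exactly where on_done lives in the struct. */
    unsigned char payload[offsetof(struct session, on_done) + sizeof(void (*)(struct session *))];
    memset(payload, 'A', sizeof payload);
    void (*target)(struct session *) = grant_admin;
    memcpy(payload + offsetof(struct session, on_done), &target, sizeof target);

    /* The vulnerable copy: trusts the attacker's length and writes past name[] */
    memcpy((char *)&s, payload, sizeof payload);

    s.on_done(&s);      /* calls grant_admin: real, executable program code */
    return s.admin;     /* 1 with or without DEP: no data page was executed */
}

int main(void)
{
    printf("inject into RW page : %d (expect %d, blocked by NX)\n",
           inject_and_run(0), RESULT_FAULTED);
    printf("inject into RWX page: %d (42 if the stub ran)\n", inject_and_run(1));
    printf("code reuse, admin=%d (DEP cannot help here)\n", code_reuse_demo());
    return 0;
}
```

The first call faults because the CPU refuses to fetch instructions from a page without the execute permission, which is exactly the protection EVP/EDB provide; the second call runs the same bytes once the page is marked executable, which is what a program that "flags everything as code" hands back to the attacker; the third never executes data at all, so DEP has nothing to object to.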
  5. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    Thank you Paranoid2000. :)
    Your excellent answer is just the information I have been searching for.

    Cheers!
     