3

Coreinfo shows me a bunch of instructions my processor supports. However, one that I'm interested in is DEP (Data Execution Prevention). DEP is listed as something the CPU must support in Windows 2016 Server. What is it?

The docs from Microsoft seem to link it with NX. What's the difference between DEP and NX, and how do I find out if my processor supports DEP?

Evan Carroll
  • 9,518

2 Answers

1

Data Execution Prevention (DEP) is a system-level memory protection feature that is built into the operating system starting with Windows XP and Windows Server 2003. DEP enables the system to mark one or more pages of memory as non-executable. Marking memory regions as non-executable means that code cannot be run from that region of memory, which makes it harder to exploit buffer overruns.

If we combine that with the information from your own link, we determine that, when combined with ASLR (which requires the NX bit), DEP becomes synonymous with NX. Specifically, the ASLR implementation within Windows Server 2016 requires it.

But when it is combined with other technologies like Address Space Layout Randomization (ASLR), it helps prevent common buffer overflow vulnerabilities in Windows Internet Explorer and the add-ons that it loads. No additional user interaction is required to provide this protection, and no new prompts are introduced.

Additionally:

Microsoft added ASLR functionality in Windows Vista and Windows Server 2008. On this platform, DEP is implemented through the automatic use of PAE kernel in 32-bit Windows and the native support on 64-bit kernels. Windows Vista DEP works by marking certain parts of memory as being intended to hold only data, which the NX or XD bit enabled processor then understands as non-executable.

Sources:

Ramhound
  • 44,080
0

There's hardware-based and software-based DEP. Reference.

Hardware-based DEP requires that your CPU support the XD or NX bit. If the CPU attempts to execute code from a page where that bit is set, the CPU will throw a hardware exception and nothing will be executed.

Software-based DEP - that reference provides the following info:

An additional set of Data Execution Prevention security checks have been added to Windows XP SP2. These checks, known as software-enforced DEP, are designed to block malicious code that takes advantage of exception-handling mechanisms in Windows.

and

Software-enforced DEP runs on any processor that can run Windows XP SP2. By default, software-enforced DEP helps protect only limited system binaries, regardless of the hardware-enforced DEP capabilities of the processor.

This can be enabled and used regardless of CPU NX/XD support.

Not sure how the software DEP works, but it's probably something like a stack canary used by certain system binaries - reference.

DEP is listed as something the CPU must support in Windows 2016 Server.

Windows 2016 will not run on a CPU that doesn't have hardware NX/XD support. Most, if not all, CPUs since 2000 (Pentium 4+) have this support, and most certainly any server-class CPU in this decade has it. On any relatively modern system you should not have to worry about this.

LawrenceC
  • 75,182
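To answer the "how do I find out" half of the question in terms of what Windows itself reports, here is an added PowerShell example (not code from either answer above). It reads the four DEP properties that the Win32_OperatingSystem WMI class exposes, maps the numeric support policy to its name, and pulls the boot-time `nx` setting from `bcdedit`. It assumes a Windows 8 / Server 2012 or later host so that `Get-CimInstance` is available, and the `bcdedit` call needs an elevated prompt (it is silently skipped otherwise). The `Get-DepStatus` function name is this example's own.

```powershell
# Added example: report hardware DEP availability and the DEP policy from Windows' own view.
# Win32_OperatingSystem exposes four DEP properties:
#   DataExecutionPrevention_Available         - True when the CPU has NX/XD and
#                                               hardware-enforced DEP is in use
#   DataExecutionPrevention_SupportPolicy     - 0 AlwaysOff, 1 AlwaysOn,
#                                               2 OptIn (client default), 3 OptOut (server default)
#   DataExecutionPrevention_Drivers           - hardware DEP also applied to kernel drivers
#   DataExecutionPrevention_32BitApplications - hardware DEP applied to 32-bit processes
# Assumption: Windows 8 / Server 2012 or later (Get-CimInstance present).

function Get-DepStatus {
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    $policyNames = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn'; 3 = 'OptOut' }

    # bcdedit prints a line such as "nx   OptIn" for the boot entry; it requires elevation,
    # so errors are discarded and the field is left empty when not running as administrator.
    $bootNx = bcdedit /enum '{current}' 2>$null |
        Where-Object { $_ -match '^\s*nx\s+(\S+)' } |
        ForEach-Object { $Matches[1] }

    [pscustomobject]@{
        HardwareDepAvailable = [bool]$os.DataExecutionPrevention_Available
        Policy               = $policyNames[[int]$os.DataExecutionPrevention_SupportPolicy]
        AppliesToDrivers     = [bool]$os.DataExecutionPrevention_Drivers
        AppliesTo32BitApps   = [bool]$os.DataExecutionPrevention_32BitApplications
        BootNxSetting        = $bootNx
    }
}

$dep = Get-DepStatus
$dep | Format-List

if (-not $dep.HardwareDepAvailable) {
    Write-Warning 'No hardware DEP: the CPU lacks NX/XD or it is disabled in firmware. Windows Server 2016 setup will refuse this machine.'
}
elseif ($dep.Policy -eq 'OptIn') {
    Write-Warning 'DEP policy is OptIn: only Windows system binaries and programs that opt in are protected.'
}
```

`HardwareDepAvailable` is the property that corresponds to the CPU NX/XD bit that Coreinfo reports on its `NX` feature line; a `False` here on a CPU that Coreinfo says supports NX usually means the feature is turned off in the BIOS/UEFI setup. `Policy` is the software side of the same picture: it decides which processes the protection is applied to, which is why a server defaults to `OptOut` (everything protected unless excluded) while a client defaults to `OptIn`. The classic cmd.exe one-liner `wmic OS Get DataExecutionPrevention_Available,DataExecutionPrevention_SupportPolicy` reads the same two WMI properties.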