Enhanced Virus Protection (EVP) / Execute Disable (XD) bit is a
feature that prevents execution of code placed in a program's data
memory. The feature works only when the operating system supports it.
Worms and other malware often use the buffer overrun (buffer overflow)
technique to gain unauthorized access to protected system resources,
such as local or privileged computer accounts. This technique targets
programs that accept input data from untrusted sources, store the
data in program memory, and do not verify the length of the stored
data. Such programs can be exploited as follows:
- Malware supplies a very long input (called the "payload") to the
program. The payload is longer than the memory buffer allocated for
the input, and it contains machine code. When the program stores the
payload in its data memory, the excess overwrites adjacent parts of
the program's data memory that were not supposed to be modified.
- The payload is usually crafted so that, once stored in the
program's data memory, it changes how control is transferred between
different parts of the program. As a result, instead of continuing
with normal execution, at some point the program transfers control
to the code carried in the payload.
Enhanced Virus Protection and the Execute Disable bit let the
operating system mark program data memory as non-executable. When
program control is transferred to code located in the program's data
memory, the microprocessor stops the program and returns control to
the operating system.
Enhanced Virus Protection, often referred to as the NX (No eXecute)
bit, is AMD's name for the feature; Intel calls it the Execute Disable
(XD) bit. The two are compatible with each other.
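As an added example (not from the original page), here is the check a defender would run to confirm that data memory really is marked non-executable: it parses text in the Linux /proc/<pid>/maps format and counts regions that are both writable and executable, which should be zero in a process protected by NX/XD. The SAMPLE_MAPS data is constructed for illustration; the path /usr/bin/example is a placeholder.

```c
/* Added example (not from the original page): a W^X sanity check that
 * parses Linux /proc/<pid>/maps text and counts writable+executable regions. */
#include <stdio.h>
#include <string.h>

/* Returns 1 when one maps line describes a region mapped "rwx". */
int is_wx_region(const char *line)
{
    unsigned long start, end;
    char perms[5];
    /* Line format: start-end perms offset dev inode [pathname] */
    if (sscanf(line, "%lx-%lx %4s", &start, &end, perms) != 3)
        return 0;
    return perms[1] == 'w' && perms[2] == 'x';
}

/* Counts "rwx" regions in newline-separated maps lines (unparsable lines are skipped). */
int count_wx_regions(const char *maps)
{
    int count = 0;
    while (*maps) {
        const char *nl = strchr(maps, '\n');
        size_t len = nl ? (size_t)(nl - maps) : strlen(maps);
        char line[256];                      /* permissions sit near the start */
        size_t n = len < sizeof line ? len : sizeof line - 1;
        memcpy(line, maps, n);
        line[n] = '\0';
        count += is_wx_region(line);
        maps += len + (nl ? 1 : 0);
    }
    return count;
}

/* Constructed sample: the heap is wrongly mapped "rwxp", everything else is W^X. */
const char SAMPLE_MAPS[] =
    "00400000-00401000 r-xp 00000000 08:01 1234 /usr/bin/example\n"
    "00600000-00601000 rw-p 00001000 08:01 1234 /usr/bin/example\n"
    "01000000-01021000 rwxp 00000000 00:00 0    [heap]\n"
    "7ffd1000-7ffd2000 rw-p 00000000 00:00 0    [stack]\n";

int main(void)
{
    static char buf[1 << 16];                /* zero-filled, so NUL-terminated */
    FILE *f = fopen("/proc/self/maps", "r");
    if (f) { fread(buf, 1, sizeof buf - 1, f); fclose(f); }
    printf("sample: %d wx region(s); this process: %d wx region(s)\n",
           count_wx_regions(SAMPLE_MAPS), count_wx_regions(buf));
    return 0;
}
```

On a system without /proc the live check simply reports 0 regions for an empty buffer; the constructed sample still reports the single "rwxp" heap mapping.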