DEP

links: ED TOC - Exploit Mitigations - Index


Claim

DEP prevents the execution of uploaded code.

General

Data Execution Prevention (DEP) is a runtime exploit mitigation that adds a permission model to memory regions so that only regions explicitly marked as executable can run code. Each memory region carries flags for reading (R), writing (W) and executing (X) its contents. The program will only run code that is located inside a memory region with the X-flag set. In practice the code segment has the X-flag set and the W-flag cleared, so an attacker cannot write to the memory region where the executable code lies and therefore cannot inject shellcode. For this reason it is generally a bad idea to have memory regions with both the W- and the X-flag set.

(De-)Applying DEP

DEP is active by default on all modern platforms. If we for some reason want to disable the protection provided by DEP, we must tell the linker not to protect the stack, i.e. to set the X-flag for that memory region. Using GCC this works as follows: gcc [..] -z execstack [..]. Executing readelf -l [exec-name] will then show that the X-flag is set for the stack (the flag will probably be shown as E; it is the same as X, but they messed up the flag names).

Example:

# with DEP
GNU_STACK      0x000000 0x00000000 0x00000000 0x00000 0x00000 RW  0x10

# without DEP
GNU_STACK      0x000000 0x00000000 0x00000000 0x00000 0x00000 RWE 0x10
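The same GNU_STACK check can be automated for auditing build output. The following is an added example (not part of this page): a dependency-free Python script that parses the program headers of a 64-bit little-endian ELF, reports the PT_GNU_STACK flags the way readelf -l prints them, and flags a binary whose stack is executable. The make_test_elf helper builds a constructed, non-runnable ELF image so the check can be exercised offline.

```python
import struct
import sys

PT_GNU_STACK = 0x6474E551          # program header type emitted by the linker for the stack
PF_X, PF_W, PF_R = 0x1, 0x2, 0x4   # p_flags bits, same meaning as the readelf E/W/R columns


def gnu_stack_flags(elf: bytes):
    """Return p_flags of the PT_GNU_STACK header, or None if the binary has none."""
    if elf[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if elf[4] != 2 or elf[5] != 1:
        raise ValueError("only ELF64 little-endian is handled by this example")
    e_phoff = struct.unpack_from("<Q", elf, 0x20)[0]          # program header table offset
    e_phentsize, e_phnum = struct.unpack_from("<HH", elf, 0x36)
    for i in range(e_phnum):
        p_type, p_flags = struct.unpack_from("<II", elf, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            return p_flags
    return None


def stack_is_executable(elf: bytes) -> bool:
    """True when the binary asks for an executable stack (built with -z execstack)."""
    flags = gnu_stack_flags(elf)
    # A missing PT_GNU_STACK is treated as executable here: that is the conservative
    # reading for an audit, and it matches the historical Linux default on x86.
    return True if flags is None else bool(flags & PF_X)


def flags_to_str(flags: int) -> str:
    """Render p_flags in the readelf column style, e.g. 'RW ' or 'RWE'."""
    return "".join(c if flags & bit else " " for c, bit in (("R", PF_R), ("W", PF_W), ("E", PF_X)))


def make_test_elf(stack_flags: int) -> bytes:
    """Constructed minimal ELF64 image: a header plus a single PT_GNU_STACK entry (not runnable)."""
    e_ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)      # ELFCLASS64, little-endian, version 1
    ehdr = e_ident + struct.pack("<HHIQQQIHHHHHH", 2, 0x3E, 1, 0, 64, 0, 0, 64, 56, 1, 64, 0, 0)
    phdr = struct.pack("<IIQQQQQQ", PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 0x10)
    return ehdr + phdr


if __name__ == "__main__":
    # Usage: python dep_check.py <elf-binary>; prints the flags and exits 1 if the stack is executable
    data = open(sys.argv[1], "rb").read()
    flags = gnu_stack_flags(data)
    print("GNU_STACK", "absent" if flags is None else flags_to_str(flags))
    sys.exit(1 if stack_is_executable(data) else 0)
```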

Breaking DEP

To break DEP, the attacker can use Return Oriented Programming (ROP) or Ret2PLT. Both techniques reuse code that is already mapped as executable instead of injecting new code, so they are not stopped by the missing W+X permission.
