HP dx6128 Data Execution Prevention - White Paper, 2nd Edition - Page 12

Advantages of using XD/NX, Disadvantages of using XD/NX, Conclusion and Recommendation

Advantages of using XD/NX
Enabling XD/NX provides increased protection against viruses that use buffer overflow attacks. This increased protection provides the benefit of increased network security, as malicious code cannot propagate or spread to infect more computers. Support staff also benefit from much improved containment and easier eradication of unwanted software.

Disadvantages of using XD/NX
XD/NX compatibility issues can occur for both applications and drivers. Applications that perform dynamic code generation, such as just-in-time (JIT) code generation, and do not mark the generated code with Execute permission will experience compatibility issues.
Drivers can encounter compatibility issues when running on 32-bit systems with PAE mode enabled. There are several reasons for this:
• Driver does not load because it cannot perform 64-bit addressing.
• Driver does not load because it assumes PAE mode requires more than 4 GB of memory.
• Driver causes problems when it expects a 32-bit PTE but instead gets a 64-bit PTE.
• Driver cannot DMA properly with 64-bit physical addresses.
To a lesser extent, some drivers create code in real time. These drivers encounter the same problem as applications that create code in real time, as mentioned above.

Conclusion and Recommendation
XD/NX is a useful computer architecture innovation that will reduce the number of viruses that exploit buffer overruns. HP encourages customers who use custom images or third-party software to test that software for XD/NX compatibility. Customers have full control over whether to use XD/NX, either by enabling or disabling XD/NX in the BIOS (F10 Setup) or from the operating system (BOOT.INI).
HP is shipping the following systems, for which the noexecute policy level in BOOT.INI will remain at the default state of OptIn:
• i915 chipset desktop systems with XD disabled in F10 Setup.
• i945 desktop systems with XD enabled by default in F10 Setup.
• Transmeta processor bc1000 computers with NX disabled by default in BIOS.
• AMD processor-based ATI desktop computers with NX enabled by default in BIOS.
To manually turn off DEP, change the state to /alwaysoff in BOOT.INI.
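As an added example (not from the HP white paper), a small Python audit script for the BOOT.INI noexecute policy level the paper refers to: it parses the [operating systems] entries, reports the effective DEP policy of each (OptIn when no switch is present, as the paper states), so entries set to /alwaysoff stand out, and can rewrite every entry to a chosen level such as alwayson. The sample BOOT.INI is constructed, and the handling of the legacy /execute switch follows Microsoft's Windows XP SP2 boot-switch documentation rather than this page.

```python
import re
# Levels of the BOOT.INI /noexecute switch (32-bit Windows XP SP2 / Server 2003 SP1).
POLICY_LEVELS = ("optin", "optout", "alwayson", "alwaysoff")
# Constructed sample BOOT.INI (not from the white paper): three entries, one with DEP off.
SAMPLE_BOOT_INI = """[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS="Windows XP (OptIn)" /noexecute=optin /fastdetect
multi(0)disk(0)rdisk(0)partition(2)\\WINDOWS="Windows XP (DEP off)" /noexecute=AlwaysOff /fastdetect
multi(0)disk(0)rdisk(0)partition(3)\\WINDOWS="Windows XP (no switch)" /fastdetect
"""

def os_entries(lines):
    """Yield (line_index, description, switches) for each [operating systems] entry."""
    section = None
    for i, raw in enumerate(lines):
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "operating systems" and "=" in line and not line.startswith(";"):
            m = re.match(r'[^=]+=\s*"([^"]*)"\s*(.*)$', line)
            if m:
                yield i, m.group(1), m.group(2)

def dep_policy(switches):
    """Effective DEP policy for one entry's switches (case-insensitive, last one wins)."""
    policy = "optin"  # the default the white paper describes when no switch is present
    for sw in switches.split():
        low = sw.lower()
        if low == "/execute":  # legacy switch, same effect as /noexecute=alwaysoff
            policy = "alwaysoff"
        elif low.startswith("/noexecute=") and low[11:] in POLICY_LEVELS:
            policy = low[11:]  # the text after "/noexecute="
    return policy

def audit(text):
    """Map each OS description to its DEP policy; 'alwaysoff' entries have DEP disabled."""
    return {desc: dep_policy(sw) for _, desc, sw in os_entries(text.splitlines())}

def set_policy(text, level):
    """Return BOOT.INI text with every OS entry's DEP policy forced to `level`."""
    if level.lower() not in POLICY_LEVELS:
        raise ValueError("unknown /noexecute level: " + level)
    lines = text.splitlines()
    for i, _, _ in os_entries(lines):
        keep = [t for t in lines[i].split() if not t.lower().startswith(("/noexecute=", "/execute"))]
        lines[i] = " ".join(keep) + " /noexecute=" + level.lower()
    return "\n".join(lines) + "\n"
```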