Developer Security Enhancements in Windows Vista SP1

Eliot — Tue, 12 Feb 2008 23:33:00 GMT

This comes via Michael Howard's Web Log. Take a look at the full post, but here are some salient bits.

New NX APIs added to Windows Vista SP1, Windows XP SP3 and Windows Server 2008

In the interests of helping secure the platform, we want more people to opt-in to using Data Execution Prevention (aka DEP aka NX), and we have lowered the barrier to entry for application developers in Windows Vista SP1, Windows XP SP3 and Windows Server 2008.

We've added some new APIs that allow a developer to set DEP on their process at runtime rather than using linker options. The new APIs also give developers some more flexibility if your application uses an older version of the Active Template Library (ATL.)

...

The most important API added is SetProcessDEPPolicy, which sets the DEP policy for the running process. You would normally use this function pretty early in main.

The function takes only one argument: the policy setting. The possible values are:

0x00000000 Turn off DEP for this process (Why are you doing this?)
PROCESS_DEP_ENABLE Enable DEP for the process.
PROCESS_DEP_ENABLE | PROCESS_DEP_DISABLE_ATL_THUNK_EMULATION Enable DEP for the process, and disallow ATL thunks.

The last option is the killer argument - if you build an application that hosts components that might not be DEP compatible because they were built using an older version of ATL, you can still use DEP for your process.

Eliot's Blog : security

Developer Security Enhancements in Windows Vista SP1