What is PAE?
The XD and NX features require that the processor run in Physical Address Extension (PAE) mode. A 32-bit processor, such as the Intel Pentium 4 (IA32 family), is usually limited to addressing a maximum of 4 GB of memory. This limitation comes from its 32 bits of address capability, as follows:
2^32 = 4,294,967,296 (4 GB)
To address more than 4 GB of memory, Intel created PAE mode. PAE adds 4 bits of addressing, creating a 36-bit address and thereby allowing up to 64 GB of memory to be addressed, as follows:
2^36 = 68,719,476,736 (64 GB)
A processor with XD or NX marks memory pages as nonexecutable. This marking is a bit in the Page Table Entry (PTE), the data structure that holds the base physical address and attributes of a page in physical memory. In PAE mode the PTEs are extended from 32 bits to 64 bits, which provides the additional space needed to mark a page as nonexecutable.
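The following C program is an added illustration, not code from the paper: it models the 64-bit PAE page-table entry described above (present, read/write, user/supervisor, 36-bit frame address and the execute-disable bit 63 that the legacy 32-bit PTE has no room for) and shows how the hardware decides that an instruction fetch from a data page must fault. The field positions follow the Intel PAE PTE format; the helper names and the sample addresses are constructed for this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* 64-bit PAE PTE for a 4-KB page (Intel PAE paging format):
 *   bit 0  P (present)   bit 1  R/W (writable)   bit 2  U/S (user)
 *   bits 12-35  physical frame address (36-bit width, as on the page)
 *   bit 63 XD (execute-disable), meaningful only when NX/XD is enabled.
 * A legacy 32-bit PTE spends bits 0-11 on flags and 12-31 on the frame,
 * leaving no spare bit for XD; that is why DEP needs PAE mode. */
#define PTE_P   (1ULL << 0)
#define PTE_RW  (1ULL << 1)
#define PTE_US  (1ULL << 2)
#define PTE_XD  (1ULL << 63)
#define PAE_PHYS_BITS  36
#define PAE_FRAME_MASK (((1ULL << PAE_PHYS_BITS) - 1) & ~0xFFFULL)

typedef struct {
    bool present, writable, user, no_execute;
    uint64_t phys_base;          /* physical base address of the page */
} pae_pte_t;

/* Build a PTE; data pages (heap, stack) are created with XD set. */
uint64_t pae_pte_make(uint64_t phys_base, bool writable, bool user, bool no_execute)
{
    uint64_t pte = (phys_base & PAE_FRAME_MASK) | PTE_P;
    if (writable)   pte |= PTE_RW;
    if (user)       pte |= PTE_US;
    if (no_execute) pte |= PTE_XD;
    return pte;
}

pae_pte_t pae_pte_decode(uint64_t pte)
{
    pae_pte_t d = { .present = (pte & PTE_P) != 0, .writable = (pte & PTE_RW) != 0,
                    .user = (pte & PTE_US) != 0, .no_execute = (pte & PTE_XD) != 0,
                    .phys_base = pte & PAE_FRAME_MASK };
    return d;
}

/* Hardware rule: fetching an instruction from a present page with XD set
 * raises a page fault, which Windows reports as the DEP exception (or a
 * bugcheck when it happens in kernel mode). */
bool pae_fetch_faults(uint64_t pte) { return (pte & PTE_P) && (pte & PTE_XD); }

/* Audit helper: a present page that is writable and executable at once. */
bool pae_pte_is_wx(uint64_t pte) { return (pte & PTE_P) && (pte & PTE_RW) && !(pte & PTE_XD); }

int main(void)
{
    uint64_t heap = pae_pte_make(0x8ABCDE000ULL, true, true, true);   /* frame above 4 GB */
    uint64_t code = pae_pte_make(0x00401000ULL, false, true, false);
    printf("heap PTE %#018llx fetch faults=%d\n", (unsigned long long)heap, pae_fetch_faults(heap));
    printf("code PTE %#018llx fetch faults=%d\n", (unsigned long long)code, pae_fetch_faults(code));
    return 0;
}
```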
Why is this change important? What threats does it help mitigate?
The primary benefit of Data Execution Prevention is that it prevents code from executing from data pages such as the default heap, the various stacks, and memory pools. A heap is a common pool of memory available to a program. A stack is a set of hardware registers or a reserved amount of memory used for arithmetic calculations or to keep track of internal operations.
In normal system operation, code is not typically executed from the default heap or the stack. Hardware-enforced DEP detects code that is running from these locations and raises an exception when the execution occurs. If the exception is unhandled, the process is terminated. Execution of code from protected memory in kernel mode results in a bugcheck.
Although terminating a process or causing the system to fail with a bugcheck does not appear to be an ideal solution, it helps prevent malicious code from executing. Preventing malicious code from executing on the system may prevent damage to your system or the propagation of malicious code whose harmful effects could easily exceed those of a terminated process or a bugcheck.
DEP can help mitigate a class of security exploits. Specifically, Data Execution Prevention can prevent the exploit in which a virus or other attack injects additional code into a process and then attempts to execute the injected code. On a system with DEP, execution of the injected code results in an exception. Additionally, software-enforced DEP can help mitigate exploits of the exception handling mechanisms within Windows.
A secondary benefit of DEP is that it encourages good engineering and best practices for application and driver developers. Data Execution Prevention forces developers to avoid executing code from data pages without explicitly marking those pages as executable.