Tag Archives: SUSE Linux

Execute Disable Bit – The BIOS Optimization Guide

Execute Disable Bit

Common Options : Enabled, Disabled

 

Execute Disable Bit Quick Review

This BIOS feature is a toggle for the processor’s Execute Disable Bit option. In fact, the acronym XD is short for Execute Disable and is specific to Intel’s implementation. AMD’s implementation is called NX, short for No Execute.

When enabled, the processor prevents the execution of code in data-only memory pages. This provides some protection against buffer overflow attacks.

When disabled, the processor will not restrict code execution in any memory area. This makes the processor more vulnerable to buffer overflow attacks.

It is highly recommended that you enable this BIOS feature for increased protection against buffer overflow attacks.

However, please note that the Execute Disable Bit feature is a hardware feature present only in newer Intel processors. If your processor does not support Execute Disable Bit, then this BIOS feature will have no effect.

In addition, you must use an operating system that supports the Execute Disable Bit feature. Currently, that includes the following operating systems :

  • Microsoft Windows Server 2003 with Service Pack 1, or later.
  • Microsoft Windows XP with Service Pack 2, or later.
  • Microsoft Windows XP Tablet PC Edition 2005, or later.
  • SUSE Linux 9.2, or later.
  • Red Hat Enterprise Linux 3 Update 3, or later.

Incidentally, some applications and device drivers attempt to execute code from the kernel stack for improved performance. This will cause a page-fault error if Execute Disable Bit is enabled. In such cases, you will need to disable this BIOS feature.

 

Execute Disable Bit Details

Buffer overflow attacks are a major threat to networked computers. For example, a worm may infect a computer and flood the processor with code, bringing the system down to a halt. The worm will also propagate throughout the network, paralyzing each and every system it infects.

Due to the prevalence of such attacks, Intel enhanced their processor architecture with a feature called Execute Disable Bit, which is designed to protect the computer against certain buffer overflow attacks. First released for the 64-bit Intel Itanium processor in 2001, this feature only appeared in Intel desktop and workstation processors from November 2004 onwards. Intel mobile processors with Execute Disable Bit only started shipping in February, 2005.

Processors that come with this feature can restrict memory areas in which application code can be executed. When paired with an operating system that supports the Execute Disable Bit feature, the processor adds a new attribute bit (the Execute Disable Bit) in the paging structures used for address translation.

If the Execute Disable Bit of a memory page is set to 1, that page can only be used to store data. It will not be used to store executable code. But if the Execute Disable Bit of a memory page is set to 0, that page can be used to store data or executable code.

The processor will henceforth check the Execute Disable Bit whenever it executes code. It will not execute code in a memory page with the Execute Disable Bit set to 1. Any attempt to execute code in such a protected memory page will result in a page-fault exception.

So, if a worm or virus inserts code into the buffer, the processor prevents the code from being executed and the attack fails. This also prevents the worm or virus from propagating to other computers on the network.

[adrotate group=”1″]

This BIOS feature is a toggle for the processor’s Execute Disable Bit option. In fact, the acronym XD is short for Execute Disable and is specific to Intel’s implementation. AMD’s implementation is called NX, short for No Execute.

When enabled, the processor prevents the execution of code in data-only memory pages. This provides some protection against buffer overflow attacks.

When disabled, the processor will not restrict code execution in any memory area. This makes the processor more vulnerable to buffer overflow attacks.

It is highly recommended that you enable this BIOS feature for increased protection against buffer overflow attacks.

However, please note that the Execute Disable Bit feature is a hardware feature present only in newer Intel processors. If your processor does not support Execute Disable Bit, then this BIOS feature will have no effect.

In addition, you must use an operating system that supports the Execute Disable Bit feature. Currently, that includes the following operating systems :

  • Microsoft Windows Server 2003 with Service Pack 1, or later.
  • Microsoft Windows XP with Service Pack 2, or later.
  • Microsoft Windows XP Tablet PC Edition 2005, or later.
  • SUSE Linux 9.2, or later.
  • Red Hat Enterprise Linux 3 Update 3, or later.

Incidentally, some applications and device drivers attempt to execute code from the kernel stack for improved performance. This will cause a page-fault error if Execute Disable Bit is enabled. In such cases, you will need to disable this BIOS feature.

Go Back To > The BIOS Optimization Guide | Home

 

Support Tech ARP!

If you like our work, you can help support our work by visiting our sponsors, participating in the Tech ARP Forums, or even donating to our fund. Any help you can render is greatly appreciated!