DEP
What is DEP?
DEPData Execution Prevention (also called NX or W^X) marks memory pages as non-executable so attackers cannot run shellcode injected into the stack or heap.
DEP, sometimes called NX (No-eXecute) or W^X (Write XOR Execute), enforces that any memory page is either writable or executable but never both. The CPU's NX bit blocks instruction fetches from data pages such as the stack and heap, defeating classic shellcode-injection attacks. AMD introduced the hardware bit in 2003 and Intel followed shortly after; software DEP was added to Windows XP SP2 and to Linux via PaX/grsecurity, then mainlined. Because DEP eliminates direct code execution from data, attackers shifted to code-reuse techniques like return-to-libc and ROP, which is why DEP is paired with ASLR, CFI, and shadow stacks.
● Examples
- 01
The stack being marked NX so an attacker's shellcode crashes instead of executing.
- 02
Linux mmap rejecting PROT_WRITE | PROT_EXEC on hardened builds.
● Frequently asked questions
What is DEP?
Data Execution Prevention (also called NX or W^X) marks memory pages as non-executable so attackers cannot run shellcode injected into the stack or heap. It belongs to the Application Security category of cybersecurity.
What does DEP mean?
Data Execution Prevention (also called NX or W^X) marks memory pages as non-executable so attackers cannot run shellcode injected into the stack or heap.
How does DEP work?
DEP, sometimes called NX (No-eXecute) or W^X (Write XOR Execute), enforces that any memory page is either writable or executable but never both. The CPU's NX bit blocks instruction fetches from data pages such as the stack and heap, defeating classic shellcode-injection attacks. AMD introduced the hardware bit in 2003 and Intel followed shortly after; software DEP was added to Windows XP SP2 and to Linux via PaX/grsecurity, then mainlined. Because DEP eliminates direct code execution from data, attackers shifted to code-reuse techniques like return-to-libc and ROP, which is why DEP is paired with ASLR, CFI, and shadow stacks.
How do you defend against DEP?
Defences for DEP typically combine technical controls and operational practices, as detailed in the full definition above.
What are other names for DEP?
Common alternative names include: NX, No-Execute, W^X.
● Related terms
- appsec№ 064
ASLR
Address Space Layout Randomization randomizes the memory locations of code, stacks, heaps, and libraries so attackers cannot reliably predict target addresses for exploits.
- appsec№ 925
Return-Oriented Programming
Return-Oriented Programming (ROP) is a code-reuse exploit technique that chains short instruction sequences ending in RET to execute arbitrary computation without injecting new code.
- appsec№ 1095
Stack Canary
A stack canary is a secret value placed between a function's local buffers and its saved return address to detect stack buffer overflows before they hijack control flow.
- appsec№ 217
Control-Flow Integrity
Control-Flow Integrity (CFI) constrains a program's indirect calls and returns to a precomputed set of legitimate targets, blocking ROP and JOP exploits that hijack control flow.
- appsec№ 670
Memory Safety
Memory safety is the property that a program never reads, writes, or executes memory it has not legitimately allocated, preventing entire classes of vulnerabilities.
- appsec№ 545
Intel CET
Intel CET (Control-flow Enforcement Technology) is a CPU feature combining a hardware shadow stack and Indirect Branch Tracking (IBT) to block ROP, JOP and COP exploits.
● See also
- № 1058SMEP / SMAP