Executable-space protection

Executable-space protection is a way to keep computers safe. It stops harmful code from running in parts of the computer's memory that should not be used for that.

It works by marking certain areas of memory as "not allowed to run code." If a computer tries to run code in those areas, it stops and shows an error.

Computers can use special parts called the NX bit to help do this quickly. This is a tiny part inside the computer's hardware. If a computer does not have this part, software can try to do the same thing, but it might slow the computer down a little.

This idea has been around for a long time. One of the first computers to use it was the Burroughs large systems, starting with the Burroughs 5000 in 1961. These computers kept code and data separate so data could not become harmful code. Today, computers still use this protection to stop attacks like buffer overflow. By stopping these areas from running code, computers stay safer.

OS implementations

Many operating systems have ways to protect parts of memory from being used to run code. This helps keep computers safe.

Android

Since version 2.3, Android has made sure that parts of memory that shouldn’t run code don’t, on devices that can support it.

FreeBSD

FreeBSD started supporting special protection for memory on certain processors in June 2004, and it has been part of regular releases since version 5.3.

Linux

Linux supports special memory protection on modern processors. This support was added in 2004 for 64-bit systems, and later that year for 32-bit systems running on 64-bit processors. Some Linux versions, like Fedora, Ubuntu, and openSUSE, need extra settings to use this protection well on older processors.

macOS

macOS has supported memory protection on Intel processors since 2004. By version 10.5, it protected both stack and heap memory for 64-bit programs.

NetBSD

NetBSD added memory protection for programs in December 2004. It works on many different types of processors.

OpenBSD

OpenBSD introduced a strong form of memory protection called W^X in May 2003. It marks memory areas that can change as ones that can’t run code.

Solaris

Solaris has been able to stop programs from running code in certain memory areas since 1997 on some processors, and later added more control over this.

Windows

Windows began adding memory protection starting with Windows XP Service Pack 2 in 2004. This feature, called Data Execution Prevention (DEP), stops important parts of Windows from having harmful code run in them. Later versions added more protection and ways to manage it.

Xbox

Although early Xbox systems didn’t have special hardware for memory protection, later versions of the development tools and system changed how memory was used, making old tricks to run unwanted code harder. However, new ways around this were found quickly.

Limitations

When code is created and run while the computer is working, it might be possible for someone to make harmful instructions that can get past safety measures.

There are also smart ways to run unwanted code even when safety protections are on, by using small pieces of allowed code in new ways.