Executable-space protection

Executable-space protection is a way to keep computers safe by stopping bad things from happening when someone tries to run harmful code in parts of the computer's memory that shouldn't be used for that. It works by marking certain areas of memory as "not allowed to run code." If a computer tries to run code in those areas, it stops the computer and shows an error instead.

Computers can use special parts called the NX bit to do this job easily and quickly. This is a tiny part inside the computer's hardware that helps stop bad code from running without slowing down the computer. But if a computer doesn't have this special part, software can try to do the same thing, though it might make the computer work a little slower.

This idea has been around for a long time. One of the very first computers to use it was the Burroughs large systems, starting with the Burroughs 5000 in 1961. These computers used special ways to keep code and data separate so that data couldn't be turned into harmful code. Today, our computers still use this protection to stop attacks like buffer overflow, where bad code tries to sneak into places it shouldn't. By stopping these areas from running code, computers stay safer.

OS implementations

Many operating systems have ways to protect parts of memory from being used to run code. This helps keep computers safe.

Android

Since version 2.3, Android has made sure that parts of memory that shouldn’t run code don’t, on devices that can support it.

FreeBSD

FreeBSD started supporting special protection for memory on certain processors in June 2004, and it has been part of regular releases since version 5.3.

Linux

Linux supports special memory protection on modern processors. This support was added in 2004 for 64-bit systems, and later that year for 32-bit systems running on 64-bit processors. Some Linux versions, like Fedora, Ubuntu, and openSUSE, need extra settings to use this protection well on older processors.

macOS

macOS has supported memory protection on Intel processors since 2004. By version 10.5, it protected both stack and heap memory for 64-bit programs.

NetBSD

NetBSD added memory protection for programs in December 2004. It works on many different types of processors.

OpenBSD

OpenBSD introduced a strong form of memory protection called W^X in May 2003. It marks memory areas that can change as ones that can’t run code.

Solaris

Solaris has been able to stop programs from running code in certain memory areas since 1997 on some processors, and later added more control over this.

Windows

Windows began adding memory protection starting with Windows XP Service Pack 2 in 2004. This feature, called Data Execution Prevention (DEP), stops important parts of Windows from having harmful code run in them. Later versions added more protection and ways to manage it.

Xbox

Although early Xbox systems didn’t have special hardware for memory protection, later versions of the development tools and system changed how memory was used, making old tricks to run unwanted code harder. However, new ways around this were found quickly.

Limitations

When code is created and run during the computer's operation, such as with a special type of compiler, it might be possible for someone to create harmful instructions that can bypass safety measures.

There are also clever ways to run unwanted code even when safety protections are turned on, by using small pieces of already-allowed code in new ways.