[Original] About Dishui's VT Debugger
2009-8-19 22:34 349302

Latest replies (295)
海风月影 22 2009-8-25 14:42
51
0
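Let's not get into the market side of things.

So AMD CPUs already support nested hypervisors; that's seriously impressive, though Intel's don't yet. Detection on a single machine is just too hard, so better to rely on the network~~

I've heard of the TLB method, but I don't understand how it works, so I won't say more.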
wildox 2009-8-25 18:12
52
0
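Detecting VT is simple: just compare the efficiency of memory translation! I won't go into the technical details; study it yourselves. --- The so-called dirty method is just making everyone crash together, right? Hehe, I doubt the game vendors want to go out of business!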
海风月影 22 2009-8-25 19:53
53
0
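Ordinary players who don't debug won't crash.
Debug and it reboots; restore the hooks and it blue-screens. Examples: nProtect, XTRAP, TenProtect

They're alive and well; they won't be going out of business.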
wildox 2009-8-25 20:03
54
0
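Speechless. If you don't understand the technical details, of course you'd see it that simply. I look forward to someone producing such an anti soon; that would be more convincing than anything. - Plenty of people in this world can talk, few can do, and fewer still actually deliver......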
海风月影 22 2009-8-25 20:27
55
0
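I don't know what technique you're talking about, but you don't know what anti I'm talking about either...
A dirty anti doesn't need sophisticated technology
All I know is that game companies won't go out of business

I have no way to try the dual-machine version
Let's talk once your single-machine version is out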
izayoi 2009-8-25 20:39
56
0
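There is no silver bullet
and certainly no universal debugging tool
wildox's DTdebug may well be good, but 海风月影 is clearly more convincing. To an anti, a debugger is something like a virus. Whether your Dishui can keep up with the times depends on your own effort, not on making personal attacks here
The experts on pediy are far beyond what you imagine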
wildox 2009-8-25 20:43
57
0
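Let's not just talk without doing; less arguing, more real work. We've already built ours and are just waiting for your anti. Theory needs practice to prove it. At least so far we haven't found an anti we can't get past......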
izayoi 2009-8-25 20:55
58
0
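Actually, everyone understands your intention
Actually, what you've made is a reverseme
Actually, you just want to verify whether your debugger can be anti'd
Waiting for an anti? Sure, as long as it's twice your asking price: 600w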
tzl 10 2009-8-25 22:48
59
0
I don't really understand it, but I still learned something!
pengmo 2009-8-26 10:45
60
0
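1. How do I check whether my CPU has VT?

2. Arguing is pointless. wildox's DTdebug may well be good, but it hasn't captured the market yet. Only once you have a market will online game companies consider anti-debugging against it.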
wildox 2009-8-26 15:33
61
0
Download the DTdebug trial version and install it; the program detects VT automatically. Download: www.dtdishui.com
海风月影 22 2009-8-26 15:36
62
0
Download the attachment and run it
See the image: this result means VT-x is supported and VT-x is enabled in the BIOS
Uploaded attachment:
sndosej 2009-8-26 16:33
63
0
Thanks to 海风月影 for the explainer
Technology keeps advancing. I'll show some support for DTdebug too
wildox 2009-8-26 19:53
64
0
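[QUOTE=海风月影;676844]Download the attachment and run it
See the image: this result means VT-x is supported and VT-x is enabled in the BIOS
[/QUOTE]

What an eye-opener. This thing detects VT even inside a virtual machine; first time I've seen a virtual VT CPU, amazing...... Who made this thing, and what is it? You can trust something like this?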
ccfer 16 2009-8-26 20:27
65
0
Maybe it can see through the virtual machine and detect the real machine
wildox 2009-8-26 20:44
66
0
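Is it something that compares signatures? It's not real VT CPU detection, is it? Try the VT detection built into our program and see how it differs from this thing. Download a trial installer and try it!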
ccfer 16 2009-8-26 21:06
67
0
Not tempting enough; not wasting the bandwidth
sessiondiy 4 2009-8-26 21:08
68
0
No source, no truth
Release the source and let us have a look.
海风月影 22 2009-8-26 21:24
69
0
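Saying that is really beneath you
1. This is an authoritative little tool for checking CPU security features. It checks three things: 64-bit support, DEP, and hardware virtualization. Everyone uses it for this check
2. As floors 50 and 51 already said, AMD CPUs support nested virtualization, so enabling VT again inside a virtual machine is not hard (and someone has already done it; you still haven't managed it?)

Also, being able to detect it inside a virtual machine might just mean your virtual machine is lousy

Please don't tell me that VT can be detected after starting your VT debugger; that would floor me

Enough said. Everyone, test with VMWARE 6.5.0 or later. Screenshot:
Uploaded attachments:
  • 1.jpg (195.82kb, 41 downloads)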
wildox 2009-8-26 21:45
70
0
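Oh, so everything below VMWARE 6.0 is garbage and only 6.5 and up is any good....... It doesn't support anything below VMWARE 6.0, and you call it authoritative..... Dizzy! Is this thing supposed to compete with VMWARE over which is more authoritative?
You should detect our VT debugger directly rather than VT; show us what you've got! I really don't know what you're trying to say..... Does VT need to be detected over and over? What's the use of detecting VT.....
Uploaded attachment: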
wildox 2009-8-26 21:54
71
0
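"AMD CPUs support nested virtualization, so enabling VT again inside a virtual machine is not hard" --- what you say about nested virtual machines doesn't seem right either! No company's CPU supports nested VT. The so-called AMD nesting refers to nested paging, not nested VT virtual machines, and certainly not nested virtualization. Is your English poor? I suggest you study English properly........ Do your research before speaking; misleading learners isn't good.......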
海风月影 22 2009-8-26 22:52
72
0
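My English really is poor. All I know is that someone else's driver DEMO, after enabling SVM on a real AMD machine, can run VPC, and inside VPC the same driver DEMO can enable SVM again. I don't know what this mode is called and can't describe it

Let me explain your screenshot above:
1. Your VMWARE 6.0 really could use an upgrade. This counts as a minor BUG; VMWARE 6.5 fixed it but didn't tell you
2. The difference between Locked ON and YES: Locked ON means that reading MSR 0x3A succeeded and bit0 and bit2 are both 1.
YES means that reading MSR 0x3A failed, but the cpuid instruction, with 1 passed in eax, returns ecx with bit5 (the VMX bit) set to 1.

Your outside display is Locked ON, which means the BIOS has enabled it; inside it shows YES, which means the BIOS doesn't support it but the CPU does. Is that a wrong result? Don't you think this is a minor BUG in your vmware 6.0? Switch to vmware 6.5.x, where this BUG is already fixed.

If you say this isn't authoritative, fine: go download the latest version of everest, test CPUID, and see whether there is a check mark after Virtual Machine Extensions (Vanderpool). Please don't say everest isn't authoritative enough.

Finally, you can say securable isn't authoritative enough, but I think securable is far more authoritative than your DT debugger trial version

Adding the everest download link, in case you don't know it
http://www.crsky.com/soft/5904.html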
wildox 2009-8-26 23:14
73
0
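This DEMO has the same BUG as the securable you posted: it detects VT on a real machine and also detects VT in a virtual machine. It only detects; it doesn't enable and run it!
Our built-in detection program gives correct results on every version of VMWARE. It should be called a securable BUG, not a VMWARE BUG.
You really should do some patient, careful research and build solid fundamentals; don't interpret things from the literal wording! There are too many errors in your article to point out one by one here.......
The only reason I'm replying here is the hope that more people won't be misled...... Modesty helps one make progress......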
海风月影 22 2009-8-26 23:24
74
0
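There you go again
I've already explained it very clearly: first check whether it is Locked ON or Locked OFF; if the read fails, check cpuid, and if cpuid shows support, the result is YES. Left-click that big YES and read the explanation inside. Which sentence tells you it can be enabled and run?

You still won't admit it's a VMWARE BUG. Then why can't my newer VMWARE reproduce it??? Does this tool recognize the VMWARE version?? Then test with everest instead

Tomorrow I'll find a VMWARE 6.0 at the office, take a screenshot with everest and send it to you

Your debugging skills are so strong, so why not reverse securable's decision flow?
Finally, I'll copy a piece of the decision flow from securable for everyone to see: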
004020F7               .  F705 A2784000 00000100 test    dword ptr [4078A2], 10000                            ;  Case 3 of switch 00402027
00402101               .  74 18                  je      short 0040211B
00402103               .  BB 6E744000            mov     ebx, 0040746E                                        ;  ASCII "LockedOff"
00402108               .  F705 A2784000 00000200 test    dword ptr [4078A2], 20000
00402112               .  74 52                  je      short 00402166
00402114               .  BB 78744000            mov     ebx, 00407478                                        ;  ASCII "LockedOn"
00402119               .  EB 4B                  jmp     short 00402166
0040211B               >  BB 36744000            mov     ebx, 00407436                                        ;  ASCII "NoVirt"
00402120               .  F705 A2784000 00200000 test    dword ptr [4078A2], 2000
0040212A               .  74 3A                  je      short 00402166
0040212C               .  BB 3D744000            mov     ebx, 0040743D                                        ;  ASCII "YesVirt"
00402131               .  F705 A2784000 40000400 test    dword ptr [4078A2], 40040
0040213B               .  75 29                  jnz     short 00402166
0040213D               .  BB 45744000            mov     ebx, 00407445                                        ;  ASCII "YesVirtNoAdmin"
00402142               .  F705 A2784000 01000000 test    dword ptr [4078A2], 1
0040214C               .  74 07                  je      short 00402155
0040214E               .  BB 54744000            mov     ebx, 00407454                                        ;  ASCII "YesVirtWin9x"
00402153               .  EB 11                  jmp     short 00402166
00402155               >  F705 A2784000 02000000 test    dword ptr [4078A2], 2
0040215F               .  74 05                  je      short 00402166
00402161               .  BB 61744000            mov     ebx, 00407461                                        ;  ASCII "YesVirtWin64"
00402166               >  53                     push    ebx                                                  ; /Arg2
00402167               .  68 BC7A4000            push    00407ABC                                             ; |Arg1 = 00407ABC
0040216C               .  E8 62100000            call    004031D3                                             ; \securabl.004031D3
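
The two-input check described in posts 72 and 74, as an added example that is not part of the thread and is not SecurAble's code: it classifies Intel VT-x state from CPUID leaf 1 ECX bit 5 and MSR 0x3A bits 0 and 2. The `NotLocked` state, the function names and the Linux `/dev/cpu/0/msr` read path are assumptions of this example.

```c
/* Added example (not from the thread): classify VT-x state from CPUID.1:ECX
 * and IA32_FEATURE_CONTROL (MSR 0x3A), the two inputs named in post 72. */
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <unistd.h>
#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#endif

#define CPUID1_ECX_VMX   (1u << 5)    /* CPUID leaf 1, ECX bit 5: VMX present */
#define FC_LOCK          (1ull << 0)  /* MSR 0x3A bit 0: register is locked */
#define FC_VMXON_OUTSIDE (1ull << 2)  /* MSR 0x3A bit 2: VMX enabled outside SMX */

typedef enum {
    VT_NO_VIRT,     /* CPUID does not advertise VMX */
    VT_YES_VIRT,    /* CPUID advertises VMX, MSR could not be read ("YES") */
    VT_LOCKED_ON,   /* lock bit set, VMX enabled */
    VT_LOCKED_OFF,  /* lock bit set, VMX disabled until the next reset */
    VT_NOT_LOCKED   /* lock bit clear: firmware left the choice open */
} vt_state;

/* Pure decision function so it can be checked against constructed inputs. */
vt_state classify_vtx(uint32_t cpuid1_ecx, int msr_ok, uint64_t feature_control)
{
    if (!(cpuid1_ecx & CPUID1_ECX_VMX))
        return VT_NO_VIRT;
    if (!msr_ok)
        return VT_YES_VIRT;
    if (!(feature_control & FC_LOCK))
        return VT_NOT_LOCKED;
    return (feature_control & FC_VMXON_OUTSIDE) ? VT_LOCKED_ON : VT_LOCKED_OFF;
}

const char *vt_state_name(vt_state s)
{
    /* First four names follow the strings in the listing; the last is hypothetical. */
    static const char *names[] = {
        "NoVirt", "YesVirt", "LockedOn", "LockedOff", "NotLocked"
    };
    return names[s];
}

/* Returns CPUID.1:ECX, or 0 on non-x86 builds or if leaf 1 is unavailable. */
uint32_t read_cpuid1_ecx(void)
{
#if defined(__x86_64__) || defined(__i386__)
    unsigned int a, b, c, d;
    if (__get_cpuid(1, &a, &b, &c, &d))
        return c;
#endif
    return 0;
}

/* Linux-only assumption: the msr driver exposes MSRs at /dev/cpu/0/msr, with
 * file offset = MSR index; needs root. Returns 1 on success, 0 if unreadable
 * (no driver, no privilege, or a hypervisor that rejects the read). */
int read_feature_control(uint64_t *out)
{
    int fd = open("/dev/cpu/0/msr", O_RDONLY);
    if (fd < 0)
        return 0;
    int ok = lseek(fd, 0x3A, SEEK_SET) == 0x3A &&
             read(fd, out, sizeof *out) == (ssize_t)sizeof *out;
    close(fd);
    return ok;
}

int main(void)
{
    uint64_t fc = 0;
    int msr_ok = read_feature_control(&fc);
    vt_state s = classify_vtx(read_cpuid1_ecx(), msr_ok, fc);
    printf("VT-x: %s (MSR 0x3A %s)\n", vt_state_name(s),
           msr_ok ? "read" : "unreadable");
    return 0;
}
```

A guest whose hypervisor passes the VMX bit through in CPUID but rejects the MSR read lands in `YesVirt`, which is the case the two posters disagree about.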

leftup 2009-8-26 23:27
75
0
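This software doesn't try starting a virtual machine to determine whether the CPU supports virtualization
It mainly detects via CPUID, plus a 32-bit driver that reads the MSR
A normal virtual machine generally won't tamper with CPUID. As for MSRs, a virtual machine certainly can't let you write them freely; for reads I'm not so sure, it probably depends on the virtual machine's implementation. So some information can be detected inside a virtual machine, and at least the information about whether the feature is supported should be accurate.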

[32Bits]

Only 32-Bit Processing

This processor does not offer 64-bit modes of operation. This means that this system will not be able to run the significantly more secure 64-bit versions of Microsoft's XP or Vista operating systems.

However, since 64-bit Windows systems experience significant application and driver compatibility challenges, especially with older "legacy" hardware, it is not clear how practical running 64-bit Windows on older systems would be anyway.

[64Bits]

64-Bit Processing Available

This processor does offer 64-bit modes of operation. This means that this system is able to run the significantly more secure 64-bit versions of Microsoft's Windows XP and Vista operating systems.

The biggest challenge for 64-bit Windows systems is the fact that existing 32-bit device drivers cannot be used by the 64-bit operating system kernel. So if you do plan to try switching to 64-bit Windows, you should be sure to have a means for reverting to 32-bit operation if your system's hardware turns out to be incompatible with 64-bit operation. Many people have reverted to 32-bit operation after bravely giving 64-bits a try for a short time.

[YesDEP]

Hardware DEP Available

This processor does support hardware-based data execution prevention (DEP).

When hardware DEP support is teamed up with a properly configured operating system (and that part is crucial), computer security mistakes involving the deliberate overrunning of communications buffers can be automatically detected and prevented throughout the entire computer system. This makes data execution prevention, when available and active, the single most promising improvement for PC security ever. Really.

It is very important to note, however, that hardware support for DEP is only one of several enabling requirements that must be met before any benefit can be obtained. GRC will be following up the release of SecurAble with another powerful tool, DEPuty, that will help to properly configure, test and verify the operation of your system's critical DEP subsystem.

[NoDEP]

Hardware DEP not Available

This processor does not offer Data Execution Prevention.

Unfortunately, this system's hardware is unable to assist in the prevention of the execution of code deliberately injected into communications buffers as a means for remotely infecting systems during Internet communications.

Properly written software could and should prevent this - and most software certainly does. But years of experience with widely exploited "buffer overrun" vulnerabilities, even years after they had been clearly and repeatedly identified as the biggest security problem in the PC industry, proves that adding hardware-enforced system-wide prohibition against the inadvertent execution of data can do more for system security than any other technology the industry has created.

DEP technology is such a powerful solution to this largest of all Internet-related security problems that you should verify that any future systems you acquire absolutely offer hardware DEP support.

This free SecurAble utility may be used to quickly and easily verify any system's hardware DEP support at any time.

[DEPdisabled]

Hardware DEP Disabled!!

This processor does offer hardware support for valuable Data Execution Prevention (DEP) ... but it has been disabled.

Hardware DEP support is so important and powerful that Microsoft has obtained the commitment from all system manufacturers to begin enabling DEP support in all system BIOSes. However, early BIOSes either disabled hardware DEP in the interest of compatibility, or allow their users to optionally enable it through BIOS setup screens ... but still disable it by default.

SecurAble has confirmed that this system's processor does offer valuable support for hardware DEP, but that it has been deliberately disabled by the BIOS. You should shutdown and restart this system, and enter the BIOS setup screens as the system restarts. Then locate and enable the system's support for "Execution Disable" or "No Execute Bit" or something similarly named. Then restart your system and re-run this utility to verify that hardware DEP support has been enabled. (And please also click the Hardware D.E.P. icon again to receive additional help for the next steps to take.)

If you are unable to locate anything in your BIOS to allow hardware DEP support to be enabled please keep an eye out for our follow-on utility, DEPuty, which will provide solutions for users having very stubborn BIOSes.

[Win64]

Hardware DEP Disabled?

Although hardware DEP is not currently available to the operating system, this motherboard BIOS might be disabling the processor's hardware DEP support at boot time.

32-bit Windows applications, such as this SecurAble utility, run under 64-bit version of Windows inside of a 32-bit emulation system known as WOW64 (Windows On Windows). This prevents SecurAble from determining whether this system's processor actually does support hardware DEP.

You should shutdown and restart this system, then enter the BIOS setup screens as the system restarts. Locate and enable the system's support for "Execution Disable" or "No Execute Bit" or something similarly named. Then restart your system and re-run this utility to verify that hardware DEP support has been enabled. (And please also click the Hardware D.E.P. icon again to receive additional help for the next steps to take.)

[Win9x]

Hardware DEP Disabled?

Although hardware DEP is not currently available to the operating system, this motherboard BIOS might be disabling the processor's hardware DEP support at boot time.

While running under Windows 95/98/ME, this program cannot determine whether this system's processor actually does support hardware DEP, but even if it did, this operating system is unable to take advantage of it to protect from malicious buffer overruns.

You should shutdown and restart this system, then enter the BIOS setup screens as the system restarts. Locate and enable the system's support for "Execution Disable" or "No Execute Bit" or something similarly named. Then restart your system and re-run this utility to verify that hardware DEP support has been enabled. (And please also click the Hardware D.E.P. icon again to receive additional help for the next steps to take.)

[NoAdmin]

Hardware DEP Disabled?

Although hardware DEP is not currently available to the operating system, this motherboard BIOS might be disabling the processor's hardware DEP support at boot time.

If you will run this application with administrative privileges, it will be able to run some test code in the operating system's kernel to allow it to determine whether the BIOS is deliberately suppressing the availability of hardware DEP support.

[NoVirt]

No Hardware Virtualization

This processor does not offer advanced hardware support for hardware virtualization.

There is some suggestion that future operating systems of all sorts (Linux, Mac, Windows, etc.) may be able to use hardware virtualization to indirectly enforce greater security upon the operating system's "kernel" by preventing it from being modified as a means for thwarting dangerous "root kit" style exploits.

The idea is that our future operating systems would always be running inside a virtual machine under the watchful eye of an OS "hypervisor." This has not been practical before now, without hardware support for virtualization, because virtualization required too much real-time involvement of software which introduced an unacceptable amount of overhead and slowed everything down. Hardware virtualization means that virtual machines - and even the entire operating system running inside a virtual machine container - would be able to run at 100% full speed, thus making a persistent security-oriented OS "hypervisor" practical for the first time.

But don't hope for this to ever help with the security of 32-bit Windows platforms. Due to the amount of kernel modification already being done by benign kernel drivers in 32-bit versions of Windows, "hypervisory kernel locking" could only ever be implemented under 64-bit versions of Windows where kernel modification has always been actively prohibited. And due to serious compatibility problems inherent in 64-bit systems, it's also not at all clear (at the start of 2007) how quickly, or even whether, 64-bit Windows will become practical on the desktop.

However, the other current and real security-related application for hardware virtualization is for running your own virtual machines - at 100% full speed - on top of your host operating system. This is possible today with commercial and completely free software from Microsoft, VMware and Parallels. This has an indirect, though strongly positive, impact upon security since possibly unsafe activities such as Internet surfing or peer-to-peer file sharing can be 100% contained within the virtual environment to make online activities much safer.

This can still be done, of course, without hardware virtualization support, but the virtual machine environment as well as the hosting operating system will be running at substantially less than full speed.

[YesVirt]

Hardware Virtualization

This processor does offer advanced hardware support for hardware virtualization!

There is some suggestion that future operating systems of all sorts (Windows, Linux, Mac, etc.) may be able to use hardware virtualization to indirectly enforce greater security upon the operating system's "kernel" by preventing it from being modified as a means for thwarting dangerous "root kit" style exploits.

The idea is that our future operating systems would always be running inside a virtual machine under the watchful eye of an OS "hypervisor." This has not been practical before now, without hardware support for virtualization, because virtualization required too much real-time involvement of software which introduced an unacceptable amount of overhead and slowed everything down. Hardware virtualization means that virtual machines - and even the entire operating system running inside a virtual machine container - would be able to run at 100% full speed, thus making a persistent security-oriented OS "hypervisor" practical for the first time.

But don't hope for this to ever help with the security of 32-bit Windows platforms. Due to the amount of kernel modification already being done by benign kernel drivers in 32-bit versions of Windows, "hypervisory kernel locking" could only ever be implemented under 64-bit versions of Windows where kernel modification has always been actively prohibited. And due to serious compatibility problems inherent in 64-bit systems, it's also not at all clear (at the start of 2007) how quickly, or even whether, 64-bit Windows will become practical on the desktop.

However, the other current and real security-related application for hardware virtualization is for running your own virtual machines - at 100% full speed - on top of your host operating system. This is possible today with commercial and completely free software from Microsoft, VMware and Parallels. This has an indirect, though strongly positive, impact upon security since possibly unsafe activities such as Internet surfing or peer-to-peer file sharing can be 100% contained within the virtual environment to prevent any "contamination" from leaking into the host system.

This can still be done, of course, without hardware virtualization support, but the virtual machine environment as well as the hosting operating system will be running at substantially less than full speed.

[YesVirtNoAdmin]

Hardware Virtualization

This processor does offer advanced hardware support for virtualization. However, this program needs to be run with administrative rights in order to determine whether Intel's VMX virtual machine extensions are being locked on, locked off, or neither. Since there's a chance that your system's BIOS may be deliberately disabling support for hardware virtualization (some do) you should re-run this program, if possible, with administrative privileges under a 32-bit version of NT, XP, or Vista. That will allow SecurAble to run a bit of kernel-mode code in order to determine exactly what's going on. (Note that you can also poke around in your system's BIOS to see whether you're able to find any references to "hardware virtualization" or "VMX", etc.)

[YesVirtWin9x]

Hardware Virtualization

This processor does offer advanced hardware support for virtualization. However, while running under Win 95/98/ME, this program cannot execute its 32-bit kernel code to determine whether Intel's VMX virtual machine extensions are being locked on, locked off, or neither. Since there's a chance that your system's BIOS may be deliberately disabling support for hardware virtualization (some do) you should re-run this program, if possible, with administrative privileges under a 32-bit version of NT, XP, or Vista. That will allow SecurAble to run a bit of kernel-mode code in order to determine exactly what's going on. (Note that you can also poke around in your system's BIOS to see whether you're able to find any references to "hardware virtualization" or "VMX", etc.

[YesVirtWin64]

Hardware Virtualization

This processor does offer advanced hardware support for virtualization. However, while running under a 64-bit version of Windows this program cannot execute its 32-bit kernel code to determine whether Intel's VMX virtual machine extensions are being locked on, locked off, or neither. Since there's a chance that your system's BIOS may be deliberately disabling support for hardware virtualization (some do) you should re-run this program, if possible, with administrative privileges under a 32-bit version of NT, XP, or Vista. That will allow SecurAble to run a bit of kernel-mode code in order to determine exactly what's going on. (Note that you can also poke around in your system's BIOS to see whether you're able to find any references to "hardware virtualization" or "VMX", etc.

[LockedOff]

Virtualization Locked Off

This processor's advanced hardware support for virtualization has been disabled and "locked off" by some external influence - most likely by this system's BIOS as the system was booting. Since enabling hardware virtualization will allow faster and more secure virtual machines and their hosting operating systems to run at 100% full speed, you may wish to poke around in your system's BIOS to see whether you're able to find any references to "hardware virtualization" or "VMX", etc.

[LockedOn]

Virtualization Locked On

This processor's advanced hardware support for virtualization has been enabled and "locked on" to prevent virtual machine penetration compromise. This was probably done by your system's BIOS or by whatever desktop virtual machine system you are using, if any. But if neither are the case you may wish to determine what has done this since it could be a sign of an advanced root kit compromise.

[About]

About SecurAble

This "SecurAble" GRC freeware was an outgrowth from several "Security Now!" podcasts with Leo Laporte. These MP3 audio files are freely available for download from GRC's web site in both smaller-sized 16 kbps and higher-quality 64 kbps versions, and textual transcripts of the programs are also available:

http://www.GRC.com/SecurityNow

The following episodes will be of particular interest:

# 66 - Windows Vista Security
# 67 - Kernel Patch Protection
# 71 - SecurAble

What is "SecurAble" ?

Future PC security will increasingly rely upon specific hardware capabilities offered by modern processors:

As Windows makes the painful move from a 32-bit kernel to a new kernel running in 64-bit mode, Microsoft is working to avoid repeating mistakes made during the 32-bit era. Consequently, 64-bit versions of Windows will offer significantly stronger security than was ever available to Windows 32-bit operating systems.

Most modern computer vulnerabilities arise from communications buffers that can be overrun with malicious data. This allows remote attackers to inject their own code into vulnerable computers across the Internet. Modern processors incorporate explicit hardware controls to prevent the mistaken execution of remotely supplied data. This "data execution prevention" (DEP), when available and active, enables the most promising improvement in PC security ever seen.

To improve the performance of systems running "virtual machines" (VMs), modern processors added hardware support to allow securely encapsulated VMs to run at the same speed as non-VM systems. This benefits security by increasing the robustness of, and removing all performance penalties from, the continuous use of virtual machine technology. Since virtual machines allow "supervision" by their hosting environment, this supervision can be used to dramatically increase the system's overall security.

For the reasons described above, these three modern processor characteristics will play an important role in enhancing personal computing security in the future. But it's not readily clear from "outside the box" which features individual systems may contain. So I created this little "SecurAble" utility to allow anyone to quickly and easily determine which of these useful capabilities their system's processor supports.

Note: When running SecurAble, be sure to click on each of the three displayed items to receive additional details about the meaning of the display and the security-related implications of each processor feature.

[EndOfText]]