I recently took home a build of Windows Vista for my home machine, which happens to be a dual-processor 64-bit Dell machine, and it made me curious about the differences between the x86 and x64 versions of Vista – specifically security differences.

 

After doing a brief bit of research, I found three unique security benefits in Vista x64:

·  Hardware NX protection on globally by default.

·  Kernel Patch Protection aka Patchguard. 

·  Mandatory Kernel Module and Driver Signing.

 

No eXecute (aka NX, aka Data Execution Protection, or DEP) enforces protection in hardware, for CPUs that support NX, to stop code from executing in a data segment. Many traditional exploits contain code that is presented to the system as data but is then executed as code; NX stops that from happening.  While not a panacea, in the context of the bigger picture, this is a powerful protection.

 

On x86 systems, the default for NX is to protect code that opts in (“OptIn”) to NX protection, while on x64 Vista, the default is to protect all code, thus raising the security bar a bit further.  I am going to do some of my own buffer overflow tests between my x86 laptop and my x64 home machine to get a more personal feel for this - I'll update you when I do that.

 

I see Patchguard and Mandatory Kernel Module and Driver signing as closely related and both deserve a deeper look, so I’ll follow up with a separate post on those in a day or two. 

 

In the meantime, having looked at all three of these security features in a little more detail myself, I can say I am just a bit more comfortable from a security perspective with my x64 system than I would be without it.

 

Oh, and as a side note, the newer build is definitely more polished as compared to the Beta2 build.  I've transitioned over to using Vista x64 as my primary home machine and only rarely boot up in XP anymore (largely gaming related ... ;-)

 

Regards ~ Jeff