Processor and memory space

We have already discussed various exploits and the processor technologies that act as countermeasures. Two predominant technologies to look for in CPU and OS facilities are non-executable memory and address space layout randomization. Both are meant to burden or prevent buffer-overflow and stack-overrun types of malware injection:

  • Non-execution or executable space protection: This is a hardware facility that the operating system uses to mark areas of memory as non-executable. The intent is that only regions where verified and legitimate code resides are mapped as executable. If an attempt is made to implant malware through a stack-overflow type of attack, the stack will be marked as non-executable, and an attempt to force the instruction pointer to execute there results in a machine exception. Non-executable memory uses an NX bit as a means to map the region as non-executable (through the translation lookaside buffer). Intel uses the XD bit (eXecute Disable) and ARM uses an XN bit (eXecute Never). Most operating systems, such as Linux, Windows, and several RTOSs, support such features.
  • Address space layout randomization (ASLR): While more of an operating system treatment of virtual memory space than a hardware feature, ASLR is important to consider. This countermeasure targets buffer-overflow as well as return-to-libc attacks. These attacks depend on the attacker understanding the layout of memory and forcing calls into certain benign code and libraries. Calling these libraries becomes particularly laborious if the memory space is randomized on each boot. Linux provides ASLR through the PaX and Exec Shield patches. Microsoft provides protection for heap, stack, and process blocks as well.
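
To check that the non-executable protection described in the first item is actually in effect for a process, a defender can audit its memory map. The following is an added example, not code from the book: it parses text in the Linux /proc/<pid>/maps format and reports mappings that are both writable and executable, and whether the stack is executable. The function name `audit_maps` and both sample listings are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed samples in /proc/<pid>/maps format (not captured from a real system). */
static const char SAMPLE_HARDENED[] =
    "55d0c2a00000-55d0c2a02000 r-xp 00000000 08:01 131 /usr/bin/demo\n"
    "55d0c2c02000-55d0c2c03000 rw-p 00002000 08:01 131 /usr/bin/demo\n"
    "7ffd4b1e0000-7ffd4b201000 rw-p 00000000 00:00 0 [stack]\n";
static const char SAMPLE_WEAK[] =
    "00400000-00402000 r-xp 00000000 08:01 132 /usr/bin/legacy\n"
    "7f1a00000000-7f1a00021000 rwxp 00000000 00:00 0 \n"
    "7ffe10000000-7ffe10021000 rwxp 00000000 00:00 0 [stack]\n";

/* Returns the number of mappings that are both writable and executable;
 * sets *stack_exec to 1 if the [stack] mapping carries the x permission. */
int audit_maps(const char *maps, int *stack_exec)
{
    int wx = 0;
    *stack_exec = 0;
    while (*maps) {
        const char *eol = strchr(maps, '\n');
        size_t len = eol ? (size_t)(eol - maps) : strlen(maps);
        size_t n = len < 255 ? len : 255;   /* copy at most one buffer's worth */
        char line[256] = {0}, perms[5] = {0};
        memcpy(line, maps, n);
        /* The second field is the permission string, e.g. "rw-p". */
        if (sscanf(line, "%*s %4s", perms) == 1) {
            int w = perms[1] == 'w', x = perms[2] == 'x';
            if (w && x) wx++;
            if (x && strstr(line, "[stack]")) *stack_exec = 1;
        }
        maps += len + (eol ? 1 : 0);        /* advance past the full line */
    }
    return wx;
}

int main(void)
{
    int se;
    int wx = audit_maps(SAMPLE_HARDENED, &se);
    printf("hardened: W+X=%d stack_exec=%d\n", wx, se);
    wx = audit_maps(SAMPLE_WEAK, &se);
    printf("weak:     W+X=%d stack_exec=%d\n", wx, se);
    return 0;
}
```

On a live Linux system the same function can be given the contents of /proc/<pid>/maps for the process under review.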