Back to DAG

Privilege Rings (Ring 0/3)

os

Hardware Protection Rings

Prerequisites(2)
OS KernelISA (x86, ARM, RISC-V)
Builds on to(1)
System Calls

Modern CPUs enforce a hardware-level separation between trusted OS code and untrusted application code using protection rings. The x86 architecture defines four privilege levels (rings 0 through 3), though in practice only two are commonly used.

Ring 0: Kernel Mode

Ring 0 is the most privileged level. Code running at ring 0 has unrestricted access to all hardware:

  • Execute any CPU instruction, including privileged instructions (hlt, lgdt, mov to control registers, in/out for port I/O).
  • Access any physical memory address.
  • Configure the MMU, page tables, and interrupt handlers.
  • Enable/disable interrupts.

The OS kernel runs at ring 0. A bug here (e.g., a faulty device driver) can crash the entire system.

Ring 3: User Mode

Ring 3 is the least privileged level. Application code runs here with significant restrictions:

  • Cannot execute privileged instructions (attempting to do so triggers a general protection fault, an exception the kernel handles by typically killing the offending process).
  • Cannot directly access I/O ports or hardware devices.
  • Can only access memory that the page table marks as user-accessible (the U/S bit).
  • Cannot modify its own page tables or interrupt descriptor table.

The Mode Bit

The CPU's current privilege level (CPL) is stored in the lowest 2 bits of the CS (Code Segment) register. When CPL = 0, the CPU is in kernel mode. When CPL = 3, it is in user mode. The hardware checks the CPL on every instruction and memory access.

Ring 1 and Ring 2

x86 technically supports rings 1 and 2 for intermediate privilege levels (originally intended for device drivers and OS services). In practice, virtually no modern OS uses them. Both Linux and Windows use only ring 0 and ring 3. The reasons:

  • Portability: other architectures (ARM, RISC-V) only have two privilege levels, so using rings 1/2 would make the OS x86-specific.
  • Complexity: managing four rings adds complexity with minimal practical benefit.
  • Virtualization: hypervisors (VMware, KVM) originally used ring 1 to run guest kernels (ring de-privileging), but hardware virtualization extensions (VT-x) made this unnecessary.

ARM Equivalent: Exception Levels

ARM processors use Exception Levels (EL0-EL3):

Levelx86 EquivalentPurpose
EL0Ring 3User applications
EL1Ring 0OS kernel
EL2(no direct equivalent)Hypervisor
EL3(no direct equivalent)Secure monitor (TrustZone)

ARM's EL2 and EL3 provide dedicated levels for virtualization and security that x86 handles through extensions (VT-x, SMM).

Mode Switch

Transitioning from user mode (ring 3) to kernel mode (ring 0) occurs via controlled entry points:

  • Trap/syscall instruction: the user program deliberately requests a kernel service (e.g., syscall on x86-64, svc on ARM).
  • Hardware interrupt: an external device (keyboard, disk, timer) signals the CPU.
  • Exception/fault: the CPU encounters an error (division by zero, page fault, invalid opcode).

In all cases, the CPU automatically switches to ring 0, saves the user-mode state, and jumps to a handler address defined in the Interrupt Descriptor Table (IDT). The reverse transition (iret or sysret) restores the user-mode state and drops back to ring 3.

Why Ring 3 Restrictions Matter

Real-World Example

Consider what would happen if applications ran at ring 0:

  • A malicious program could read any process's memory (passwords, encryption keys), modify kernel data structures, or install rootkits.
  • A buggy program with a buffer overflow could overwrite kernel memory, crashing the entire system instead of just the faulty process.
  • A game could directly program the disk controller, bypassing the file system and corrupting data belonging to other programs.

With ring 3 enforcement:

  • The buggy program triggers a segmentation fault. The kernel kills only that process; everything else continues.
  • The malicious program cannot read other processes' memory because the page table (controlled by the kernel at ring 0) marks those pages as inaccessible from ring 3.
  • The game must ask the kernel (via system calls) to perform I/O, and the kernel enforces file permissions.

Real-world example: the Meltdown vulnerability (2018) was so severe because it allowed ring 3 code to read ring 0 memory by exploiting speculative execution. The fix (KPTI -- Kernel Page Table Isolation) unmaps kernel pages from user-space page tables, adding overhead to every mode switch.

x86 Protection Rings

Ring 3 User Applications Ring 2 (unused) Ring 1 (unused) Ring 0 Kernel Browsers, editors, games, compilers No privileged instructions trap / syscall / interrupt iret / sysret ARM Exception Levels EL3: Secure Monitor TrustZone firmware EL2: Hypervisor VM management (KVM) EL1: OS Kernel Full hardware access EL0: User Apps Restricted access ARM has dedicated hypervisor and secure levels, unlike x86 which uses VT-x extensions.
Step 1 of 2