Why Your Program Can’t Directly Control Memory or Hardware on Modern OSes
On modern operating systems, user‑mode programs are prevented from directly managing memory, executing privileged CPU instructions, or accessing hardware because such actions would break isolation, corrupt kernel data structures, and jeopardize system stability and security.
Direct Memory Management
Operating systems allocate a separate virtual address space for each process using page tables. The kernel alone can modify page‑table entries and control registers such as CR3 (which holds the physical address of the current page‑table root). If a user‑mode program could write arbitrary page‑table entries or change CR3, it could:
Map pages belonging to another process, allowing read/write of private memory.
Map kernel pages, corrupting kernel data structures or disabling protection bits.
Remove present/execute flags, causing page faults or system crashes.
Example: executing mov cr3, eax with eax pointing to another process’s page‑table would instantly switch the CPU to that address space, breaking isolation.
Privileged CPU Instructions
Instructions that affect global processor state are restricted to Ring 0. Typical privileged instructions include:
CLI / STI – clear or set the interrupt flag.
Modification of control registers (CR0, CR2, CR3, CR4).
I/O port instructions IN and OUT.
HLT, LGDT, LIDT, MOV to model‑specific registers, etc.
Disabling interrupts with cli prevents the scheduler and device drivers from receiving timer or I/O interrupts, causing a user loop to monopolize a CPU core. Changing CR0 can clear the WP (write‑protect) bit, allowing writes to read‑only pages.
Direct Hardware I/O
Access to hardware is mediated by the kernel. Two mechanisms exist for low‑level I/O:
I/O port space accessed with in / out instructions.
Memory‑mapped I/O (MMIO) regions that appear as ordinary physical addresses.
Unrestricted use of these mechanisms can corrupt device state, cause data loss, or damage hardware. For instance, writing directly to a disk controller’s command register bypasses the file system, allowing arbitrary sector reads/writes.
Kernel Data Structures
The kernel stores critical state in structures such as:
task_struct (process control block) in Linux.
File descriptor tables.
Interrupt descriptor tables.
Page‑table hierarchies.
These structures reside in kernel memory and are only reachable from Ring 0. If a user process could modify its own task_struct, it could change the uid field to 0, effectively granting root privileges.
CPU Privilege Levels
Modern x86 CPUs implement four rings (0–3). Operating systems typically use only Ring 0 (kernel) and Ring 3 (user). The CPU checks the current CPL (Current Privilege Level) before executing a privileged instruction; a violation raises a General Protection fault (#GP), which the OS handles by terminating the offending process.
This hardware‑enforced separation is the foundation of multi‑program stability and security. To perform any of the operations described above, user code must invoke a system call, allowing the kernel to execute the privileged instruction on its behalf.
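The #GP path described above can be observed from user space without affecting the rest of the system. The following is an added example, not code from the original article: it assumes Linux on x86 or x86-64 with GCC or Clang, and the names `priv_op`, `run_op` and `probe` are hypothetical. Each instruction runs in a forked child so the parent can report the signal the kernel delivers.

```c
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical names for this example; the instructions are from the article. */
enum priv_op { OP_CLI, OP_READ_CR3, OP_HLT, OP_INB, OP_COUNT };
static const char *const op_name[OP_COUNT] = {
    "cli", "mov %cr3, reg", "hlt", "inb $0x80"
};

/* Executes one privileged instruction at CPL 3; the CPU raises #GP instead. */
static void run_op(enum priv_op op) {
    unsigned long reg = 0;
    unsigned char byte = 0;
    switch (op) {
    case OP_CLI:      __asm__ volatile("cli"); break;
    case OP_READ_CR3: __asm__ volatile("mov %%cr3, %0" : "=r"(reg)); break;
    case OP_HLT:      __asm__ volatile("hlt"); break;
    case OP_INB:      __asm__ volatile("inb %1, %0" : "=a"(byte)
                                       : "Nd"((unsigned short)0x80)); break;
    default: break;
    }
    (void)reg; (void)byte;
}

/* Forks a child that runs `op`. Returns the signal that killed the child,
 * 0 if the instruction was unexpectedly allowed, or -1 on fork/wait error. */
int probe(enum priv_op op) {
    int status;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) { run_op(op); _exit(0); }   /* _exit only if no fault */
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFSIGNALED(status) ? WTERMSIG(status) : 0;
}

int main(void) {
    for (int op = 0; op < OP_COUNT; op++) {
        int sig = probe((enum priv_op)op);
        printf("%-14s -> signal %d%s\n", op_name[op], sig,
               sig == SIGSEGV ? " (SIGSEGV)" : "");
    }
    return 0;
}
```

Each row should report SIGSEGV: the CPU raises #GP at CPL 3, and Linux converts the fault into a signal whose default action terminates the process.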
Liangxu Linux
Liangxu, a self‑taught IT professional now working as a Linux development engineer at a Fortune 500 multinational, shares extensive Linux knowledge—fundamentals, applications, tools, plus Git, databases, Raspberry Pi, etc.
