Quiz Entry - updated: 2026.07.14
How does the OS isolate processes from each other and from the kernel?
Each process runs in its own virtual address space and may run only "safe" instructions; anything touching hardware or another process must go through the kernel.
The CPU's user mode blocks privileged instructions, and the MMU translates every memory access through the process's own page table — so one process literally cannot name another's memory or reach a device on its own.
Process restrictions:
- Direct CPU access, but only "safe" instructions allowed
- Seemingly direct memory access, but actually virtual (translated by MMU)
- No direct access to other processes' memory (unless explicitly shared)
- No direct access to I/O devices (disk, network, display)
What processes can access:
| Resource | Access Method |
|---|---|
| CPU | Direct (safe instructions only) |
| Memory | Virtual addresses (translated by MMU) |
| Files | System calls (open, read, write) |
| Network | System calls (socket API) |
| Other devices | System calls |
Memory split (32-bit Linux):
- User space: 3GB (accessible to process)
- Kernel space: 1GB (invisible to process)
Go deeper:
Protection ring (Wikipedia) — user vs kernel mode as the privilege boundary that keeps processes out of the kernel.
Memory management unit (Wikipedia) — address translation that stops one process reading or writing another's memory.