Quiz Entry - updated: 2026.07.14
What can a Ring 3 (user mode) program NOT do directly?
It can't touch hardware directly, read other processes' memory, or run privileged instructions — it must ask the kernel via system calls.
* x86 protection rings put the all-powerful kernel at the centre and user applications on the outermost, least-privileged ring. *
Forbidden actions (must go through OS):
| Cannot Do Directly | Why | How to Do It |
|---|---|---|
| Read/write disk | Hardware access | System call (read, write) |
| Send network packet | Hardware access | System call (socket API) |
| Allocate memory | Resource management | System call (mmap, brk) |
| Access other process | Isolation | Shared memory via OS |
| Change page tables | Would break isolation | Only kernel can |
| Disable interrupts | Would hang system | Only kernel can |
Privileged instructions (Ring 0 only):
hlt- halt the processorin/out- direct I/O port accessmov cr3, ...- change page table basecli/sti- disable/enable interruptswbinvd- flush all caches
What Ring 3 CAN do:
- Normal computation (add, multiply, compare)
- Access its own memory (within its virtual address space)
- Execute most CPU instructions
- Request services from kernel via system calls
Security implication: This is why exploitation often aims for "privilege escalation" - getting code to run in Ring 0.
Go deeper:
Protection ring (Wikipedia) — ring 0 vs ring 3, privileged instructions, and the fault that fires when user code oversteps.
System call (Wikipedia) — the controlled trap a ring-3 program uses to ask the kernel to do what it may not do itself.