LOGBOOK

HELP

Quiz Entry - updated: 2026.07.14

What can a Ring 3 (user mode) program NOT do directly?

It can't touch hardware directly, read other processes' memory, or run privileged instructions — it must ask the kernel via system calls.

Concentric x86 protection rings: at the centre Ring 0 is the kernel with all instructions (most privileged); Rings 1 and 2 are rarely-used driver levels; the outermost Ring 3 holds applications with only safe instructions (least privileged).

* x86 protection rings put the all-powerful kernel at the centre and user applications on the outermost, least-privileged ring. *

Forbidden actions (must go through OS):

Cannot Do Directly Why How to Do It
Read/write disk Hardware access System call (read, write)
Send network packet Hardware access System call (socket API)
Allocate memory Resource management System call (mmap, brk)
Access other process Isolation Shared memory via OS
Change page tables Would break isolation Only kernel can
Disable interrupts Would hang system Only kernel can

Privileged instructions (Ring 0 only):

  • hlt - halt the processor
  • in/out - direct I/O port access
  • mov cr3, ... - change page table base
  • cli/sti - disable/enable interrupts
  • wbinvd - flush all caches

What Ring 3 CAN do:

  • Normal computation (add, multiply, compare)
  • Access its own memory (within its virtual address space)
  • Execute most CPU instructions
  • Request services from kernel via system calls

Security implication: This is why exploitation often aims for "privilege escalation" - getting code to run in Ring 0.

Go deeper:

From Quiz: REVE1 / Overview of Computer Systems | Updated: Jul 14, 2026