Memory Isolation

The core mechanism enabling memory isolation. Each process operates within its own virtual address space, a private, linear range of memory addresses. The Memory Management Unit (MMU) and operating system translate these virtual addresses to physical RAM locations via page tables. This creates the illusion of exclusive memory ownership, as one process's address 0x1000 maps to a different physical location than another process's 0x1000.

• Key Benefit: Processes are isolated by design; they cannot directly address another process's physical memory.
• Example: A web browser and a text editor run simultaneously, each believing it has access to memory starting at address zero, while the OS manages the distinct physical mappings.

CPU architectures implement privilege levels, or rings, to isolate kernel memory from user processes. The operating system kernel runs in a privileged mode (Ring 0 on x86, EL1/EL2 on ARM), granting it access to all memory and hardware instructions. User applications run in an unprivileged mode (Ring 3, EL0), where attempts to execute privileged instructions or access kernel memory space trigger a hardware fault.

• Mechanism: The MMU uses permission bits (Read, Write, Execute) in page table entries to enforce access. Kernel pages are marked as inaccessible to user-mode code.
• Consequence: A buggy or malicious user process cannot corrupt the kernel's memory, ensuring system stability.

Within a process's virtual address space, memory is further segmented into distinct regions with specific permissions, enforced by the OS and MMU. This internal isolation protects different parts of the process from itself.

Common segments include:

• Text/Code Segment: Contains executable instructions. Marked as Read-Only and Executable to prevent self-modifying code.
• Data Segment: Stores initialized global and static variables. Typically Read-Write.
• Heap: Dynamically allocated memory (via malloc, new). Grows upwards. Read-Write.
• Stack: Stores local variables and function call metadata. Grows downwards. Read-Write.
• Guard Pages: Inaccessible pages placed between key segments (e.g., between stack and heap) to catch overflow errors.

The controlled gateway through which isolated user processes request services from the privileged kernel. Since processes cannot access kernel memory or hardware directly, they must make system calls (e.g., read, write, fork).

• Mechanism: A software interrupt or dedicated instruction (like syscall on x86-64) triggers a context switch from user mode to kernel mode.
• Isolation Role: The kernel validates all parameters passed from user space, copies data between kernel and user buffers, and performs the requested operation safely. This prevents a user process from passing a malicious pointer that tricks the kernel into accessing another process's memory.

Higher-level abstractions that build upon hardware memory isolation to provide stronger environmental separation.

• Containers (e.g., Docker): Use kernel features like namespaces to provide processes with isolated views of system resources, including a private set of process IDs, network interfaces, and filesystems. All containers share the host OS kernel, but memory isolation between containers is still enforced via the standard virtual memory system.
• Virtual Machines (e.g., VMware, KVM): Provide full machine abstraction. A hypervisor allocates physical memory to each VM and uses nested page tables (AMD-V NPT, Intel EPT) to translate guest-virtual addresses to host-physical addresses. This provides stronger isolation, as a guest OS and its kernel run in a de-privileged mode, unable to access host or other VM memory.

A modern hardware-assisted mechanism for efficient, fine-grained memory protection within a single address space. It allows user-space software to assign a small protection key (e.g., 4-bit on x86) to regions of memory and quickly disable access (write or all access) to those regions by modifying a CPU register.

• Use Case: Ideal for isolating sensitive data within a large, monolithic process. For example, a web server could use MPK to temporarily make cryptographic key buffers inaccessible during non-crypto operations, mitigating certain side-channel attacks.
• Advantage over Page Tables: Changing protection via MPK is much faster than modifying page table entries, which requires a TLB flush and can be costly.

The fundamental architectural separation in an operating system that enforces memory isolation at the highest level.

• Kernel Space: A protected, high-privilege region of virtual memory reserved for the operating system kernel and its core components. It has direct access to hardware and all system memory.
• User Space: The memory area where all user-mode applications execute. Processes in user space cannot directly access kernel memory or hardware; they must make system calls, which are controlled gateways into kernel space. This separation is critical for system stability, security, and preventing application crashes from affecting the entire OS.