Memory Isolation

Within a process's virtual address space, memory is further segmented into distinct regions with specific permissions, enforced by the OS and MMU. This internal isolation protects different parts of the process from itself.

Common segments include:

• Text/Code Segment: Contains executable instructions. Marked as Read-Only and Executable to prevent self-modifying code.
• Data Segment: Stores initialized global and static variables. Typically Read-Write.
• Heap: Dynamically allocated memory (via malloc, new). Grows upwards. Read-Write.
• Stack: Stores local variables and function call metadata. Grows downwards. Read-Write.
• Guard Pages: Inaccessible pages placed between key segments (e.g., between stack and heap) to catch overflow errors.

The controlled gateway through which isolated user processes request services from the privileged kernel. Since processes cannot access kernel memory or hardware directly, they must make system calls (e.g., read, write, fork).

• Mechanism: A software interrupt or dedicated instruction (like syscall on x86-64) triggers a context switch from user mode to kernel mode.
• Isolation Role: The kernel validates all parameters passed from user space, copies data between kernel and user buffers, and performs the requested operation safely. This prevents a user process from passing a malicious pointer that tricks the kernel into accessing another process's memory.

Higher-level abstractions that build upon hardware memory isolation to provide stronger environmental separation.

• Containers (e.g., Docker): Use kernel features like namespaces to provide processes with isolated views of system resources, including a private set of process IDs, network interfaces, and filesystems. All containers share the host OS kernel, but memory isolation between containers is still enforced via the standard virtual memory system.
• Virtual Machines (e.g., VMware, KVM): Provide full machine abstraction. A hypervisor allocates physical memory to each VM and uses nested page tables (AMD-V NPT, Intel EPT) to translate guest-virtual addresses to host-physical addresses. This provides stronger isolation, as a guest OS and its kernel run in a de-privileged mode, unable to access host or other VM memory.

A modern hardware-assisted mechanism for efficient, fine-grained memory protection within a single address space. It allows user-space software to assign a small protection key (e.g., 4-bit on x86) to regions of memory and quickly disable access (write or all access) to those regions by modifying a CPU register.

• Use Case: Ideal for isolating sensitive data within a large, monolithic process. For example, a web server could use MPK to temporarily make cryptographic key buffers inaccessible during non-crypto operations, mitigating certain side-channel attacks.
• Advantage over Page Tables: Changing protection via MPK is much faster than modifying page table entries, which requires a TLB flush and can be costly.

The fundamental architectural separation in an operating system that enforces memory isolation at the highest level.

• Kernel Space: A protected, high-privilege region of virtual memory reserved for the operating system kernel and its core components. It has direct access to hardware and all system memory.
• User Space: The memory area where all user-mode applications execute. Processes in user space cannot directly access kernel memory or hardware; they must make system calls, which are controlled gateways into kernel space. This separation is critical for system stability, security, and preventing application crashes from affecting the entire OS.