Layers of an Operating System

Operating systems can be broken down into a number of discrete layers, each with its own privileges. This system is known as a protection ring.

What is a Protection Ring?

The operating system manages a computer’s resources, such as processing time on the CPU and access to memory. Computers are often running multiple software processes at once, and these will require differing levels of access to resources and hardware.

Processes are executed in layered “rings”, where each ring has different access rights to resources. The central ring has the highest privileges, and each subsequent layer has decreased access. A common implementation of a protection ring for x86 processors (a common type of CPU) has four rings, numbered from 0 through to 3, as described below.

Why Layers?

The layered model offers two main benefits. Firstly, it protects against system crashes. Errors in higher rings (with less access) can usually be recovered from. This is because only ring 0 has direct access to the memory and CPU, so if a process runnning in the outer ring crashes, it can be restarted without losing data or causing an error in the CPU. Secondly, it offers increased security. To execute instructions that require more access to resources, the process must request the permissions from the operating system. The OS can then decide whether to grant the request or deny it. This selection process helps to protect your system from unwanted or malicious behaviour.

The parts of the protection ring

Ring 0 (most privileged) and 3 (least privileged)

Ring 0 is accessible to the kernel, which is a central part of most operating systems and can access everything. Code running here is said to be running in kernel mode. Processes running in kernel mode can affect the entire system; if anything fails here, it will probably result in a system shutdown. This ring has direct access to the CPU and the system memory, so any instructions requiring the use of either will be executed here.

Ring 3, the least priviliged ring, is accessible to user processes that are running in user mode. This is where most applications running on your computer will reside. This ring has no direct access to the CPU or memory, and therefore has to pass any instructions involving these to ring 0.

Rings 1 and 2

Rings 1 and 2 have special privileges that ring 3 (user mode) does not. Ring 1 is used to interact with and control hardware connected to your computer. Playing a song through speakers or headphones, or displaying video on your monitor, are examples of instructions that would need to run in this ring. Ring 2 is used for instructions that need to interact with the system storage, loading or saving files. These sorts of permissions are called input and output, as they involve moving data into or out of working memory (RAM). Loading a Word document from storage, for example, would be in ring 2. Viewing and editing the document would fall into ring 3, the application layer.

Discussion

• Think of a process that could run on your computer, such as a calculator program, or playing a game. What sort of instructions would be involved, and what rings would they use?
• What do you think would happen if all code ran in ring 0?