
User-mode vs Kernel-mode

Date: 02/10/25 · Author: emryllfoundationwindows


Background

Modern operating systems are divided into 2 or more protection rings. The rings are implemented in the CPU itself: the x86 architecture provides 4 rings, but Windows uses only 2 of them (rings 0 and 3). These two protection rings are referred to as user-mode and kernel-mode.

Without this separation of privilege levels, every application would have unrestricted access to all of the computer's resources and to every other application on the system. On top of that, a single program crashing could bring down the whole system. These are the problems that protection rings solve.

User-mode

The purpose of user-mode is to isolate user applications: it prevents an application from crashing the entire system and aims to prevent applications from tampering with each other. Each user-mode process has its own virtual address space and cannot, on its own, see into another process's memory. Of course, through the Windows API a process can request access to another process's memory; that access is provided by the kernel.

Because user-mode is isolated in this way, access rights can be controlled through mechanisms such as the Windows API. The trade-off is that having to ask the kernel to perform operations, and the switch from user-mode to kernel-mode that this requires, introduces minor overhead.

What is the kernel?

Simply put, the kernel is the brain and orchestrator of the operating system. It is the most trusted part of the system: it has practically limitless access to the computer's resources and control over any process. It is the bridge between user applications and hardware. More specifically, kernel drivers bridge hardware to software, and the kernel itself (ntoskrnl.exe) bridges user-mode applications and drivers. In kernel-mode, all processes share a single virtual address space. On Windows the kernel lives in the high addresses, while the memory space below it is left for user-mode.
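As an added example (not code from the original article), the following C program makes the two points above concrete: it reads the current ring from the low two bits of the CS selector, and it sorts virtual addresses into the user-mode half, the kernel-mode half, and the non-canonical gap between them. It assumes an x86-64 system with 4-level paging (48-bit canonical addresses); the kernel-shaped address at the end is a constructed sample, not a real system value.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Current privilege level (ring) of the running code. On x86 the CPU keeps
 * the CPL in the low two bits of the CS segment selector, so user-mode code
 * reads 3 and ring-0 (kernel) code would read 0. Returns -1 when not built
 * for x86, where this check does not apply. */
int current_ring(void) {
#if defined(__x86_64__) || defined(__i386__)
    unsigned short cs;
    __asm__ volatile("mov %%cs, %0" : "=r"(cs));
    return cs & 3;
#else
    return -1;
#endif
}

/* Which half of the address space a virtual address belongs to, assuming
 * 4-level x86-64 paging (48-bit canonical addresses). User-mode owns the low
 * half and the kernel the high half; addresses in between are non-canonical
 * and cannot be mapped by anyone. */
typedef enum { ADDR_USER, ADDR_KERNEL, ADDR_NONCANONICAL } addr_half_t;

addr_half_t classify_address(uint64_t va) {
    const uint64_t user_limit   = 0x0000800000000000ULL; /* first non-canonical */
    const uint64_t kernel_start = 0xFFFF800000000000ULL; /* first kernel address */
    if (va < user_limit)    return ADDR_USER;
    if (va >= kernel_start) return ADDR_KERNEL;
    return ADDR_NONCANONICAL;
}

int main(void) {
    int stack_var = 0;
    void *heap = malloc(16);
    printf("running in ring %d\n", current_ring());
    printf("stack %p -> %d, heap %p -> %d\n",
           (void *)&stack_var, classify_address((uintptr_t)&stack_var),
           heap, classify_address((uintptr_t)heap));
    /* Constructed sample: an address shaped like a kernel-mode address. */
    printf("0xFFFFF80000000000 -> %d\n", classify_address(0xFFFFF80000000000ULL));
    free(heap);
    return 0;
}
```

Run as an ordinary program it reports ring 3 and classifies its own stack and heap as user-mode; a pointer into the upper half can only ever belong to the kernel, which is why user-mode code touching one faults instead of reading it.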

The kernel is in charge of file I/O, memory management, thread scheduling, the use of other hardware, and more: essentially the use of all resources and hardware. It also keeps track of every process and thread and of information about them, such as the handles they hold.

A crash in the kernel is severe and brings down the entire system; it causes the infamous Blue Screen Of Death (BSOD). Careful programming is essential in the kernel, not only to prevent crashes but also because a vulnerable kernel-mode component can be leveraged by malicious actors with destructive results. Such an attack, dubbed Bring Your Own Vulnerable Driver (BYOVD), has been extremely popular with sophisticated adversaries in recent years. With kernel access, malware can easily shut down security products and gains access to essentially everything.

In the next article we go over how user-mode applications interact with the kernel.