Section 00: Foundations — Overview

Section Purpose and Scope

This section establishes the conceptual bedrock upon which all other sections in this archive depend. Before reasoning about schedulers, file systems, or kernel exploits, you must have a precise mental model of what a kernel is, why it exists, and how hardware and software conspire to create the illusion of a well-behaved computing environment.

The scope spans the entire vertical stack from raw silicon to the system call boundary: CPU privilege rings, the hardware abstraction layer, interrupt and exception delivery, and the formal taxonomy of traps, faults, and aborts. Every topic in every subsequent section will reference concepts introduced here.


Prerequisites

  • Basic familiarity with a compiled language (C preferred)
  • Elementary understanding that programs run on CPUs and use memory
  • No prior OS knowledge required — this is the entry point

Learning Objectives

After completing this section you will be able to:

  1. Define a kernel with precision and distinguish it from a general operating system
  2. Explain the CPU privilege ring model and why hardware enforces it
  3. Describe the full lifecycle of a system call from user space to kernel space and back
  4. Differentiate between interrupts, traps, faults, and exceptions, and trace their delivery paths
  5. Draw and explain the abstraction hierarchy from transistors to user processes
  6. Articulate why hardware abstraction layers exist and what they cost
  7. Reason about the trust boundary and attack surface created by the user/kernel split

Architecture Overview

┌──────────────────────────────────────────────────────────────────┐
│                        USER SPACE (Ring 3)                       │
│  ┌─────────────┐  ┌─────────────┐  ┌──────────────────────────┐ │
│  │  User App A │  │  User App B │  │  Standard Library (libc)  │ │
│  └──────┬──────┘  └──────┬──────┘  └────────────┬─────────────┘ │
│         │                │                        │               │
│         └────────────────┴────────────────────────┘              │
│                          │  System Call Interface                 │
├──────────────────────────▼───────────────────────────────────────┤
│                  KERNEL SPACE (Ring 0)                            │
│  ┌──────────────────────────────────────────────────────────────┐│
│  │                      System Call Table                       ││
│  ├───────────┬──────────────┬────────────────┬──────────────────┤│
│  │  Process  │    Memory    │   File System  │    Network       ││
│  │  Manager  │   Manager    │      VFS       │    Stack         ││
│  ├───────────┴──────────────┴────────────────┴──────────────────┤│
│  │              Hardware Abstraction Layer (HAL)                 ││
│  └──────────────────────────┬───────────────────────────────────┘│
└─────────────────────────────▼────────────────────────────────────┘
                    HARDWARE (Ring -1 / Firmware)
         ┌──────────┐  ┌──────────┐  ┌──────────┐  ┌──────────┐
         │   CPU    │  │   RAM    │  │  Devices │  │ Firmware │
         └──────────┘  └──────────┘  └──────────┘  └──────────┘

CPU Privilege Ring Hierarchy:
  Ring 0 — Kernel (full hardware access)
  Ring 1 — Unused on most modern OSes
  Ring 2 — Unused on most modern OSes
  Ring 3 — User applications (restricted)
  Ring -1— Hypervisor (VMX root mode, Intel VT-x)

Key Concepts

  • Kernel: The mandatory, privileged software component that mediates all access to hardware resources. It runs continuously in CPU Ring 0, never exits, and is loaded at boot.
  • User Space vs. Kernel Space: A hardware-enforced memory and privilege partition. User space code cannot directly touch hardware; it must request services from the kernel.
  • CPU Privilege Rings: A hardware mechanism (x86 has 4 rings, ARM has EL0–EL3) that restricts which instructions a piece of code may execute and which memory it may access.
  • System Call: The controlled gateway through which user-space code requests kernel services. Implemented via a software interrupt (int 0x80), syscall instruction (x86-64), or svc (ARM).
  • Interrupt: An asynchronous signal from hardware (NIC received a packet, timer fired, disk DMA completed) that causes the CPU to suspend current execution and invoke a kernel handler.
  • Trap: A synchronous, intentional transfer to the kernel — typically a system call or a breakpoint (int3). The faulting instruction can be restarted after handling.
  • Fault: A synchronous exception caused by an error condition (page fault, divide-by-zero) that may be recoverable. The CPU re-executes the faulting instruction after the handler resolves the condition.
  • Abort: A non-recoverable hardware error (machine check exception, double fault). The system typically panics.
  • Hardware Abstraction Layer (HAL): A software layer within the kernel that presents a uniform interface to hardware-dependent code, enabling portability across CPU architectures and chipsets.
  • Abstraction Hierarchy: The layered stack from transistors → logic gates → ISA → machine code → OS kernel → system libraries → applications.
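The System Call and User Space vs. Kernel Space entries above, as an added example that is not code from this archive: a C program that crosses the ring boundary with the x86-64 `syscall` instruction directly, then hands the kernel a pointer into the kernel half of the address space to show that the gateway validates user-supplied arguments. It assumes Linux; the names `raw_syscall3`, `raw_getpid`, `raw_write_to_pipe` and the test address are constructed for illustration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Enter the kernel with up to three arguments. Returns the raw kernel
 * result: >= 0 on success, -errno on failure. Name is hypothetical. */
static long raw_syscall3(long nr, long a1, long a2, long a3)
{
#if defined(__x86_64__) && defined(__linux__)
    long ret;
    /* Linux x86-64 ABI: rax = number, rdi/rsi/rdx = args; clobbers rcx, r11. */
    __asm__ volatile("syscall" : "=a"(ret)
                     : "a"(nr), "D"(a1), "S"(a2), "d"(a3)
                     : "rcx", "r11", "memory");
    return ret;
#else
    /* Elsewhere: libc's generic wrapper, undoing its -1/errno mapping. */
    long ret = syscall(nr, a1, a2, a3);
    return ret == -1 ? -(long)errno : ret;
#endif
}

/* Same kernel service as libc getpid(), without the library wrapper. */
long raw_getpid(void) { return raw_syscall3(SYS_getpid, 0, 0, 0); }

/* Ask the kernel to copy len bytes from buf into a pipe. The kernel checks
 * buf before using it, so a bad pointer comes back as -EFAULT. */
long raw_write_to_pipe(const void *buf, size_t len)
{
    int fds[2];
    if (pipe(fds) != 0)
        return -(long)errno;
    long ret = raw_syscall3(SYS_write, fds[1], (long)(uintptr_t)buf, (long)len);
    close(fds[0]); close(fds[1]);
    return ret;
}

int main(void)
{
    /* Constructed address in the upper (kernel) half of the address space. */
    const void *kernel_half = (const void *)(uintptr_t)-4096;
    printf("getpid: raw=%ld libc=%ld\n", raw_getpid(), (long)getpid());
    printf("write: valid=%ld kernel_ptr=%ld\n",
           raw_write_to_pipe("ok", 2), raw_write_to_pipe(kernel_half, 2));
    return 0;
}
```

A pipe is used as the target because its write path actually copies from the user buffer, which is where the pointer check becomes visible.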

Major Historical Milestones

Year Milestone
1945 Von Neumann architecture proposed — stored-program computer separates code and data
1956 IBM 704 ships with earliest rudimentary supervisor program (precursor to OS)
1964 IBM System/360 introduces the concept of a clean hardware/software interface
1965 MULTICS project begins — first OS to systematically formalize rings and protection
1969 Unix written by Thompson and Ritchie — kernel as a small privileged core
1974 Intel 8080 introduces programmable interrupt controller concept for microcomputers
1985 Intel 80386 ships with 32-bit protected mode, hardware rings on commodity hardware
1993 Windows NT separates kernel/user mode on commodity x86 for the first time at scale
2003 AMD64 extends x86 with 64-bit long mode; syscall/sysret become the norm
2005 Intel VT-x ships — hardware virtualization adds Ring -1 (VMX root mode)
2006 Linux x86-64 switches from int 0x80 to syscall for performance
2017 Meltdown/Spectre expose the cost of speculative execution across ring boundaries
2018 KPTI (Kernel Page-Table Isolation) patches deployed globally — ring boundary reinforced

Modern Relevance and Production Use Cases

Security hardening: Every container escape, kernel exploit, and privilege escalation technique depends on violating the user/kernel boundary or abusing system call paths. Understanding this section is prerequisite to understanding CVE analysis.

Performance engineering: System call overhead (context switch cost, TLB flush, cache pollution) is a first-order concern in high-throughput systems. io_uring (Linux 5.1+) exists specifically to batch syscalls and minimize ring transitions.

Virtualization: Hypervisors (KVM, Xen, VMware ESXi) are themselves Ring 0 (or Ring -1) code that intercepts hardware access from guest kernels. The guest kernel thinks it's in Ring 0 but runs in Ring 1 or a VMX non-root context.

eBPF: Modern observability and security tools (Cilium, Falco, Parca) inject verified bytecode into the kernel via a trusted syscall path — a direct application of the kernel/user trust model.

Embedded and RTOS: In bare-metal embedded systems there are no privilege rings; understanding why they exist helps you reason about the security implications of systems that lack them.


File Map

00-foundations/
├── 00-overview.md              ← This file
├── 01-what-is-a-kernel.md      ← Precise definition, kernel vs OS, minimal kernel properties
├── 02-os-theory.md             ← Resource management, abstraction, protection goals
├── 03-user-vs-kernel-space.md  ← Memory split, address spaces, kernel mappings
├── 04-cpu-privilege-rings.md   ← x86 rings, ARM exception levels, RISC-V privilege modes
├── 05-hardware-abstraction.md  ← HAL design, portability layers, driver models
├── 06-system-calls.md          ← syscall mechanics, dispatch table, VDSO optimization
├── 07-interrupts.md            ← IRQ lines, IDT, APIC, interrupt affinity, softirqs
├── 08-traps-faults-aborts.md   ← Formal taxonomy, x86 exception vectors, handler paths
├── 09-abstraction-hierarchy.md ← Full stack from silicon to application layer

Cross-References

  • Section 03 (Kernel Fundamentals): Expands on kernel data structures and initialization
  • Section 04 (Kernel Architecture): Uses the user/kernel split to motivate monolithic vs. microkernel designs
  • Section 06 (CPU Architecture): Deep-dives into the pipeline mechanisms referenced here
  • Section 26 (Security): Exploits the trust model established in this section
  • Section 27 (Kernel Exploits): Directly attacks the ring boundary and system call interface

Essential (read everything): Files 01–04, 06–08. These are referenced constantly throughout the archive.

Deep dive recommended: File 05 (HAL) if you work on driver development, embedded Linux, or OS porting. File 09 (abstraction hierarchy) if you are new to systems thinking.

Reference use: Return to this section whenever a later section introduces a concept (e.g., page fault, IRQ affinity) that you need to ground in first principles.

Estimated study time: 8–12 hours for full comprehension with hands-on exercises.