Once the valid bit confirms a page is present, the CPU must still answer: Is this access allowed? Can user-mode code read this kernel page? Can a process write to read-only code? Can the stack be executed as code?

The protection bits in each Page Table Entry form an access control matrix that the hardware checks on every single memory access—billions of times per second. These bits are the front line of security, enforcing process isolation, preventing code injection, and protecting the kernel from user-mode attacks.

Understanding protection bits is essential for systems programmers, security researchers, and anyone who wants to comprehend how modern operating systems maintain integrity despite running untrusted code.

Memory protection implements an access control matrix in hardware. For each memory page, we define what operations are permitted by whom. The three primary dimensions are:

Access Types:

• Read (R): Load data from this page
• Write (W): Store data to this page
• Execute (X): Fetch instructions from this page

Privilege Levels:

• User mode (Ring 3): Normal application code
• Supervisor/Kernel mode (Ring 0): Operating system code

The page table entry contains bits that encode this matrix. The MMU checks these bits against the current CPU mode and access type, faulting if the access is denied.

Important Nuances:

1. Kernel can access user pages: On most architectures, kernel mode can access any user-accessible page (though SMAP changes this on x86)

2. Read implies execute (historically): Before NX/XD bits, read permission implied execute permission—data could be executed

3. Hierarchy matters: In multi-level page tables, permission bits at each level are combined (typically AND logic)

4. TLB caches permissions: Protection violations can be detected from TLB entries without walking page tables

The Read/Write (R/W) bit controls whether a page can be modified. Despite its name, it doesn't control read access—a page with R/W=0 can still be read, just not written.

Semantics on x86:

• R/W = 0: Page is read-only; writes cause protection fault
• R/W = 1: Page is read-write; both reads and writes permitted

Use Cases for Read-Only Pages:

Write Protection Fault Handling:

When a write occurs to a read-only page, the CPU generates a protection fault (different from a page-not-present fault). The fault handler examines:

1. Was this a user or kernel mode access?
2. Is the VMA marked writable? If not → SIGSEGV
3. Is this a copy-on-write page? If so → copy and make writable
4. Is this legitimate kernel write to RO area? → likely a bug → kernel oops

The ability to distinguish 'not present' from 'present but protected' is crucial for implementing COW efficiently.

The User/Supervisor (U/S) bit controls privilege-level access—whether user-mode code can access a page at all.

Semantics on x86:

• U/S = 0: Supervisor (kernel) only; user-mode access causes protection fault
• U/S = 1: User accessible; both user and kernel mode can access

This is the primary defense between user space and kernel space. Every kernel page has U/S=0, making it inaccessible to user code even if the user knows the virtual address.

Why Kernel is Mapped in User Page Tables:

1. Fast system calls: No page table switch needed when entering kernel
2. Easy parameter passing: Kernel can directly read user buffers
3. Unified addressing: Kernel always sees same virtual addresses

SMAP and SMEP: Kernel Self-Restriction:

Modern CPUs provide additional protection against kernel accessing user pages:

• SMEP (Supervisor Mode Execution Prevention): Prevents kernel from executing user-mode code. Blocks attacks that redirect kernel execution to user-controlled code.

• SMAP (Supervisor Mode Access Prevention): Prevents kernel from reading/writing user-mode pages. Kernel must use special instructions (STAC/CLAC) to temporarily enable user access. Blocks attacks that trick kernel into dereferencing user-controlled pointers.

The No-Execute (NX) bit (Intel calls it XD for Execute Disable) is perhaps the most important security addition to page table entries. It allows marking pages as non-executable, preventing code injection attacks.

Historical Context:

Before NX (pre-2004 on x86):

• All readable pages were implicitly executable
• Stack, heap, data segments could all execute code
• Buffer overflow attacks were trivial: inject code, jump to it

With NX:

• Stack and heap pages can be marked NX (data-only)
• Code pages remain executable but can be read-only
• Injection into data areas doesn't allow execution

The W^X Principle:

W^X (Write XOR Execute) is a security principle: no memory region should be both writable and executable simultaneously.

• If you can write it, you can't execute it (can't inject code)
• If you can execute it, you can't write it (can't modify code)

This is enforced by combining R/W and NX bits:

• Data pages: R/W=1, NX=1 (writable, not executable)
• Code pages: R/W=0, NX=0 (executable, not writable)

Exceptions to W^X:

1. JIT Compilers: JavaScript engines, .NET, Java HotSpot need to generate code at runtime
2. Trampolines: Some FFI/callback mechanisms use executable stacks
3. Legacy software: Old code may rely on executable stack

These must carefully manage permissions, switching between W and X as needed.

In multi-level page tables, each level has its own protection bits. This creates an interesting question: what happens when upper levels have different permissions than lower levels?

x86-64 Behavior:

The effective permission is the most restrictive combination across all levels:

• If any level has U/S=0, the page is supervisor-only
• If any level has R/W=0, the page is read-only (for that level's scope)
• If any level has NX=1, the page is non-executable

Mathematically: Effective = Level1 AND Level2 AND Level3 AND Level4

Practical Implications:

Bulk Permission Setting: To make a large region kernel-only, set U/S=0 in the upper-level entry. Individual pages don't need separate protection—they inherit the restriction.

Avoid Mixed Mappings: A single 2MB huge page (or 1GB gigantic page) shares one set of permission bits. All 4KB sub-regions must have the same permission. This limits flexibility with huge pages.

Sharing Upper-Level Tables: If two processes share a PDPT (for shared library mappings), they must have the same permissions for that region. Protection can differ only at levels where page tables diverge.

TLB Caches Effective Permissions: The TLB stores the final computed permissions. Hardware checks are fast—no need to re-walk levels on each access.

Intel Memory Protection Keys (MPK/PKU) extend the protection model with 4 additional bits in each PTE, allowing up to 16 different protection domains within a single process. This enables fine-grained access control without changing page tables.

How Protection Keys Work:

1. Each PTE contains a 4-bit protection key (bits 59-62 in x86-64)
2. A special register (PKRU) holds 32 bits: 2 bits per key (access disable + write disable)
3. On each access, hardware checks PKRU[key] to allow/deny
4. PKRU can be changed with user-mode instructions (WRPKRU) without system calls!

Use Cases for Protection Keys:

1. Intra-process isolation: Isolate parts of a process (e.g., cryptographic keys from main code)
2. JIT security: Disable write to JIT code except during compilation
3. Safe speculation: Disable access to secrets during speculative execution
4. Library isolation: Prevent libraries from accessing each other's data
5. Light-weight sandboxing: Faster than separate address spaces

Performance Advantage:

Changing PKRU is ~20-30 cycles. Changing page table entries requires TLB flushes, typically thousands of cycles. For frequently-switched protection (like enabling/disabling JIT write access), this is a huge win.

When access violates protection bits, the CPU generates a protection fault (formally, still #PF on x86, but with different error code). Understanding fault handling is crucial for both OS implementation and security.

x86 Page Fault Error Code:

The error code pushed on stack contains:

Key Distinctions:

Present vs Protection Fault:

• P=0: Page not present (demand paging, swap-in needed)
• P=1: Page present but access denied (true protection violation)

Legitimate vs Illegitimate Protection Faults:

• COW: Write to shared read-only → create private copy → continue
• True violation: Access denied by policy → SIGSEGV

User vs Kernel:

• User fault + bad access → SIGSEGV to process
• Kernel fault + bad access → kernel bug (oops/panic)

Protection bits are fundamental to system security, but they're not infallible. Modern attacks and mitigations reveal both the power and limitations of page-level protection.

Attack Vectors:

Modern Mitigations:

1. ASLR (Address Space Layout Randomization): Randomize where code/data is loaded. Even if attacker knows address, it's unpredictable at runtime.

2. KPTI (Kernel Page Table Isolation): Use separate page tables for user/kernel. Kernel pages aren't even in user page tables, not just marked U/S=0.

3. KASLR (Kernel ASLR): Randomize kernel location. Even with KPTI bypass, attackers don't know where kernel is.

4. CFI (Control-Flow Integrity): Validate indirect jumps go to expected targets. Mitigates ROP/JOP.

5. Shadow Stacks (CET): Separate stack for return addresses. Can't overwrite with buffer overflow.

6. MTE (Memory Tagging): ARM feature that tags pointers and memory. Mismatch causes fault. Catches use-after-free, overflow.

Protection bits form the hardware-enforced access control layer for virtual memory. Let's consolidate the key insights:

What's Next:

We've now covered PTE structure, the valid bit, and protection bits. The final piece is where page tables themselves are stored—the page table location. This includes how the OS finds the page table, how tables are stored in memory, and the kernel/user space split.