What do you have when you take a kernel out of an operating system? If you don’t know, don’t feel bad. It’s perfectly normal for a Windows or macOS user not to know what the kernel is or what it does.
Kernel operations are a behind-the-scenes thing that most people don’t ever think about, let alone understand. Still, if you remove a kernel, your device becomes an expensive paperweight.
So, what does the kernel of an operating system do? Let’s find out.
What Is a Kernel?
The kernel is a critical component of an operating system. It manages the computer’s operations and acts as a bridge between the applications and the hardware.
It controls devices, memory, process management, input/output communication, and interrupt handling. It also provides drivers for keyboards, mice, monitors, network adapters, printers, and storage devices.
Many kernels are released under the GNU General Public License (GPL), meaning they can be freely copied, modified, and distributed. The Linux kernel, which underlies the various Linux distributions, is an example of a kernel released under the GPL.
How Does a Kernel Work?
The kernel loads the necessary drivers and programs into memory and then manages all operating system services on the computer. It also provides an interface for applications to interact with hardware devices.
Kernels are usually written in low-level languages such as C or Assembly. This keeps them close to the hardware and gives them fine-grained control over the computer’s operations.
When a user runs an application, the kernel loads the necessary drivers and programs into memory and then manages the application’s resources. The kernel also mediates between applications and hardware devices such as keyboards, mice, monitors, network adapters, printers, and storage devices.
To help you understand what the kernel does and how it works, we’ll use a Windows operating system bootup procedure as an example.
Windows Booting Up
You should first know that the kernel is not a piece of firmware or a component of a basic input/output system (BIOS). When you turn on the PC, the BIOS starts and performs a power-on self-test (POST). Everything is fine if there are no beeps or flashes, and the procedure will continue.
The BIOS then runs a bootloader that checks the designated storage devices (HDD or SSD) for the operating system and kernel. Once it locates the kernel, it loads it into protected memory and hands the reins of the system over to it.
A portion of random-access memory (RAM) is designated as protected memory. It is not accessible to applications to prevent kernel interruptions that might lead to system instability. In a way, the RAM gets split into designated kernel space and user space.
The first thing the kernel does is decompress itself and set up basic data structures in memory. The BIOS also passes information about the system hardware to the kernel to load the appropriate drivers. The kernel initializes devices like disk controllers, network cards, and graphics cards.
Then, it loads any additional drivers required for hardware like printers and scanners. This is all done so the operating system can finally start loading. Once all that is done, the kernel hands control over to the user interface, which could be a graphical desktop or a command-line interface.
The kernel’s work isn’t done when the operating system loads up. It keeps working in the background to keep everything running smoothly. For example, when you open a file, the kernel bridges the application and the storage device.
It ensures that the data is read from or written to the correct location on the disk. It also allocates memory for the application to use when opening the file.
When you connect to a network, the kernel manages the connection and routes data between your computer and the web. It also addresses security by controlling access to various parts of the system.
Different kernels work differently, but this should give you a basic idea of the kind of work the kernel does.
Kernel Mode vs. User Mode
The terms “user space” and “kernel space” refer to the areas of memory where code can execute. User space is the area of memory where applications run. Kernel space is the area of protected memory where the kernel runs.
Kernel mode is a privileged operating mode in which the running code has access to the entire system: it can reference any memory address and execute any CPU instruction, regardless of where that code is located.
User mode is a restricted operating mode in which code can only access the memory regions assigned to it. User-mode code cannot execute privileged instructions or reference memory outside those regions.
Types of Kernels
There are five main types of kernels:
- Monolithic Kernel
- Microkernel
- Hybrid Kernel
- Nanokernel
- Exokernel
A monolithic kernel runs the entire operating system in a single kernel space. The kernel image contains all system services and device drivers.
Because everything is in one place, communication between systems and devices is faster, but it comes at a cost. If any errors occur, it can crash the whole system.
Besides the risk of a single error crashing the system, monolithic kernel code is rigid: it requires more work to maintain because it must include drivers for everything. On the other hand, its simpler architecture means less code overall, which reduces the number of places bugs can hide.
A microkernel structure only holds the essential components of the computer kernel in protected memory. The non-essential parts, such as device drivers, file systems, and network stacks, are moved to the user space.
Because this means using user and kernel space separately, everything that happens in user space, including any errors or bugs, won’t interfere with kernel space or cause a complete system failure. The trade-off is slower communication compared to a monolithic kernel.
A hybrid kernel type is a mix of the monolithic and microkernel types. It’s created by taking a monolithic kernel and moving specific components to user space while keeping some, such as file systems and network stacks, in kernel space. This approach combines the best of both worlds: a monolithic kernel’s rigidity with a microkernel’s stability.
The most famous uses of the hybrid kernel system are Microsoft Windows and macOS operating systems.
A nanokernel is a stripped-down version of a microkernel. It holds the bare minimum in kernel space and relies heavily on user-space components. It’s more challenging to develop and debug.
The most famous use of the nanokernel was the now-discontinued Extremely Reliable Operating System, or EROS for short.
An Exokernel is an operating system kernel that exposes resources to applications without using high-level abstractions. This allows developers more flexibility and control in how they use hardware resources, making it an attractive option for systems that must be optimized for performance.
It should be noted that this type of kernel is still in the experimental stage. Even though the concept was introduced around 1994, it has yet to see large-scale commercial use. It was developed by MIT’s Parallel and Distributed Operating Systems group.
The most famous uses of the exokernel are ExOS and Nemesis.
Common malware can be a pain to get rid of, so imagine how bad it gets when it infects the heart of the machine. If the kernel is compromised, an attacker can gain full access to the system and wreak havoc.
When the device gets infected at the kernel level, or ring 0, even the best malware removal tools won’t be able to detect it, let alone remove it. The only way to disinfect the machine is to format the hard drive and reinstall the operating system. How does that happen?
Kernel Rootkit Infection
Malware delivery methods have become more sophisticated over the years. In the past, attackers would send out emails with attachments containing malware or host malicious websites that would infect visitors’ computers. Nowadays, attackers use more sophisticated methods to deliver their payloads, such as drive-by downloads and social engineering tactics like spear phishing.
The simplest way to insert malware into the kernel is to disguise it as a device driver, since drivers execute directly at the kernel level. This is more challenging than it seems, though: Microsoft requires all device drivers to be digitally signed.
Therefore, the driver won’t be installed if the malware lacks a valid signature. There are still ways to run it, but if an “Adobe update” throws a driver-signing error, you’ll know something is wrong.
Sadly, if the attacker manages to get their hands on a legitimate code-signing certificate, as happened in the Stuxnet worm attack, they can install malware without anyone realizing it. Even without one, there are other methods of corrupting the kernel.
Memory infection is one of them. The attacker must use the system memory map object to get the malicious code into the kernel-protected memory space. This description is vague because there are many “it depends” moments, and it would require a very technical article to cover everything.
There is one thing you should know, though. Microsoft already anticipated such a scenario and implemented memory integrity checks on ring 0. As some guides suggest, please don’t turn it off to improve performance. That extra fraction of a second when booting the system up isn’t worth the risk.
Instead of infecting protected memory, the attacker can try to alter the kernel file on the storage drive. The malware has to obtain root privileges to modify the NTLDR program that runs an integrity check on the ntoskrnl.exe file. Once that is achieved, though, it has free rein in the system.
Thankfully, both of these methods aren’t easy to perform, and in most cases, the best they can do is cause a BSOD crash.
How Kernel Infection Works
The whole machine becomes compromised when an infection occurs at the kernel level. The attacker can do anything, from listening in on conversations and recording keystrokes to remotely controlling the device, but how does that happen?
When a program wants to request a service from the kernel, it has to make a system call; programs cannot invoke kernel services directly. Every system call is dispatched through the system call table, which maps each call number to the branch of kernel code that handles it.
When malicious code infects the system call table, it alters entries to point at the attacker’s code instead. As a result, the attacker can intercept system calls before they reach their intended handlers and redirect them.
In other words, the malware can see everything happening on the machine, including what the user is doing. Even your antivirus uses the kernel to scan for threats, which is why kernel-level malware is so challenging to detect and remove.
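The system call table described above is exactly what a kernel integrity check guards. The following is an added example, not code from the original article: it simulates such a table in user-space C, snapshots the handler addresses at startup, and reports the first entry whose address no longer matches. The table, its handlers and the FNV-1a fast-path hash are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Simulated system call table: handler pointers indexed by call number,
   standing in for the kernel's real dispatch table (constructed example). */
typedef long (*syscall_fn)(long arg);

static long sys_read(long arg)  { return arg + 1; }
static long sys_write(long arg) { return arg + 2; }
static long sys_open(long arg)  { return arg + 3; }

#define NR_SYSCALLS 3
syscall_fn syscall_table[NR_SYSCALLS] = { sys_read, sys_write, sys_open };

/* Known-good snapshot recorded once, when the table is first set up. */
static uintptr_t baseline[NR_SYSCALLS];
static uint64_t  baseline_hash;

/* FNV-1a over the pointer values: a cheap fast path for periodic checks. */
static uint64_t hash_table(const syscall_fn *tbl, size_t n) {
    uint64_t h = 1469598103934665603ULL;
    for (size_t i = 0; i < n; i++) {
        uintptr_t p = (uintptr_t)tbl[i];
        for (size_t b = 0; b < sizeof p; b++) {
            h ^= (p >> (8 * b)) & 0xff;
            h *= 1099511628211ULL;
        }
    }
    return h;
}

void record_baseline(void) {
    for (size_t i = 0; i < NR_SYSCALLS; i++)
        baseline[i] = (uintptr_t)syscall_table[i];
    baseline_hash = hash_table(syscall_table, NR_SYSCALLS);
}

/* Returns -1 when the table matches the baseline, otherwise the index of the
   first entry whose handler address has been changed since the snapshot. */
int verify_syscall_table(void) {
    if (hash_table(syscall_table, NR_SYSCALLS) == baseline_hash)
        return -1;                       /* fast path: nothing changed */
    for (size_t i = 0; i < NR_SYSCALLS; i++)
        if ((uintptr_t)syscall_table[i] != baseline[i])
            return (int)i;               /* first redirected entry */
    return -1;                           /* unreachable: hash is deterministic */
}

/* Demo: redirect entry 1 in the simulation, run the check, then restore it. */
int demo_detect_redirected_entry(void) {
    record_baseline();
    syscall_table[1] = sys_open;         /* simulated tampering of "write" */
    int hit = verify_syscall_table();
    syscall_table[1] = sys_write;        /* restore the original handler */
    return hit;
}
```

In a real kernel the baseline would be stored where the checked code cannot rewrite it, which is the role hypervisor-backed memory integrity plays on Windows.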
Next to ransomware, kernel-level malware is the scariest type of malicious code out there. It has complete control over the machine and is hard to detect and remove. As you have probably figured out by now, you do not want malware ever to reach the kernel of the OS. But how do you protect it?
The best way to protect your machine from kernel-level malware is to keep your operating system up to date. Often, these types of malware take advantage of vulnerabilities already patched by the manufacturer.
Use an antivirus program: these rely on heuristics and signature analysis to spot suspicious activity and can even thwart some zero-day attacks. Additionally, a good firewall will block incoming connections from unknown sources.
The kernel is the beating heart of your computer’s operating system. While it may not be as glamorous as other aspects of an OS, its importance should not be underestimated.
It’s responsible for managing all of the resources on your device and ensuring that everything runs smoothly.
While you may not need to know every detail of how it works, it’s essential to understand what this key component does. Just be sure to keep your device safe: keep all drivers and OS components updated regularly, and everything will be a-okay.