In computer science, hierarchical privilege levels, often called protection rings, are a mechanism to protect data and functionality from faults (fault tolerance) and malicious behaviour (computer security). This approach is diametrically opposite to that of capability-based security.
Hardware-supported rings were among the more revolutionary concepts introduced by the Multics operating system, a highly secure predecessor of today's UNIX family of operating systems. However, most general-purpose UNIX systems use only two rings, even if the hardware they run on provides more CPU modes than that.
Many modern CPU architectures (including the popular Intel x86 architecture) include some form of ring protection, although the Windows XP operating system, like Unix, does not fully exploit this feature. Its predecessor OS/2 did to some extent, as it used three rings.
There has been renewed interest in this design structure, with the proliferation of the Xen VMM software, the ongoing discussion of monolithic kernels versus microkernels (particularly in Usenet newsgroups and Web forums), Microsoft's ring -1 design structure as part of its NGSCB initiative, and hypervisors embedded in firmware such as Intel's Vanderpool technology.
The original Multics system had eight rings, but many modern systems have fewer. The hardware is aware of the current ring of the executing instruction thread at all times, thanks to special machine registers. In some systems, areas of virtual memory are also assigned ring numbers in hardware, and/or the most privileged ring is given special capabilities (such as real memory addressing that bypasses the virtual-memory hardware).
The hardware severely restricts the ways in which control can be passed from one ring to another, and also enforces restrictions on the types of memory access that can be performed across rings. Typically there is a special gate or call instruction that transfers control in a secure way towards predefined entry points in lower-level (more trusted) rings; this functions as a supervisor call in many operating systems that use the ring architecture. The hardware restrictions are designed to limit opportunities for accidental or malicious breaches of security.
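The two checks described above (ring-tagged memory and gated transfers to predefined entry points) can be modelled in a few lines of C. This is an added example, not code from any operating system or CPU manual; the `segment` structure, the gate offsets and the rule that outward transfers are refused are assumptions of this simplified model.

```c
#include <stddef.h>
#include <stdio.h>

#define RING_DENIED (-1)

/* A memory segment tagged with a ring number (0 = most trusted). */
struct segment {
    int ring;               /* ring assigned to this segment */
    const unsigned *gates;  /* predefined entry offsets, if any */
    size_t ngates;
};

/* Data access: code may touch only segments in its own ring or in
 * less trusted (higher-numbered) rings. */
int may_access(int cur_ring, const struct segment *s)
{
    return cur_ring <= s->ring;
}

/* Control transfer: returns the ring the callee runs in, or RING_DENIED. */
int transfer(int cur_ring, const struct segment *t, unsigned offset)
{
    if (t->ring == cur_ring)
        return cur_ring;            /* same ring: any offset is fine */
    if (t->ring > cur_ring)
        return RING_DENIED;         /* outward: refused in this model */
    for (size_t i = 0; i < t->ngates; i++)
        if (t->gates[i] == offset)
            return t->ring;         /* inward through a declared gate */
    return RING_DENIED;             /* inward to an arbitrary address */
}

/* Constructed sample layout: a ring 0 segment with two gates, and a
 * ring 3 segment with none. */
static const unsigned kernel_gates[] = { 0x100, 0x140 };
const struct segment kernel_seg = { 0, kernel_gates, 2 };
const struct segment user_seg = { 3, NULL, 0 };

int main(void)
{
    printf("ring 3 -> gate 0x100: %d\n", transfer(3, &kernel_seg, 0x100));
    printf("ring 3 -> offset 0x104: %d\n", transfer(3, &kernel_seg, 0x104));
    printf("ring 3 reads ring 0 data: %d\n", may_access(3, &kernel_seg));
    printf("ring 0 reads ring 3 data: %d\n", may_access(0, &user_seg));
    return 0;
}
```

The second call is the case the gate exists to stop: the caller picks its own entry address inside trusted code, and the transfer is refused rather than running at ring 0.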
Ring protection can be combined with processor modes (master/kernel/privileged mode versus slave/user/unprivileged mode) in some systems. Operating systems running on hardware supporting both may use both forms of protection or only one.
Effective use of ring architecture requires close cooperation between hardware and the operating system. Operating systems designed to work on multiple hardware platforms may make only limited use of rings if they are not present on every supported platform. Often the security model is simplified to "kernel" and "user" even if hardware provides finer granularity through rings.