Virtual Address Space

Every process runs in its own private virtual address space. From the process's perspective, it owns all of memory and nothing else can touch it. This isolation is one of Linux's most important security and stability features.

The Illusion of Private Memory

How can 200 processes each "own" 128TB of address space when I only have 32GB of RAM? Virtual addresses are just numbers — they don't correspond to physical RAM until a process actually accesses them. The kernel's page tables map virtual addresses to physical pages on demand. Two different processes can have the same virtual address (say 0x7fff0000) but they map to completely different physical pages.

Typical Process Memory Layout (x86-64)

    High address (top of user space: 0x7fffffffffff)
    ┌─────────────────────────────┐
    │ Stack (grows downward)      │ ← local variables, function calls
    │              ↓              │
    │      ...free space...       │
    │              ↑              │
    │ Heap (grows upward)         │ ← malloc(), new
    ├─────────────────────────────┤
    │ BSS segment                 │ ← uninitialized global variables
    │ Data segment                │ ← initialized global variables
    │ Text segment (code)         │ ← read-only, executable
    └─────────────────────────────┘
    Low address (near 0x400000)

    ┌─────────────────────────────┐
    │ KERNEL SPACE                │ ← same for all processes, not accessible
    └─────────────────────────────┘
    High address (near 0xffff...)

Shared libraries (libc, etc.) are mapped somewhere in the middle by the dynamic linker — between heap and stack, exact location randomized by ASLR.

Reading /proc/PID/maps

You can see every virtual memory region of any process:

    cat /proc/self/maps
    # address                   perm offset   dev   inode  pathname
    # 55a1b2c00000-55a1b2c22000 r--p 00000000 08:01 123456 /bin/bash
    # 55a1b2c22000-55a1b2cb4000 r-xp 00022000 08:01 123456 /bin/bash
    # 55a1b2cb4000-55a1b2ce4000 r--p 000b4000 08:01 123456 /bin/bash
    # 7f1234000000-7f1237fff000 rw-p 00000000 00:00 0      [heap]
    # 7ffd12000000-7ffd12021000 rw-p 00000000 00:00 0      [stack]
    # perms: r=read w=write x=execute p=private s=shared

ASLR — Address Space Layout Randomization

Why do stack and heap addresses change between runs? ASLR (Address Space Layout Randomization) randomizes where the stack, heap, and libraries are loaded. This makes exploiting memory vulnerabilities much harder — attackers can't predict where their shellcode will land. Run the same program twice and addresses differ.

    # Check ASLR status
    cat /proc/sys/kernel/randomize_va_space
    # 0 = disabled, 1 = partial, 2 = full (default)

    # Disable temporarily for debugging (applies system-wide; write 2 back when done)
    echo 0 | sudo tee /proc/sys/kernel/randomize_va_space
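
To see the randomization rather than take it on trust, this added example (not part of the original page) parses two /proc/PID/maps listings and reports which named mappings changed base address between runs. The two embedded listings are constructed samples, and the function names are this example's own.

```python
import subprocess

# Constructed sample data in /proc/PID/maps format: two runs of one program.
RUN_1 = """\
55a1b2c22000-55a1b2cb4000 r-xp 00022000 08:01 123456 /bin/bash
55a1b3f00000-55a1b3f21000 rw-p 00000000 00:00 0 [heap]
7f1234000000-7f1234028000 r--p 00000000 08:01 654321 /usr/lib/libc.so.6
7ffd12000000-7ffd12021000 rw-p 00000000 00:00 0 [stack]
ffffffffff600000-ffffffffff601000 --xp 00000000 00:00 0 [vsyscall]
"""
RUN_2 = """\
5618c4e22000-5618c4eb4000 r-xp 00022000 08:01 123456 /bin/bash
5618c6a00000-5618c6a21000 rw-p 00000000 00:00 0 [heap]
7f88a1000000-7f88a1028000 r--p 00000000 08:01 654321 /usr/lib/libc.so.6
7ffc9b400000-7ffc9b421000 rw-p 00000000 00:00 0 [stack]
ffffffffff600000-ffffffffff601000 --xp 00000000 00:00 0 [vsyscall]
"""

def parse_maps(text):
    """Turn maps text into dicts; the pathname column may be empty."""
    regions = []
    for line in text.splitlines():
        fields = line.split(None, 5)  # at most 6 columns, path kept whole
        if len(fields) < 5:
            continue
        start, end = (int(x, 16) for x in fields[0].split("-"))
        path = fields[5].strip() if len(fields) > 5 else ""
        regions.append({"start": start, "end": end, "perms": fields[1], "path": path})
    return regions

def base_addresses(text):
    """First (lowest) start address of each named mapping."""
    bases = {}
    for region in parse_maps(text):
        if region["path"]:
            bases.setdefault(region["path"], region["start"])
    return bases

def moved(run_a, run_b):
    """Named mappings whose base address differs between two runs."""
    a, b = base_addresses(run_a), base_addresses(run_b)
    return {p: (a[p], b[p]) for p in a.keys() & b.keys() if a[p] != b[p]}

def live_maps():
    """Maps of a freshly started process (Linux only)."""
    return subprocess.run(["cat", "/proc/self/maps"], capture_output=True,
                          text=True, check=True).stdout

if __name__ == "__main__":
    changed = moved(live_maps(), live_maps())
    for path, (x, y) in sorted(changed.items()):
        print(f"{path:<40} {x:#x} -> {y:#x}")
    print(f"{len(changed)} named mappings moved between runs")
```

Run directly on a Linux host, it compares two fresh processes; if no mappings are reported as moved, check the value of /proc/sys/kernel/randomize_va_space.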
