Part 0 - Introduction

What RAM Actually Is

RAM is not just a card with some chips where I boast that having 64GB of RAM is precious. Indeed, RAM is just an electricaly component which is made up of many cells with each cell made up of 1 transistor and 1 capacitor. This is known as the 1T1C configuration.

#c #memory

0.1 — What RAM Actually Is

First, Forget Everything You Think You Know

When most people hear “memory,” they think of it like a filing cabinet. Slot 1, slot 2, slot 3. You put things in, you take things out.

That mental model will betray you the moment you need to think at the level Stuxnet was written.

So we start from the physics.

The Atom of It All — The Capacitor

DRAM — Dynamic Random Access Memory — the RAM in your machine right now — stores each bit as a charge in a capacitor.

A capacitor is two conductive plates separated by an insulator. Push electrons onto one plate, they can’t cross — so they pile up. That pile of electrons is a stored charge. Charge present = 1. Charge absent = 0.

That’s it. That’s a bit. A physical accumulation of electrons on a tiny plate etched into silicon.

Your 16GB of RAM is approximately 137 billion of these capacitors.

The Problem With Capacitors

Capacitors leak.

The charge doesn’t stay. Electrons bleed away through the insulator, slowly, constantly. Leave a capacitor alone long enough and the 1 becomes a 0. The bit is gone.

This is why it’s called Dynamic RAM.

“Dynamic” means: you must constantly refresh it.

The memory controller — hardware on your CPU die — reads every row of capacitors and rewrites them thousands of times per second. Just to keep the data from evaporating.

Right now, while you read this, your system is spending real hardware cycles doing nothing but preventing your RAM contents from physically disappearing.

This is also why RAM is volatile.

Cut the power. Refreshing stops. Capacitors drain. In milliseconds, every bit is gone. Your running processes, your variables, your stack frames — evaporated. The hardware has no memory of them.

This is not a software property. It is a physical property of the medium.

The Access Structure — Rows and Columns

Those 137 billion capacitors aren’t arranged in one long line. That would be impossibly slow to address.

They’re arranged in a grid. Rows and columns.

        COL0  COL1  COL2  COL3  ...
ROW0  [  1  ][  0  ][  1  ][  1  ] ...
ROW1  [  0  ][  0  ][  0  ][  1  ] ...
ROW2  [  1  ][  1  ][  0  ][  0  ] ...
...

To read a bit: you assert a row address — the entire row gets loaded into a row buffer (a line of fast latches, essentially SRAM). Then you assert a column address — that specific cell is read out.

This two-step process — row then column — is why DRAM accesses have latency. You’re waiting for the row to load, then waiting for the column select.

When you access memory addresses that are all in the same row — you’re fast. The row is already in the buffer.

When you jump to a different row — row miss. The old row gets written back, new row loads. That’s the expensive operation.

This is the physical reason why sequential memory access is faster than random access. Not an abstraction. Not a software property. The actual hardware geometry of your RAM chips.

Volatile — What It Actually Means

Volatile has a precise meaning:

Volatile memory loses its contents when power is removed.

No power → no refresh → no charge → no data.

This distinguishes RAM from:

  • ROM — Read-Only Memory. Data burned in at manufacture. Survives power loss. Your BIOS firmware lives here.
  • Flash / NAND — Uses floating-gate transistors to trap electrons permanently. Survives power loss. Your SSD, your phone storage.
  • SRAM — Static RAM. Uses flip-flop circuits, not capacitors. No refresh needed. Much faster. Much more expensive. Much larger per bit. This is what your CPU caches are made of.

When your machine crashes — kernel panic, power cut, whatever — everything in RAM is gone. The program state, the stack, the heap. Gone. What survives is what was written to non-volatile storage before the crash.

This is why databases obsess over fsync. Why filesystems have journals. The gap between “written to RAM” and “written to disk” is the gap between data that exists and data that merely appeared to exist.

Byte Addressability

Now the architectural layer on top of the physics.

The CPU doesn’t address individual bits. It addresses bytes — groups of 8 bits.

Every byte in RAM has a unique address — a number, starting from 0, counting up.

Address 0x0000:  [ 8 bits ]
Address 0x0001:  [ 8 bits ]
Address 0x0002:  [ 8 bits ]
Address 0x0003:  [ 8 bits ]
...
Address 0xFFFF:  [ 8 bits ]

This is byte addressability. The fundamental contract of the memory system.

When C gives you a pointer — int *p — that pointer is a byte address. Not a bit address. Not a word address. A byte address.

When you write:

int x = 42;
int *p = &x;

p holds the address of the first byte of x. Because int is 4 bytes, x actually occupies addresses p, p+1, p+2, p+3. Four consecutive bytes. Four consecutive capacitor grids, sitting next to each other in your RAM chip.

The value 42 is spread across those four bytes according to your CPU’s endianness — but that’s 0.9. For now: every variable you declare is a reservation of consecutive bytes, each with a unique numeric address.

Physical Addresses

These addresses — the actual numbers identifying bytes — are physical addresses when they refer directly to RAM chips.

Physical address 0 = the very first byte of the first RAM module. Physical address 0x100000 = byte 1,048,576.

In a system with 16GB of RAM, physical addresses run from 0 up to roughly 0xFFFFFFFF (on older systems) or higher on modern 64-bit systems.

But here’s the thing:

Your programs never see physical addresses.

The address p holds when you do int *p = &x — that is a virtual address. A fiction maintained by the OS and the hardware.

The mapping from virtual to physical is managed by the kernel and the MMU. That’s Tier 1.

For now, the point is: beneath all the abstraction, there are physical capacitors on physical silicon, each with a physical numeric address, each storing one byte.

That’s what memory is.

What This Means For You as an Attacker

When Stuxnet needed to hide code inside a running Windows process —

When it needed to patch a driver in memory without leaving traces on disk —

When it needed to inject into a PLC’s memory space —

The authors weren’t thinking about variables and functions. They were thinking about byte addresses and what lives at them.

A running process is just bytes at addresses. The stack is bytes at addresses. The heap is bytes at addresses. The kernel’s own code is bytes at addresses.

The entire edifice of software — your shell, your browser, Windows, the PLC firmware Stuxnet targeted — is capacitors holding charge, organized into bytes, each byte sitting at a specific address.

When you understand that completely — not conceptually, but viscerally — you stop seeing programs and start seeing memory.

That’s the transition Tier 0 is building toward.

Summary — What You Own After 0.1

DRAM             = capacitors storing charge (1) or no charge (0)
Volatile         = charge drains without power, data is gone
Refresh          = memory controller rewrites all rows thousands/sec
Byte             = 8 bits, the smallest addressable unit
Physical address = the actual number identifying a specific byte in RAM
Your pointer     = (eventually) maps to one of these physical addresses

One sentence:

RAM is a grid of leaking capacitors, constantly refreshed, organized into addressed bytes, that forgets everything the moment power dies.