4 Privileges

Modern processors have at least two levels of instruction execution privilege. Here we will simply call them the “high” and “low” privilege levels.

At the high privilege level, a processor can execute every instruction, including the privileged ones, and it can access any memory location as well as any I/O location. Obviously, code running at this level can do serious damage: it can crash the OS or even damage I/O devices.

At the low privilege (user) level, a processor is prevented from accessing I/O locations and from executing privileged instructions (for example, those that disable interrupts or reconfigure memory protection). Furthermore, only certain regions of memory are accessible. This means that when a process executes at the low privilege level, it cannot do much damage other than crashing itself. If a process attempts to access a resource (a memory or I/O location) that is prohibited, the processor raises a special interrupt (an exception) so that the OS can deal with the offending process rather than letting the access go through. The OS reports this to the process as a “segmentation fault” in Unix terms, or a “general protection fault” in Microsoft Windows terms.
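The following program, an added example that is not part of the original text, shows this from the user process's side on Linux (or macOS). It maps a page with no access permissions and stores to it, and on x86 Linux it also tries the privileged CLI instruction; in both cases the processor faults, the OS delivers SIGSEGV to this process only, and the handler recovers with siglongjmp instead of letting the process die. The helper names and the choice of CLI as the privileged instruction are the example's own assumptions.

```c
/* Added example (not from the original text): a user process touching
 * memory it may not access, and executing a privileged instruction.
 * The hardware fault becomes SIGSEGV for this process alone. */
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <sys/mman.h>
#include <unistd.h>

static sigjmp_buf recover;            /* where to resume after the fault */
static void *volatile fault_addr;     /* address the OS reports as faulting */

static void on_segv(int sig, siginfo_t *info, void *ctx)
{
    (void)sig; (void)ctx;
    fault_addr = info->si_addr;       /* offending address, filled in by the kernel */
    siglongjmp(recover, 1);           /* unwind to the recovery point */
}

/* Install the fault handler; sigsetjmp(.., 1) restores the signal mask on jump. */
static void install_handler(void)
{
    struct sigaction sa;
    sa.sa_sigaction = on_segv;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = SA_SIGINFO;
    sigaction(SIGSEGV, &sa, NULL);
    sigaction(SIGBUS, &sa, NULL);     /* macOS reports some access faults as SIGBUS */
}

/* Map one page with PROT_NONE and store to it.
 * Returns 1 if the store faulted at that page, 0 if it (wrongly) went through,
 * -1 if the mapping could not be created. */
int fault_on_protected_page(void)
{
    long pagesz = sysconf(_SC_PAGESIZE);
    char *page = mmap(NULL, (size_t)pagesz, PROT_NONE,
                      MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (page == MAP_FAILED) return -1;
    install_handler();
    int faulted = 0;
    if (sigsetjmp(recover, 1) == 0) {
        *(volatile char *)page = 1;   /* prohibited store: the processor faults here */
    } else {
        faulted = ((char *)fault_addr == page);
    }
    munmap(page, (size_t)pagesz);
    return faulted;
}

/* Execute a privileged instruction at user level. On x86 Linux, CLI (disable
 * interrupts) raises a general protection fault that the kernel delivers as
 * SIGSEGV. Returns 1 if it faulted, 0 if it executed, -1 if not x86 Linux. */
int fault_on_privileged_instruction(void)
{
#if defined(__linux__) && (defined(__x86_64__) || defined(__i386__))
    install_handler();
    if (sigsetjmp(recover, 1) == 0) {
        __asm__ volatile("cli");
        return 0;
    }
    return 1;
#else
    return -1;
#endif
}

int main(void)
{
    printf("store to PROT_NONE page faulted: %d\n", fault_on_protected_page());
    printf("CLI at user level faulted:       %d\n", fault_on_privileged_instruction());
    return 0;
}
```

Build with `cc -std=c99 -Wall fault.c -o fault`. Note that the process keeps running after the fault only because it installed a handler; the default action for SIGSEGV is to terminate the process, which is the "crashing itself" the text refers to. Nothing outside the process is affected either way.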

This separation of privilege levels creates an apparent dilemma. On one hand, an ISR should execute at the high privilege level so that it can access the I/O locations it needs to communicate with an I/O device. On the other hand, a user process should execute at the low privilege level so as to protect the rest of the system. To make matters worse, an interrupt (event) can occur while the processor is executing code in a user (low privilege) process. If nothing else happened, the ISR would inherit the low privilege level and hence would not be able to access I/O locations.

The solution to this problem is surprisingly simple: the processor raises the privilege level automatically on interrupt entry and restores it automatically on return. When an interrupt occurs, in addition to saving the address of the instruction that would have executed next, the processor also saves the current (interrupted) privilege level on the stack. Then the privilege level is automatically raised, so the ISR executes at the high privilege level. Two details make this safe: the ISR's entry address comes from the interrupt vector, which only high-privilege code (the OS) can set up, so a user process cannot pick an address of its own to run at high privilege; and the saved state goes on a stack that low-privilege code cannot modify.

When the ISR is finished, the special interrupt-return instruction restores the interrupted privilege level from the stack, whatever it was. This way, an interrupted user process cannot accidentally inherit the high privilege level of the ISR. The return path can lower the privilege level or keep it, but never raise it above the level the returning code is already running at.
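The following toy processor model, an added example and not a description of any real instruction set, puts the whole mechanism of this section in one place: a privilege check on accesses, a vector table that only high-privilege code can install, interrupt entry that saves the return address and privilege level before raising it, and an interrupt return that restores the saved level but refuses to raise privilege. All names, the I/O address boundary and the vector numbers are the example's own assumptions.

```c
/* Added example (not from the original text): a minimal model of automatic
 * privilege elevation on interrupt entry and restoration on return. */
#include <string.h>

enum priv  { PRIV_LOW = 0, PRIV_HIGH = 1 };
enum fault { OK = 0, FAULT_PROTECTION = 1 };

#define NVEC        8
#define STACK_DEPTH 16
#define IO_BASE     0xF000u      /* assumption: addresses >= IO_BASE are I/O locations */

struct frame { unsigned pc; enum priv priv; };   /* what an interrupt pushes */

struct cpu {
    unsigned pc;
    enum priv priv;
    unsigned vectors[NVEC];      /* ISR entry points, installed by the OS */
    struct frame stack[STACK_DEPTH];  /* stack the user process cannot touch */
    int sp;
};

/* Power-on: the OS starts at high privilege. */
void cpu_reset(struct cpu *c) { memset(c, 0, sizeof *c); c->priv = PRIV_HIGH; }

/* Access check: low privilege may not touch I/O locations. */
enum fault cpu_access(const struct cpu *c, unsigned addr)
{
    return (c->priv == PRIV_LOW && addr >= IO_BASE) ? FAULT_PROTECTION : OK;
}

/* Only high-privilege code may install an interrupt vector. */
enum fault cpu_set_vector(struct cpu *c, unsigned vec, unsigned isr_addr)
{
    if (c->priv != PRIV_HIGH || vec >= NVEC) return FAULT_PROTECTION;
    c->vectors[vec] = isr_addr;
    return OK;
}

/* One-way drop to user mode, used by the OS to start a process. */
void cpu_enter_user(struct cpu *c, unsigned pc) { c->priv = PRIV_LOW; c->pc = pc; }

/* Interrupt entry: save return address and privilege level, then ascend. */
enum fault cpu_interrupt(struct cpu *c, unsigned vec)
{
    if (vec >= NVEC || c->sp >= STACK_DEPTH) return FAULT_PROTECTION;
    c->stack[c->sp].pc   = c->pc;
    c->stack[c->sp].priv = c->priv;
    c->sp++;
    c->priv = PRIV_HIGH;
    c->pc   = c->vectors[vec];      /* entry address chosen by the OS, not the process */
    return OK;
}

/* Interrupt return: restore the saved state; may lower privilege, never raise it. */
enum fault cpu_iret(struct cpu *c)
{
    if (c->sp == 0) return FAULT_PROTECTION;
    struct frame f = c->stack[c->sp - 1];
    if (f.priv > c->priv) return FAULT_PROTECTION;   /* forged frame: refuse */
    c->sp--;
    c->pc   = f.pc;
    c->priv = f.priv;
    return OK;
}

/* Walk through the scenario of the text. Returns 1 if every step behaves
 * as described, 0 at the first step that does not. */
int scenario(void)
{
    struct cpu c;
    cpu_reset(&c);
    if (cpu_set_vector(&c, 3, 0x8000) != OK) return 0;          /* OS installs ISR */
    cpu_enter_user(&c, 0x1000);                                 /* run a user process */
    if (cpu_access(&c, IO_BASE + 4) != FAULT_PROTECTION) return 0; /* user I/O: fault */
    if (cpu_set_vector(&c, 3, 0x1234) != FAULT_PROTECTION) return 0; /* user can't redirect ISR */
    c.pc = 0x1004;                                              /* process runs on */
    if (cpu_interrupt(&c, 3) != OK) return 0;                   /* device raises vector 3 */
    if (c.priv != PRIV_HIGH || c.pc != 0x8000) return 0;        /* ISR runs at high priv */
    if (cpu_access(&c, IO_BASE + 4) != OK) return 0;            /* ISR talks to the device */
    if (cpu_iret(&c) != OK) return 0;                           /* ISR finishes */
    if (c.priv != PRIV_LOW || c.pc != 0x1004) return 0;         /* back at low priv, same pc */
    if (cpu_access(&c, IO_BASE + 4) != FAULT_PROTECTION) return 0; /* and still restricted */
    return 1;
}
```

The interesting security property is in the last two functions: the ISR's address is taken from `vectors[]`, which user code cannot write, and `cpu_iret` only ever copies a privilege level out of a frame that an interrupt (running at high privilege) pushed, refusing any frame that would raise privilege. Remove either check and a low-privilege process could run code of its choosing at high privilege.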