Mac OS X and iOS Internals : To the Apple's Core

Jonathan Levin is a longtime trainer and consultant focusing on the system and kernel levels of the 'Big Three'—Windows, Linux, and OS X, as well as their mobile derivatives. He is the founder and CTO of Technologeeks.com, a partnership of experts delivering advanced training on systems/kernel programming, debugging, and profiling.

PART I: FOR POWER USERS

CHAPTER 1: DARWINISM: THE EVOLUTION OF OS X 3

The Pre-Darwin Era: Mac OS Classic 3

The Prodigal Son: NeXTSTEP 4

Enter: OS X 4

OS X Versions, to Date 5

10.0 — Cheetah and the First Foray 5

10.1 — Puma — a Stronger Feline, but . . . 6

10.2 — Jaguar — Getting Better 6

10.3 — Panther and Safari 6

10.4 — Tiger and Intel Transition 6

10.5 — Leopard and UNIX 7

10.6 — Snow Leopard 7

10.7 — Lion 8

10.8 — Mountain Lion 9

iOS — OS X Goes Mobile 10

1.x — Heavenly and the First iPhone 11

2.x — App Store, 3G and Corporate Features 11

3.x — Farewell, 1st gen, Hello iPad 11

4.x — iPhone 4, Apple TV, and the iPad 2 11

5.x — To the iPhone 4S and Beyond 12

iOS vs. OS X 12

The Future of OS X 15

Summary 16

References 16

CHAPTER 2: E PLURIBUS UNUM: ARCHITECTURE OF OS X AND IOS 17

OS X Architectural Overview 17

The User Experience Layer 19

Aqua 19

Quicklook 20

Spotlight 21

Darwin — The UNIX Core 22

The Shell 22

The File System 23

UNIX System Directories 24

OS X–Specifi c Directories 25

iOS File System Idiosyncrasies 25

Interlude: Bundles 26

Applications and Apps 26

Info.plist 28

Resources 30

NIB Files 30

Internationalization with .lproj Files 31

Icons (.icns) 31

CodeResources 31

Frameworks 34

Framework Bundle Format 34

List of OS X and iOS Public Frameworks 37

Libraries 44

Other Application Types 46

System Calls 48

POSIX 48

Mach System Calls 48

A High-Level View of XNU 51

Mach 51

The BSD Layer 51

libkern 52

I/O Kit 52

Summary 52

References 53

CHAPTER 3: ON THE SHOULDERS OF GIANTS: OS X

AND IOS TECHNOLOGIES 55

BSD Heirlooms 55

sysctl 56

kqueues 57

Auditing (OS X) 59

Mandatory Access Control 62

OS X- and iOS-Specifi c Technologies 65

User and Group Management (OS X) 65

System Confi guration 67

Logging 69

Apple Events and AppleScript 72

FSEvents 74

Notifi cations 78

Additional APIs of interest 79

OS X and iOS Security Mechanisms 79

Code Signing 80

Compartmentalization (Sandboxing) 81

Entitlements: Making the Sandbox Tighter Still 83

Enforcing the Sandbox 89

Summary 90

References 90

CHAPTER 4: PARTS OF THE PROCESS: MACH-O,

PROCESS, AND THREAD INTERNALS 91

A Nomenclature Refresher 91

Processes and Threads 91

The Process Lifecycle 92

UNIX Signals 95

Executables 98

Universal Binaries 99

Mach-O Binaries 102

Load Commands 106

Dynamic Libraries 111

Launch-Time Loading of Libraries 111

Runtime Loading of Libraries 122

dyld Features 124

Process Address Space 130

The Process Entry Point 130

Address Space Layout Randomization 131

32-Bit (Intel) 132

64-Bit 132

32-Bit (iOS) 133

Experiment: Using vmmap(1) to Peek Inside a Process’s

Address Space 135

Process Memory Allocation (User Mode) 138

Heap Allocations 139

Virtual Memory — The sysadmin Perspective 140

Threads 143

Unraveling Threads 143

References 146

CHAPTER 5: NON SEQUITUR:

PROCESS TRACING AND DEBUGGING 147

DTrace 147

The D Language 147

dtruss 150

How DTrace Works 152

Other Profi ling mechanisms 154

The Decline and Fall of CHUD 154

AppleProfi leFamily: The Heir Apparent 155

Process Information 156

sysctl 156

proc_info 156

Process and System Snapshots 159

system_profi ler(8) 159

sysdiagnose(1) 159

allmemory(1) 160

stackshot(1) 160

The stack_snapshot System Call 162

kdebug 165

kdebug-based Utilities 165

kdebug codes 166

Writing kdebug messages 168

Reading kdebug messages 169

Application Crashes 170

Application Hangs and Sampling 173

Memory Corruption Bugs 174

Memory Leaks 176

heap(1) 177

leaks(1) 177

malloc_history(1) 178

Standard UNIX Tools 178

Process listing with ps(1) 179

System-Wide View with top(1) 179

File Diagnostics with lsof(1) and fuser(1) 180

Using GDB 181

GDB Darwin Extensions 181

GDB on iOS 182

LLDB 182

Summary 182

References and Further Reading 182

CHAPTER 6: ALONE IN THE DARK:

THE BOOT PROCESS: EFI AND IBOOT 183

Traditional Forms of Boot 183

EFI Demystifi ed 185

Basic Concepts of EFI 186

The EFI Services 188

NVRAM Variables 192

OS X and boot.efi 194

Flow of boot.efi 195

Booting the Kernel 201

Kernel Callbacks into EFI 203

Boot.efi Changes in Lion 204

Boot Camp 204

Count Your Blessings 204

Experiment: Running EFI Programs on a Mac 206

iOS and iBoot 210

Precursor: The Boot ROM 210

Normal Boot 211

Recovery Mode 212

Device Firmware Update (DFU) Mode 213

Downgrade and Replay Attacks 213

Installation Images 214

OS X Installation Process 214

iOS File System Images (.ipsw) 219

Summary 225

References and Further Reading 225

CHAPTER 7: THE ALPHA AND THE OMEGA — LAUNCHD 227

launchd 227

Starting launchd 227

System-Wide Versus Per-User launchd 228

Daemons and Agents 229

The Many Faces of launchd 229

Lists of LaunchDaemons 241

GUI Shells 246

Finder (OS X) 247

SpringBoard (iOS) 248

XPC (Lion and iOS) 253

Summary 257

References and Further Reading 258

PART II: THE KERNEL

CHAPTER 8: SOME ASSEMBLY REQUIRED:

KERNEL ARCHITECTURES 261

Kernel Basics 261

Kernel Architectures 262

User Mode versus Kernel Mode 266

Intel Architecture — Rings 266

ARM Architecture: CPSR 267

Kernel/User Transition Mechanisms 268

Trap Handlers on Intel 269

Voluntary kernel transition 278

System Call Processing 283

POSIX/BSD System calls 284

Mach Traps 287

Machine Dependent Calls 292

Diagnostic calls 292

XNU and hardware abstraction 295

Summary 297

References 297

CHAPTER 9: FROM THE CRADLE TO THE GRAVE —

KERNEL BOOT AND PANICS 299

The XNU Sources 299

Getting the Sources 299

Making XNU 300

One Kernel, Multiple Architectures 302

The XNU Source Tree 305

Booting XNU 308

The Bird’s Eye View 309

OS X: vstart 310

iOS: start 310

[i386|arm]_init 311

i386_init_slave() 313

machine_startup 314

kernel_bootstrap 314

kernel_bootstrap_thread 318

bsd_init 320

bsdinit_task 325

Sleeping and Waking Up 328

Boot Arguments 329

Kernel Debugging 332

“Don’t Panic” 333

Implementation of Panic 334

Panic Reports 336

Summary 340

References 341

CHAPTER 10: THE MEDIUM IS THE MESSAGE: MACH PRIMITIVES 343

Introducing: Mach 344

The Mach Design Philosophy 344

Mach Design Goals 345

Mach Messages 346

Simple Messages 346

Complex messages 347

Sending Messages 348

Ports 349

The Mach Interface Generator (MIG) 351

IPC, in Depth 357

Behind the Scenes of Message Passing 359

Synchronization Primitives 360

Lock Group Objects 361

Mutex Object 362

Read-Write Lock Object 363

Spinlock Object 364

Semaphore Object 364

Lock Set Object 366

Machine Primitives 367

Clock Object 378

Processor Object 380

Processor Set Object 384

Summary 388

References 388

CHAPTER 11: TEMPUS FUGIT — MACH SCHEDULING 389

Scheduling Primitives 389

Threads 390

Tasks 395

Task and Thread APIs 399

Task APIs 399

Thread APIs 404

Scheduling 408

The High-Level View 408

Priorities 409

Run Queues 412

Mach Scheduler Specifi cs 415

Asynchronous Software Traps (ASTs) 423

Scheduling Algorithms 427

Timer Interrupts 431

Interrupt-Driven Scheduling 431

Timer Interrupt Processing in XNU 432

Exceptions 436

The Mach Exception Model 436

Implementation Details 437

Experiment: Mach Exception Handling 440

Summary 446

References 446

CHAPTER 12: COMMIT TO MEMORY:

MACH VIRTUAL MEMORY 447

Virtual Memory Architecture 447

The 30,000-Foot View of Virtual Memory 448

The Bird’s Eye View 449

The User Mode View 452

Physical Memory Management 462

Mach Zones 467

The Mach Zone Structure 468

Zone Setup During Boot 470

Zone Garbage Collection 471

Zone Debugging 473

Kernel Memory Allocators 473

kernel_memory_allocate() 473

kmem_alloc() and Friends 477

kalloc 477

OSMalloc 479

Mach Pagers 480

The Mach Pager interface 480

Universal Page Lists 484

Pager Types 486

Paging Policy Management 494

The Pageout Daemon 495

Handling Page Faults 497

The dynamic_pager(8) (OS X) 498

Summary 499

References 500

CHAPTER 13: BS”D — THE BSD LAYER 501

Introducing BSD 501

One Ring to Bind Them 502

What’s in the POSIX Standard? 503

Implementing BSD 503

XNU Is Not Fully BSD 504

Processes and Threads 504

BSD Process Structs 504

Process Lists and Groups 507

Threads 508

Mapping to Mach 510

Process Creation 512

The User Mode Perspective 512

The Kernel Mode Perspective 513

Loading and Executing Binaries 516

Mach-O Binaries 522

Process Control and Tracing 525

ptrace (#26) 525

proc_info (#336) 527

Policies 527

Process Suspension/Resumption 529

Signals 529

The UNIX Exception Handler 529

Hardware-Generated Signals 534

Software-Generated Signals 535

Signal Handling by the Victim 536

Summary 536

References 537

CHAPTER 14: SOMETHING OLD, SOMETHING NEW:

ADVANCED BSD ASPECTS 539

Memory Management 539

POSIX Memory and Page Management System Calls 540

BSD Internal Memory Functions 541

Memory Pressure 545

Jetsam (iOS) 546

Kernel Address Space Layout Randomization 548

Work Queues 550

BSD Heirlooms Revisited 552

Sysctl 552

Kqueues 555

Auditing (OS X) 556

Mandatory Access Control 558

Apple’s Policy Modules 560

Summary 563

References 563

CHAPTER 15: FEE, FI-FO, FILE: FILE SYSTEMS AND THE VFS 565

Prelude: Disk Devices and Partitions 565

Partitioning Schemes 567

Generic File System Concepts 577

Files 577

Extended Attributes 577

Permissions 577

Timestamps 578

Shortcuts and Links 578

File Systems in the Apple Ecosystem 579

Native Apple File Systems 579

DOS/Windows File Systems 580

CD/DVD File Systems 581

Network-Based File Systems 582

Pseudo File Systems 583

Mounting File Systems (OS X only) 587

Disk Image Files 589

Booting from a Disk Image (Lion) 590

The Virtual File System Switch 591

The File System Entry 591

The Mount Entry 592

The vnode Object 595

FUSE — File Systems in USEr Space 597

File I/O from Processes 600

Summary 605

References and Further Reading 605

CHAPTER 16: TO B (-TREE) OR NOT TO BE —

THE HFS+ FILE SYSTEMS 607

HFS+ File System Concepts 607

Timestamps 607

Access Control Lists 608

Extended Attributes 608

Forks 611

Compression 612

Unicode Support 617

Finder integration 617

Case Sensitivity (HFSX) 619

Journaling 619

Dynamic Resizing 620

Metadata Zone 620

Hot Files 621

Dynamic Defragmentation 622

HFS+ Design Concepts 624

B-Trees: The Basics 624

Components 630

The HFS+ Volume Header 631

The Catalog File 633

The Extent Overfl ow 640

The Attribute B-Tree 640

The Hot File B-Tree 641

The Allocation File 642

HFS Journaling 642

VFS and Kernel Integration 645

fsctl(2) integration 645

sysctl(2) integration 646

File System Status Notifi cations 647

Summary 647

References 648

CHAPTER 17: ADHERE TO PROTOCOL: THE NETWORKING STACK 649

User Mode Revisited 650

UNIX Domain Sockets 651

IPv4 Networking 651

Routing Sockets 652

Network Driver Sockets 652

IPSec Key Management Sockets 654

IPv6 Networking 654

System Sockets 655

Socket and Protocol Statistics 658

Layer V: Sockets 660

Socket Descriptors 660

mbufs 661

Sockets in Kernel Mode 667

Layer IV: Transport Protocols 668

Domains and Protosws 669

Initializing Domains 673

Layer III: Network Protocols 676

Layer II: Interfaces 678

Interfaces in OS X and iOS 678

The Data Link Interface Layer 680

The ifnet Structure 680

Case Study: utun 682

Putting It All Together: The Stack 686

Receiving Data 686

Sending Data 690

Packet Filtering 693

Socket Filters 694

ipfw(8) 696

The PF Packet Filter (Lion and iOS) 697

IP Filters 698

Interface Filters 701

The Berkeley Packet Filter 701

Traffi c Shaping and QoS 705

The Integrated Services Model 706

The Diff erentiated Services Model 706

Implementing dummynet 706

Controlling Parameters from User Mode 707

Summary 707

References and Further Reading 708

CHAPTER 18: MODU(LU)S OPERANDI — KERNEL EXTENSIONS 711

Extending the Kernel 711

Securing Modular Architecture 712

Kernel Extensions (Kexts) 713

Kext Structure 717

Kext Security Requirements 718

Working with Kernel Extensions 719

Kernelcaches 719

Multi-Kexts 723

A Programmer’s View of Kexts 724

Kernel Kext Support 725

Summary 735

References 735

CHAPTER 19: DRIVING FORCE — I/O KIT 737

Introducing I/O Kit 738

Device Driver Programming Constraints 738

What I/O Kit Is 738

What I/O Kit Isn’t 741

LibKern: The I/O Kit Base Classes 742

The I/O Registry 743

I/O Kit from User Mode 746

I/O Registry Access 747

Getting/Setting Driver Properties 749

Plug and Play (Notifi cation Ports) 750

I/O Kit Power Management 751

Other I/O Kit Subsystems 753

I/O Kit Diagnostics 753

I/O Kit Kernel Drivers 755

Driver Matching 755

The I/O Kit Families 757

The I/O Kit Driver Model 761

The IOWorkLoop 764

Interrupt Handling 765

I/O Kit Memory Management 769

BSD Integration 769

Summary 771

References and Further Reading 771

APPENDIX: WELCOME TO THE MACHINE 773

INDEX 793

The New copy of this book will include any supplemental materials advertised. Please check the title of the book to determine if it should include any access cards, study guides, lab manuals, CDs, etc.

The Used, Rental and eBook copies of this book are not guaranteed to include any supplemental materials. Typically, only the book itself is included. This is true even if the title states it includes any access cards, study guides, lab manuals, CDs, etc.