MAC OS® X AND iOS INTERNALS

INTRODUCTION

PART I FOR POWER USERS
CHAPTER 1 Darwinism: The Evolution of OS X
CHAPTER 2 E Pluribus Unum: Architecture of OS X and iOS
CHAPTER 3 On the Shoulders of Giants: OS X and iOS Technologies
CHAPTER 4 Parts of the Process: Mach-O, Process, and Thread Internals
CHAPTER 5 Non Sequitur: Process Tracing and Debugging
CHAPTER 6 Alone in the Dark: The Boot Process: EFI and iBoot
CHAPTER 7 The Alpha and the Omega — launchd

PART II THE KERNEL
CHAPTER 8 Some Assembly Required: Kernel Architectures
CHAPTER 9 From the Cradle to the Grave — Kernel Boot and Panics
CHAPTER 10 The Medium Is the Message: Mach Primitives
CHAPTER 11 Tempus Fugit — Mach Scheduling
CHAPTER 12 Commit to Memory: Mach Virtual Memory
CHAPTER 13 BS”D — The BSD Layer
CHAPTER 14 Something Old, Something New: Advanced BSD Aspects
CHAPTER 15 Fee, FI-FO, File: File Systems and the VFS
CHAPTER 16 To B (-Tree) or Not to Be — The HFS+ File Systems
CHAPTER 17 Adhere to Protocol: The Networking Stack
CHAPTER 18 Modu(lu)s Operandi — Kernel Extensions
CHAPTER 19 Driving Force — I/O Kit

APPENDIX Welcome to the Machine
INDEX

Mac OS® X and iOS Internals
TO THE APPLE’S CORE
Jonathan Levin

Mac OS® X and iOS Internals

Published by
John Wiley & Sons, Inc.
10475 Crosspoint Boulevard
Indianapolis, IN 46256
www.wiley.com

Copyright © 2013 by Jonathan Levin
Published by John Wiley & Sons, Inc., Indianapolis, Indiana
Published simultaneously in Canada

ISBN: 978-1-11805765-0
ISBN: 978-1-11822225-6 (ebk)
ISBN: 978-1-11823605-5 (ebk)
ISBN: 978-1-11826094-4 (ebk)

Manufactured in the United States of America

No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning, or otherwise, except as permitted under Sections 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 646-8600. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at http://www.wiley.com/go/permissions.

Limit of Liability/Disclaimer of Warranty: The publisher and the author make no representations or warranties with respect to the accuracy or completeness of the contents of this work and specifically disclaim all warranties, including without limitation warranties of fitness for a particular purpose. No warranty may be created or extended by sales or promotional materials. The advice and strategies contained herein may not be suitable for every situation. This work is sold with the understanding that the publisher is not engaged in rendering legal, accounting, or other professional services. If professional assistance is required, the services of a competent professional person should be sought. Neither the publisher nor the author shall be liable for damages arising herefrom. The fact that an organization or Web site is referred to in this work as a citation and/or a potential source of further information does not mean that the author or the publisher endorses the information the organization or Web site may provide or recommendations it may make. Further, readers should be aware that Internet Web sites listed in this work may have changed or disappeared between when this work was written and when it is read.

For general information on our other products and services please contact our Customer Care Department within the United States at (877) 762-2974, outside the United States at (317) 572-3993 or fax (317) 572-4002.

Wiley publishes in a variety of print and electronic formats and by print-on-demand. Some material included with standard print versions of this book may not be included in e-books or in print-on-demand. If this book refers to media such as a CD or DVD that is not included in the version you purchased, you may download this material at http://booksupport.wiley.com. For more information about Wiley products, visit www.wiley.com.

Library of Congress Control Number: 2011945020

Trademarks: Wiley, the Wiley logo, Wrox, the Wrox logo, Wrox Programmer to Programmer, and related trade dress are trademarks or registered trademarks of John Wiley & Sons, Inc. and/or its affiliates, in the United States and other countries, and may not be used without written permission. Mac OS is a registered trademark of Apple, Inc. All other trademarks are the property of their respective owners. John Wiley & Sons, Inc., is not associated with any product or vendor mentioned in this book.

To Steven Paul Jobs: From Mac OS’s very first incarnation, to the present one, wherein the legacy of NeXTSTEP still lives, his relationship with Apple is forever entrenched in OS X (and iOS). People focus on his effect on Apple as a company. No less of an effect, though hidden to the naked eye, is on its architecture. I resisted the pixie dust for 25 years, but he finally made me love Mac OS. Just as soon as I got my shell prompt.
— Jonathan Levin

CREDITS

ACQUISITIONS EDITOR: Mary James
SENIOR PROJECT EDITOR: Adaobi Obi Tulton
DEVELOPMENT EDITOR: Sydney Argenta
TECHNICAL EDITORS: Arie Haenel, Dwight Spivey
PRODUCTION EDITOR: Christine Mugnolo
COPY EDITORS: Paula Lowell, Nancy Rapoport
EDITORIAL MANAGER: Mary Beth Wakefield
FREELANCER EDITORIAL MANAGER: Rosemarie Graham
ASSOCIATE DIRECTOR OF MARKETING: David Mayhew
MARKETING MANAGER: Ashley Zurcher
BUSINESS MANAGER: Amy Knies
PRODUCTION MANAGER: Tim Tate
VICE PRESIDENT AND EXECUTIVE GROUP PUBLISHER: Richard Swadley
VICE PRESIDENT AND EXECUTIVE PUBLISHER: Neil Edde
ASSOCIATE PUBLISHER: Jim Minatel
PROJECT COORDINATOR, COVER: Katie Crocker
PROOFREADER: James Saturnio, Word One New York
INDEXER: Robert Swanson
COVER DESIGNER: Ryan Sneed
COVER IMAGE: © Matt Jeacock / iStockPhoto

ABOUT THE AUTHOR

JONATHAN LEVIN is a seasoned technical trainer and consultant focusing on the internals of the “Big Three” (Windows, Linux, and Mac OS) as well as their mobile derivatives (Android and iOS). Jonathan has been spreading the gospel of kernel engineering and hacking for 15 years, and has given technical talks at DefCON as well as other technical conferences. He is the founder and CTO of Technologeeks.com, a partnership of expert like-minded individuals, devoted to propagating knowledge through technical training, and solving tough technical challenges through consulting. Their areas of expertise cover real-time and other critical aspects of software architectures, system/kernel-level programming, debugging, reverse engineering, and performance optimizations.

ABOUT THE TECHNICAL EDITORS

ARIE HAENEL is a security and internals expert at NDS Ltd. (now part of Cisco). Mr. Haenel has vast experience in data and device security across the board. He holds a Bachelor of Science Engineering in Computer Science from the Jerusalem College of Technology, Israel and an MBA from the University of Poitiers, France. His hobbies include learning Talmud, judo, and solving riddles. He lives in Jerusalem, Israel.

DWIGHT SPIVEY is the author of several Mac books, including OS X Mountain Lion Portable Genius and OS X Lion Portable Genius. He is also a product manager for Konica Minolta, where he has specialized in working with Mac operating systems, applications, and hardware, as well as color and monochrome laser printers. He teaches classes on Mac usage, writes training and support materials for Konica Minolta, and is a member of the Apple Developer Program. Dwight lives on the Gulf Coast of Alabama with his beautiful wife Cindy and their four amazing children, Victoria, Devyn, Emi, and Reid. He studies theology, draws comic strips, and roots for the Auburn Tigers (“War Eagle!”) in his ever-decreasing spare time.
Executables PESavePanicInfo(), 336 PE_State, 202 PE_state, 304 _PE_state, 303 PE_Video, 304 pexpert, 303, 307 PF See Protocol Family PFDL See process fi le descriptor lock physical memory Mach, 462–467 VM, 448–449 PIC See Programmable Interrupt Controller PID See Process ID PIDEX(14), 170 pid_resume(), 94, 494 pid_shutdown_sockets, 94 pid_suspend(), 94, 494 PIDTR(11), 169 pinsertchild(), 516 PIPE(), 534 pipeops, 605 pkg, 217 PL See process lock , 313 Platform Expert (PE), 296, 303, 304 plist, 162, 718 plist, 229 p_listflag, 516 P_LIST_INCREATE, 516 plumbing, 677 plutil(), 28 pmap, 448–449, 463, 464–465 pmap_create(), 464 pmap_destroy(), 464 pmap_disconnect(), 465 PMAP_ENTER(), 498 pmap_enter(), 464 pmap_enter[_options](), 464 pmap_page_protect(), 464 pmap_reference(), 464 pmap_remove(), 465 pmap_switch(), 465 pmap_t, 463, 465–467 pmap_zero_page(), 464 pmc/profiling, 307 pmCPUGetDeadline(), 433 pmset(1), 68 PNG, 204 Point-to-Point Protocol (PPP), 651 817 www.it-ebooks.info bindex.indd 817 9/29/2012 5:56:57 PM Book Title V1 - MM/DD/2010 policies – PROCESSOR_NULL policies Apple policy modules, 560–563 execution, 527–528 I/O, 527–528 MAC, 559–560 Mach pagers, 494–499 policy_check, 331 poll(2), 144 Portable Executables (PEs), 187 portmapper, RPC, UNIX, 234–235 ports, 234 exceptions, 436, 439 Mach, 251–253, 357–358 messages, 349–351 tasks, 402 PORT_SET, 350 POSIX BSD, 501, 503 system calls, 284–287 FUSE, 598 Leopard, Mach, 343 network stack, 649 OS X, 45, 46 page management system calls, 540–541 semaphores, 364 system calls, 46, 283 threads, 144–145 VFS, 591 VM, 458, 540–541 posix_spawn(), 91, 132, 513, 514, 515 PostScript, power management, 751–753 Power On Self Test, 184 PowerPC, 183 PPC, 296–297, 518–519 PPID See Parent Process Identifier PPP See Point-to-Point Protocol ppp, 679 praudit(1), 60, 556 pr_ctlinput(), 671 pr_ctloutput(), 671 pr_drain(), 671 PRECEDENCE_POLICY, 421 Preemption Free Zone (PFZ), 275, 426–427 preemption modes, Mach scheduling, 418–423 explicit, 
418–420 implicit, 420–423 preemptive multitasking, OS X, 420–423 prefabt, 426 PreferencePanes, 39 _PrelinkBundlePath, 722 _PrelinkExecutable*, 722 PRELINK_INFO, 109 PRELINK_INFO, 721–722 pre-linking, 713 _PrelinkInterfaceUUID, 722 pr_fasttimo(), 671 pr_init(), 671, 674 pr_input(), 671 printf(), 117, 128, 131, 313 private frameworks, 33 privileged ports, 374–377 pr_lock(), 672 probes, 147 proc, 152 PROC_ALLPROCLIST, 508 PROC_CREATE_FORK, 514, 516 PROC_CREATE_SPAWN, 514, 516 PROC_CREATE_VFORK, 514 Procedure, 353 proc_enforce, 64 processes, 91–146 BSD, 504–508 control and tracing, 525–529 creating, 512–525 lists, 507–508 software, 535 structs, 504–507 suspension and resumption, 529 CPU, 92–93 executables, 98 groups, 91 BSD, 507–508 hibernation, iOS, 547–548 information, OS X, 156–159 instances, 91 I/O, 93, 600–605 lifecycle, 92–95 pid_resume, 94 pid_suspend, 94 zombie state, 93–94 security, 97 threads, 91–92 universal binaries, 99–111 UNIX, 91 signals, 95–97 VM, 107–109 process address space, Mach-O, 130–138 process fi le descriptor lock (PFDL), 507 Process ID (PID), 91, 93, 228, 326, 515 bsdinit_task(), 325 dtruss, 150 killpg1_callback(), 535 Mach, 511–512 process lock (PL), 507 process spin lock (PSL), 507 ProcessOptions, 198–199 processor, 352, 380–384 processor_assign, 381 processor_control, 381 processor_csw_check(), 429 processor_enqueue(), 429 processor_exit, 381 processor_get_assignment, 381 processor_info, 381 processor_init(), 428 PROCESSOR_NULL, 415 818 www.it-ebooks.info bindex.indd 818 9/29/2012 5:56:58 PM 10 Book Title V1 - MM/DD/2010 processor_queue_empty – readelf processor_queue_empty(), 429 processor_queue_has_priority(), 429 processor_queue_remove(), 429 processor_queue_shutdown(), 429 processor_queue_urgent(), 429 processor_runq(), 430 processor_runq_stats_count_sum(), 430 processor_set, 352, 384–387, 408 processor_set_destroy, 385 processor_set_info, 386 processor_set_max_priority, 385 processor_set_policy_control, 386 processor_set_policy_enable, 
385 processor_set_stack_usage, 386 processor_set_statistics, 385 processor_set_tasks, 385 processor_set_threads, 385 processor_start, 381 processor_ts, 382–384 process_policy(), 528 Procfs, 598 proc_info, 156–159, 527, 552 proc_iterate(), 508 proc_listallpids, 159 proc_listchildpids, 159 proc_listpgrppids, 159 PROC_PIDWORKQUEUEINFO, 552 PROC_POLICY_APP_LIFECYCLE, 528 PROC_POLICY_APPTYPE, 528 PROC_POLICY_BACKGROUND, 528 PROC_POLICY_HARDWARE_ACCESS, 528 PROC_POLICY_RESOURCE_STARVATION, 528 PROC_POLICY_RESOURCE_USAGE, 528 proc_t, 326, 515, 600 PROC_ZOMPROCLIST, 508 profile, 152 Program, 238 ProgramArguments, 238 Programmable Interrupt Controller (PIC), 270 Programmable Read Only Memory (PROM), 184 protocols See also specifi c protocols EFI, 188–191 GUIDs, UEFI, 191 interfaces, 677–678 KPI functions, 677 transport, layer IV, 668–669 Protocol Family (PF), 650 packet fi ltering, 697–698 proto_plumb(), 677 ProtoString(), 427 protosws, 669–673 prototypes, 46 pr_output(), 671 pr_slowtimo(), 671 pr_sysctl(), 672 pr_unlock(), 672 pru_sosend, 691 pr_usrreq(), 672–673 ps(1), 179, 409–411 pset_init(), 428 pset_name_self, 384 psets, 408 pseudo fi le systems, 583–587 PSL See process spin lock PTEs See page table entries Pthread, 49 pthread, 144–145 pthread_create(), 407, 510 pthread_exit(), 408 pthread_mutex_lock(), 134 ptrace(2), 148, 525–527 PubSub, 39 Puma, PureDarwin, 10 purgeable zones, 139 PurpleSystemEventPort, 253 PUSH_FUNCTION, 272 p_uthlist, 515 puts, 117 Pystar, 10 Python, Python, 39 Q qlgenerator, 18 qlmanage(), 19 QoS See Quality of Service QT(32), 167 QTKit, 39 Quality of Service (QoS), 705–707 quantum_expire(), 430 quarantine, 609 Quartz, 39 Quartz Extreme, QuartzCore, 39 QueueDirectories, 237 queue_head.t, 398 queue-iterate, 398 QuickLook, 18–19 QuickLook, 39 QuickLookGeneratorPluginFactory, 18 QuickTime, 39 R Racoon, 243 RaiseTPL, 189 RAM Disk, 199 RAMDisk, 200–201 random access, 624 RAX, 278 RB_SINGLE, 326 read(), 418 read(2), 143 readelf, 105 819 
www.it-ebooks.info bindex.indd 819 9/29/2012 5:56:58 PM Book Title V1 - MM/DD/2010 Read-Only Memory – scheduling Read-Only Memory (ROM), 184 READTR(10), 169 read-write lock objects, 363 ready_heap, 706 real GID, 97 real UID, 97 realtime_setrun, 407 RECEIVE, 349 recovery mode, iBoot, 212–213 ref_count, 456 rEFIT, 194 registers ARM, 776–779 CPSR, 267–268, 777–778 CRs, 266–267, 775–776, 778–779 DRs, 775 floating point, 774, 777 Intel, 773–776 MSRs, 279 RegisterProtocolNotify, 189 regular expressions, 306 ReinstallProtocolInterface, 189 relpath, 300 Remote Procedure Call (RPC), 351 portmapper, UNIX, 234–235 REMOVE(7), 169 removeDisk, 576 Rendezvous, RENICED, 422 replay attacks, 213–214 _reply_sync, 256 ReportCrash, 243 reservation specification (RSpec), 706 ResetSystem, 192 ResizeDisk, 576 resizeStack, 576 ResizeVolume, 576 resource forks, 611–612 Resources, 28 RestoreTPL, 189 Return-Oriented Programming (ROP), 132 reverse DNS, 18–19, 30 Revision, 202 RFLAGS, 774–775 Rhapsody, rings, 266–267 RLIMIT_CORE, 170 robustness, 265 ROM See Read-Only Memory Root UUID, 199 ROP See Return-Oriented Programming Rosetta installer, 102 route(8), 652 _router_ip, 332 Routine, 353 routing sockets, 652 RPC See Remote Procedure Call rpcgen, 351 RSpec See reservation specification rtclock, 431 rtclock_timer.deadline, 432–433 rtclock_timer_t, 432 rtc_timer, 435 Ruby, Ruby, 39 RubyCocoa, 39 run queues, 412–413 RunLoopType(), 257 runtime services, 191–192 RunTimeServices, initializeConsole, 195 S -S, 143 -s, 151, 228, 326, 330 Safari, Saffron, 12 sample(1), 174 Sandboxd, 243 sandboxd, 243 SandBoxedFetch, 257 sandboxing, 65, 81–90 controlling, 82–83 enforcing, 89–90 entitlements, 83–89 iOS, 81–82 jailbreaking, 81–82 voluntary imprisonment, 82 sandbox_init(3), 82 Sandbox.kext, 561 _SandboxProfile, 257 SandboxProfileData, 86 SandboxProfileDataValidation EntitlementsKey, 86 Saved Application State, 85 sbappend(), 690 sbappendaddr(), 690 sbappendrecord(), 690 sbappendstream(), 690 SBAppTags, 248 
/sbin, 22 /sbin/launchd, 227 scalable allocator, 139 SCDyamicStore, 69 SceneKit, 39 sched, 152 sched_decay_shifts, 411–412 sched_dispatch_table, 428 sched_pri, 413 sched_prim.h, 428 sched_pri_shift, 411 scheduling kernel, 262, 406–407 Mach, 389–446 algorithms, 427–430 ASTs, 423–427 continuations, 416–418 820 www.it-ebooks.info bindex.indd 820 9/29/2012 5:56:58 PM 10 Book Title V1 - MM/DD/2010 SCNetworkReachability – 64-bit dispatch table, 428–430 exceptions, 436–445 explicit preemption, 418–420 handoffs, 415–416 implicit preemption, 420–423 kernel, 406–407 ledgers, 398–399 preemption modes, 418–423 primitives, 389–408 tasks, 395–398, 422–423 task APIs, 399–404 threads, 390–395 thread APIs, 404–408 thread creation, 407–408 timer interrupts, 431–436 SCNetworkReachability, 69 SCNetworkReachabilityConfigd, 242 ScreenSaver, 39 Scripting, 39 ScriptingBridge, 39 Scripts, 217 sc_usage(1), 165 scutil(8), 67–68, 69 search, B-Tree, 624, 629–630 SECURE_KERNEL, 305 security iOS, 79–90 kernel, 262 kext, 718 Lion, OS X, 79–90 processes, 97 Security, 39 security, 307, 352 _security(), 553 security(1), 80 SECURITY(9), 167 Securityd, 243 securityd, 243 SecurityFoundation, 39 SecurityInterface, 39 SecurityServer (SL), 243 -segcreate, 109 segedit(1), 105, 721 segname, 107 select(), 418 select(2), 144 self-contained*_init(), 320 semaphores, 364–366 Mach lock objects, 364–366 POSIX, 364 semaphore_create, 365 semaphore_destroy, 365 semaphore_signal, 365 semaphore_signal_all, 365 semaphore_wait, 365 SEND, 349 SEND_ONCE, 350 serial, 313, 318, 331, 332 SERIAL_KDP, 318 ServerNotification, 39 serverperfmode, 331 servicebundle, 248 ServiceManagement, 40 ServiceType, 257 set_alarm, 380 setaudit(), 61 setaudit_addr(), 61 SETBUF(4), 169 SetConsoleMode, 200 set_dp_control_port, 376 setfsgid, 97 setfsuid, 97 setpgrp(2), 91 setPop(), 435 SETREG(8), 169 setrlimit(2), 170, 398, 515 SETRTCDEC(15), 170 SetTime, 192 SetTimer, 189 SETUP(6), 169 Setup.App, 249 setup_wqthread, 551 SetVariable, 192 
SetWakeupTime, 192 severity, 70 sflt_detach(), 695 SFLT_GLOBAL, 696 sflt_register(), 694 sflt_unregister(), 694 sftl_attach(), 695 SG_PROTECTED_VERSION, 492 shared library cache, 121 shells, 246–253 shmem, 255 should_current_thread_rechoose_ processor(), 430 show regions, 458 SHSH, 213–214 SIDL, 92 signals BSD, 529–536 UNIX, processes, 95–97 SignalEvent, 189 Simple Network Management Protocol (SNMP), 56 SIMPLE_FILE_SYSTEM_PROTOCOL, 190 SIMPLE_POINTER_PROTOCOL, 190 Simpleprocedure, 353 Simpleroutine, 353 SIMPLE_TEXT_INPUT_PROTOCOL, 190 SIMPLE_TEXT_OUTPUT_PROTOCOL, 190 single UNIX specification (SUS), 502 Siri, 12 SIUResources.pkg, 216 64-bit BIOS, 184 kernel, 264 Lion, 8, 200 821 www.it-ebooks.info bindex.indd 821 9/29/2012 5:56:59 PM Book Title V1 - MM/DD/2010 size – SWI memory leaks, 176 process address space, 132–133 Snow Leopard, XNU, system calls, 283–284 size, 346 size(1), 105, 109 sizeof(void *), 286 sizeofncmds, 104 slab allocators, 545 slave_pstart(), 313, 316, 329 sleep, 328–329 sleep, 418 sleep_kernel(), 329 sleh_abort, 438 sleh_undef, 438 SMP, 316, 319, 360, 415 smp_init, 316–317 snapshots, 159–170 SNMP See Simple Network Management Protocol Snow Leopard, 7–8, 99, 130, 139, 561 so, 42 sockaddr, 691 sockets descriptors launchd, 240 layer V sockets, 660–661 domains, UNIX, 651 fi lters packet fi ltering, 694–696 XNU, 695–696 kernel mode, 667–668 layer V, 660–668 NDRV, 653 network driver, 652–654 routing, 652 statistics, 658–660 system, 556, 655–658 Sockets, 238 socket_t, 696 sock_inject_*, 695 sockkets, IPSec Key Management, 654 SOCK_RAW, 653 soft links, 578–579, 639 SoftResourceLimits, 236 SoftWare Interrupt (SWI), 275, 280 Solaris, 149 so_proto, 667 source-level compatibility, 502 specfs, 586 Spin Control, 174 spindump, 174 spinlock, Mach lock objects, 364 spllo(), 318 spoofi ng packets, 653–654 Spotlight, 6, 19–20, 75 SpotlightFS, 598 SpringBoard, 13, 248–253, 411 Springboard(), 245 SRUN, 93 SSH, 13–14, 21, 598 ssh.plist, 232–233 SSLEEP, 94 stack 
protector, 130 stack_collect(), 497 stack_guard, 130 stackshot(1), 160–162 stack_snapshot, 162–165 STANDARD_POLICY, 421 starblock, 639 start(), 310–311 start-stf, 655 start_time.stop_time, 59 stderr, 232, 238, 241 stdin, 232, 238, 241 , 503, 724 stdout, 232, 238, 241 std_types, 352 steal_thread(), 429 stf, 678 stf(4), 655 stfattach(), 685 STOP, 94 StopAnimation, 201 StoreKit, 40 strace, 150 string, 254 , 503 strings(1), 105 stroff, 115 struct, 201, 463 structs, BSD processes, 504–507 struct fuse_operations, 598 struct ifnet, 680–681 struct mbuf, 661 struct mount, 592–593 struct proc, 504–507 struct proclist, 507–508 struct sockbuf, 661 struct uthread, 508–510 struct vnode, 595–597 stub_helper, 118 stubs, 115 subsystems I/O Kit, 753 Mach, 352–353 sunrpc, 235 SUN-RPC, 351, 353 superblock, 592 SuperVisor Call (SVC), 275 supports_timeshare(), 429 SUS See single UNIX specification SVC See SuperVisor Call SVC, 267 swap fi les, 488 swapfile_pager_data_request(), 488–491 SWI See SoftWare Interrupt 822 www.it-ebooks.info bindex.indd 822 9/29/2012 5:56:59 PM 10 Book Title V1 - MM/DD/2010 switch – threads switch(), 272, 333 symoff, 115 synchronous interrupt, 278 synchronous kernel, 268 SyncServices, 40 SYS, 267 SYS(), 534 sys, 307 SYSCALL, 279–282 syscall, 152, 169 sysctl(), 56–57, 156 SYSCTL_*, 553, 554 sysctl(2), 169, 620, 646–647 sysctl(8), 110, 142, 171, 552–555 sysdiagnose(1), 159–160 , 566–567 sysent, 285–287 SYSENTER, 279–282 sysenter, 280 sys/kern_control.h, 656 syslog, 70 syslogd, 71, 72, 243 sys/malloc.h, 542 , 92 SYSPROTO_EVENT, 657 , 95 , 650 , 94 System, 40 /System, 23 system calls BSD, 47–48 POSIX, 284–287 diagnostic, 292–295 kernel, 261, 268, 283–295 iOS, 286–287 MAC, 63–64 Mach, 46–48 numbers, 46 POSIX, 46, 283 BSD, 284–287 prototypes, 46 UNIX, 292 XNU 64-bit, 283–284 system sockets, 556, 655–658 system sockets, 79 SystemAudioVolume, 193 SystemConfiguration, 40 SystemUIServer, 247 T tar(1), 217 target_task, 455 task, 352 tasks Mach scheduling, 395–398, 422–423 
APIs, 399–404 multitasking, 4, 11, 420–423 ports, 402 threads, 397 task_access, 353 task_create(), 400 task_for_allow, 444 task_for_pid(), 462, 511 task_get_exception_ports(), 401 task_get_state(), 401 task_importance(), 401 task_info(), 400 task_policy_get(), 401 task_policy_set(), 401 task_priority(), 397–398, 401 task_resume(), 400, 529 task_sample(), 401 task_set_emulation(), 345 task_set_exception_ports(), 401 task_set_info(), 400 task_suspend(), 400, 529 task_terminate(), 400 task_threads(), 400, 405 task_zone_info(), 467 Tcl, 40 TC-shell, 21 Telluride, 12 Terminal, 20 Terminal.app, 231 _TEXT(), 107 TEXT, 134 TextEdit, 84–87 SystemConfiguration.framework, 68 /System/Library/CoreServices, 247 /System/Library/Frameworks, 33 /System/Library/LaunchAgents, 229 /System/Library/LaunchDaemons, 229 /System/Library/Sandbox/Profiles, 83 system.logger, 243 system.notification_center, 243 system_profiler(8), 159 system.Security, 609 32-bit Intel, process address space, 132 iOS, process address space, 133–134 kernel, 266 memory leaks, 176 threads, 143–146 BSD, 508–512 CPU, 408 affi nity, 415 execution, 408 hyperthreading, 408, 415 Mach scheduling, 390–395 APIs, 404–408 creation, 407–408 multithreading, 93, 786, 787 objects, BSD, 508–510 823 www.it-ebooks.info bindex.indd 823 9/29/2012 5:56:59 PM Book Title V1 - MM/DD/2010 thread_abort[_safely] – two-level namespace POSIX, 144–145 priorities, 409–412 processes, 91–92 run queues, 412–413 tasks, 397 UNIX, 143 VM, 144 vm_pageout(), 495 wait queues, 414 XNU, 512 thread_wakeup_prim, 406 THRMAP(12), 169 THROTTLE, 528 THROTTLE_APPLICATION, 423 throttling thread_abort[_safely](), 404 thread_act, 353 [thread/act]_[get/set]_state, 404 THREAD_AFFINITY_POLICY, 422 thread_assign(), 405 thread_assign_default(), 405 thread_ast_set(), 423 THREAD_BACKGROUND_POLICY, 422 THREAD_BASIC_INFO, 405 thread_bind, 406 thread_block(), 416 thread_block_parameter(), 406, 419 thread_block_reason(), 406, 418–419 thread_bootstrap(), 395 
thread_bootstrap_return(), 417 thread_call_daemon, 469 thread_count, 397 thread_create(), 395, 407 thread_create_running(), 407 thread_depress_abort(), 404 thread_exception_return(), 417 THREAD_EXTENDED_POLICY, 422 thread_get_assignment(), 405 thread_get_exception_ports(), 405 thread_[get/set]_special port(), 405 thread_go, 407, 414 thread_info(), 405 thread_invoke(), 406, 419 thread_policy, 405 thread_policy_[get/set](), 405 thread_policy_set_internal(), 421 THREAD_PRECEDENCE_POLICY, 422 thread_resume(), 325–326, 404 thread_run, 406 thread_sample, 405 thread_set_exception_ports, 405, 436 thread_set_policy, 405 thread_setrun, 407, 414 thread_set_state, 408 THREAD_STANDARD_POLICY, 422 thread_suspend(), 404 thread_swap_exception_ports, 405 thread_switch(), 415–416 thread_t, 419 thread_t mach_thread(), 404 thread_template, 395 thread_terminate(), 404 thread_terminate, 408 THREAD_TIME_CONSTRAINT_POLICY, 422 thread_unblock, 414 launchd, 236–237 Mach, 412 thumb mode, 785–786 tick-less kernel, 432 Tiger, 6–7 TIME_ABSOLUTE, 378 timebase_init(), 428 TIME_CONSTRAINT_POLICY, 421 TimeOut, 59 timer interrupts, 431–436 TIMER_CALL_CRITICAL, 433 timer_call_enter, 433 TIME_RELATIVE, 378 timer_queue_expire, 434 timestamps, 578, 607–608 TinySCHEME, 82 TinyUmbrella, 214 Tk, 40 TLB See Translation Lookaside Buffer Tmp, 25 /tmp, 22, 25 top(1), 179–180 TOSTOP, 93 totalNodes, 628 tr(1), 409 TRACE(7), 167 Trace Server, 162 tracers, 147 TraditionalString(), 427 TraditionalWithPsetRun QueueString(), 427 traffic shaping, 705–707 transactions HFS+ journaling, 644–645 launchd, 236 Translation Lookaside Buffer (TLB), 144, 449 transport protocols, layer IV, 668–669 TRAP, 272, 274, 534 trap handlers Intel, 268–278 ARM, 275–278 kernel, 334 Mach, 287–291 treeDepth, 627 true, 254 truss, 150 Trusted BSD, 62 TSTOP, 93 tunneling, 682–686 TWAIN, 40 Twitter, 40 twitter.authenticate, 245 Twitterd, 245 twittered.server, 245 two-level namespace, 125 824 www.it-ebooks.info bindex.indd 824 9/29/2012 5:56:59 PM 
10 Book Title V1 - MM/DD/2010 -u – uuid U -u, 441 -u mobile, 246 ubc_info, 596 ubc_info_init(), 488 UDF See Universal Disk Format UDIF See Universal Disk Image Format -udp_in 1, 70 udp_output(), 691 udp_send(), 691 UEFI See Universal Extensible Firmware Interface UGA_DRAW_PROTOCOL, 190 UID See user identifier UIKit, 40 UIKit.pasteboardd, 245 uint64, 254 ulimit(1), 512, 515 ulimit -c, 170–171 uname(1), 9, 14 UND, 268 undef, 426 Unicode, 617 Unified Buffer Cache, 484, 488, 596 Uniform Type Identifier (UTI), 18 UninstallProtocolInterface, 189 unionfs, 587 , 46, 503, 724 universal binaries executables, 98 file(1), 99 kernel, 100 Mach-O, 102–105 OS X, 99 processes, 99–111 Snow Leopard, 99 Tiger, Universal Disk Format (UDF), 582, 591 Universal Disk Image Format (UDIF), 589 Universal Extensible Firmware Interface (UEFI), 185–186, 191 Universal Page List (UPL), 484–486 Universal Plug and Play (uPNP), UNIX See also X is Not UNIX BSD, 501–502 Darwin, 5, 20–22 debugging, 178–180 directories, 22–24 iOS, 23–24 OS X, 23 domain sockets, 651 exceptions, 529–534 executables, 98 fork(), 512 FUSE, 598 INET, 234 inetd, 238 inode, 608 Leopard, load_init_program(), 326 Mach, 534 OS X, 502 permissions, 577, 639 processes, 91 RPC portmapper, 234–235 signals, processes, 95–97 system calls, 292 threads, 143 -u, 441 unix_syscall, 284–285 unpackers, cache, 121 unprotect_segment(), 492, 493 UNSPECIFIED4, 422 UN*X atd, 231 crond, 231 inetd, 232–234 launchd, 229 ldd, 114 Mach, 389 SUN-RPC, 351 xinetd, 232–234 update_priority(), 411, 430 UPL See Universal Page List upl_abort[range](), 486 upl_clear_dirty(), 486 upl_create(), 485 upl_deallocate(), 486 uPNP See Universal Plug and Play user, 56 User Data Record, 628 User Experience layer, 15, 17–20 user identifier (UID), 97 user mode BSD process creation, 512–513 involuntary transition exceptions, 269–270 interrupts, 270–271 I/O Kit, 740, 746–755 device drivers, 749–750 I/O registry, 747–749 plug and play, 750–751 network stack, 650–658 traffic 
shaping, 707 voluntary transition, 278–282 UserNotification, 307 /Users, 23 USER_TRAP, 272 user_trap(), 274, 438 user_trap_returns, 425 USR, 267 /usr, 22 /usr/share/sandbox, 83 utaskbootstrap(), 326 uthread, 510 UTI See Uniform Type Identifier utun, 679, 682–686 utun_control_register(), 655 utun_ctl_connect(), 684–685 uuid, 255 825 www.it-ebooks.info bindex.indd 825 9/29/2012 5:57:00 PM Book Title V1 - MM/DD/2010 ux_handler – voluntary user/kernel transition ux_handler(), 529–532 ux_handler_init(), 326, 529–530 V -v, 313 /var, 22 /var/audit, 60 /var/log/asl, 70 /var/log/install.log, 214 /var/run/lockdown.sock, 234 /var/tmp/launchd-shutdown.log, 228 Vassetd, 245 vecLib, 40 verify, 86 Version, 202 version.plist, 717 vfork(), 514, 515 VFS See Virtual FileSystem Switch vfs, 56, 307 VFS_CTL_QUERY, 647 vfs_fentry, 591–592, 593 vfs_fsadd(), 593 vfs_mountroot(), 592 VideoDecodeAcceleration, 40 VideoToolKit, 40 Virtual FileSystem Switch (VFS), 22, 577, 591–600 fsctl(2), 645–646 FUSE, 597–605 kernel, 645–648 mount entry, 592–595 struct vnode, 595–597 sysctl(2), 646–647 vnode, 595–597 virtual memory (VM) ARM, 447, 791 arm_vm_init(), 311 Intel, 791 isolated, 130 Mach, 447–500 architecture, 447–462 Mach-O, 140–143 PE, 304 physical memory plane, 448–449 POSIX, 458, 540–541 processes, 107–109 threads, 144 virtualization, 10, 262, 267 vlan, 679 VM See virtual memory vm, 56, 307 vmaddr, 107 vm_allocate, 453 vm_allocate_cpm, 375 VM_BASIC_INFO_64, 453 VM_CHECK_MEMORYSTATUS, 548 vm_check_memorystatus, 548 vm_fault(), 498 VM_FLAGS_ANWHERE, 453 vminfo, 152 VM_INHERIT_COPY, 455 VM_INHERIT_SHARE, 455 vmmap(), 135–138 vm_map(), 353, 448, 450–451, 456, 493 VM_MAP_ANWHERE, 455 vm_map_apple_protected(), 493 vm_map_behavior_set, 454 vm_map_copyin(), 454 vm_map_copyout(), 454 vm_map_copy_overwrite, 454 vm_map_enter(), 453, 457 vm_map_entry(), 448, 451–452 vm_map_inherit(), 454 vm_map_lookup_entry(), 453 vm_map_machine_attribute(), 455 vm_map_msync, 454 vm_map_object, 452 VM_MAP_OVERWRITE, 455 
vm_map_page_query_internal(), 456 vm_map_protect(), 453, 457 vm_map_remap(), 455 vm_map_t, 452 VM_MEM_SUPERPAGE, 465 VM_NOT_CACHEABLE, 465 vm_object(), 448 vm_object_t, 452 vm_page(), 448, 452 vm_page_info(), 456 VM_PAGE_INFO_BASIC, 456 vm_pageout(), 319, 495, 496, 497 vm_pageout_garbage_collect, 471–473 VM_PAGE_QUERY_PAGE_*, 456 vm_page_queue_active, 495 vm_page_queue_free, 495 vm_page_queue_inactive, 495 vm_page_queue_speculative, 495 VM_PRESSURE_MINIMUM_RSIZE, 545 vm_pressure_monitor(), 545 VM_PROT_EXECUTE, 455 VM_PROT_READ, 455 VM_PROT_WRITE, 455 vm_rdwr, 521 vm_read_overwrite, 454 VM_REGION_BASIC_INFO, 458–462 vmsize, 107 vm_stat(1), 141–142, 495–496 vm_statistics, 495–497 VMWare, 10, 333 vnmap(1), 458–462 vnode, 488, 584–587, 595–597 vnode_enforce, 64 vnode_pager, 448 VNOP_LOOKUP, 597 void, 361, 464–465 /Volume, 23, 24 volume header, HFS+, 631–632 voluntary user/kernel transition, 278–282 826 www.it-ebooks.info bindex.indd 826 9/29/2012 5:57:00 PM 10 Book Title V1 - MM/DD/2010 – XPC , 236 vpro_transaction, 236 vstart(), 279, 306, 310 W wait(), 93 wait(2), 93 wait queues, 414 wait3(2), 93 wait4(2), 93 WaitForEvent, 189 waitpid(2), 93 wait_queue_assert_wait[64[_locked]], 414 wait_queue_t, 365 wait_result_t, 363, 364 WatchPaths, 237 weakly defi ned symbols, 124 Web Distributed Authoring and Versioning (WebDAV), 583 WebKit, 40 wfq_ready_heap, 706 widgets, 6, 45, 47 WildCat, 11 WindowServer, 17 work queues, 550–552 wpkernel, 331 WQOPS_QUEUE_ADD, 550 WQOPS_THREAD_RETURN, 551 WQOPS_THREAD_SETCONC, 550 wq_runitem, 551 wrappers, 122, 149, 240–241 write(2), 144 WriteProcessMemoryEx(), 407 X -x, 330 X is Not UNIX (XNU), boot arguments, 329–331 kernel, 299–340 BSD, 49–50, 501, 504 build actions, 302 Cheetah, CHUD, 155 compiling, 300–302 CONFIG_CODE_DECRYPTION, 493 CONFIG_DEBUG, 308 configuration, 305 CONFIG_ZLEAKS, 468 DEBUG, 308 domains, 675 EFI, 184 hardware extraction, kernel, 295–297 hybrid kernel, 265 Intel trap handlers, 272–275 I/O Kit, 50, 737 iOS, 12, 310 
Jaguar, kdebug, 165–170 kernel, 50 architecture, 302–305 kpi_socket, 667 kqueues, 555 ledgers, 398 Lion, MAC, 560 Mach, 49 microkernels, 343 Memorystatus, 546 microkernels, 264, 343 ml_functions, 296–297 Mountain Lion, OS X, 266 osfmk/man, 345 packet filtering, 693, 697 pagers, 486 Panther, Puma, regular expressions, 306 runtime services, 191 sandboxing, 89 64-bit, system calls, 283–284 Snow Leopard, socket filters, 695–696 sources, 299–308 source tree, 305–308 stack_snapshot, 162–165 struct proclist, 507–508 system sockets, 556 threads, 512 Tiger, timer interrupts, 431–436 X Kernel, 12 xar(1), 217 xattr(1), 608, 609 XBD, 503 XCode, 20, 148, 173, 174 xcodebuild(1), 723 XCU, 503 XDR See external data representation XgridFoundation, 40 xib, 28 xinetd, 232–234 XllUser.pkg, 216 XNU See X is Not UNIX XPC, 79 Cocoa, 254 GCD, 253 iOS, 253–257 kill -9, 253 launchd, 253–257 Lion, 253–257 messages, 255–256 MIG, 256 object types, 254–255 zalloc_noblock(), 544 -zc, 330 Z_CALLERACCT, 469, 544 Objective-C, 256 property lists, 257 SandBoxedFetch, 257 services, 256–257 , 255–256 xpc_connection_send_barrier, 255 xpc_connection_send_message, 255 xpc_connection_send_message_with_reply, 255 xpc_connection_set_target_queue, 257 xpc_dictionary_create_replay, 257 XPCKit, 254 xpc_main, 256 xpc_object_t, 256 XPCServices, 257 XSH, 503 XT-PICs See Legacy PICs

Y
yielding, 415

Z
zalloc(), 470, 544 *zalloc(), 469 *zalloc_canblock(), 469 ZeroConf, Z_EXHAUSTIBLE, 469 Z_EXPAND, 469 Z_FOREIGN, 469 zfree(), 469 ZFS, 16 -zinfop, 330 zinit(), 469, 544 zlog, 330 Z_NOENCRYPT, 469 zombie state, 93–94 zones BSD, 541–544 Lion, 542 Mach, 467–473 boot, 470–471 debugging, 473 garbage collection, 471–473 OS X, 470–471 zone_bootstrap(), 470 zone_change(), 469 zone_init(), 470 -zp, 330 zprint(1), 467 zrecs, 330 Z-shell, 21