Volume 3 — Security and Insecurity — v1.6.4, some typos

Errare est humanum. Any typos, inaccuracies, editorial mistakes, big or small - please post here.

Postby PeterU » Tue Jun 18, 2019 8:32 pm

I'm back...

A lot of this is capitalisation and other such issues of minor importance, but "big or small" was asked for... ;)

Disclaimer — explictly — explicitly
p11 — directly, but inspecting — by
p16 — PAM and opendirectory — Open Directory
p16 — millenium — millennium
p16 — [context evaulatePolicy] — evaluatePolicy
p18 — /System/LibraryCoreServices — /CoreServices
p19 — objective-C — Objective-C
p19 — was is in the framework — (remove ‘is’)
p19 — coreauthd, mMessages — coreauthd, messages
p19 — /System/Library/Accounts.. — (remove second ‘.’)
p25 — AUE_SESSION — (mono font)
p25 — aqua — Aqua
p34 — which were blocked the reporting — blocked by the reporting
p41 (Fig 3-6)— Deny VNODE_EXEUCTED — VNODE_EXECUTE ?
p44 — (period after footnote missing)
p45 — enabling kauth debugging — KAuth
p49 (Fig 4-1) — mach trap — Mach
p51 (Listing 4-5): enty point — entry
p56 — Although each system call tends to call a dedicated callout — Each
p59 — (period after footnote missing)
p61 — in syscall #380, label argument should have _ prefix
p62 — disallowed.. for all but — remove ..?
p63 — TN 2206 — TN2206 (remove space)
p63 — The user mode — the
p66 — (period after footnote missing)
p73 — Apple uses java(!) — Java
p73 — And/or/Not — Or
p74 — (period after footnote missing)
p74 — And Banned — banned
p75 — App store apps — Store
p78 — In all but a few cases — in
p83 — Jekyll App — app
p83 — until the Application — application
p83 — The App fully collaborates — app
p83 — entitlements on the App — app
p83 — App-Store — App Store
p83 — with Jekyll Apps — Jekyll apps
p83 — reviewing an App — app
p84 — Jekyll-App scenario — Jekyll app
p85 — discuessed — discussed
p87 — objective-c classes — Objective-C
p87 — daemons and Apps — apps
p87 — Apple Daemons — daemons
p87 — forEventitlement — forEntitlement
p88 — jtool most useful features — jtool’s
p89 — (period after footnote missing)
p89 — D-Script or D script? Inconsistent.
p92 — at /var/db — /var/db/auth.db
p93 — ActivityMonitor — Activity Monitor (x2)
p99 — may them — then
p100 — the App is registered as a LaunchAgent — app
p100 — Xprotect — XProtect (throughout on bundle contents)
p102 — GateKeeper — Gatekeeper
p102 — in 10.14.. — (remove ..)
p102 — be inside gke.bundle’s Resources — being ; (add period after footnote)
p103 — (period after footnote missing)
p105 — by GateKeeper — Gatekeeper
p105 — white list — whitelist
p107 — how tranlocation actually works — translocation
p107 — (period after footnote missing)
p108 — loaded onto %rax — (monospace %rax)
p109 — Group Policy Options — Objects
p109 — of the restrictions — restrictions.
p111 — roleof — role of
p111 — registered to launched — either ‘to be launched’ or ‘to launchd’
p111 — (period after footnote missing)
p112 — debug airplay mirroring — AirPlay
p113 — had 29 messages — messages.
p113 — App — app (x multiple)
p113 — Mach Port — Mach port (x multiple)
p113 — before user login** — **.
p114 — to the App — app (x2)
p114 — Contents/plugins — Contents/PlugIns
p114 — LaunchEvents, — remove ,
p115 — Mach Msg — msg
p115 — OpenDirectory — Open Directory
p115 — with those from open directory — Open Directory
p116 — (period after footnote missing)
p121 — Jailbreakers — jailbreakers
p120 — (SIP), in 10.11 — 11.
p121 — Jailbreaks — jailbreaks
p124 — (period after footnote missing)
p125 — risk; It is uninteresting — it is uninteresting
p125 — Applications using — applications
p126 — The main body of the hook, for cases where the mapping is writable — In the main body of the hook ??
p128 — the App can use this — app
p130 — A call to codeDirectory… — a call is made to ??
p133 — (buf after processing and extracting the entitlements — but
p134 — For Applications outside — applications
p134 (footnote) — different MIG messages — messages.
p134 — AMFI.kext — (smaller font?)
p137 — MIG, The functions — the
p138 — AppStore apps — App Store
p139 — Internal and/or universal — Universal
p140 — objective-C class — Objective-C
p141 — When the App is submitted — app
p141 — If the App is approved — app
p141 — in output 7-26 — Output
p147 — by Jailbreakers — jailbreakers
p148 — an App
p149 — a-priori — (space replace hyphen)
p149 — binaries - Once — once
p151 — The SandBox — Sandbox
p151 — sandboxd, containermanagerd fonts
p152 — Mac AppStore apps — App Store
p152 — initial “seatbelt” — (consistency in capitalization)
p152 — AppleEvents — Apple Events
p153 — CFBundleIdentifier, in unicode — Unicode
p154 — about its Sandboxing status — sandboxing (we’re talking generically now)
p154 — guaranteed to be containerized - Because — because
p154 — App-Store— App Store
p154 — then the App sandbox setup — Sandbox
p154 — and the App is marked with the — app
p155 — shown in figure 8-4 — Figure
p155 — Apps on MacOS — apps
p155 (Output 8-5): rocess 44690 — process
p155 — for an App store App — App Store app
p157 — , Apps were installed — apps
p157 — App static data — app
p157 — Apps was so strict — apps
p157 — separate from App code — app
p157 — in iOS 8* — *.
p157 — face swift execution — (I’d pick a different word for ‘execution’, since we mean ‘killed’ here)
p157 — of this trilogy — trilogy.
p158 — Application static data — application
p158 — iOS10 — iOS 10
p158 — at the root every container — of every container
p159 — sandbox profile language — Sandbox Profile Language
p159 — multiple parentheses — parentheses.
p159 — the notification center — Notification Center
p159 — debugging of sandbox profiles — Sandbox profiles.
p159 — output back scheme — Scheme
p160 — Exploring sandbox profiles — Sandbox
p161 — The sandbox hooks — Sandbox
p162 — indexes vs indices — (my British sensibilities would demand indices, but in any case, consistency on the choice of which is not present!)
p164 — and the error is an out parameter — err
p164 — filename containing a — Filename
p164 — third party Applications — applications
p164 — an App is launched — app
p165 — a sandbox profile — Sandbox
p165 — the sandbox evolves — Sandbox
p166 — for most App-Store Apps — App Store apps
p166 — Applications with the same — applications
p166 — the same team-identifier — (monospace)
p166 — App’s own — app’s own (x2)
p166 — App’s UUID — app’s
p166 — Allow IPC between Apps of the same — apps
p166 — Apple’s own Apps — apps
p168 — When an Application — application
p168 — that App’s extension list — app’s
p169 — the sandbox — Sandbox (x multiple)
p169 — Plenty of Apps in MacOS — apps
p170 — the sandbox — Sandbox
p170 — returns TRUE — (font)
p171 — suspend all — Suspend
p171 — resume all — Resume
p171 — containermanagerd — (font mono)
p172 — later in this chapter. — chapter).
p172 — its end of the initialization — the end of its initialization
p178 — third party Apps — apps
p178 — profile.Apple — profile. Apple
p178 — (period after footnote missing)
p178 — the Application can read — application
p179 — App to access — app to access
p179 — Mach Ports — Mach ports
p180 — different implementation — implementations
p181 — The sandbox daemon — Sandbox
p182 — returns 5 — Returns
p183 — understandibly — understandably
p185 — a sandbox profile — Sandbox
p186 — protected by entitlement) — ).
p186 — not the sandbox — Sandbox
p188 — operations - Much in the — much
p188 — an App may somehow
p191 — parses, applies — Parses
p193 — and Apps — apps
p193 — making sure Applications — applications
p197 — for an App — app
p197 — parameterized query of the form … is carried — This is carried
p197 — objective-C class — Objective-C
p198 — MacOS12 — MacOS 12
p198 — set access (granted) to service — Set
p198 — iOS9 — iOS 9
p199 — by daemons or Applications — applications
p201 — own Apps and daemons — apps
p201 — of ethernet board — Ethernet
p201 — MAC Address — MAC address
p201 — (period after footnote missing)
p202 — IOregistry — IORegistry
p202 — daemons and Apps — apps
p202 — over XPC — XPC.
p202 — i-device — i-Device
p206 — ThunderBolt — Thunderbolt
p206 — Tweakble — Tweakable
p209 — /var/db.forceODFESynchronize — /var/db/
p209 — OpenDirectory — Open Directory (x2)
p211 — do not call the Kext — kext
p213 — the class D key also comes in handy — Class D
p213 — (And eventually got — and
p214 — class C — Class C
p214 — class D — Class D
p214 — class A — Class A
p215 — (period after footnote missing)
p215 — effacable storage — Effacable Storage (x multiple)
p215 — metadata decryption** — **.
p216 — the iOS Data protection — Protection
p217 — Rather than wiping — rather
p217 — This author — this author
p217 — Fake Obliteration — obliteration
p217 — Safe Wife — Wipe
p217 — XPC model: It is — it
p218 — the class D key — Class D
p218 — a malicious App — app
p218 — as well as two Apps — apps
p220 — all possesses — possess
p220 — (period after footnote missing)
p221 — objective-C abstraction — Objective-C
p222 — aside from objc_retain — objc_retain)
p223 — Although The Security.framework — the
p224 — The Kext is one of a few — kext
p224 — advanced Silicon — silicon
p224 — 64-Bit devices — 64-bit
p224 — The AppleKeystore is linked — AppleKeyStore
p224 — The Keystore kext — KeyStore
p226 — another App — app
p226 — that App’s keychain — app’s
p226 — identifiers of other Apps — apps
p226 — provided for Applications — applications
p226 — - The APIs in Listing — the
p227 — KeyChain structure — Keychain structure
p229 — Inspecting KeyChain internals — Keychain
p233 — (period after footnote missing)
p233 — check — Check (x2)
p236 — Objective-c class — Objective-C
p236 (Figure 12-3) — objective-C — Objective-C
p239 — (period after footnote missing)
p240 — unfeasible — infeasible
p246 — : A server and a client — a
p247 — [12] — [12].
p248 — Javascript — JavaScript (x2)
p248 — solution - The shared — the
p250 — vulnerability: Its — its
p250 — libFontValidation.dylib — dylib -
p251 — lies in the Daemon’s — daemon’s
p251 — [Submitter sendToServerData:overrides] — (font)
p252 — : There is no arbitrary — there
p253 — for Worse bugs still — worse
p253 — One function, with unending bugs — one
p255 — Jailbreaking community — jailbreaking
p255 — foundations of Jailbreaking — jailbreaking
p256 — is that Jailbreaking — jailbreaking
p256 — villify — vilify
p256 — factitious — fictitious ??
p256 — Jailbreaking “eliminates security layers — jailbreaking
p256 — new life with Applications
p257 — would be kept secret — secret.
p257 — After numerous — after
p257 — deploy an App on the device — app
p258 — webkit — WebKit
p258 — to Execute unsigned code — execute
p258 — Webkit’s JIT — WebKit’s
p258 — Eleveate Privs — Elevate
p258 — Malware wouldn’t need to — malware
p259 — previous page), the stages are neither — previous page). The stages are neither
p259 — way to the App store — App Store
p259 — built-in Apps are rarely used — apps
p259 — in MobileSafari — (font)
p260 — for App distribution — app
p261 — This adds random to the kernel — randomness
p263 — Patch finders look for two — patch
p263 — 5s — 5S (or swap p262 for 5s)
p263 — Not only can they be easily located — not
p265 — any ones desired . — (remove space)
p265 — conditions. Listing 13-4 — (remove Listing 13-4 extra text)
p265 — left this it open in its initial — (remove ‘it’)
p268 — (footnote period is on its own line)
p270 — around this; The LwVM patch — the
p271 — (period after footnote missing)
p271 — Figure 13-9 it’s clear — 9,
p283 — GitHUB repository — GitHub
p284 — the App has no external — app
p285 — known to Springboard — SpringBoard
p285 — of the App’s existence — app’s
p285 — the App. Only it’s not an actual App — app; app
p285 — That an App executable — app
p286 — (period after footnote missing)
p286 — the App has expired its usefulness — app
p286 — the fake App launch — app
p286 — The App is run as — app
p286 — the user launches the App — app
p289 — boot - And that is the untether — and
p291 (Output 14-12) — Callaback Handler — Callback
p296 — code execution: At the — at
p296 — exploitation: Constructing — constructing
p296 — discussed: In previous versions — in
p298 — construct they use - Descriptors — descriptors
p298 — contents of the mach message — Mach
p298 — ipc_kmsg_copying_body, — ),
p299 — (period after footnote missing)
p299 — to jump - The kernel is slid — the
p299 — Evasi0n can’t afford to incorrectly — evasi0n
p300 — specific pattern: Beginning — beginning
p300 — This is described Volume 1 — described in Volume 1
p300 — known: It is the — it
p300 — address evasi0n control — controls
p301 — sextuble — sextuple
p302 — primitive: It is used — it
p305 — apt: Similar — similar
p305 — removal of this App — app
p306 — Evasi0n / Evad3rs — evasi0n / evad3rs
p306 — once again an App — app
p307 — the App used in the World Wide — app
p307 — any App used by naturally is — app
p307 — MacOS 10.9 — Mac OS X (this is in the User Agent string, which should remain literal ‘Mac OS X’)
p307 — the App is installed — app
p307 — to installing the App — app
p307 — the App is installed, however — app
p307 — to all the trouble, just to — (remove ,)
p308 — Apple’s SandBox mechanism — Sandbox
p309 — what more the soft link — what’s
p309 — var/mobile/Library/Preferences — /var
p309 — Evasi0n — evasi0n (x multiple)
p311 — for iOS6 — iOS 6
p313 — Evasi0n has guaranteed — evasi0n
p315 — Evasi0n — evasi0n
p318 — (pgrp) owning this tty — (font)
p319 — operations in Evasi0n 7 — evasi0n
p320 — The Evad3rs — evad3rs (x2)
p321 — Evasi0n / Evad3rs — evasi0n / evad3rs
p323 — Evasi0n7 — evasi0n 7
p324 — Evasion7 — evasi0n 7
p324 — The pangu Loader — Pangu
p324 — The App is entirely — app
p327 — panguaxe in the root — panguaxe,
p327 — Evasi0n — evasi0n
p328 — g_needoTinstall — g_needToInstall
p328 — set g_isIpod internally — g_isIPod
p328 — ~/mobile/Media — ~mobile/Media
p329 — ff ff) — ).
p334 — user client or UserClient ??
p334 — The IOUserclient — IOUserClient
p334 — users space — user space
p334 — to the Evasi0n case — evasi0n
p334 — The modified set — the
p335 — user client or UserClient ??
p335 — IOKit Families — families
p335 — pivotal role for Jailbreaks — jailbreaks
p337 — some - but not all of — - of
p341 — from an App container — app
p341 — only one: No other — no
p343 — with previous Jailbreaks — jailbreaks
p343 — first r-x segment — (font)
p348 — 8.1.1 — (remove space)
p350 — i-device — Device
p351 — Evasi0n 7 — evasi0n
p355 — final steps — Final
p357 — kernel exploit used by taig — TaiG
p357 — taig chose to obfuscate — TaiG
p358 — in Evasi0n 6 — evasi0n
p369 — 4480: Is the — is
p373 — This Chapter — chapter
p374 — /usr/libexec by Taig2 — TaiG
p375 — this slice looks strikingly — This
p377 — in the listing: The — the
p377 — &header-gt;fat_header — &header->fat_header
p382 — his/her code . — (remove space)
p383 — setLength: It will — it
p383 — call getReport() — (font)
p383 — shown in Figure 19-19 — Listing
p383 — HID Descriptors are — descriptors
p389 — App launch — app
p389 — over ssh — SSH
p390 — but two Apps on the device — apps
p390 — App (Pangu) — app
p390 — a favorite in Jailbreaking — jailbreaking
p390 — Evasi0n 7 — evasi0n
p390 — neither App will launch — app
p390 — Airplane mode — Airplane Mode (x2)
p390 — device settings - The — the
p390 — during the App launch — app
p390 — launching the App — app
p391 — Airplane mode — Airplane Mode
p391 — actual Jailbreak to take place — jailbreak
p391 — Photo library — photo
p391 — side effects: The — the
p392 — interest in any phoots! — photos
p392 — arbitrary read (srcPath) — (font)
p392 — Pangu’s App — app
p393 — code-signing — (space) (x2)
p393 — installed App and provisioning profile — app
p394 — the Jailbreak payload — jailbreak
p394 — of the App, including Mac versions — app
p395 — Kernel-Mode exploit — (space)
p395 — after freed - A textbook — a
p396 — IOHIDFamily’s open sources, — ),
p397 — one argument - So that its first — so
p398 — boon: All IOObjects derive — all
p398 — Feng-Shui: The — the
p399 — a fake ioservice object — IOService
p399 — isn’t really an issue: Patches — patches
p400 — follow along on a Pangu9 jailbroken — Pangu 9
p401 — not the same: It — it
p403 — to the Jailbreak payload library — jailbreak
p403 — If the untether is to be dymically — dynamically
p403 — tracing - Starting by — starting
p403 — (or, in later versions, the 270th function — 270th)
p405 — with a Jailbreak for iOS 9.1 — jailbreak
p405 — Author’s iOS Binary pack — author’s / binary
p405 — surprise - Although — although
p405 — activating a single App — app
p405 — virtually any App — app
p407 — vpnagent in iOS 10 - AMFI — 10)
p409 — the unicode character in the name — Unicode
p410 — however, user mode application — applications
p411 — in context: The — the
p411 — at offset 392.. — (remove second .)
p412 — The Exploit primitive — Primitive
p412 — adjacanet one — adjacent
p412 — IOMFBSwapIOReqst structures — Request
p413 — handy: Before returning — before
p413 — (by pointing to a gadget in kernel mode. — mode).
p414 — as trivial: A single validation — a
p415 — A human rights activist — a
p415 — selected Apps such as — apps
p415 — device - All this — all
p415 — LookOut Security — Lookout
p416 — obfuscated javascript file — JavaScript
p417 — - around 80k, — ( , replace with - )
p423 — however - How does one convince — how
p423 — /System/Library/Daemons — LaunchDaemons ?
p423 — signing enforcement, It is not — it
p424 — persistence: By — by
p424 — since it’s a javascript environment — JavaScript
p424 — with the malicious javascript — JavaScript
p424 — repeating stage2 and stage3 — Stage (x2)
p424 — Javascript payload — JavaScript Payload
p424 — The javascript payload used by — JavaScript
p424 — is the javascript code not obfuscated — JavaScript
p424 Fig 22-8 — new Javascript function objects — JavaScript
p424 — so as /to get libdyld — (remove /)
p425 — the javascript exploit scours — JavaScript
p426 — to WebKit and OSUnserializeXML — OSUnserializeBinary ??
p427 — a kickstarter campaign — Kickstarter
p428 — &result;conn and &result;iter — (HTML entity problems)
p433 — 1024 mach ports — Mach
p433 — fake port: The offset — the
p433 — Calling pid_for_task on the — calling
p433 — ipc_space_t: In a similar manner — (font) / in
p433 — to get kernel_task: At this point — (font) / at
p433 Fig 22a-8 — Spray and free arbitrary point pointers — port ?
p437 — this Author’s — author’s
p437 — and not to Applications — applications
p437 — execution of an App on a device — app
p438 — The App installed — app
p439 — (period after footnote missing)
p441 — The App, however, still maintains — app
p441 — the exploiting App — app
p441 — the App still holds the — app
p442 — exploiting App to usurp — app
p442 — callers: As discussed — as
p442 — power of attorney: Something — something
p442 — almost always so; On 32-bit — on
p442 — the Author found the value — author
p443 — .. Only to be resurrected — only
p443 — the exploiting App — app
p443 — that the App already has — app
p446 — UaF condition: The — the
p446 — the beginning: He — he
p446 — kernel_task — (inconsistent fonts)
p447 — , however - In order to — in
p447 — (period after footnote missing)
p447 — mounting problem — problem.
p451 — no mere feat: Although — mean / although
p455 — iOS9 — iOS 9
p455 — (period after footnote missing, initial capital missing)
p456 — ingenious: The KPP code — the
p458 — full jailbreak: The flow — the
p460 — challenge of a the pointer value — (remove ‘a’)
p462 — it effectively overwrite the header — overwrites
p462 — XNU’s internals - This technique — this
p462 — iOS 10 (For earlier — for
p464 — mapping: An 8k mapping of — an
p469 — twice: First it receives — first
p470 — uptdate — update
p471 — soon” . — (breaks over line)
p472 — necessary prequisite — prerequisite
p472 — an uparalleled amount — unparalleled
p473 — important: There is no — there
p473 — buffersize is deliberately smaller — (font)
p473 — maximum amounts which can be — amount
p474 — destroyed - This is why — this
p474 — beer can immediately free the port — Beer
p475 — 10.2: Constructed — constructed
p481 — Profile Evalutation — Evaluation
p484 — surfaces - Entitlements — entitlements
p485 — path is clear: We have to — we
p486 — AMFI’s mac slot — MACF
p489 — in “task conversion_eval" — task_conversion_eval
p489 — csblob_get_platform_binary(). bestow — (),
p490 — in chapter 7 — Chapter
p490 — entitlements - But Apple does not — but
p490 — execution model: The daemon — the
p492 — found in KExt — kext
p494 — by Jailbreakers — jailbreakers
p494 — signed App on every boot — app
p494 — Of Jailbreaks? — jailbreaks
p494 — extent of iOS Targeted — targeted
p494 — (This malware was later — this
p494 — , including the lowly watch could — watch,
p494 — book - have demonstrated — (remove -)
p495 — fix this? probably — Probably
p495 — step in the right direction — direction.
p495 — java-coded frameworks — Java-coded
p495 — written in pointer-less java —Java
p496 — Jailbreaks, have eventually adopted — jailbreaks / (remove ,)
p496 — key components of iOS encrypted — unencrypted
p496 — openness - Quite — quite
p497 — disabling Javascript in the browser — JavaScript
p498 — conclusion: Vulnerabilities — vulnerabilities
p498 — As figure A-1 demonstrates — Figure
p499 — it is successfully: Few — few
p499 — over os_log — os_log.
p503 — SSH sessions — sessions.
p504 — Macbooks — MacBooks
p504 — USB, BlueTooth — Bluetooth (x2)
p506 — mach traps — Mach
p506 — amuck — amok
p507 — propertyl list. — property list).
p507 — inconsistent fonts with alf.log / appfirewall.log
p507 — appfirewall.log — appfirewall.log.
p507 — Volume II’s Note — note
p508 — as the service ) — (remove space)
p508 — SSH or SSL — SSL.
p508 — little snitch” and “big brother” — Little Snitch / Big Brother
p511 — discussed in WWDC’s sessions) This is presently opt-in — this
p511 — features: Specifying — specifying
p512 — GateKeeper — Gatekeeper (x2)
p513 — root and/or iPhone — Root
p513 — like prove a pain — likely
p513 — SandBox — Sandbox
p513 — kernel extensions is now TCC-aware — kernel extension
p514 — side effect - As the — as
p514 — fine point - The APFS.kext — the
p517 — training - Both the — both
Postby morpheus » Tue Jun 18, 2019 8:46 pm

Excellent timing! I'm submitting a new batch and you caught me in the nick of time! Thank you! (Although amuck is proper spelling - just American..) and one of those ".." was on purpose as a hint to astute readers :-P and btw, factitious is a word. In the exact meaning I had in mind :-)

P.S. - you're now officially mentioned in Volume I as of v1.3, and in the ChangeLog :-)

Postby PeterU » Wed Jun 19, 2019 9:35 pm

It seems quite fitting that there are some meta-errata here. :)

(There's a good chance I've spelt something wrong while trying to spell something wrong as well as the points you mention!)