Mac OS X and iOS Internals: To the Apple's Core

Appendix A (Beat the System) is online here.

The following is the complete table of contents for the book.

Chapter 1: Darwinism -The Evolution of OS X

The Pre-Darwin Era: Mac OS Classic
The Prodigal Son: NeXTSTEP
Enter: OS X
OS X Versions, to Date
- 10.0 - Cheetah and the First Foray
- 10.1 - Puma: a Stronger Feline, but . . .
- 10.2 - Jaguar: Getting Better
- 10.3 - Panther and Safari
- 10.4 - Tiger and Intel Transition
- 10.5 - Leopard and UNIX
- 10.6 - Snow Leopard
- 10.7 - Lion
- 10.8 - Mountain Lion
iOS - OS X Goes Mobile
- 1.x - Heavenly and the First iPhone
- 2.x - App Store, 3G and Corporate Features
- 3.x - Farewell, 1st gen, Hello iPad
- 4.x - iPhone4, Apple TV, and the iPad 2
- 5.x - To the iPhone 4S and Beyond
iOS vs. OS X
The Future of OS X
References
Summary

Chapter 2: E Pluribus Unum: Architecture of OS X and iOS

OS X Architectural Overview
The User Experience Layer
- Aqua
- Quicklook
- Spotlight
Darwin: The UNIX Core
The Shell
The File System
UNIX System Directories
OS X Specific Directories
iOS File System Idiosyncrasies
Interlude: Bundles
Applications and Apps
- Info.plist
- Resources
- NIB Files
- Internationalization with .lproj Files
- Icons (.icns)
- CodeResources
Frameworks
- Framework Bundle Format
- List of OS X and iOS Public Frameworks
Libraries
Other Application types
System Calls
POSIX
Mach System Calls
A High-Level View of XNU
- Mach
- The BSD Layer
- libkern
- I/O Kit
Summary
References

Chapter 3: On the Shoulders of Giants - OS X and iOS Technologies

BSD heirlooms
- sysctl
- kqueues
- Auditing (OS X)
- Mandatory Access Control
OS X and iOS Specific Technologies
- User and Group Management (OS X)
- System Configuration
- Logging
- Apple Events and AppleScript
- FSEvents
- Notifications
- Additional APIs of interest
OS X and iOS Security Mechanisms
- Code signing
- Compartmentalization (Sandboxing)
- Entitlements: Making the Sandbox Tighter Still
- Enforcing the Sandbox
Summary
References

Chapter 4: Parts of the Process: Mach-O, Process and Thread Internals

A Nomenclature Refresher
Processes and threads
The Process Lifecycle
UNIX Signals
Executables
- Universal Binaries
- Mach-O Binaries
- Load Commands
- Dynamic Libraries
- Launch-Time Loading of Libraries
- Runtime Loading of Libraries
- dyld Features
Process Address Space
- The process entry point
- Address Space Layout Randomization
- 32-Bit (Intel)
- 64-Bit
- 32-Bit (iOS)
- The Commpage
Process Memory Allocation (User Mode)
Virtual Memory—The sysadmin Perspective
Threads
Unraveling threads
References

Chapter 5: Non Sequitur - Process Tracing and Debugging

DTrace
- The D Language
- dtruss
- How DTrace Works
Other Profiling mechanisms
The Decline and Fall of CHUD
AppleProfileFamily: The heir apparent
Process Information
- sysctl
- proc_info
- Process and System Snapshots
- system_profiler(8)
- sysdiagnose(1)
- allmemory(1)
- stackshot(1)
- The stack_snapshot system call
Kdebug
- Kdebug-based utilities
- Kdebug codes
- Writing kdebug messages
- Reading kdebug messages
Application Crashes
Application Hangs and Sampling
Memory Corruption Bugs
Memory Leaks
- heap(1)
- leaks(1)
- malloc_history(1)
Standard UNIX Tools
- Process listing with ps(1)
- System-Wide View with top(1)
- File Diagnostics with lsof(1) and fuser(1)
Using GDB
- GDB Darwin extensions
- GDB on iOS
- LLDB
Summary
References and Further Reading

Chapter 6: Alone in the Dark: The Boot Process-EFI and iBoot

Traditional Forms of Boot
OS X and EFI Boot
- EFI demystified
- The EFI Services
- NVRAM Variables
- Inside Apple’s boot.efi
- Flow of boot.EFI
- Booting the Kernel
- Kernel Callbacks into EFI
- Boot.EFI Changes in Lion
- Boot Camp
- Count Your Blessings
- Experiment: Running EFI programs on a Mac
iOS Boot
- Precursor: The Boot ROM
- Normal boot:
- Recovery Mode:
- Device Firmware Update (DFU) Mode:
- Downgrade and replay attacks
Installation Images
- OS X Installation process
- iOS File System Images (.ipsw)
Summary
References and Further Reading

Chapter 7: Alpha and Omega : LaunchD and User Mode Boot

Launchd
- Starting Launchd
- Daemons and Agents
- The many faces of Launchd
  - init
  - Per-User initialization
  - atd/crond
  - inetd/xinetd
  - mach_init
  - Transaction Support
  - Resource Limits and Throttling
  - Autorun Emulation and File System Integration
  - I/O Kit Integration
  - Experiment: Setting up a Custom LaunchD Wrapper
Lists of LaunchDaemons
- iOS LaunchDaemons
- lockdownd
GUI Shells
- Finder (OS X)
- SpringBoard (iOS)
XPC (Lion & iOS)

Chapter 8: From the Cradle to the Grave - Kernel Boot and Panics

The XNU Sources
- Getting the Sources
- Making XNU
- One kernel, multiple architectures
- The XNU Source Tree
Booting XNU
- The bird's eye view
- OS X: vstart
- iOS: start
- [i386|arm]_init
- i386_init_slave()
- machine_startup
- kernel_bootstrap
- kernel_bootstrap_thread
- bsd_init
- bsdinit_task
- Sleeping and Waking Up
Boot Arguments
Kernel Debugging
Don't Panic
- Implementation of Panic
- Panic Reports
Summary
References:

Chapter 9: Some Assembly Required: Kernel Architectures

Kernel Basics
Kernel Architectures
User Mode versus Kernel Mode
- Intel Architecture - Rings
- ARM Architecture - CPSR
Kernel/User Transition Mechanisms
- Trap Handlers on Intel
- Trap Handlers on ARM
- Voluntary kernel transition
System Call processing
- POSIX/BSD System calls
- Mach Traps
- Machine Dependent Calls
- Diagnostic calls
XNU and hardware abstraction
Summary
References

Chapter 10: The Medium is the Message – Mach Primitives

Introducing: Mach
- The Mach Design Philosophy
- Mach Design Goals
Mach Messages
- Simple messages
- Complex messages
- Sending messages
Ports
The Mach Interface Generator (MIG)
IPC, in Depth
- Behind the Scenes of Message Passing
Synchronization Primitives
- Lock group objects
- Mutex object
- Read-Write Lock Object
- Spinlock object
- Semaphore Object
- Lock Set object
Machine Primitives
- Clock Object
- Processor Object
- Processor Set Object
Summary
References

Chapter 11: Tempus Fugit - Mach Scheduling

Scheduling Primitives
Run Queues
Threads
Tasks
Task and Thread APIs
- Getting the Current Task and Thread
- Task APIs
- Thread Control APIs
- Thread Creation
Scheduling
- The High-Level View
- CPU Affinity
- The Mach Implementation
- Mach Scheduling Primitives
- Context Switching in Mach
- Continuations
- Preemption Modes
- Explicit Preemption
- Implicit Preemption
- Asynchronous Software Traps (ASTs)
Exceptions
- The Mach Exception Model
- Implementation Details
- Exception-Handling Exercises
Mach Task Scheduling
- Interrupt-Driven Scheduling
- Timer Interrupt Processing in XNU
- Scheduling Algorithms
Summary

Chapter 12: Commit to Memory - Mach Virtual Memory

Virtual Memory Architecture
- The 30,000-Ft View of Virtual Memory
- The Bird's Eye view
- The User Mode view
- Physical Memory Management
Mach Zones
- The Mach Zone structure
- Zone Setup During Boot
- Zone Garbage Collection
- Zone Debugging
Kernel Memory Allocators
- kernel_memory_allocate()
- kmem_alloc() and Friends
- kalloc
- OSMalloc
Mach Pagers
- The Mach Pager interface
- Universal Page Lists
- Pager Types
- Paging Policy Management
- The Pageout Daemon
- Handling page faults
- The dynamic_pager(8) (OS X)
Summary

Chapter 13: BS"D - The BSD Layer

Introducing BSD
- BSD and POSIX
- One Ring to Bind Them
- What’s in the POSIX Standard?
- Implementing BSD
- XNU Is Not Fully BSD
Processes and Threads
- BSD Process Structs
- Process Lists and Groups
- Threads
- Mapping to Mach
Process Creation
The User Mode Perspective
The Kernel Mode Persepctive
Loading and Executing Binaries
Mach-O Binaries
Process Control and Tracing
- ptrace (#26)
- proc_info (#336)
- Policies:
  - iopolicysis (#322)
  - process_policy (#323)
  - Process Suspension/Resumption (iOS)
Signals
- The UNIX Exception Handler
- Hardware Generated Signals
- Software Generated Signals
- Signal Handling by Victim
Summary

Chapter 14: Something Old, Something New: Advanced BSD Aspects

Memory Management
- POSIX Memory and Page Management System Calls
- BSD Internal Memory Functions
- Memory Pressure
- Jetsam
- Kernel Address Space Layout Randomization
sysctl
Kernel WorkQueues and GCD Internals
Mandatory Access Control
MAC Policies
Apple's policy modules
References

Chapter 15: Fee, FI-FO, File – File Systems and the VFS

Prelude: Disk Devices and Partitions
Partitioning Schemes
Generic File System Concepts
- Files
- Extended Attributes
- Permissions
- Timestamps
- Shortcuts and Links
File Systems in the Apple Ecosystem
- Native Apple File Systems
- DOS/Windows File Systems
- CD/DVD File Systems
- Network-Based File Systems
- Pseudo File Systems
Mounting File Systems (OS X only)
Disk Image Files
Booting from a Disk Image (Lion)
The Virtual File System Switch
- The File System Entry
- The Mount Entry
- The Vnode object
- Experiment: View All File Systems in Kernel
FUSE—File Systems in USEr Space
File I/O from Processes
Summary
References and Further Reading

Chapter 16: To B(-Tree) or not to Be: HFS+

HFS+ File System Concepts
Time stamps
Access Control Lists
Extended Attributes
Forks
Compression
Unicode Support
Finder Integration
Case Sensitivity (HFSX)
Journaling
Dynamic Resizing
Metadata Zone
Hot Files
Dynamic Defragmentation
HFS+ Design Concepts
HFS+ Components
- The Catalog File
- Catalog Lookup
- Catalog Insertions
- Catalog Deletions
- File and Folder Record Data
- Permissions
- Hard and Soft Links
- Fork Allocation
The Extent Overflow
Attribute B-Tree
Hot-File B-Tree
Allocation File
The Extent Overflow
HFS+ Journaling

VFS and Kernel Integration

Summary

References and Further Reading

Chapter 17: Adhere to Protocol: The Networking Stack

User mode Revisited
- UNIX Domain Sockets
- IPv4 Networking
- Routing Sockets
- Network Driver Sockets
- IPSec Key Management Sockets
- IPv6 Networking
- System Sockets
Socket and protocol statistics
Layer V: Sockets
- Socket descriptors
- mbufs
- Implementing the Socket API
- Sockets in Kernel Mode
Layer IV: Transport Protocols 23
Layer III: Network protocols
Layer II: Interfaces
Interfaces in OS X and iOS
- The Data Link Interface Layer (DLIL)
- The ifnet structure
- Case Study: utun
Putting it all together: The Stack
- Receiving data
- Sending data
Packet Filtering
- Socket Filters
- ipfw(8)
- The PF Packet Filter (Lion and iOS)
- IP Filters
- Interface Filters
- The Berkeley Packet Filter
Traffic Shaping and QoS
- The Integrated Services Model
- The Differentiated Services Model
- Implementing dummynet
- Controlling Parameters from User Mode
Summary
References and Further Reading

Chapter 18: Modu(lu)s Operandi - Kernel Extensions

Extending the Kernel
Securing Modular Architecture
Kernel Extensions (kexts)
Kext Structure
KEXT Security Requirements
Working with Kernel Extensions
Kernelcaches
Multi-Kexts
A Programmer's View of KEXTs
Kernel Kext Support
Summary

Chapter 19: Driving Force - I/O Kit

Introducing I/O Kit
The Constraints of Device Driver Programming
I/O Kit Is..
I/O Kit isn't
LibKern: The I/O Kit Base Classes
I/O Kit from User Mode
Plug and Play (Notification Ports)
I/O Kit Diagnostics
I/O Kit Kernel Drivers
- The I/O Kit Families
- The I/O Kit Driver Model
- The IOWorkLoop
- Interrupt Handling
- I/O Kit Memory Management
- I/O Kit Power Management
Summary
References and Further Reading

Appendix A: Beat the System

Table of OS X/iOS System calls
Table of Mach Traps

Appendix B: Welcome to the Machine

XNU on the Intel Architecture
XNU on the ARM Architecture