Notes from iOS 13/MacOS 15 Preview
Jonathan Levin, http://newosxbook.com/ - 06/13/15
0. Changelog
6/13/18: First version
7/31/18: Updates for beta 5
About
Continuing an ongoing tradition
This is a VERY rough listing, which tracks what I do to figure out diffs. Commands are raw and largely unedited. This is not meant to be A) comprehensive B) overly legible. You want a simple explanation of diffs, wait for an update to MOXII 2. You want raw findings, read on. Feedback welcome.
1. Both (XNU)
- xnu 6041 - a HUGE leap from 4903 - biggest I've ever recorded
- Memory management updated (There will be no Armageddon!). Finer kalloc.12k, kalloc.16k.
- MIG changes (from jtool2 --analyze on the iPad8 kernelcache):
-- Note: The mach_port MIG subsytem contains more messages (39) than I expected (37)
_mach_port_guard_with_flags
_mach_port_swap_guard
-- Note: The memory_entry MIG subsytem contains more messages (3) than I expected (2)
-- Note: The task MIG subsytem contains more messages (54) than I expected (52)
{ "task_get_exc_guard_behavior", 3452 },\
{ "task_set_exc_guard_behavior", 3453 }
> /* Version 0 trust caches: No defined sorting order (thus only suitable for small trust caches).
> * Used for loadable trust caches only, until phasing out support. */
Hallelujah!
- circle_queue.h: apparently not a disgrace to everything Knuth taught us, anymore..
- mpqueue.h: ?
- mpsc_queue.h: multi-producer single-consumer queue. - Damn it, AAPL, how can I finish Volume II when you keep throwing more data structures at me?
- restartable.h: for new 8,000 subsystem (task_restartable)
- The new schedulers: sched_amp_common.h: ??? sched_clutch.h: ??? (have to see these in kernel binary first)
- arcade_upcall subsystem - NEW, supporting AAPL Arcade, with heavy Fairplay interaction (unsurprising). ARCADE_REG is likely a new ipc port type
#define MACH_MSG_GUARDED_PORT_DESCRIPTOR 4
(update Vol.1 Ch11)
- check_unix_syscall:
{ "nspace_handle", 867800 },\
{ "nspace_resolve_cancel", 867801 },\
{ "nspace_resolve_path", 867802 }
..
218: _lstatv - retired (now enosys @0xfffffff007f95d78)
219: _fstatv - retired (now enosys @0xfffffff007f95d78)
..
532: NEW SYSCALL possibly detected @0xfffffff007f9e24c (_coalition_ledger)
533: NEW SYSCALL possibly detected @0xfffffff007f9abb8 (_log_data)
534: NEW SYSCALL possibly detected @0xfffffff007f8779c (_memorystatus_available_memory)
- proc_info got three new flavors: 30 (4 bytes, still working on this one), 31 (1040 bytes, pathname and slide(!)), 32 (ipc table info - table_size (4 bytes) and table_free (4 bytes) - 8 bytes)
- And syscall 217 is repurposed (sneaky!) as _fsgetpath_ext
- pipes are still 192 bytes, but allocated in tandem into the pipe.zone in a 400 byte element
- knotes shrunk from 144 to 128 and simplified
- Uthreads shrunk from 840 to 808, again messing up fields. Xn00p modified, though still not sure about all fields removed.
- proc struct field shuffling.. again. At some point I'll highlight the changed fields, but for now this is a ctfdump (Note my useful tip about this in Volume I's v1.3 changelog), and I highlighted offsets of some fields - so you can work out the rest. In beta 1 proc was 1,192 - but somewhere in 2 or 3 and later, it got a new field - p_original_ppid, changing it to 1,200 bytes.
STRUCT proc (1200 bytes)
p_list type=5875 off=0
task type=49 off=128
p_pptr type=6687 off=192
p_ppid type=78 off=256
p_original_ppid type=30 off=288 // BETA 2 and later. Why, AAPL, Why?
p_pgrpid type=30 off=320
..
p_hash type=5875 off=1280
p_evlist type=6629 off=1408
p_persona type=3915 off=1536
p_persona_list type=5875 off=1600
p_fdmlock type=24 off=1728
p_ucred_mlock type=24 off=1856
...
p_nice type=16 off=5872
p_resv1 type=14 off=5880
p_comm type=345 off=5888 /* 0x2e0 */
p_name type=347 off=6024
...
p_cpusubtype type=378 off=6624
syscall_filter_mask type=379 off=6656 NEW - for Macf hook probably
p_platform type=41 off=6720 NEW - caches TF_PLATFORM
p_sdk type=41 off=6752 NEW - SDK version (from LC_BUILD_VERSION)
p_aio_total_count type=3 off=6784
...
p_dispatchqueue_serialno_offset type=27 off=8256
p_dispatchqueue_label_offset type=27 off=8320 NEW
p_return_to_kernel_offset type=27 off=8384
...
p_memstat_requestedpriority type=47 off=8832
p_memstat_assertionpriority type=47 off=8864 NEW
p_memstat_dirty type=41 off=8896
...
p_memstat_memlimit_inactive type=47 off=9280
p_memstat_relaunch_flags type=47 off=9312
p_responsible_pid type=78 off=9344
p_user_faults type=41 off=9376
p_exit_reason type=297 off=9408
p_user_data type=27 off=9472
- struct fileproc now has f_vflags - another 4 bytes (with forced padding after f_iocount, since it pushes f_fglob, an 8 byte pointer, to alignment), bringing up struct size to 32...
- task struct massively changed from 1,472 → 1,560 (to allow for restartable, watches, etc.). New layout:
STRUCT task (1560 bytes)
lock type=8942 off=0
ref_count type=239 off=128
active type=334 off=160
halting type=334 off=192
message_app_suspended type=334 off=224
vtimers type=41 off=256 /* 0x28 */
map type=2869 off=320 /* 0x30 */
tasks type=621 off=384
watchports type=9012 off=512 NEW
returnwait_inheritor type=228 off=576 NEW
sched_group type=9015 off=640
threads type=3296 off=704
restartable_ranges type=9017 off=832 NEW
pset_hint type=9103 off=896
..
bsd_info type=49 off=7424 /* 0x3a0 */
corpse_info type=9029 off=7488
..
t_procflags type=41 off=7904
t_returnwaitflags type=46 off=7936 NEW
all_image_info_addr type=574 off=8000
..
exec_token type=41 off=11616
coalition type=4179 off=11648
task_coalition type=9072 off=11776
dispatchqueue_offset type=27 off=12032
hv_task_target type=49 off=12096
task_exc_guard type=9073 off=12160
..
task_monotonic type=9071 off=11008
task_can_transfer_memory_ownership type=46 off=11200 NEW
task_objects_disowning type=46 off=11208 // Added in place of purgeable_disowning..
task_objects_disowned type=46 off=11216
task_volatile_objects type=3 off=11232
task_nonvolatile_objects type=3 off=11264
// task_purgeable_disowning type=155 off=10688 -- removed
// task_purgeable_disowned type=155 off=10720 -- removed
task_owned_objects type=3 off=11296 NEW
task_objq type=3296 off=11328
...
io_user_clients type=3296 off=12224
mach_header_vm_address type=574 off=12352
loadTag type=41 off=12416
Added:
> 6lowpan
> Coalition.task.ledgers
> Per-coalition.ledgers
> kalloc.12288
> kalloc.16384
> mcache.netns.ns_flow_inf$
> mcache.netns.ns_reservat$
> mcache.netns.ns_token
> mcache.skywalk.mem.mg.12
> mcache.skywalk.mem.mg.28
> netns.ns
> personas - coming to MacOS, apparently (already present in *OS)
> protons.token
> skywalk.mem.pp.htbl
Removed:
< mcache.skywalk.mem.mg.62
< skywalk.ch.htbl
< skywalk.nx.fsw.ms.mc
< pipe.garbage.zone
- The zone_require(address, zindex) function makes sure that a given address originates in the zone numbered zindex, or else panics. This effectively mitigates the common (possibly copyrighted/stolen) technique of exploiting UaF by constructing fake objects (q.v. async_wake through voucher_swap fake object construction via pipes/msg OOLs/etc) in kernel memory when memory is repurposed after garbage collection. (Thanks, @IBSparkes!)
_zone_require:
ffffff80003af480 movq %rdi, %rax
ffffff80003af483 movq _zone_map_min_address(%rip), %rcx
ffffff80003af48a cmpq %rdi, %rcx
ffffff80003af48d ja 0xffffff80003af4be # outside_zone_map
ffffff80003af48f leaq 0x7(%rax), %rdx
ffffff80003af493 cmpq _zone_map_max_address(%rip), %rdx
ffffff80003af49a jae 0xffffff80003af4be # outside zone_map
ffffff80003af49c movq %rax, %rdx
ffffff80003af49f andq $-0x1000, %rdx
ffffff80003af4a6 subq %rcx, %rdx
ffffff80003af4a9 shrq $0xc, %rdx
ffffff80003af4ad leaq (%rdx,%rdx,2), %rcx
ffffff80003af4b1 shlq $0x3, %rcx
ffffff80003af4b5 addq _zone_metadata_region_min(%rip), %rcx
ffffff80003af4bc jmp 0xffffff80003af4c8 # in
ffffff80003af4be movq %rax, %rcx
ffffff80003af4c1 andq $-0x1000, %rcx
ffffff80003af4c8 movzwl 0x16(%rcx), %edx
ffffff80003af4cc andl $0x3ff, %edx
ffffff80003af4d2 cmpl $0x3ff, %edx
ffffff80003af4d8 jne 0xffffff80003af4eb
ffffff80003af4da movl 0x10(%rcx), %edx
ffffff80003af4dd negq %rdx
ffffff80003af4e0 movzwl 0x16(%rcx,%rdx), %edx
ffffff80003af4e5 andl $0x3ff, %edx
ffffff80003af4eb movzwl %dx, %ecx
ffffff80003af4ee imulq $0x130, %rcx, %rcx # <== 0x130 is sizeof(struct zone)
ffffff80003af4f5 leaq _zone_array(%rip), %rdx // get zone index
ffffff80003af4fc leaq (%rdx,%rcx), %rdi
ffffff80003af500 cmpq %rsi, %rdi
ffffff80003af503 jne 0xffffff80003af506 # do_panic
ffffff80003af505 retq # return 0
_do_panic:
ffffff80003af506 pushq %rbp
ffffff80003af507 movq %rsp, %rbp
ffffff80003af50a movq 0xf8(%rcx,%rdx), %rdx // Get zone name from zone (at 0xf8)
ffffff80003af512 leaq 0x76cdb9(%rip), %rdi ## literal pool for: "\"Address not in expected zone for zone_require check (addr: %p, zone: %s)\"@/BuildRoot/Library/Caches/com.apple.xbs/Sources/xnu/xnu-6041.0.0.111.5/osfmk/kern/zalloc.c:654"
ffffff80003af519 movq %rax, %rsi
ffffff80003af51c xorl %eax, %eax
ffffff80003af51e callq _panic
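As an added illustration of the check above (this is my own C model, not code from this page or from XNU), here is how the logic the disassembly shows fits together: per-page metadata records which zone owns each page of the zone map, and the check resolves the owner of a given address and refuses it when it differs from the zone the caller passed in (the computed zone pointer is compared against %rsi above). That is why an object sitting in memory owned by some other zone no longer passes as, say, a port. The zone names, the 8-page map and the metadata struct are constructed for the model; the 10-bit index, the 0x3ff "walk back to the chunk head" case and the addr+7 range test mirror the disassembly. Where the kernel panics, the model reports and returns false.

```c
/* Added model of zone_require, not XNU's code. Zone names, map size and
 * metadata layout are constructed for illustration. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define PAGE_SIZE       0x1000
#define NPAGES          8
#define ZINDEX_MASK     0x3ff   /* zone index lives in the low 10 bits of the metadata word */
#define ZINDEX_TRAILING 0x3ff   /* all ones: this page continues a multi-page chunk */

struct zone {
    const char *name;
    size_t      elem_size;
};

/* Per-page metadata, modelled on the two fields the disassembly reads:
 * distance back to the chunk's first page, and the zone index bits. */
struct page_meta {
    uint32_t pages_back;
    uint16_t zindex_bits;
};

/* Constructed zone table and zone map (assumption: 3 zones, 8 pages). */
static struct zone zone_array[] = {
    { "kalloc.16",  16 },
    { "kalloc.32",  32 },
    { "ipc.ports", 168 },
};
static uint8_t          zone_map[NPAGES * PAGE_SIZE];
static struct page_meta zone_meta[NPAGES];

/* Give npages starting at first_page to zone zi; pages after the first are
 * marked as trailing and point back to the chunk head. */
static void zone_assign_chunk(size_t zi, size_t first_page, size_t npages)
{
    for (size_t i = 0; i < npages; i++) {
        zone_meta[first_page + i].pages_back  = (uint32_t)i;
        zone_meta[first_page + i].zindex_bits = (i == 0) ? (uint16_t)zi : ZINDEX_TRAILING;
    }
}

/* Resolve the zone owning addr, or NULL if addr is outside the zone map.
 * (Simplification: XNU also reads inline metadata for foreign pages; the
 * model treats anything outside the map as unowned.) */
static const struct zone *zone_owning(const void *addr)
{
    uintptr_t a  = (uintptr_t)addr;
    uintptr_t lo = (uintptr_t)zone_map;
    uintptr_t hi = lo + sizeof zone_map;

    if (a < lo || a + 7 >= hi)          /* same range test as the disassembly (addr+7 < max) */
        return NULL;

    size_t page = (a - lo) / PAGE_SIZE; /* the kernel masks with -0x1000 instead; its map is page aligned */
    const struct page_meta *m = &zone_meta[page];
    uint32_t zi = m->zindex_bits & ZINDEX_MASK;
    if (zi == ZINDEX_TRAILING) {        /* walk back to the chunk head and read its index */
        m  = &zone_meta[page - m->pages_back];
        zi = m->zindex_bits & ZINDEX_MASK;
    }
    if (zi >= sizeof zone_array / sizeof zone_array[0])
        return NULL;
    return &zone_array[zi];
}

/* The check itself: true if addr belongs to expected. The kernel panics on
 * the other path; the model reports and returns false. */
static bool zone_require_check(const void *addr, const struct zone *expected)
{
    const struct zone *actual = zone_owning(addr);
    if (actual != expected) {
        printf("would panic: addr %p not in expected zone %s (owner: %s)\n",
               addr, expected->name, actual ? actual->name : "<none>");
        return false;
    }
    return true;
}

/* Constructed layout: pages 0-1 kalloc.16, pages 2-4 one chunk of ipc.ports, pages 5-7 kalloc.32. */
static void zone_model_init(void)
{
    zone_assign_chunk(0, 0, 1);
    zone_assign_chunk(0, 1, 1);
    zone_assign_chunk(2, 2, 3);
    zone_assign_chunk(1, 5, 1);
    zone_assign_chunk(1, 6, 1);
    zone_assign_chunk(1, 7, 1);
}

int main(void)
{
    zone_model_init();
    void *port_obj = zone_map + 3 * PAGE_SIZE + 0x100; /* on a trailing page of the ipc.ports chunk */
    int   local = 0;

    zone_require_check(port_obj, &zone_array[2]); /* passes: owner is ipc.ports */
    zone_require_check(port_obj, &zone_array[0]); /* refused: right map, wrong zone */
    zone_require_check(&local, &zone_array[2]);   /* refused: not in the zone map at all */
    return 0;
}
```

The interesting branch is the trailing-page one: an element in the middle of a multi-page chunk has no index of its own, so the check follows pages_back to the chunk head before comparing, which is what the movl 0x10 / negq / movzwl 0x16(%rcx,%rdx) sequence above does.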
2. Both (Usermode)
- libsystem_featureflags (update Table 2-20 of Volume I)
- SF_FIRMLINK and SF_DATALESS (chflags nodataless)
- libxpc now at 1691.. (from 13xx). New APIs include xpc_message_request, xpc_graph, xpc_payload, xpc_pipe_routine_with_flags
- GCD (libdispatch) at 1163 (from 1008)
- DYLD 725 - no changes to opcodes (at least none I can see).
Two more Load commands:
#define LC_DYLD_EXPORTS_TRIE (0x33 | LC_REQ_DYLD) /* used with linkedit_data_command, payload is trie */
#define LC_DYLD_CHAINED_FIXUPS (0x34 | LC_REQ_DYLD) /* used with linkedit_data_command */
q.v. <mach-o/fixup-chains.h>
MH_flags:
< #define MH_SIM_SUPPORT 0x08000000 /* Allow LC_MIN_VERSION_MACOS and LC_BUILD_VERSION load commands with the platforms macOS, iOSMac, iOSSimulator, tvOSSimulator and watchOSSimulator. */
< #define MH_DYLIB_IN_CACHE 0x80000000 /* Only for use on dylibs. When this bit is set, the dylib is part of the dyld shared cache, rather than loose in the filesystem. */
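To make the two new load commands and the two header flags concrete, here is an added example (mine, not code from this page or from Apple's headers): a bounds-checked walk over a 64-bit Mach-O header's load commands that recognises LC_DYLD_EXPORTS_TRIE and LC_DYLD_CHAINED_FIXUPS as linkedit_data_command entries and reports MH_DYLIB_IN_CACHE / MH_SIM_SUPPORT. Struct layouts and constants are those of the public <mach-o/loader.h> (redeclared so it builds anywhere); the sample file image is constructed by hand, and the second sample deliberately carries an oversized cmdsize to show the parser refusing it.

```c
/* Added example: bounds-checked Mach-O load command walk. Constants and
 * struct layouts follow <mach-o/loader.h>; the sample images are constructed. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MH_MAGIC_64            0xfeedfacfU
#define MH_DYLIB               6
#define MH_SIM_SUPPORT         0x08000000U
#define MH_DYLIB_IN_CACHE      0x80000000U
#define CPU_TYPE_ARM64         0x0100000cU
#define LC_REQ_DYLD            0x80000000U
#define LC_DYLD_EXPORTS_TRIE   (0x33U | LC_REQ_DYLD)
#define LC_DYLD_CHAINED_FIXUPS (0x34U | LC_REQ_DYLD)

struct mach_header_64 { uint32_t magic, cputype, cpusubtype, filetype, ncmds, sizeofcmds, flags, reserved; };
struct load_command   { uint32_t cmd, cmdsize; };
struct linkedit_data_command { uint32_t cmd, cmdsize, dataoff, datasize; };

struct macho_summary {
    uint32_t ncmds_seen;
    bool     has_exports_trie, has_chained_fixups, in_dyld_cache, sim_support;
    uint32_t exports_trie_off, chained_fixups_off;
};

/* Walk the load commands. Returns false for a malformed image: bad magic,
 * cmdsize below the header, a command running past sizeofcmds or the buffer,
 * or a linkedit payload that lies outside the file. */
static bool macho_summarize(const uint8_t *buf, size_t len, struct macho_summary *out)
{
    struct mach_header_64 mh;
    memset(out, 0, sizeof *out);
    if (len < sizeof mh) return false;
    memcpy(&mh, buf, sizeof mh);                 /* memcpy: no alignment assumptions on buf */
    if (mh.magic != MH_MAGIC_64) return false;
    if ((size_t)mh.sizeofcmds > len - sizeof mh) return false;

    out->in_dyld_cache = (mh.flags & MH_DYLIB_IN_CACHE) != 0;
    out->sim_support   = (mh.flags & MH_SIM_SUPPORT) != 0;

    size_t off = sizeof mh, end = sizeof mh + mh.sizeofcmds;
    for (uint32_t i = 0; i < mh.ncmds; i++) {
        struct load_command lc;
        if (end - off < sizeof lc) return false;
        memcpy(&lc, buf + off, sizeof lc);
        if (lc.cmdsize < sizeof lc || lc.cmdsize > end - off) return false;   /* overflow-safe */
        if (lc.cmd == LC_DYLD_EXPORTS_TRIE || lc.cmd == LC_DYLD_CHAINED_FIXUPS) {
            struct linkedit_data_command led;
            if (lc.cmdsize < sizeof led) return false;
            memcpy(&led, buf + off, sizeof led);
            if ((size_t)led.dataoff > len || led.datasize > len - led.dataoff) return false;
            if (lc.cmd == LC_DYLD_EXPORTS_TRIE) { out->has_exports_trie = true;   out->exports_trie_off   = led.dataoff; }
            else                                { out->has_chained_fixups = true; out->chained_fixups_off = led.dataoff; }
        }
        out->ncmds_seen++;
        off += lc.cmdsize;
    }
    return true;
}

/* Constructed sample: arm64 MH_DYLIB header, flagged MH_DYLIB_IN_CACHE, with an
 * exports trie at 0x60 and chained fixups at 0x70. Returns the image length. */
static size_t build_sample(uint8_t *buf, size_t cap)
{
    const size_t total = 0x80;   /* header + 2 commands + zeroed payload area */
    struct mach_header_64 mh = { MH_MAGIC_64, CPU_TYPE_ARM64, 0, MH_DYLIB, 2, 32, MH_DYLIB_IN_CACHE, 0 };
    struct linkedit_data_command trie = { LC_DYLD_EXPORTS_TRIE,   16, 0x60, 0x10 };
    struct linkedit_data_command fix  = { LC_DYLD_CHAINED_FIXUPS, 16, 0x70, 0x10 };
    if (cap < total) return 0;
    memset(buf, 0, total);
    memcpy(buf,      &mh,   sizeof mh);
    memcpy(buf + 32, &trie, sizeof trie);
    memcpy(buf + 48, &fix,  sizeof fix);
    return total;
}

/* True if the good sample parses and every expected field comes back set. */
static bool sample_parses_ok(void)
{
    uint8_t buf[0x100];
    struct macho_summary s;
    size_t n = build_sample(buf, sizeof buf);
    return macho_summarize(buf, n, &s) && s.ncmds_seen == 2 && s.has_exports_trie && s.has_chained_fixups
        && s.in_dyld_cache && !s.sim_support && s.exports_trie_off == 0x60 && s.chained_fixups_off == 0x70;
}

/* Same image, but the second command claims cmdsize 64 where only 16 bytes remain: must be refused. */
static bool sample_rejects_oversized_cmd(void)
{
    uint8_t buf[0x100];
    struct macho_summary s;
    uint32_t bad = 64;
    size_t n = build_sample(buf, sizeof buf);
    memcpy(buf + 48 + 4, &bad, sizeof bad);
    return !macho_summarize(buf, n, &s);
}

int main(void)
{
    printf("sample parses: %d, oversized cmdsize rejected: %d\n", sample_parses_ok(), sample_rejects_oversized_cmd());
    return 0;
}
```

The check worth keeping from this is the pair of comparisons on cmdsize: it must be at least sizeof(struct load_command) (otherwise the walk never advances) and at most the bytes left before sizeofcmds (otherwise a crafted header reads past the buffer); both are written as subtractions from the remaining length so they cannot themselves overflow.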
- First time I haven't seen more fields in SLC..
- IOSMac platform is now UIKIT_FOR_MAC, and there's a new platform - 10 - DriverKit
- New in libsystem_darwin:
_crfprintf_np
_dup_np
_fcheck_np
_os_simple_hash_string_with_seed
_os_simple_hash_with_seed
_os_subcommand_main
_os_variant_check
_os_variant_is_darwinos
_os_variant_is_recovery
_os_variant_uses_ephemeral_storage
_realpath_np
_vcrfprintf_np
_vwfprintf_np
_wfprintf_np
- skywalk has new object, protons
3. iOS 13
jtool2 --analyze finds the important ones. Dunno why AAPL won't fix that LC_SOURCE_VERSION, especially if all kernelcaches are new style now..
4. MacOS
Filesystem Size Used Avail Capacity iused ifree %iused Mounted on
/dev/disk1s5 465Gi 9.8Gi 28Gi 27% 478272 4876598648 0% /
devfs 195Ki 195Ki 0Bi 100% 682 0 100% /dev
/dev/disk1s1 465Gi 425Gi 28Gi 94% 1638495 4875438425 0% /System/Volumes/Data
/dev/disk1s4 465Gi 2.0Gi 28Gi 7% 5 4877076915 0% /private/var/vm
map auto_home 0Bi 0Bi 0Bi 100% 0 0 100% /System/Volumes/Data/home
mount:
/dev/disk1s5 on / (apfs, local, read-only, journaled)
devfs on /dev (devfs, local, nobrowse)
/dev/disk1s1 on /System/Volumes/Data (apfs, local, journaled, nobrowse)
/dev/disk1s4 on /private/var/vm (apfs, local, journaled, nobrowse)
map auto_home on /System/Volumes/Data/home (autofs, automounted, nobrowse)
Updated in Vol 1
- syskextd - For loading System Extensions and handling DriverKit. Major @@TODO for Volume II.. (Thanks, AAPL)
/usr/libexec:
Removed:
> assertiond
> atomicupdatetool (ok, only added after OTA)
> awacsd
> dumpemacs
> emacs (good riddance)
> rpmuxd
> SafariCloudHistoryPushAgent
> SafariHistoryServiceAgent
> SafariLaunchAgent
> SafariNotificationAgent
> SafariPlugInUpdateNotifier
> webinspectord
> wifid
Added:
< DumpPanic
< SidecarDisplayAgent: Sidecar Virtual Display Service (+sidecarrelay)
< brtool_legacy: retired brtool
< corebrightnessdiag: Collects Night Shift Information for sysdiagnose
< coredatad: coredatad handles CloudKit syncing for clients of Core Data + CloudKit
< datastored: Manages xpc datastores
< dhcp6d: Stateless DHCPv6 server
< endpointsecurityd: maintains user mode kauth replacement (along with EndpointSecurity.kext)
< init_featureflags (inited by launchd __TEXT__config)
< metrickitd: manages processing and vending of structured app specific metrics through MetricKit
< microstackshot: ported from *OS
< nearbyd: proximity daemon
< prng_seedctl: Loads and updates the kernel PRNG seed file (/var/db/SystemEntropyCache)
< proactiveeventtrackerd: Proactive Siri
< recoverylogd: BridgeOS Recovery
< remindd: ReminderKit.framework daemon (AAPL, fix the man page..)
< replayd: MacOS daemon introduced to support bringing up ReplayKit to Marzipan (AAPL, fix the man page - it's a directory)
< runningboardd: assertion services daemon
< searchpartyd
< searchpartyuseragent
< teslad: ManagedConfiguration enrollment. No relation to failing stock
< transparencyd: Err.. Transparency daemon?
< usermanagerhelper: persona related. Really tiny. Should decompile this at some point
< wifip2pd: WiFi peer-to-peer
< wspd: search in smb share according to MS-WSP protocol
Now you see why I had to delay Volume II. Lots more to document. Sorry.
(Advertisement) I'll be covering updated material for OS X 10.15 and iOS 12 at our iOS/OS X for Reverse Engineers Course, late Nov 2019 in NYC! - it'll be better than ever!