Mach Kernel - Mach (IPC);
Mach was original developed by Cargine Mellon as a microkernel developed in 1994
Mach uses tasks as the smallest unit to share resources. A mach task can contain one or more Mach Threads
A single mach task can contain one or more mach Threads that are schulded by the CPU
POSIX (open BSD) layer of the OSX will provide the abstraction of the processes or pthreads
Mach IPC is a one-way communication channel. These messages are sent over ports[2] a port is like a message queue that is handled by the kernel itself that accepts structured Mach messages. A mach message typically contains a fixed header and custom body including the complex or not complex tagging (ian beer)
Messages are sent via PORT RIGHTS which determines which operation a task can perform
Basic set of port rights.
SEND RIGHT - This allows the holder to send messages to the underlying port but not receive them, it’s write-only it may be held by any number of holders its also transitive so it can be cloned by (..COPY_SEND) and handed over to others.
SEND_ONCE - Same as above but only able to be used once, the right is then immediately revoked by the kernel
RECEIVE - allows the holder the ability to read any message that was sent by (others) to the port. A task that has a RECEIVE right for a port can create a SENDright or SEND ONCEright for that port, which allows a task to send (queue) either multiple messages to the port, or a single message, respectively.
It also inherently marks its holder as the “owner” of the port, there can only be one RECEIVE right to a port and the port only exists so long as the rights owner is an alive, if the owner dies or dellocates the port right, all SEND[_once] become DEAD_NAME
Mach Task Flow - Bootstrap Port. (Launchd)
- Step 1: Task A creates a new port, for which it will own a RECEIVE right.
- Step 2: As the owner of the RECEIVE right, Task A creates a SEND right for the same port.
- Step 3: Task A registers with the bootstrap server, supplying the service name for the port and the SEND right in a process known as the bootstrap register.
- Step 4: Task B contacts the bootstrap server to perform a bootstrap lookup for the service name. If found, the server will make a copy of the SEND right that it got from Task A and send it to Task B.
- Step 5: Now that Task B has a SEND right, it can construct a message and send it to Task A.
The reason why mac uses launchAgents and LaunchDaemons is to ensure that launch will create and hold RECEEIVE right for each of those mach service names.
Flow for LaunchAgents
- Step 1: Task B will initiate a bootstrap lookup for a service name.
- Step 2: launchd will check if the task is running and if it isn’t, it will start it.
- Step 3: Task A (the service) will perform a bootstrap check-in. At this point, the bootstrap server will create a SEND right and keep it, while transferring the RECEIVE right to Task A.
- Step 4: launchd creates a copy of the SEND right and sends it to Task B.
Port Rights with Frida
MACH_MSG_TYPE_MOVE_RECEIVE = 0x10,
MACH_MSG_TYPE_MOVE_SEND = 0x11,
MACH_MSG_TYPE_MOVE_SEND_ONCE = 0x12,
MACH_MSG_TYPE_COPY_SEND = 0x13,
MACH_MSG_TYPE_MAKE_SEND = 0x14,
MACH_MSG_TYPE_MAKE_SEND_ONCE = 0x15,
MACH_MSG_TYPE_COPY_RECEIVE = 0x16,