Concept

Mach: One of the fundamental components of macOS. It is limited to managing only the most basic tasks: scheduling, managing threads, interfacing with hardware, managing virtual memory, and passing messages between tasks. 

  • Tasks and Threads: 

    • Mach uses tasks as the smallest unit for sharing resources. 

    • A single task can contain multiple threads. 

    • POSIX (BSD) layer abstracts tasks as processes and threads as POSIX threads. 

  • Mach IPC (Inter-Process Communication): 

    • Communication between tasks occurs via Mach IPC, based on one-way communication channels using ports. 

    • A port is a kernel-managed message queue for structured messages. 

  • Port Rights: 

    • RECEIVE right: Allows a task to receive messages; owned by only one task per port. 

    • SEND right: Allows a task to send messages; can be created by the RECEIVE right owner. 

    • SEND ONCE right: Allows sending a single message. 

    • SEND rights can be transferred or cloned to enable communication between tasks. 

  • Bootstrap Server: 

    • The bootstrap server (launchd in macOS) is the first task started and has PID 1. Every task started afterwards automatically holds a SEND right to it. 

    • Facilitates communication between tasks by handling SEND rights and service name registrations. 

  • Communication Process Example: 

    1. Task A creates a port and holds the RECEIVE right. 

    2. Task A creates a SEND right and registers it with the bootstrap server. 

    3. Task B contacts the bootstrap server to look up the service name and obtain the SEND right to communicate with Task A. 

    4. Task B sends a message to Task A using the SEND right. 

  • Security Concerns: 

    • Bootstrap server can't verify if a service name belongs to the correct task, leading to potential impersonation. 

    • Apple secures system service names via configuration files in SIP-protected locations (/System/Library/LaunchDaemons and /System/Library/LaunchAgents). 

    • For system services, launchd dynamically starts the service upon lookup and handles SEND/RECEIVE rights securely. 

  • Predefined System Services Communication: 

    1. Task B initiates a bootstrap lookup. 

    2. launchd starts the service if it's not running. 

    3. Service (Task A) checks in; launchd handles the SEND/RECEIVE rights. 

    4. launchd sends the SEND right to Task B. 

Sample codes: 

  Task A (service) uses: 

    • mach_port_allocate(): Create a new port 

    • mach_port_insert_right(): Create a new SEND right 

    • bootstrap_register(): Register the service name with the bootstrap server 

    • mach_msg(): Receive/Send a message 

  Task B (client) uses: 

    • bootstrap_look_up(): Perform a look up 

Special Ports 

  • Mach Special Ports Overview: 

    • Special ports provide access to various system objects; their RECEIVE right is always held by the kernel. 

    • Three important special ports are: HOST_PORT, HOST_PRIV_PORT, and task ports. 

  • HOST_PORT: 

    • A SEND right to it allows retrieval of system information (e.g., processor details) through calls such as host_processor_info. 

  • HOST_PRIV_PORT: 

    • A privileged version of HOST_PORT, used for actions like calling kext_request to load/unload kernel extensions. 

    • SEND rights to HOST_PRIV_PORT are restricted to root users with specific entitlements (e.g., com.apple.private.kext*). 

  • Task Ports: 

    • Control access to individual tasks, allowing full control (e.g., virtual memory access, thread management) if a SEND right is obtained. 

    • Access is tightly controlled by taskgated and AppleMobileFileIntegrity (AMFI). 

    • Task ports can be accessed under specific conditions: 

      1. com.apple.security.get-task-allow entitlement: Allows access to task ports of processes running at the same user level. Dangerous if misused. 

      2. com.apple.system-task-ports entitlement: Allows access to any task port except the kernel. An Apple-only entitlement. 

      3. Non-Apple binaries without hardened runtime: Task port access is possible if running as root, even though root rights are increasingly limited by SIP and TCC. 

  • Security Implications: 

    • Misuse of entitlements like com.apple.security.get-task-allow can lead to severe security risks. 

    • Because root itself is limited by SIP and TCC, task port access is a valuable way to gain additional privileges on macOS.