Difference between revisions of "Kernel Task"

From The iPhone Wiki
Latest revision as of 01:39, 25 February 2012

The kernel_task is XNU's task object which abstracts the kernel itself. As a task object, it contains the ports used by the kernel: thread, virtual memory, exception and others. Unlike other task objects, however, it has no mapping to a BSD process, so the PID reported for the kernel is PID 0.

The kernel_task is accessible by a variety of means in OS X's XNU. In iOS, however, Apple do their damnedest to keep anyone from obtaining the task port. This is because, given the kernel_task port, the task APIs can be called on it like on any other task. Chief amongst those are the virtual memory APIs (e.g. mach_vm_read and mach_vm_write), which would read and write kernel memory directly, compromising system security and allowing various forms of injection. Whereas in OS X the processor set APIs can list all tasks, the same APIs in iOS leave out the kernel task.

Using /usr/libexec/stackshot (with the -i command line switch) it is possible to get a snapshot of all tasks on the system, including the kernel_task. Apple is well aware of this, which is likely why the daemon has disappeared from iOS 5. It is possible, however, to copy the iOS 4 daemon to an iOS 5 system, or simply to compile stackshot from an open source file floating around the Internet. The output of the latter is similar to the following:

<pre>
PID: 0 (kernel_task)
        Thread ID: 0x1 State: 9 - waiting Uninterruptible
        Continuation: 0x8005aa29 (vm_pageout_continue...)
        Thread ID: 0x2 State: 132 - running Idling processor
        Continuation: 0x800228d5
        Thread ID: 0x3 State: 9 - waiting Uninterruptible
        Continuation: 0x8001f3f9
        Thread ID: 0x4 State: 9 - waiting Uninterruptible
        Continuation: 0x80029c9d
        Thread ID: 0x5 State: 9 - waiting Uninterruptible
        Continuation: 0x80029e6d
        Thread ID: 0x6 State: 9 - waiting Uninterruptible
        Continuation: 0x8002c2c9
        Thread ID: 0x7 State: 9 - waiting Uninterruptible
        Frames:    4 kernel 0 user
                Return Addr     Frame Ptr
                0x80021f61      0xc5a83f48
                0x80021623      0xc5a83f70
                0x8002eef1      0xc5a83fa8
                0x8007b37c      0x0

          ...
</pre>
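The two checks a defender wants from the paragraphs above are whether a snapshot of the system lists the kernel task at all, and whether an ordinary process is refused the kernel task port. The C program below is an added example, not code from The iPhone Wiki nor from stackshot: it parses snapshot text in the format shown above (the sample is constructed, with thread and address values copied from the listing), summarises what PID 0 exposes, and, on Apple platforms only, probes task_for_pid() for PID 0 and reports whether the kernel handed the port out. The names parse_stackshot, find_kernel_task and kernel_task_port_obtainable are chosen here and are not part of any Apple API.

```c
/* Added example (not from The iPhone Wiki): summarise a stackshot-style text
 * dump and check whether the kernel task (PID 0) is exposed by it.  On Apple
 * platforms it additionally probes task_for_pid(0) from the calling process;
 * elsewhere that probe reports "unsupported". */
#include <stdio.h>
#include <string.h>

#define MAX_TASKS 64

/* Per-task summary extracted from the snapshot text. */
typedef struct {
    int  pid;
    char name[64];
    int  threads;        /* "Thread ID:" lines seen under this PID */
    int  running;        /* thread state text contains "running" */
    int  waiting;        /* thread state text contains "waiting" */
    int  kernel_frames;  /* sum of "Frames: N kernel" counts */
} task_summary_t;

/* Parse snapshot text into per-task summaries.
 * Returns the number of tasks found, or -1 if more than max_tasks appear. */
int parse_stackshot(const char *text, task_summary_t *out, int max_tasks)
{
    int ntasks = 0;
    task_summary_t *cur = NULL;
    const char *p = text;

    while (*p) {
        const char *eol = strchr(p, '\n');
        size_t len = eol ? (size_t)(eol - p) : strlen(p);
        char line[256];
        if (len >= sizeof line) len = sizeof line - 1;   /* truncate overlong lines */
        memcpy(line, p, len);
        line[len] = '\0';

        char *s = line;
        while (*s == ' ' || *s == '\t') s++;              /* strip indentation */

        int pid, frames;
        char name[64];
        if (sscanf(s, "PID: %d (%63[^)])", &pid, name) == 2) {
            if (ntasks >= max_tasks) return -1;
            cur = &out[ntasks++];
            memset(cur, 0, sizeof *cur);
            cur->pid = pid;
            strncpy(cur->name, name, sizeof cur->name - 1);
        } else if (cur && strncmp(s, "Thread ID:", 10) == 0) {
            cur->threads++;
            if (strstr(s, "running"))      cur->running++;
            else if (strstr(s, "waiting")) cur->waiting++;
        } else if (cur && sscanf(s, "Frames: %d kernel", &frames) == 1) {
            cur->kernel_frames += frames;
        }
        /* Continuation:, Return Addr and frame lines carry no task-level data here. */

        if (!eol) break;
        p = eol + 1;
    }
    return ntasks;
}

/* Index of PID 0 in the summaries, or -1 if the snapshot did not expose the kernel task. */
int find_kernel_task(const task_summary_t *tasks, int ntasks)
{
    for (int i = 0; i < ntasks; i++)
        if (tasks[i].pid == 0) return i;
    return -1;
}

#if defined(__APPLE__)
#include <mach/mach.h>
/* 1 if task_for_pid(0) hands this process the kernel task port, 0 if the
 * kernel refuses (the expected result for an unprivileged process). */
int kernel_task_port_obtainable(void)
{
    mach_port_t port = MACH_PORT_NULL;
    kern_return_t kr = task_for_pid(mach_task_self(), 0, &port);
    if (kr == KERN_SUCCESS && port != MACH_PORT_NULL) {
        mach_port_deallocate(mach_task_self(), port);
        return 1;
    }
    return 0;
}
#else
int kernel_task_port_obtainable(void) { return -1; }   /* not a Mach system */
#endif

/* Constructed sample in the format shown on the page (values copied from its listing). */
static const char SAMPLE[] =
    "PID: 0 (kernel_task)\n"
    "        Thread ID: 0x1 State: 9 - waiting Uninterruptible\n"
    "        Continuation: 0x8005aa29 (vm_pageout_continue...)\n"
    "        Thread ID: 0x2 State: 132 - running Idling processor\n"
    "        Continuation: 0x800228d5\n"
    "        Thread ID: 0x7 State: 9 - waiting Uninterruptible\n"
    "        Frames:    4 kernel 0 user\n"
    "                Return Addr     Frame Ptr\n"
    "                0x80021f61      0xc5a83f48\n"
    "PID: 1 (launchd)\n"
    "        Thread ID: 0x64 State: 9 - waiting Uninterruptible\n"
    "        Frames:    3 kernel 5 user\n";

int main(void)
{
    task_summary_t tasks[MAX_TASKS];
    int n = parse_stackshot(SAMPLE, tasks, MAX_TASKS);
    int k = find_kernel_task(tasks, n);
    printf("%d task(s) in snapshot; kernel_task %s\n", n, k >= 0 ? "EXPOSED" : "not listed");
    if (k >= 0)
        printf("  %s: %d threads (%d running, %d waiting), %d kernel frames\n",
               tasks[k].name, tasks[k].threads, tasks[k].running,
               tasks[k].waiting, tasks[k].kernel_frames);
    int probe = kernel_task_port_obtainable();
    printf("task_for_pid(0) from this process: %s\n",
           probe < 0 ? "n/a (not Mach)" : probe ? "GRANTED" : "refused");
    return 0;
}
```

On an iOS 5 device without the stackshot daemon, or on a system whose processor set APIs omit PID 0, find_kernel_task() returns -1 for the snapshot; a "refused" result from the probe is the normal, hardened state, and "GRANTED" for an unprivileged process is the finding worth investigating.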