Glossary
Plain-language definitions of the macOS kernel and security terms used across the blog.
- AMFI
  - Apple Mobile File Integrity — the kernel extension that enforces code signing on macOS and iOS, and the gatekeeper for most security-sensitive syscalls.
- BSD syscall
  - The POSIX-shaped syscall family in XNU — open, read, write, fork, kqueue, and ~480 others. Positive syscall numbers, errno semantics.
- DTrace
  - Sun's dynamic tracing framework, ported to Darwin in 2007 and still the most powerful syscall-tracing tool on macOS — when SIP lets you use it.
- Endpoint Security
  - Apple's modern user-space framework for security tooling on macOS — the supported replacement for kernel extensions, exposing ~80 curated system events to a privileged client.
- Entitlement
  - A signed key/value pair embedded in a macOS Mach-O binary that grants its process access to gated kernel and framework APIs.
- libsystem_kernel.dylib
  - The thin user-space library that hosts every syscall stub on macOS — the layer between your C code and the SVC instruction.
- Mach port
  - The fundamental IPC primitive on macOS — a kernel-managed endpoint that processes hold rights to and send messages through.
- Mach trap
  - A syscall into the Mach microkernel side of XNU — tasks, threads, ports, IPC, and virtual memory primitives. Negative syscall numbers, kern_return_t semantics.
- SIP
  - System Integrity Protection — the kernel-enforced lockdown on macOS that, since El Capitan, prevents even root from modifying core system files, debugging Apple binaries, or loading unsigned kexts.
- SVC instruction
  - The arm64 Supervisor Call — the single instruction every macOS syscall on Apple Silicon ultimately compiles to.
- Task port
  - The Mach port that represents a process to the kernel — and that, in send-right form, grants arbitrary read/write/execute capability over that process.
- XNU
  - Apple's hybrid kernel — a Mach 3 microkernel core with a 4.4BSD personality bolted on, the kernel at the heart of every Mac and iPhone.