Kory Heard
@XNUniverse
Software Researcher & Engineer
United States
Joined November 2022
Darwin has two worlds. World A is Apple’s. Their system policy, networking, filesystems, and drivers live in the kernel. World B is everyone else. Our networking stack, system policy, filesystems, and drivers live in user-space. They are slower but I can use any library.
You have to go beyond the libraries listed in your executable format to get a full SBOM. Every software project is going to have files from outside the project compiled into the binary statically. That code is still a dependency and often unmaintained.
Older papers on operating systems explored the merits and flaws of solutions in existing systems. With the world standardizing on Linux that's largely gone away.
The Windows sandbox implementation is difficult to work with IMO. Look at Capsicum, Seatbelt, and pledge as those have quite a few fewer practical ways to be defeated.
The sandbox escape vulnerability described by Kaspersky here is quite interesting. Especially in that the technical root cause of the issue bit both Chromium and Firefox developers. Other Windows apps along with OS components might well have similar vulnerabilities.
With Darwin you have to copy data into the message, then the privileged helper performs the system call, copying data again on input and return. Then you copy the data back to the original process. That’s several hops between processes and in/out of the kernel. Flexible but slow.
FreeBSD’s Capsicum can be much faster than the equivalent implementation in Darwin as once a process in the sandbox has a capability it can directly call kernel methods on the object. Darwin requires you copy the data twice as it uses message passing.
I’m not an Apple fan but I am not a fanboy. Apple has great technologies but they are all built for specific use cases centered around consumer electronics and choices about how the system should work.
In my 20s I thought I needed to find new ideas in tech. In my 30s I understand I’m looking for new ways to package old ideas that were limited by the technology and experience of their time.
Capability-based systems have some fundamental hurdles, like how do you stop a process from giving away a capability once it acquires it, and how do you revoke capabilities.
FreeBSD Celebrates The Milestone Of Reproducible Builds & No Root Needed https://t.co/NNuBfIHfPm
A big focus for the FreeBSD 15.0 development was on supporting reproducible builds as has been a growing trend in the open-source ecosystem in recent years
XPC is not an IPC mechanism. It’s a protocol that sits on top of an IPC mechanism (Mach messaging), providing serialization (replacing MIG), remote procedure calls through objc_msg_send on the remote end, and higher-level security through process checks like code signatures.
Does anyone know if pledge and unveil have any published research papers? I have a few for Capsicum style capabilities and search hasn’t been helpful.
I misjudged the learning curve for OpenBSD. Typically I’d like a 600-page book that captures a moment in time for a system so I can focus on the changes since, but OpenBSD doesn’t have that. What it does have is source you can jump right into. I’ve never seen code this clean.
Mach’s influence is also felt in Linux. The NSA sponsored DTMach, which begat DTOS, which begat Flask, the base for what is now known as SELinux.
If security is important enough to halt the processing of data, you should panic the kernel when the Audit system fails. Otherwise you have no record of what events took place after the subsystem failed. In @freebsd this is tunable.
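As an added illustration (not part of the tweet), the policy line in FreeBSD's audit_control(5) is where this choice is made: the default `cnt` flag lets processes keep running when an event cannot be audited, while `ahlt` fail-stops the system instead. The surrounding lines are the assumed stock layout of /etc/security/audit_control.

```text
# /etc/security/audit_control (assumed stock FreeBSD layout; the policy line is the relevant one)
dir:/var/audit
dist:off
flags:lo,aa
minfree:5
naflags:lo,aa
# Weak for a fail-closed posture: processes continue even when events cannot be audited,
# so there is no record of what happened after the audit subsystem failed
policy:cnt,argv
# Fail-stop alternative: halt the system (panic if a graceful halt fails) when a record cannot be written
# policy:ahlt,argv
filesz:2M
expire-after:10M
```

After editing, `audit -s` makes auditd re-read the configuration.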
I can’t support all hardware across the application stacks for WiFi, Bluetooth, USB, etc so I am left with a choice to make. Either support a popular family of hardware like Texas Instruments or support one application stack for a variety of hardware. I can’t have both.
The operating systems that gained popularity in the 2000s (Android, Darwin) both implement a distinct non-UNIX message-passing interface based on capabilities, which is largely the reason these systems enjoy the security posture they do. You still have to protect against UNIX
Here is an early figure for my 2026 talk Constraining UNIX Applications. I want to leave the listener with a clear understanding between MACF, Capabilities, and namespace transformation.
Apple is able to innovate Darwin at a much faster pace than BSD because Apple is a hardware company. Most hardware vendors design their processors with proprietary firmware blobs that put the UNIX application processor into a box that it can’t break out of.