DOCSLIB.ORG

Security Analysis and Decryption of Lion Full Disk Encryption

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text

Load more

Infiltrate the Vault: Security Analysis and Decryption of Lion Full Disk Encryption Omar Choudary Felix Grobert¨ ∗ Joachim Metz ∗ University of Cambridge [email protected] [email protected] [email protected] Abstract 1 Introduction Since the launch of Mac OS X 10.7, also known as Lion, With the launch of Mac OS X 10.7 (Lion), Apple has Apple includes a volume encryption software named introduced a volume encryption mechanism known as FileVault 2 [8] in their operating system. While the pre- FileVault 2. Apple only disclosed marketing aspects of vious version of FileVault (introduced with Mac OS X the closed-source software, e.g. its use of the AES-XTS 10.3) only encrypted the home folder, FileVault 2 can en- tweakable encryption, but a publicly available security crypt the entire volume containing the operating system evaluation and detailed description was unavailable until (this is commonly referred to as full disk encryption). now. This has two major implications: first, there is now a new functional layer between the encrypted volume and We have performed an extensive analysis of the original file system (typically a version of HFS Plus). FileVault 2 and we have been able to find all the This new functional layer is actually a full volume man- algorithms and parameters needed to successfully read ager which Apple called CoreStorage [10] Although this an encrypted volume. This allows us to perform forensic full volume manager could be used for more than volume investigations on encrypted volumes using our own encryption (e.g. mirroring, snapshots or online storage tools. migration) we don’ t currently know of any other appli- In this paper we present the architecture of FileVault 2, cations. Therefore in the rest of this paper we will use the giving details of the key derivation, encryption process term CoreStorage for the combination of the encrypted and metadata structures needed to perform the volume volume and the functional layer that links this volume to decryption. Besides the analysis of the system, we have the actual HFS Plus filesystem. also built a library that can mount a volume encrypted The second implication is that the boot process is with FileVault 2. As a contribution to the research and slightly modified since the user password or other token forensic communities we have made this library open must be retrieved before being able to decrypt the data. source. Apple’ s volume encryption is equivalent to solu- tions such as PGP Whole Disk Encryption [12], True- Additionally, we present an informal security evalua- Crypt [13], Sophos SafeGuard [20], Credant [21], Win- tion of the system and comment on some of the design Magic SecureDoc [22], or Check Point FDE [23]. All and implementation features. Among others we analyze these solutions can be used on corporate laptops, which the random number generator used to create the recovery generally contain sensitive data that must be protected at password. We have also analyzed the entropy of each all times (even when the computer is turned off). 512-byte block in the encrypted volume and discovered To the best of our knowledge, Apple has not released that part of the user data was left unencrypted 1. any documentation or source code on FileVault 2, which obstructs security experts and consumers to assess the security of the system. Also, the missing documentation ∗The opinions expressed in this paper are mine alone and do not and interfaces effectively limit the development of any reflect the opinions of my employer or affiliates of my employer unless third-party tools that can help in data recovery or forensic otherwise explicitly stated. 1This was reported to Apple in 2011 and FileVault Disk Encryption investigations. has been altered accordingly. See Apple CVE-2011-3212. In this paper we present the results of our analysis 1 of FileVault 2: we were able to find most of its algo- yse it at the forensic laboratory. Even if we had physical rithms and parameters to the extent that we are able to access to a computer, we would not trust the operating read and mount a CoreStorage volume on a Linux ma- system to extract the necessary files since malware could chine. In the following sections we describe in detail tamper with the OS. With FileVault 2 enabled, we cannot the key derivation mechanisms and the encryption pro- read the disk contents unless the Mac OS is running. Al- cess. There remains unknown information in the volume though it is possible to access the disk of a Mac computer header and metadata, that we believe is used for verifica- with another Mac computer using a FireWire connection, tion routines or other functionality of CoreStorage which many times we use forensic tools on another operating does not seem to affect the read of the contents of the en- system than Mac OS and we cannot rely on remote lo- crypted volume. cations having spare Mac computers for this task. Hav- Based on these findings, we have developed a cross- ing cross-platform software to read encrypted volumes platform library that reads and mounts CoreStorage vol- solves these problems. We can simply boot the Mac com- umes. Such a library can be used to analyse the contents puter from a Linux live CD and use the software either of a particular file (or block) from an encrypted volume, locally or remotely to access the necessary files. without having to use Mac OS or even without having The second part of the motivation has been our de- physical access to the Apple computer in question (e.g. sire to have a security assessment of the system. Since by booting from a Linux live CD and connecting to the FileVault 2 can be used on corporate machines we machine via the network). needed to make sure that using this system instead of Our work provides the security and forensic commu- other known encryption solutions will not introduce vul- nity with an open source library that can be used to anal- nerabilities. yse CoreStorage volumes, having the user password or The next paragraphs provide a brief background on recovery password. It is also possible to recover the data full disk encryption after which the details of FileVault 2 from a CoreStorage volume using a private key but our are discussed. library does not support this yet. However, this merely involves updating the key derivation process, which we 2 Background fully describe in this paper. As part of our analysis we have also done an (informal) Commonly a hard disk is logically organised in multi- assessment of the security of the encryption mechanisms, ple sections, often referred to as either partitions or vol- including the random number generator mechanism used umes. These volumes can be used for various purposes, to create the recovery password. We found that some and they are often structured according to a file system data is unnecessary protected (however weakly) while format (e.g. NTFS, FAT, HFS, etc.). It is possible to some other basic mechanisms such as code mangling are have a single disk with 3 volumes, where the first volume not used at all. We have also performed an entropy test is formatted with NTFS and contains a Windows operat- on each 512-byte block of the encrypted volume and we ing system, the second volume is formatted with EXT3 found that part of the user data was left unencrypted. and contains an installation of a Linux distribution, while the third volume is formatted with FAT and only contains 1.1 Goals and motivations data (no operating system). The reader is encouraged to check the excellent book by Brian Carrier [28] for more Our primary goal has been to determine how FileVault 2 details on the topic. operates. As we will detail in the next section, this task Volume encryption is a mechanism used to encrypt involves finding how and where the encrypted volume the contents of an entire volume. This is sometimes master key is stored, how this key can be obtained from referred to as full disk encryption, which is mis- the user password or another token, what other data (the leading, since a physical disk can actually contain mul- metadata) is available and how is used, and finally how tiple volumes, each encrypted independently. The term the disk encryption and decryption are performed. full disk encryption is incorrectly used in the case As part of this process we created an open source tool of FileVault 2 and other systems such as BitLocker, that that can read and decrypt a CoreStorage volume. in fact perform volume encryption. Nonetheless, due Our motivation is twofold. First of all we needed a tool to its popularity, we will continue to use the term full for digital forensic investigations. When a computer is disk encryption in the remaining of this paper. suspected of malware or some malicious access we need Now, here is one the main problems: since we are en- to obtain certain files from the disk. If the computer is crypting the entire volume, and this volume might be the at a distant location it might not be feasible or conve- volume containing the operating system, there is no un- nient to send the computer or disk (for a Mac Book Air encrypted code left to actually boot the system. There- is not even trivial to remove the disk) in order to anal- fore the minimum code required to decrypt the operating 2 the encrypted volume master key is stored in a metadata encrypted key section. This metadata is generally stored in the same blob intermediary key disk as the encrypted volume, but on a different location.
Recommended publications
  • Learn Yosemite OS X from PCM's Apple Experts

    Learn Yosemite OS X from PCM's Apple Experts

    Learn Yosemite OS X from PCM’s Apple Experts Yosemite 101: OS X Support Essentials Give PCM the opportunity to train your team to support users of Apple’s Mac OS X Yosemite. Our Apple certified trainers are ready to come to your location and provide PCM’s Apple certified trainers will teach your team Yosemite OS X fundamentals and how to be efficient with you with invaluable Yosemite tools and resources. hands-on instruction. OS X Yosemite Support Essentials is a three-day, Who Should Attend hands-on course that provides an in-depth explo- • Help desk specialists, technical coordinators, ration of troubleshooting on Mac OS X v10.10 Yo- service technicians, and others who support semite. This course is designed to give you a tour Mac users. of the breadth of functionality of Mac OS X v10.10 • Technical support personnel in businesses that Yosemite and the best methods for effectively use Macs. supporting users of Mac OS X v10.10 Yosemite • Technical coordinators or power users who systems. The course is a combination of lectures manage networks of computers running and hands-on case study exercises that provide Mac OS X — such as teachers and technology practical real-world experience. specialists who manage networks or computer labs. At your location For a class at your location, PCM will provide an What You Will Learn Apple Certified Trainer, all the student materials, • The troubleshooting process and how to and an exam voucher for each attendee (up to become more efficient with available tools 6 students included in price).
  • Blacklight 10.2

    Blacklight 10.2

    BlackLight 10.2 Release Notes October 30, 2020 Thank you for using BlackBag Technologies products. The Release Notes for this version include important information about new features and improvements made to BlackLight. In addition, this document contains known limitations, supported versions, and updated system requirements. While this information is complete at time of release, it is subject to change without notice and is provided for informational purposes only. Summary To enhance our forensic analysis tool, BlackLight 10.2 includes these new or improved features. • Timeline • Optical character recognition • Tagging improvements • Ingest additional Cellebrite mobile extractions • A first look at Activity Correlation for Windows Features Timeline The new Timeline view lets you access more information from one place. It responds quickly, even with many items in a case file, and it is cleaner and easier to navigate than the previous version. Timeline view allows you to easily focus on all activity during a time period you specify. You can see and sort by all timestamps for each artifact in the Timeline view. You can also see the file path, so you can easily view the file in the File Browser view and investigate further. You can tag items in the Timeline view just as you would in other views within BlackLight. Optical Character Recognition This release introduces the ability to process image (picture) based files for text. Optical character recognition (OCR) converts text detected in the image into plain text which can be indexed and then searched. This process is limited to these image types. .pdf, .tiff, .bmp, .png, .jpg, and .gif You can run OCR processing in three ways.
  • The Apple Ecosystem

    The Apple Ecosystem

    APPENDIX A The Apple Ecosystem There are a lot of applications used to manage Apple devices in one way or another. Additionally, here’s a list of tools, sorted alphabetically per category in order to remain vendor agnostic. Antivirus Solutions for scanning Macs for viruses and other malware. • AVG: Basic antivirus and spyware detection and remediation. • Avast: Centralized antivirus with a cloud console for tracking incidents and device status. • Avira: Antivirus and a browser extension. Avira Connect allows you to view device status online. • BitDefender: Antivirus and malware managed from a central console. • CarbonBlack: Antivirus and Application Control. • Cylance: Ransomware, advanced threats, fileless malware, and malicious documents in addition to standard antivirus. • Kaspersky: Antivirus with a centralized cloud dashboard to track device status. © Charles Edge and Rich Trouton 2020 707 C. Edge and R. Trouton, Apple Device Management, https://doi.org/10.1007/978-1-4842-5388-5 APPENDIX A THe AppLe ECOSYSteM • Malware Bytes: Antivirus and malware managed from a central console. • McAfee Endpoint Security: Antivirus and advanced threat management with a centralized server to track devices. • Sophos: Antivirus and malware managed from a central console. • Symantec Mobile Device Management: Antivirus and malware managed from a central console. • Trend Micro Endpoint Security: Application whitelisting, antivirus, and ransomware protection in a centralized console. • Wandera: Malicious hot-spot monitoring, jailbreak detection, web gateway for mobile threat detection that integrates with common MDM solutions. Automation Tools Scripty tools used to automate management on the Mac • AutoCasperNBI: Automates the creation of NetBoot Images (read: NBI’s) for use with Casper Imaging. • AutoDMG: Takes a macOS installer (10.10 or newer) and builds a system image suitable for deployment with Imagr, DeployStudio, LANrev, Jamf Pro, and other asr or Apple Systems Restore-based imaging tools.
  • Mac OS X Server in Education Collaboration and Communication Solutions for 21St-Century Academic Environments

    Mac OS X Server in Education Collaboration and Communication Solutions for 21St-Century Academic Environments

    Mac OS X Server in Education Collaboration and communication solutions for 21st-century academic environments. Podcasts. Blogs. Wikis. Group calendars. Video chats. Instant access to centralized resources. Welcome to the 21st-century academic environment. With Mac OS X Server version 10.5 Leopard, Apple puts the power of a server into the hands of everyone in your institution. So students, educators, and researchers are always connected and always communicating and collaborating—whether they’re around the globe or just across campus. 10 Reasons for Mac OS X Server in Education 1. End-to-end production of professional-quality podcasts. Podcast Producer in Mac OS X Server is a complete, customizable solution for producing podcasts of lectures, development sessions, research presentations, and campus updates. Starting with the Podcast Capture application in Mac OS X Leopard, it’s a snap for users to capture audio and video, record onscreen actions, or submit existing QuickTime content to the server. Once the content is uploaded, Podcast Producer automatically publishes it to your choice of distribution services—including iTunes U—in formats optimized for playback on almost any device, from HD video to iPod, Apple TV, or any multimedia-enabled cell phone. 2. Group collaboration on wiki-powered websites. Mac OS X Server gives students, educators, and research teams an instant space for collaboration. With their own group wiki—complete with blog, group calendar, and mailing-list archive—authorized users can create entries, tag and cross-reference material, upload files and images, add comments, and perform keyword searches. Best of all, these powerful capabilities are accessible from any modern browser in just a few clicks—there’s no need to learn an arcane markup language.
  • Filevault, Choose an Unlock Method, and Set a • Create a Recovery Key

    Filevault, Choose an Unlock Method, and Set a • Create a Recovery Key

    Overview Power and Mac State 8. Choose how to unlock your disk and reset Encryption occurs only while plugged into a your login password if you forget it. If your Mac is eligible, you just need to enable power source and in the Awake Status. • Use your iCloud account OR FileVault, choose an unlock method, and set a • Create a recovery key. Write down the few other options. Once enabled, files are Prevent Your Mac From Sleeping recovery key, or take a photo with your encrypted as they are added. 1. Go to the Apple menu. phone (be sure your phone is set up to 2. Select System Preferences. use a passcode to unlock), and keep it in Macs that are managed by WashU IT 3. Select Energy Saver. a safe place. are encrypted. If you need access to 4. Select the Power Adapter tab and your FileVault key, please contact the then slide the timer to Never. Don’t WashU IT Help Desk. forget to reset it when you are done encrypting. Requirements to Use FileVault Enabling FileVault 9. Select Continue. 10. If your Mac has multiple users, each Correct Mac OS Version If you meet the requirements in 1, 2, and 3, account that needs login access will need to OS X 10.7 Lion or newer and your mac is plugged into a power source, be enabled. You will need to know the follow the steps below. associated password for each account, or Check Your OS Version 1. Go to the Apple menu. have the user enter it during this process.
  • Macintosh System 7.5 Upgrade Guide 1994.Pdf

    Macintosh System 7.5 Upgrade Guide 1994.Pdf

    Macintosh ••••••••••••••••••••••••••• Upgrade Guide <-»·' c:_ 1 - '--~ I · · ····~ f~··~~ \ ,{"&.--;:... (}.. ... Macintosh • • • Upgrade Guide • Apple Compute.r, Inc. © 1994 Apple Computer, Inc. All rights reserved . Under the copyright laws. this manual may not be copied, in whole or in part. wi thout the written consent of Apple. Your rights to the software are governed by the accompanying soft ware li cense agreement. The Apple logo is a trademark of Apple Computer, Inc., registered in !he U.S. and olher count ries. Use of the "keybomd" Apple logo (Option-Shi 1"1 -K) for commercial purposes witJwut the prior wrillen consenl of Apple may constitule lrademark infringement and unfair compel ilion in violation or federal and state laws. Every efforl has been made to ensure tlult the informati on in this manual is accurate. Apple is not responsib le for printi ng or clerical errors. Apple Computer. Inc. I Infinite Loop Cuperti no. CA 950 14-2084 (408) 996- 10 I0 Apple, the Apple logo, AppleTalk, LaserWritcr, Mac intosh. and PowerBook are trademarks of Apple Computer. Inc., registered in the U.S. and other countries. AppleMail. AppleScri pt. At Ease. Balloon Help, ColorSync, Finder. Plai nTalk, PowerShare, PowerTalk, Quick Draw. QuickTime, and TrucTypc arc trademarks of Apple Computer. Inc. Adobe, Adobe Ill ustrator. Adobe Photoshop. Adobe Type Manager. and PostScript are trademarks of Adobe Systems Incorporated, which may be registered in certain jurisdict ions. Exposure is a registered tmdemark of Preferred Publi shers, Inc. Helvetica and Times are regislered trademarks of Linotype Company. QMS is a registered lrademark of QMS. Inc. Quark X Press is a registered trademark of Quark, Inc.
  • Read Before You Install Mac OS X

    Read Before You Install Mac OS X

    Read Before You Install Mac OS X This document provides important information about installing Mac OS X that isn’t in the Welcome to Mac OS X book. Read this document before you install Mac OS X to learn about supported computers, system requirements, and known issues. For more information about Mac OS X, visit this Apple Web site: m www.apple.com/macos/ For the latest information about this release of Mac OS X, open Mac Help and click the More link under News. For information about the support available for this product, see the AppleCare Software Services and Support Guide included with Mac OS X. Supported computers You can install this version of Mac OS X on any of the following computers: m Power Mac G4 m Power Macintosh G3 m PowerBook G4 m PowerBook G3 (except the original PowerBook G3) m iMac m iBook System requirements Your computer must have m at least 128 MB of RAM m a built-in display or a display connected to an Apple-supplied video card m at least 1.5 GB of disk space available 1 Starting installation To start installing Mac OS X, double-click the Install Mac OS X icon. In Mac OS 9 In Mac OS X If the Installer does not open, insert the CD and restart your computer while holding down the C key. If the Installer still does not open, try selecting the Install Mac OS X CD as your startup disk by using Startup Disk preferences (if you are using Mac OS X) or the Startup Disk control panel (if you are using Mac OS 9).
  • Apple File System Reference

    Apple File System Reference

    Apple File System Reference Developer Contents About Apple File System 7 General-Purpose Types 9 paddr_t .................................................. 9 prange_t ................................................. 9 uuid_t ................................................... 9 Objects 10 obj_phys_t ................................................ 10 Supporting Data Types ........................................... 11 Object Identifier Constants ......................................... 12 Object Type Masks ............................................. 13 Object Types ................................................ 14 Object Type Flags .............................................. 20 EFI Jumpstart 22 Booting from an Apple File System Partition ................................. 22 nx_efi_jumpstart_t ........................................... 24 Partition UUIDs ............................................... 25 Container 26 Mounting an Apple File System Partition ................................... 26 nx_superblock_t ............................................. 27 Container Flags ............................................... 36 Optional Container Feature Flags ...................................... 37 Read-Only Compatible Container Feature Flags ............................... 38 Incompatible Container Feature Flags .................................... 38 Block and Container Sizes .......................................... 39 nx_counter_id_t ............................................. 39 checkpoint_mapping_t ........................................
  • Dell Encryption Enterprise for Mac Administrator Guide V10.9

    Dell Encryption Enterprise for Mac Administrator Guide V10.9

    Dell Encryption Enterprise for Mac Administrator Guide v10.9 March 2021 Rev. A02 Notes, cautions, and warnings NOTE: A NOTE indicates important information that helps you make better use of your product. CAUTION: A CAUTION indicates either potential damage to hardware or loss of data and tells you how to avoid the problem. WARNING: A WARNING indicates a potential for property damage, personal injury, or death. © 2012-2021 Dell Inc. All rights reserved. Registered trademarks and trademarks used in the Dell Encryption and Endpoint Security Suite Enterprise suite of documents: Dell™ and the Dell logo, Dell Precision™, OptiPlex™, ControlVault™, Latitude™, XPS®, and KACE™ are trademarks of Dell Inc. Cylance®, CylancePROTECT, and the Cylance logo are registered trademarks of Cylance, Inc. in the U.S. and other countries. McAfee® and the McAfee logo are trademarks or registered trademarks of McAfee, Inc. in the US and other countries. Intel®, Pentium®, Intel Core Inside Duo®, Itanium®, and Xeon® are registered trademarks of Intel Corporation in the U.S. and other countries. Adobe®, Acrobat®, and Flash® are registered trademarks of Adobe Systems Incorporated. Authen tec® and Eikon® are registered trademarks of Authen tec. AMD® is a registered trademark of Advanced Micro Devices, Inc. Microsoft®, Windows®, and Windows Server®, Windows Vista®, Windows 7®, Windows 10®, Active Directory®, Access®, BitLocker®, BitLocker To Go®, Excel®, Hyper-V®, Outlook®, PowerPoint®, Word®, OneDrive®, SQL Server®, and Visual C++® are either trademarks or registered trademarks of Microsoft Corporation in the United States and/or other countries. VMware® is a registered trademark or trademark of VMware, Inc. in the United States or other countries.
  • LAPTOP ENCRYPTION for MAC How to Check If Filevault Is Enabled

    LAPTOP ENCRYPTION for MAC How to Check If Filevault Is Enabled

    LAPTOP ENCRYPTION FOR MAC How to check if FileVault is enabled? In systems running OS X Yosemite 10.10 and newer, Apple encourages you to turn on FileVault 2 during setup. So, if you’re using a newer Mac, there’s every chance that your files are already being encrypted. Here’s how to check: 1. Click on the Apple menu and select System Preferences. 2. Select Privacy & Security. 3. Click on the FileVault tab and the status will be displayed. Before you turn on FileVault, be aware that the initial encryption process can take hours. However, it does run in the background so you can continue using your Mac as normal, albeit not at peak levels of performance. Also, FileVault encrypts the entire disk. Any additional users will need to be enabled so that they can unlock the disk by entering their password. How to turn on FileVault disk encryption 1. Click on the Apple menu and select System Preferences. 2. Select Privacy & Security. 3. Click on the FileVault tab, then click the lock in the bottom left corner of the window. 4. Enter your administrator name and password and click Unlock. 5. Click Turn On FileVault. 6. Choose whether you want to link your iCloud account to FileVault to unlock the disk and reset your password or create a recovery key and click Continue. 7. Click Restart to reboot your Mac and begin the encryption process. Choosing a FileVault Recovery Key The FileVault recovery key deserves special mention here. If you choose this option over linking your iCloud account, it’s critical that you make a note of the recovery key and keep it in a safe place that’s not on your hard drive.
  • Administering Filevault on Macos 10.13 with Jamf Pro

    Administering Filevault on Macos 10.13 with Jamf Pro

    Administering FileVault on macOS 10.13 with Jamf Pro Technical Paper Jamf Pro 9.81 or Later 5 November 2020 © copyright 2002-2020 Jamf. All rights reserved. Jamf has made all efforts to ensure that this guide is accurate. Jamf 100 Washington Ave S Suite 1100 Minneapolis, MN 55401-2155 (612) 605-6625 Jamf, the Jamf Logo, JAMF SOFTWARE®, and the JAMF SOFTWARE Logo® are registered or common law trademarks of JAMF SOFTWARE, LLC in the U.S. and other countries. Apple, FileVault, Keychain, macOS, and OS X are registered trademarks of Apple Inc., in the United States and other countries. All other product and service names mentioned herein are either registered trademarks or trademarks of their respective companies. Jamf would like to acknowledge Rich Trouton for contributing content to this technical paper. Contents Contents 5 Introduction 5 What's in This Guide 5 Important Concepts 5 Additional Resources 6 Overview 7 General Requirements 8 Activating FileVault Disk Encryption Using a Configuration Profile 9 Choosing a Recovery Key 10 Creating and Exporting an Institutional Recovery Key 10 Creating and Exporting an Institutional Recovery Key with the Private Key 11 Creating and Exporting an Institutional Recovery Key without the Private Key 13 Creating a Disk Encryption Configuration 15 Deploying the Disk Encryption Configuration 18 Creating Smart Computer Groups for FileVault 18 Creating a Smart Group for FileVault Eligible Computers that are Not Yet Encrypted 19 Creating a Smart Group of Computers with a Partition in a Specific Encryption
  • Mac OS 8 Revealed

    Mac OS 8 Revealed

    •••••••••••••••••••••••••••••••••••••••••••• Mac OS 8 Revealed Tony Francis Addison-Wesley Developers Press Reading, Massachusetts • Menlo Park, California • New York Don Mills, Ontario • Harlow, England • Amsterdam Bonn • Sydney • Singapore • Tokyo • Madrid • San Juan Seoul • Milan • Mexico City • Taipei Apple, AppleScript, AppleTalk, Color LaserWriter, ColorSync, FireWire, LocalTalk, Macintosh, Mac, MacTCP, OpenDoc, Performa, PowerBook, PowerTalk, QuickTime, TrueType, and World- Script are trademarks of Apple Computer, Inc., registered in the United States and other countries. Apple Press, the Apple Press Signature, AOCE, Balloon Help, Cyberdog, Finder, Power Mac, and QuickDraw are trademarks of Apple Computer, Inc. Adobe™, Acrobat™, and PostScript™ are trademarks of Adobe Systems Incorporated or its sub- sidiaries and may be registered in certain jurisdictions. AIX® is a registered trademark of IBM Corp. and is being used under license. NuBus™ is a trademark of Texas Instruments. PowerPC™ is a trademark of International Business Machines Corporation, used under license therefrom. SOM, SOMobjects, and System Object Model are licensed trademarks of IBM Corporation. UNIX® is a registered trademark of Novell, Inc. in the United States and other countries, licensed exclusively through X/Open Company, Ltd. Many of the designations used by manufacturers and sellers to distinguish their products are claimed as trademarks. Where those designations appear in this book, and Addison-Wesley was aware of a trademark claim, the designations have been printed in initial capital letters or all capital letters. The author and publisher have taken care in the preparation of this book, but make no express or implied warranty of any kind and assume no responsibility for errors or omissions. No liability is assumed for incidental or consequential damages in connection with or arising out of the use of the information or programs contained herein.