Obj-C in macOS memory management internals

Objective-C is deeply ingrained in macOS and iOS; it doesn’t operate in isolation but on top of OS memory management and security mechanisms.

That said, I think there are some interesting aspects of how the Obj-C runtime interacts with low-level systems like allocators, and how it’s influenced by (and contributes to) OS security.

Allocation and deallocation (malloc integration)

Objective-C object allocation ultimately uses the standard C memory allocator. When you call [[MyClass alloc] init], the runtime will ask the class for its instance size, add any alignment or metadata padding, and allocate that many bytes. In the era of NSZone (historic allocator zones), you could specify a zone, but now zones are ignored… all allocations go to the default malloc zone.

+allocWithZone: is implemented to just call +alloc and is kept only for API compatibility. The memory comes from heap segments managed by malloc. Apple’s malloc on macOS/iOS uses various heuristics (tiny, small, large buckets, etc.), and Objective-C doesn’t need any special support from it beyond regular allocation and free.

The Obj-C runtime does have its own small allocator for certain metadata (for example, runtime-created classes or blocks may use calloc directly, and associated object keys use a side table that is essentially a hash map). But object instances are malloc’ed. Deallocation of an object ends up in a call to free() (either directly or via object_dispose after cleanup). There is also an environment variable MallocStackLogging; when enabled, can help debug memory issues including Objective-C objects (and tools like Zombies: setting NSZombiesEnabled causes freed Obj-C objects to turn into zombie stubs* rather than actually freeing, to help detect overreleases).

---

* Zombie stubs are placeholder objects used in debugging that replace deallocated Objective-C objects to catch use-after-free errors by crashing the program when a message is sent to the zombie.

---

In the past, Apple’s GC used a custom allocator (“Auto Zone”) that coexisted with malloc, but now that’s gone. Thus, from the OS perspective, an Objective-C program’s memory usage is just normal heap allocations (plus some small contributions from the Objective-C runtime for metadata).

Memory zones (NSZone)

As noted, NSZone was a mechanism for custom memory allocation pools. You could create an NSZone to allocate a bunch of objects together, perhaps to improve locality or facilitate bulk deallocation. This was a Mach-era concept that never proved very useful and is essentially deprecated.

At present (afaik), Objective-C runtime just ignores the zone parameter and uses the default heap. Apple explicitly states: “There is no need to use NSZone any more. They are ignored by the modern Objective-C runtime.” So, Objective-C doesn’t really integrate with malloc “zones” in any special way today. Tools like Guard Malloc (for debugging buffer overruns) or malloc nano/secure modes apply to Objective-C objects the same as any heap allocation.

Tagged pointers

One interesting memory optimization in Objective-C (since iOS 7 / OS X Mavericks era) is tagged pointers. Certain classes–notably NSNumber, NSDate, and a few others (even NSString for small strings on recent systems)–don’t use malloc at all for certain values. Instead, the pointer value itself is encoded with the data.

For example, instead of allocating a full NSNumber object for an integer 42, the runtime can represent it as a pointer where some bits actually store the integer value and a tag that tells the runtime “this isn’t a real heap pointer, it’s an encoded number.” These tagged pointers have a special bit pattern (usually LSB=1 or a specific high bit set) so that the runtime recognizes them. When an API like [NSNumber numberWithInt:42] is called, you might get a tagged pointer (no heap allocation, extremely fast, no need to free). The objc_msgSend knows to check for tagged pointers and, if found, treat them differently (in fact, many operations on them are implemented by simply checking the pointer bits). This reduces memory usage and fragmentation for lots of small immutable objects.

Tagged pointers are an interplay* between the runtime and CPU addressing (it uses the fact that addresses are aligned and some bits are unused).

---

* not a security term, but an interplay is the dynamic interaction or mutual influence between two or more elements that affect each other’s behavior or outcome.

---

From a security perspective, tagged pointers are non-pointer data masquerading as pointers, which could confuse traditional exploit techniques. But nowadays, pointer authentication also helps here (PAC has to ignore those or treat the tag bits appropriately).

If an exploit tried to forge a tagged pointer, they’d have to ensure the bits matched a valid encoding or the runtime would just treat it as a huge odd pointer and likely crash on access. In short ig, tagged pointers improve performance and memory usage for certain Obj-C objects by avoiding malloc entirely… an example of runtime and memory allocator integration for optimization.

Integration with VM and Shared Cache

macOS and iOS use a dyld shared cache for system libraries. This includes libobjc.A.dylib (the Objective-C runtime) and all the core Cocoa frameworks. At app launch, rather than mapping hundreds of individual dylibs, the OS maps one large shared cache binary that contains most system libraries prelinked. This improves performance but historically had a security downside: the shared cache was at a fixed address for a given iOS build (across reboots), making ASLR less effective.

Attackers could often know where Objective-C classes and methods resided in memory if they could guess the cache slide. Apple addressed this by adding a per-boot randomization and even re-randomization of the shared cache at process start if an attack is detected. For instance, if a service crashes in a way that suggests an attacker was brute-forcing ASLR using the cache, iOS can reload a new randomized cache for that service. Objective-C classes and selector strings reside in this shared cache (in specific segments: __OBJC_RO, __objc_selrefs, etc.). This means that, e.g., the address of a method implementation (IMP) is in a read-only segment of the cache (since it’s just part of the executable code of a framework). Attackers traditionally needed an info leak to get those addresses for exploitation; now with re-randomization and pointer authentication, that’s even harder.

Memory protection and Obj-C metadata

The Objective-C runtime metadata (class definitions, method lists, protocol lists) are mostly stored in READ-ONLY memory as part of the binary image, for security and performance. For example, the list of methods for a class is in a const section, and the selectors (method names) are in a read-only section (__objc_methname). This means an attacker cannot simply overwrite a method name or selector string at runtime; they’d have to use a writable page.

The class structs themselves, however, contain pointers to the methods (IMP pointers), and those class structs are typically in a __DATA segment (writable) because the runtime may modify them (e.g., during +load or to attach categories, or swizzling). Method swizzling works by writing to a class’s method list to swap implementations. Since those writes are legitimate (done by app code often), the pages backing class metadata must be writable.

Code signing on iOS/macOS allows these writes because the pointers being written are still pointing to valid, signed code (an IMP must reside in a code segment of some library). The dynamic linker also populates the class and protocol hashtables at runtime. From a security view, this is a controlled mutability: you can change pointers but only to other valid code addresses (an attacker who somehow gets arbitrary write could repoint a class’s method to a different function that already exists in the process… which is bad, but not as powerful (RAH!) as pointing to injected shellcode, thanks to DEP and code signing). Modern iOS with hardened runtime will prevent loading unsigned code, so an attacker can’t introduce new methods outside the ones already present in memory.

Objective-C, and malloc zones or Guard Malloc

While zones are deprecated, Guard Malloc (a debug feature) is interesting in context: it places each allocation on its own vm page with guard pages around it. This can catch buffer overruns. If you run an app with Guard Malloc, each Objective-C object allocation (which are usually small) will be isolated, drastically slowing the app but making it easier to catch memory errors. This is a developer tool, not in production, but it demonstrates that at the end of the day, Obj-C objects are just heap allocations subject to the same debugging tools as any other allocation.

Interaction with C++ (objc_destructInstance)

Internally, when an object is deallocated, if it has C++ ivars* or needs custom cleanup, the runtime calls objc_destructInstance. This will call any C++ destructors (.cxx_destruct in Obj-C class metadata) and also zero out the memory if in debug.

---

* C++ ivars are instance variables in an Objective-C++ class that are implemented using C++ types, allowing C++ objects to be embedded within Objective-C objects and requiring proper constructor and destructor handling.

---

Interestingly, if an object is freed via the fast path (no extra bits set as shown earlier), it skips zeroing, which is fine unless an attacker can read freed memory to glean data. In high-security scenarios, one might want memory zeroing on free. Apple doesn’t zero most allocations on free by default for performance, except under Zone Sanitizer or similar tools. That’s not specific to Obj-C, but it’s worth noting that freed Obj-C object memory might still contain leftover data (like what the object was holding). If an attacker has an info leak bug, they could scrape deallocated object memory to find sensitive info (this is a common technique in exploits: use after free to read freed objects like NSStrings that might contain passwords). Apple’s overall strategy (afaik) to mitigate this is to isolate processes and use pointer authentication to prevent easy crafting, but the memory content itself is not encrypted or anything. Some sensitive frameworks explicitly zero out data (e.g., Keychain items in memory) when done.

macOS/iOS memory protections leveraged

Apple introduced other protections like eXecutable-Only (XO) memory for JIT regions, but that’s more for JITted code (not directly related to Obj-C).

Top-byte Ignore (TBI)

One relevant ARMv8.3-A feature Apple uses is Top-byte Ignore (TBI) in pointers, which is how tagged pointers and pointer authentication coexist. The top byte of 64-bit pointers can be used for metadata (PAC or tag). The Obj-C runtime takes advantage of this for PAC and tagged pointers (embedding signatures or small data in the high bits). This is a “collaboration” (?) between the compiler/runtime and hardware to secure and optimize object pointers.

Associated objects and memory

Associated objects (via objc_setAssociatedObject) are stored in side tables keyed by the object’s pointer. These tables are essentially global hash maps.

From a memory perspective, they’re part of the Obj-C runtime’s managed memory, and they are cleaned up when an object dies (as we saw, the has_assoc flag triggers removal of entries). We need to be careful because associated objects can create retain cycles (the association is a strong reference by default), which is another reason why the runtime must clean them to avoid leaks. In security sense, associated objects are mostly a design convenience and don’t introduce unique vulnerabilities, but they do mean an object’s reachability can extend beyond what static analysis might show (something could have associated a secret object with a public one, keeping it alive longer than expected).

Objective-C’s influence on system design

macOS uses Obj-C in many userland components. Launch services, UI frameworks, scripting bridges are all heavily Objective-C.

In recent years, Apple has begun rewriting some components in Swift or adding Swift wrappers, but the runtime is still ubiquitous. The macOS kernel and lower-level parts do not use Obj-C (they are C/C++ for kernel, and Swift isn’t in the kernel either except in experiments). But at the app layer, any memory management discussions (from UIViews to NSURLSession) involve Obj-C ARC under the hood (if you use Swift, it’s still using ARC for Cocoa objects).

Security implications recap

The Obj-C runtime now works hand-in-hand with hardware security (PAC) to prevent abuse of its dynamic features. Enforced code signing makes it so even if an attacker hijacks an Objective-C call, they can only call existing code, hopefully limiting damage.

Apple’s move to memory-safe languages (Swift) for parsing untrusted input shows an architectural mitigation, essentially sandboxing or avoiding Obj-C in those scenarios. On the flip side, because Objective-C is not memory-safe, bugs in Obj-C-based code (buffer overflows, etc.) are still possible. A notable example: the Stagefright bug on Android had a parallel on iOS in the iMessage parsing (hence BlastDoor.) But once such a bug is exploited, the attacker then faces Objective-C’s PAC protections at the next stage.

Role in system

Objective-C will a layer in macOS/iOS memory management for a long time probably; it’s the glue between high-level objects and raw memory. It doesn’t replace malloc or virtual memory; it builds reference counting and object semantics on top of them.

It’s influenced by OS security developments (like pointer authentication, ASLR, code signing), and in turn influences how Apple designs system components (e.g., splitting functionalities to isolate Obj-C subsystems when needed for security). While new development may favor Swift, Swift’s interaction with Cocoa is through Objective-C runtime abstractions (Swift objects bridging to Obj-C objects when interacting with Obj-C APIs, etc.). Thus, the Obj-C runtime will likely be part of Apple’s platforms for the foreseeable future, continually updated to use new hardware defenses and to ensure that the flexibility of dynamic messaging does not become a security liability.