To study how chips really work, MIT researchers built their own operating system | MIT News
Researchers at MIT’s Computer Science and Artificial Intelligence Laboratory (CSAIL) developed Fractal, a specialized operating system kernel that allows for precise microarchitecture analysis. According to lead researcher Joseph Ravichandran, Fractal acts as an “electron microscope” for processors, uncovering previously unknown “Phantom” speculation behaviors in Apple’s M1 chip that standard operating systems missed.
Why is Fractal different from Linux or macOS for chip research?
Standard operating systems like Linux or macOS aren’t built for microarchitecture study. They manage privilege levels, address spaces, and scheduling in ways that inject “noise” into measurements. To study a chip, researchers usually patch these kernels by hand, but the resulting environment is unstable and hard to reproduce.
Fractal solves this by booting directly on bare metal. It uses a technique called multi-privilege concurrency, which allows a single experiment to switch privilege levels at runtime while executing the same instructions in the same address space. According to the MIT team, this is achieved through “outer kernel threads” that sit inside a user process’s memory but execute with kernel privileges.
What did MIT discover about Apple’s M1 processor?
Using Fractal, the MIT team examined the M1’s implementation of CSV2, an ARM specification designed to stop code in one privilege level from steering speculation in another. While they confirmed the execute stage of indirect branch prediction is protected, they found a critical gap: the CPU still fetches the target into the instruction cache before the protection triggers.
This fetch is observable through a side channel. It means user code can influence what the kernel pulls into its caches across the privilege boundary. The team also found the first evidence of “Phantom” speculation on Apple Silicon. Previously, this class of misprediction—where the CPU misinterprets ordinary instructions as branches—was only demonstrated on Intel and AMD processors.
Correcting the record on M1 cores
Fractal also overturned previous research regarding the M1’s conditional branch predictor. Earlier studies suggested cross-privilege training worked on performance cores but not efficiency cores. The MIT team proved that the predictor has no privilege isolation on either core type. Ravichandran noted that the earlier, conflicting result was likely an artifact of macOS migrating threads between cores during system calls.

How will Fractal change the future of CPU security?
Fractal is designed as shared infrastructure rather than a one-off experiment. It supports x86_64, ARM64, and RISC-V and includes over 31,000 lines of code. To make it accessible, the team included POSIX system calls, a C library, and ports of tools like GCC and vim, allowing researchers to migrate existing code with minimal friction.
University of Southern California assistant professor Mengyuan Li, who was not involved in the paper, stated that Fractal turns an “ad hoc microarchitectural reverse-engineering workflow into reusable research infrastructure.” The goal is for Fractal to become a community standard, similar to how QEMU functions for virtualization.
Frequently Asked Questions
What is “Phantom” speculation?
It is a CPU behavior where non-branch instructions (like a no-op) are misinterpreted as branches, triggering speculative execution that the program did not request.
Does Fractal replace macOS or Linux?
No. Fractal is a research tool that boots on bare metal to study hardware. It is not intended for general-purpose computing.
Which processors does Fractal support?
According to the MIT team, it supports ARM64, x86_64, and RISC-V architectures.