To study how chips work, MIT researchers built their own operating system

MIT researchers at CSAIL have developed Fractal, a novel operating system kernel designed for deep, noise-free analysis of processor microarchitecture. This "electron microscope of OSes" allows security researchers to directly observe chip behavior without interference from standard operating systems. It has already uncovered previously unknown speculative execution vulnerabilities, including "Phantom" attacks, in Apple's M1 chips, offering a powerful new paradigm for hardware security research.

Score: 7 | Comments: 0 | Highest rank: #1 | 16h on front page | First seen: Jun 19, 2:00 AM | Last seen: Jun 19, 5:00 PM

The Lowdown

MIT's Computer Science and Artificial Intelligence Laboratory (CSAIL) has developed "Fractal," a custom operating system kernel designed to provide an unparalleled view into how modern processors truly operate. Unlike traditional approaches that patch existing OSes, Fractal was built from the ground up to eliminate observational noise and enable precise hardware microarchitecture studies, akin to an "electron microscope" for chips. Its initial deployment has already yielded significant findings regarding Apple's M1 processor.

  • The Problem with Current Research: Existing methods for studying chip behavior, particularly for speculative execution vulnerabilities like Spectre and Meltdown, rely on patching general-purpose operating systems. These approaches are inherently unstable, difficult to reproduce, and introduce significant system noise (e.g., interrupts, scheduling, address-space management) that obscures the true microarchitectural behavior being investigated.
  • Fractal's Solution: Fractal operates directly on bare metal, providing a pristine research environment. It introduces "multi-privilege concurrency" and an "outer kernel thread," allowing experiments to seamlessly switch privilege levels and execute code within the same address space. This design significantly reduces background noise, delivering exceptionally clean experimental signals.
  • Key Findings on Apple's M1:
    • While confirming ARM's CSV2 specification effectively blocks speculative execution of indirect branches across privilege levels, Fractal discovered that user code can still influence instruction cache fetches in the kernel across these boundaries.
    • It provided the first definitive evidence of "Phantom" speculation on Apple Silicon. This phenomenon allows ordinary instructions, even no-ops, to be misinterpreted as branches, triggering unintended speculative behavior.
    • Fractal also corrected prior research on the M1's conditional branch predictor, revealing that it lacks any privilege isolation across both performance and efficiency cores, attributing earlier conflicting results to artifacts from macOS thread migration.
  • Designed as a Research Tool: Comprising over 31,000 lines of code, Fractal supports x86_64, ARM64, and RISC-V architectures. It incorporates familiar POSIX system calls, a C library, and ports of standard tools like vim and GCC, making it accessible and adaptable for the wider research community.
  • Ambitious Vision: The team's long-term goal is for Fractal to become a foundational, shared infrastructure for microarchitecture research, much like QEMU or FFmpeg are in their respective domains. This aims to dramatically improve the reliability, accuracy, and clarity of future hardware security and processor behavior studies.

By providing a pristine environment for chip analysis, Fractal represents a significant architectural contribution, transforming ad-hoc reverse-engineering into a robust, repeatable research methodology. Its early findings on Apple's M1 underscore its potential to advance our understanding of hardware security and expose subtle vulnerabilities in processor design.