Jun 12, 2026 · 1:13 AM

MIT builds Fractal OS to find M1 security flaws

Security researchers have been flying blind for years, patching Linux and macOS kernels by hand to study chip behavior. MIT CSAIL built a new operating system from scratch to solve the problem, and its first target was Apple's M1.

Ron Patel
· 5 min read · 577 views

On May 19, a team led by Joseph Ravichandran and Mengjia Yan unveiled Fractal, a bare-metal operating system kernel designed specifically for microarchitecture research. As MIT CSAIL reported this week, the tool immediately found evidence that Phantom speculation, a class of attack previously seen only on AMD and Intel chips, affects Apple Silicon. The researchers also discovered that some of Apple's cross-privilege protections stop execution but fail to prevent observable instruction cache fetching.

Fractal supports x86_64, ARM64, and RISC-V architectures. At more than 31,000 lines of code, it is not a toy project. The team presented its findings at the IEEE Symposium on Security and Privacy in San Francisco this month, after disclosing the M1 results to Apple's product security team. In an unusual twist, Apple engineers examined Fractal itself.

Why existing tools fail at chip security research

The core problem Fractal solves is measurement noise. Modern processors keep state in internal structures such as branch predictors, caches and TLBs. To study how these behave across the user/kernel boundary, researchers need to run identical experiments on both sides of that boundary. General-purpose operating systems inject their own activity: interrupts, scheduler decisions, address space management. The signals researchers want are blurred beyond recognition.

Ravichandran described the difference in stark terms. He compared existing methods to a hand magnifying glass and Fractal to an electron microscope. The new OS boots directly on bare metal with no other software running. It exposes primitives that let a single experiment switch privilege levels at runtime while executing the same instructions in the same address space. The team calls the underlying technique multi-privilege concurrency.

The key innovation is the outer kernel thread, a construct that sits inside a user process's memory but executes with kernel privileges. The result is an experimental setup with almost no background noise. Where macOS or Linux produce fuzzy, irreproducible results, Fractal delivers flat baselines and clean signals.

What Fractal discovered about Apple Silicon

Apple's M1 implements an ARM specification called CSV2, designed to prevent code at one privilege level from steering speculation in another. Using Fractal, the MIT team confirmed that the protection works for the execute stage. A user program cannot make the kernel speculatively execute a chosen target through the indirect branch predictor. But the researchers found a gap.

The CPU still fetches the target into the instruction cache before the protection kicks in. That fetch is observable through a side channel, meaning user code can influence what the kernel pulls into its caches across the privilege boundary. The same pattern appeared between processes assigned different address space identifiers.

The team also produced the first evidence that Apple Silicon exhibits Phantom speculation. In Phantom attacks, ordinary instructions, including a simple no-op, can be misinterpreted by the CPU as branches, triggering speculative behavior the program never requested. On the M1, Fractal showed that Phantom fetches succeed across both privilege levels and address spaces, though the execute phase remains blocked.

A separate experiment overturned a prior finding about the M1's conditional branch predictor. Earlier work had reported that cross-privilege training worked on Apple's performance cores but not its efficiency cores. Fractal showed that the conditional branch predictor has no privilege isolation at all on either core type. The earlier result was likely an artifact of macOS quietly migrating threads between cores during system calls.
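The core-migration artifact above is a textbook confound: a scheduler decision masquerading as a hardware security property. The following simulation is an added illustration, not Fractal's code, MIT's data or real M1 measurements; the latency numbers, the migration probabilities and the two-core-type model are all constructed. It shows how a noisy OS can make a predictor with no isolation look isolated on one core type, and how recording the core ID for every sample and stratifying on it recovers the true picture, which is what a bare-metal run gives you for free.

```python
"""Simulated cross-privilege branch-predictor experiment with a scheduler confound.

Constructed model (not Fractal's code and not measured data): each trial trains
a predictor at one privilege level, then measures whether a branch at the other
level runs 'fast' (predictor state shared) or 'slow' (state not shared).  In this
toy model neither core type isolates the predictor, but a general-purpose OS may
migrate the thread to another core during the system call between train and
test.  Migration destroys the shared predictor state and looks like isolation.
"""
import random

# Constructed timing model: mean cycles for a predicted vs mispredicted branch,
# plus Gaussian jitter.  Illustrative values only.
FAST_MEAN, SLOW_MEAN, JITTER = 20, 60, 8


def run_trial(rng, start_core, migrate_prob):
    """One train-then-test trial.  Returns (core_at_train, core_at_test, latency)."""
    migrated = rng.random() < migrate_prob[start_core]
    test_core = ("P" if start_core == "E" else "E") if migrated else start_core
    # Shared predictor state only survives if the test runs on the same core.
    mean = FAST_MEAN if test_core == start_core else SLOW_MEAN
    return start_core, test_core, rng.gauss(mean, JITTER)


def collect(n_trials, migrate_prob, seed=1):
    """Alternate trials between a P-core and an E-core; record the core ID each time."""
    rng = random.Random(seed)
    samples = []
    for i in range(n_trials):
        start = "P" if i % 2 == 0 else "E"
        samples.append(run_trial(rng, start, migrate_prob))
    return samples


def training_effect(samples, core, require_same_core):
    """Fraction of trials started on `core` whose test latency looks 'trained'.

    With require_same_core=True the analysis is stratified: only trials whose
    test ran on the same core as the training are counted.
    """
    threshold = (FAST_MEAN + SLOW_MEAN) / 2
    rows = [s for s in samples
            if s[0] == core and (not require_same_core or s[1] == core)]
    if not rows:
        return None
    return sum(1 for s in rows if s[2] < threshold) / len(rows)


def analyse(samples):
    """Naive aggregate analysis next to the stratified-by-core-ID analysis."""
    return {
        "naive": {c: training_effect(samples, c, False) for c in "PE"},
        "same_core_only": {c: training_effect(samples, c, True) for c in "PE"},
    }


def noisy_os():
    # Constructed scheduler: a syscall issued on an E-core often bumps the
    # thread to a P-core; threads already on a P-core mostly stay put.
    return collect(2000, {"P": 0.05, "E": 0.70})


def bare_metal():
    # Fractal-style run: nothing else scheduled, so no migration at all.
    return collect(2000, {"P": 0.0, "E": 0.0})


if __name__ == "__main__":
    for name, samples in (("general-purpose OS", noisy_os()),
                          ("bare metal", bare_metal())):
        print(name, analyse(samples))
```

Under the noisy scheduler the naive aggregate reports a strong training effect on the P-core and a weak one on the E-core, exactly the "E-cores are isolated" conclusion the article says earlier work drew; the same samples stratified by core ID show the full effect on both. The methodological takeaway is that any cross-privilege experiment run under a commodity OS should log the CPU ID at the train and test points of every sample, or pin the thread and verify the pin held, before any isolation claim is made.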

Implications for AI infrastructure and chip security startups

The relevance for StartupFortune readers extends beyond academic curiosity. The AI era runs on specialized compute, and the behavior of that compute is increasingly hard to audit. Training large models requires trusting that the underlying silicon does not leak information across security boundaries. Apple has positioned the M-series chips as part of its on-device AI push, with privacy as a primary selling point. Fractal shows why that validation work remains difficult.

Ravichandran wants Fractal to become shared infrastructure for the entire research community, similar to what QEMU and FFmpeg are for their respective fields. That ambition has commercial implications. Chip security startups have historically relied on proprietary testing methodologies. A standardized, open source electron microscope for microarchitecture could level the playing field, allowing smaller firms to compete with incumbents in chip validation. The tool supports x86_64 and RISC-V alongside ARM64, meaning Intel and AMD customers can also benefit.

For startups building on Apple Silicon or designing their own accelerators, the lesson is uncomfortable. The chip's behavior under adversarial conditions remains poorly characterized. Apple's CSV2 protection works as intended for execution but leaks through the cache side channel. Phantom speculation exists on the M1. The conditional branch predictor has no privilege separation at all. These are not merely academic findings. They are data points for any company making security claims about Apple-powered infrastructure.

Fractal is already available for researchers. The next phase is adoption. If the community builds on this infrastructure, the quality of microarchitecture security research could improve dramatically. For founders and engineers, the tool is worth watching. Understanding what your chips actually do is becoming a competitive advantage.


Ron Patel covers cryptocurrency markets, blockchain developments, and digital asset news for Startup Fortune. With a background in financial journalism and over eight years tracking crypto markets through multiple cycles, Ron brings analytical perspective to Bitcoin, Ethereum, and emerging token ecosystems.