MIT researchers have developed their own operating system kernel, called Fractal, which allows for more precise analysis of processors. Using this method, they were able to identify previously unobserved behavior on Apple’s M1 chip that poses a potential security risk.
Fractal is based on a new concept: the “outer kernel” thread, which resides in the memory of a user process but runs with kernel privileges. Developer and MIT doctoral student Joseph Ravichandran describes the resulting operating system as the “electron microscope of operating systems.”
(Image: MIT / Gabriel Maragaño)
When security researchers want to investigate how modern processors actually work, they quickly run into limitations with conventional operating systems. Systems like macOS, Linux, or Windows are designed for stability, security, and everyday use—not for conducting measurements inside a chip with as little interference as possible.
A team at MIT's Computer Science and Artificial Intelligence Laboratory has therefore developed its own operating system kernel. Fractal is designed to give researchers a more direct view of microarchitectures—that is, internal structures such as caches, memory translations, and branch predictions.
The kernel was written from the ground up for experimental purposes. It runs directly on the hardware, replacing the standard operating system. The goal is not to create a system suitable for everyday use, but to enable measurements in which external influences distort the results as little as possible.
Controlled Experiments Instead of Operating System Noise
A key problem with previous research is that operating systems perform their own operations during each experiment. They manage memory areas, schedule and unschedule processes, and trigger interrupts, thereby altering the very conditions that are supposed to remain constant.
This is where Fractal comes in. The kernel allows tests to be run across different privilege levels without significantly altering other parameters. The researchers refer to this technique as multi-privilege concurrency.
To achieve this, Fractal uses, among other things, what are known as outer kernel threads. These are located in the memory of a user process but run with kernel privileges. This allows the same code to be executed in similar environments, once with user privileges and once with higher privileges.
This is complemented by cooperative multitasking and a proprietary memory system called gmap. Both are designed to prevent the operating system from interrupting tests or silently altering memory allocations between measurements.
New Findings on the Apple M1
As its first major use case, the team examined the Apple M1 processor. The focus was on branch predictions, which CPUs use to estimate which code might be executed next. Such mechanisms are important for performance, but can also be relevant for side-channel attacks. This behavior was responsible for the Meltdown and Spectre security vulnerabilities in x86 processors that came to light in 2017. Security researchers had warned that this vulnerability could also affect ARM processors, but have not yet been able to provide clear evidence of this.
The researchers first confirmed that an ARM security feature called CSV2 is effective in one key aspect on the M1. Specifically, user programs cannot simply cause the kernel to speculatively execute a selected target via indirect branch prediction.
At the same time, Fractal exhibited behavior that had not been documented previously. The processor apparently fetches a potential target into the instruction cache before the protective mechanism takes full effect. This process can be observed via a side channel.
In addition, the team found initial evidence that Apple Silicon is affected by what is known as "phantom speculation." In this scenario, ordinary instructions—such as a no-op—can be temporarily treated by the processor as if they were jumps. On the M1, such accesses across privilege and address space boundaries were observed, but execution of the instructions remained blocked.
Another experiment corrected earlier assumptions regarding the M1’s conditional branch prediction. According to the team, Fractal demonstrated that this prediction is not isolated by privilege levels on either performance or efficiency cores. Earlier divergent measurements may have been influenced by thread migrations under macOS.
A Tool for Further Research
Fractal is not designed as a single experiment, but as a research infrastructure. The kernel supports x86_64, ARM64, and RISC-V and comprises more than 31,000 lines of code. It also includes well-known interfaces and tools to make it easier to port existing experiments.
According to the researchers, the findings regarding the M1 were reported to Apple’s product security team. The team is cautious in its assessment of the practical implications of the observed phantom speculation, since speculative fetches were observed but no execution was detected.
Date: 08.12.2025
The work was presented at the IEEE Symposium on Security and Privacy in San Francisco. In the long term, Fractal is intended to help other research teams make measurements of processors more reproducible and easier to compare. The kernel is available as an open-source project under the MIT license. Ravichandran has released the kernel on GitHub and the complete experimental setup on Zenodo; further details can be found on the Fractal website. (sg)