Researchers at MIT have developed their own operating system, 'Fractal,' to study the operation and vulnerabilities of the chip.



When security researchers investigate the operating principles of chips, they often use general-purpose operating systems such as Windows, macOS, and Linux. However, because these are designed for everyday use, they may not be able to accurately measure the internal workings of the chip. Therefore, a research team at the Massachusetts Institute of Technology (MIT) has developed a proprietary OS called 'Fractal' for studying the internal structure of chips.

Fractal: An Operating System Designed for Microarchitecture Reverse Engineering.pdf
(PDF file)

https://people.csail.mit.edu/mengjia/data/2026.SP.fractal.pdf

To study how chips really work, MIT researchers built their own operating system | MIT News | Massachusetts Institute of Technology
https://news.mit.edu/2026/to-study-how-chips-really-work-mit-researchers-built-their-own-operating-system-0610

MIT's 'Fractal' Kernel Makes it Possible to Measure Chip Behavior More Accurately
https://www.all-about-industries.com/kernel-fractal-makes-chip-behavior-more-accurately-measurable-a-cb164145045f91f407da9c516cf90c17/

Vulnerabilities inherent in chips, such as ' Spectre ' and ' Meltdown ,' have a significant impact on users and businesses worldwide. Therefore, security researchers attempt to accurately measure the internal structure of chips, including cache , memory management , and branch prediction , in order to understand what kinds of attacks are possible against them.

To understand the internal structure of a chip, tests are conducted by rewriting the kernel , which is the core part of an operating system such as Windows, macOS, or Linux. However, since these operating systems are designed for everyday use, they may spontaneously manage memory areas, schedule and cancel processes, or generate processing interrupts even during testing. This can cause the very conditions that should be kept constant for measurement to change.

Therefore, the MIT research team developed 'Fractal,' an OS (kernel) rewritten from scratch specifically for chip research. A key feature of Fractal is that it allows tests to be run at different privilege levels without significantly altering other parameters.

In general-purpose operating systems, the system itself manages privilege levels, address space, and scheduling, affecting all measurements. Fractal achieves virtually background noise-free testing by using external kernel threads that run with kernel privileges while residing in the user process's memory.

Joseph Ravichandran, a PhD student in electrical engineering and computer science at MIT who led the Fractal project, said, 'We are utilizing the hardware in ways that are different from its original design intent. Nobody would have imagined that this was possible with hardware. But we have found ways to achieve a variety of basic functions.'



The research team actually used Fractal to investigate Apple's proprietary chip, the '

M1 .' The focus of the investigation was on branch prediction, which the CPU uses to predict the next code that might be executed. While branch prediction is important for performance, it can be exploited for side-channel attacks and was indeed the cause of Spectre and Meltdown.

The M1 processor implements an ARM security feature called 'CSV2,' which prevents code running at one privilege level from inducing speculative execution at another privilege level. The MIT research team confirmed through their investigation that this protection is effective during the execution phase of indirect branch prediction.

However, it was discovered that the CPU fetches potential targets into the instruction cache before the protection mechanism kicks in. This fetch is observable through the side channel, meaning user code can exceed its privilege level and influence what the kernel puts into the cache.

Furthermore, the research team discovered that Apple Silicon , used in iPhones and iPads, exhibits a phenomenon called 'phantom speculation,' where normal instructions are misinterpreted by the CPU as branches, potentially leading to speculative behavior that the program did not request. The MIT research team has already disclosed their findings to Apple.



The research team designed Fractal not as a single project, but as an infrastructure, so that other security researchers can also use Fractal for testing. Fractal supports x86_64 , ARM64 , and RISC-V , and also provides ports of standard tools that researchers are familiar with.

Ravichandran stated, 'This is like a microscope. With a handheld magnifying glass, you can only see a little. But with an electron microscope, you can observe in a true sense. Fractal is exactly like an electron microscope for operating systems,' expressing his hopes for improved testing accuracy across the entire community.

in Hardware,   Software,   Science, Posted by log1h_ik