Fractal: A Kernel Built for Chip Reverse Engineering

Most security researchers studying CPU vulnerabilities like Spectre and Meltdown have to fight against the very OS they run on. macOS or Linux injects interrupts, scheduler noise, and address-space management into every measurement. MIT's CSAIL team built Fractal, a 31,000+ line kernel written from scratch, to eliminate that noise entirely.

Fractal boots directly on bare metal and exposes primitives that let a single experiment switch privilege levels at runtime while executing the same instructions in the same address space. The key innovation is the "outer kernel thread" — a construct that runs inside a user process's memory but executes with kernel privileges. This enables what the team calls "multi-privilege concurrency."

The result: measurements with almost no background noise. Where macOS or Linux produce blurred baselines, Fractal delivers clean signals.

What Fractal Found on Apple's M1

Apple's M1 implements ARM's CSV2 specification, which is designed to prevent user-mode code from steering speculation in kernel mode. Using Fractal, the MIT team confirmed that CSV2 blocks the execute stage of indirect branch prediction — a user program cannot make the kernel speculatively execute a chosen target.

However, they found that the CPU still fetches the target into the instruction cache before the protection kicks in. That fetch is observable via a side channel, meaning user code can influence what the kernel pulls into its caches across the privilege boundary. The same pattern appeared between processes with different address space identifiers.

More critically, Fractal produced the first evidence that Apple Silicon exhibits Phantom speculation — a class of misprediction previously shown only on AMD and Intel processors. In Phantom, ordinary instructions like a no-op can be misinterpreted as branches, triggering speculative behavior. On the M1, Fractal showed Phantom fetches succeed across both privilege levels and address spaces, though the execute phase remains blocked.

Another experiment overturned prior work on the M1's conditional branch predictor. Earlier research claimed cross-privilege training worked on performance cores but not efficiency cores. Fractal showed the conditional branch predictor has no privilege isolation at all on either core type. The earlier result was likely an artifact of macOS quietly migrating threads between cores during system calls.

Architecture and Portability

Fractal supports x86_64, ARM64, and RISC-V. It provides familiar POSIX system calls, a C library, and ports of standard tools like vim, GCC, and the dash shell. This lets researchers move existing experiment code with minimal friction.

Joseph Ravichandran, the MIT PhD student who led the project, says: "We're using hardware in ways it wasn't designed for. It's not even obvious that this is a possible thing you could do with the hardware. But we found a way to pull all these different primitives off. It's like a microscope."

Implications for Developers

For developers working on security-sensitive code, these findings reinforce that speculative execution attacks are not limited to Intel and AMD. Apple Silicon, too, has exploitable microarchitectural side channels.

If you're writing code that handles sensitive data across privilege boundaries (e.g., kernel extensions, hypervisors, or even high-assurance user-space applications), you cannot assume CSV2 or similar protections are complete. The MIT team disclosed their findings to Apple, and Apple's engineers examined Fractal in return — an unusual sign of engagement.

Next Steps

The team presented their work at the IEEE Symposium on Security and Privacy. Fractal is open-source and available for other researchers to use. If you're doing microarchitectural research, consider using Fractal instead of patching macOS or Linux. The project website is linked in the source.

For the rest of us: stay tuned for Apple's response, and consider that the M1's branch predictor isolation is weaker than advertised.