MIT researchers have built an operating system kernel from scratch, and it's already revealing security flaws that Apple's own engineers may have missed. Called Fractal, this custom system boots directly on bare computer hardware with no other software in the way — a setup so clean and unobstructed that it works like an electron microscope for studying how processors behave at their most fundamental level.

The problem Fractal solves is a real one in modern chip research. When security engineers want to understand whether attacks like Spectre and Meltdown can slip through a processor's defenses, they typically run their experiments on top of existing operating systems like macOS or Linux, manually patching the kernel and hoping their modifications hold. It's unstable, difficult to reproduce, and increasingly impractical. A team at MIT's Computer Science and Artificial Intelligence Laboratory decided there had to be a better way.

The breakthrough came from rethinking how to study the hardware itself. Modern processors keep state in many internal structures — branch predictors that guess which code will run next, caches that hold frequently accessed data, translation lookaside buffers that cache virtual-to-physical address translations. Researchers need to observe how these structures behave across the boundary between user code and kernel code, two domains the chip is designed to keep isolated. Fractal achieves this by introducing something called multi-privilege concurrency, which allows a single experiment to switch privilege levels at runtime while executing identical instructions in the same memory space. The team calls its innovation an "outer kernel thread" — a piece of code that sits inside a user process's memory but executes with full kernel privileges.

The result is an experimental environment with almost no background noise. Where measurements taken under macOS or Linux get blurred by interrupts, scheduler activity, and memory management, Fractal produces clean, flat baselines that reveal what the hardware is actually doing.
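The noise problem described above is, at bottom, a measurement problem: on a general-purpose OS, interrupts and scheduler activity show up as a heavy upper tail in repeated timings of the same instruction sequence, and that tail is what a "flat baseline" lacks. The following is an added illustration written for this article (not code from Fractal or the MIT team) of how a practitioner can quantify that tail with robust statistics. The loop it times, the sample size, and the 5-MAD cutoff are assumptions chosen for illustration.

```c
#define _POSIX_C_SOURCE 199309L
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <string.h>
#include <time.h>

/* Added illustration, not Fractal's code. Robust statistics for timing
 * baselines: the median and MAD describe the "floor" of a measurement,
 * and the fraction of samples far above that floor is the noise tail that
 * interrupts, scheduling and memory management add on a full OS. */

static int cmp_u64(const void *a, const void *b) {
    uint64_t x = *(const uint64_t *)a, y = *(const uint64_t *)b;
    return (x > y) - (x < y);
}

/* Median of n samples; copies the input so the caller's order is kept. */
uint64_t median_u64(const uint64_t *samples, size_t n) {
    uint64_t *tmp = malloc(n * sizeof *tmp);
    memcpy(tmp, samples, n * sizeof *tmp);
    qsort(tmp, n, sizeof *tmp, cmp_u64);
    uint64_t m = (n % 2) ? tmp[n / 2] : (tmp[n / 2 - 1] + tmp[n / 2]) / 2;
    free(tmp);
    return m;
}

/* Median absolute deviation: a scale estimate that ignores outliers. */
uint64_t mad_u64(const uint64_t *samples, size_t n) {
    uint64_t med = median_u64(samples, n);
    uint64_t *dev = malloc(n * sizeof *dev);
    for (size_t i = 0; i < n; i++)
        dev[i] = samples[i] > med ? samples[i] - med : med - samples[i];
    uint64_t m = median_u64(dev, n);
    free(dev);
    return m;
}

/* Fraction of samples more than k MADs above the median: the noise tail.
 * Close to 0 for a flat baseline; grows with background interference.
 * A MAD of 0 is treated as 1 so the cutoff is always strictly above the median. */
double tail_fraction(const uint64_t *samples, size_t n, unsigned k) {
    uint64_t med = median_u64(samples, n);
    uint64_t mad = mad_u64(samples, n);
    uint64_t cutoff = med + (uint64_t)k * (mad ? mad : 1);
    size_t tail = 0;
    for (size_t i = 0; i < n; i++)
        if (samples[i] > cutoff) tail++;
    return (double)tail / (double)n;
}

/* Time a fixed, data-independent loop n times with the monotonic clock.
 * The loop body is an assumed stand-in for "identical instructions". */
void measure_samples(uint64_t *out, size_t n) {
    for (size_t i = 0; i < n; i++) {
        struct timespec t0, t1;
        volatile uint32_t acc = 0;
        clock_gettime(CLOCK_MONOTONIC, &t0);
        for (uint32_t j = 0; j < 2000; j++) acc += j;
        clock_gettime(CLOCK_MONOTONIC, &t1);
        int64_t ns = (int64_t)(t1.tv_sec - t0.tv_sec) * 1000000000LL
                   + (int64_t)(t1.tv_nsec - t0.tv_nsec);
        out[i] = (uint64_t)ns;
    }
}

int main(void) {
    enum { N = 10000 };
    static uint64_t samples[N];
    measure_samples(samples, N);
    printf("median=%llu ns  MAD=%llu ns  tail(>5 MAD)=%.4f\n",
           (unsigned long long)median_u64(samples, N),
           (unsigned long long)mad_u64(samples, N),
           tail_fraction(samples, N, 5));
    return 0;
}
```

Run it on a busy desktop and then pinned to an isolated core, and the median barely moves while the tail fraction drops; that shrinking tail is what Fractal removes by design rather than by tuning.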

The team's first major discovery came when examining Apple's M1 processor in detail. The M1 is supposed to implement a security feature called CSV2 that prevents code running in one privilege level from steering speculative execution in another. Fractal confirmed this protection works for one part of the branch prediction process — user-mode programs cannot make the kernel speculatively execute a chosen target. But the researchers found something unexpected: the M1 still fetches the target into its instruction cache before the protection activates. That fetch is observable through what security researchers call a side channel, meaning user code can still influence what the kernel pulls into its caches across the privilege boundary.

Fractal also produced the first evidence that Apple Silicon exhibits a class of vulnerability called Phantom speculation — a type of misprediction previously demonstrated only on AMD and Intel processors. In Phantom, ordinary instructions, even no-ops, can be misinterpreted by the CPU as branches, triggering speculative behavior the program never requested. On the M1, Fractal showed that Phantom fetches succeed across both privilege levels and address spaces.

The research team, led by MIT PhD student Joseph Ravichandran, also overturned a previous finding about the M1's conditional branch predictor. Earlier work had suggested that cross-privilege training worked on the chip's performance cores but not its efficiency cores. Fractal revealed that the conditional branch predictor actually has no privilege isolation at all on either core type, and the earlier result was likely an artifact of how macOS manages its threads.

For researchers trying to make chips more secure, Fractal represents a new kind of precision tool. It lets them see what's really happening inside the processor, without the interference that has long obscured the view.