[DigitalToday reporter Jinju Hong] Researchers at the Massachusetts Institute of Technology (MIT) have developed a dedicated operating system (OS) called Fractal to precisely analyze internal semiconductor behavior and security vulnerabilities. The researchers said they used it to analyze security features in Apple’s M1 chip and confirmed the possibility of a new type of side channel as well as a “Phantom Speculation” phenomenon.
On June 22 local time, online media outlet Gigazine reported that Fractal is a research kernel designed for chip-level precision measurements that are difficult to implement with general-purpose operating systems such as Windows 11, macOS and Linux.
Semiconductor security researchers analyze internal CPU structures such as caches, branch prediction and memory management to find potential attack paths. Spectre and Meltdown, which affected systems worldwide, were also found through research into such microarchitectural vulnerabilities.
The problem is that general-purpose operating systems make it difficult to keep research conditions consistent. Memory management, scheduling and interrupt handling by an operating system can intervene in measurements and affect experimental results.
MIT researchers designed Fractal from scratch to address these limitations. The research kernel is configured to keep experimental conditions as consistent as possible across different privilege levels, and it runs inside user-process memory while using an external kernel thread with kernel privileges to sharply reduce background noise during measurements.
Joseph Ravichandran (조지프 라비찬드란), a PhD candidate in electrical engineering and computer science at MIT who led the project, said, “We are using hardware in a way that differs from its original design intent.” He added, “No one would have thought this could be possible in hardware.”
The researchers used Fractal to analyze the branch prediction mechanism of Apple’s M1 processor. Branch prediction is a technology that boosts performance by estimating in advance the next instruction a CPU will execute, but it can become a channel for information leakage if an attacker exploits it.
The analysis confirmed that the ARM-based security feature applied by Apple, CSV2 (Context Synchronization Vulnerability 2), properly performs its role of blocking speculative execution across different privilege levels.
The researchers, however, found that the CPU prefetches potentially executable code into the instruction cache before CSV2 protection is actually applied. They said this process can be observed through a side channel and showed the possibility that a user program could indirectly influence the kernel’s cache behavior.
The researchers also found the “Phantom Speculation” phenomenon in Apple silicon used in iPhones and iPads. It is a phenomenon in which normal instructions are mistakenly interpreted as branch instructions inside the CPU, causing unintended speculative execution. The researchers said they have already delivered related information to Apple.
Fractal was designed not as a one-off tool for a specific study but as a general-purpose semiconductor research platform. It supports the x86_64, ARM64 and RISC-V architectures, and the researchers also ported standard analysis tools they had used. This is expected to allow other researchers to repeat experiments in the same environment and verify results, improving the reproducibility and accuracy of semiconductor security research.
Ravichandran described Fractal as “an electron microscope for the OS field.” He said, “With a magnifying glass in your hand, you can see only part of it, but with an electron microscope you can observe much more precisely.” He added, “I hope Fractal becomes a foundation for improving measurement accuracy across semiconductor security research.”
The researchers projected that Fractal could be used in various fields, including verification of chip security features, analysis of microarchitectural vulnerabilities and comparative research across architectures.