This Operating System Reveals a Chip’s Dark Secrets

Modern operating systems are packed with defenses against security vulnerabilities. But what if those defenses could be removed? Doing so would offer a clear view of the chip running the OS. It would also expose hardware vulnerabilities the OS normally obscures.

A new hand-coded OS, Fractal, provides that clear view. Built from scratch by researchers at MIT’s Computer Science and Artificial Intelligence Laboratory (CSAIL), Fractal is designed to probe the architecture of the chip that runs it. To prove that point, the OS, presented in May at the 2026 IEEE Symposium on Security and Privacy in San Francisco, was used to uncover a previously unknown vulnerability in Apple’s M1 chip.

Joseph Ravichandran, the CSAIL Ph.D. student who programmed Fractal, says the OS was inspired by obstacles faced while researching Pacman, an Arm CPU vulnerability disclosed in 2022.

“We paved the way with techniques such as custom kernel patches and kernel extensions,” Ravichandran explains—but these were only a partial solution. “The dream was always to have a completely custom operating system which would make these hacks unnecessary.”

Probing Chip Data Storage & Movement

Researchers exploring hardware vulnerabilities need to know exactly how data is stored and moved across a chip. They deduce this by coding tests that provoke desired behavior from a chip and then analyzing the results to reconstruct how the chip executed the code.

However, a conventional OS like Windows or MacOS will have defenses and features that obfuscate code execution and memory management. “I’ve built a number of lab exercises for our secure hardware design course,” says Ravichandran. “Seeing the struggles that students go through, and living those struggles myself in my research, I realized there just has to be a better way.”

Fractal is the obvious solution to the problem. Instead of patching or exploiting a conventional OS, Fractal entirely replaces a device’s original OS with a customized alternative focused on security research.

As you might expect, however, coding an OS is no small feat. Fractal was coded from scratch with a combination of programming languages including assembly, C, and C++. Ravichandran began work in June 2024 and finished the first version of the OS at the end of that year, after which it went through months of testing. Debugging was the most difficult step, as building a custom OS for hardware not designed to support it eliminated debugging tools from the equation.

“When getting Fractal to run on Apple silicon, for the longest time the only output I had was the power light on the front of the machine,” says Ravichandran. “This light told me whether my code was running, and the light stayed on, or if the machine had crashed for some reason, and the light turned off.”

Fractal OS Features for Security Research

Fractal provides researchers with three key features.

The first, headline feature is multi-privilege concurrency. On a conventional OS, comparing a chip’s behavior across privilege levels—which control a program’s access to system resources—is extremely difficult. Switching levels also shifts the memory layout, the CPU’s branch-predictor state, and more, all of which adds variables that skew test results. Fractal can run a test concurrently across privilege levels while holding other parameters identical, which leads to a much cleaner test result.

The second feature is cooperative multitasking, an alternative to a conventional OS feature called preemptive multitasking. Preemptive multitasking is an important feature for a modern OS, as it’s used to juggle the dozens or hundreds of tasks which might be active at once—but it can also pause a test if the OS decides another task matters more, which adds noise to the test result. Fractal’s cooperative multitasking, when enabled, allows a user to dictate the order in which code executes with no interruptions.

The final feature is Fractal’s memory system, called gmap. In a conventional OS, a program reaches memory through virtual addresses that the OS maps to real hardware. This mapping can change between tests. Gmap instead mirrors memory locations across threads and tasks, eliminating yet another variable.

The common threads across these features are control and clarity. “Fractal’s aim is to tell you simply what the hardware does as accurately as possible,” says Ravichandran. “Using the information learned from Fractal, researchers will be better equipped to understand how the hardware itself behaves independent of the OS.”

Discovering Phantom Speculation on M1

To show what Fractal could do, Ravichandran aimed it at Apple’s M1, a victim chosen primarily because it was the hardware on hand.

Fractal made it possible to find the first evidence that Apple Silicon is affected by a form of Phantom speculation, which in some cases can let an attacker momentarily direct a chip down a path an attacker chose. Phantom was known to be present in Advanced Micro Devices (AMD) and Intel hardware but was never proven to be present in Apple’s M1—until now.

The practical effect of the vulnerability is likely limited. Fractal found that while Phantom fetches can occur on Apple’s M1, the instructions are never executed. Ravichandran declined to speculate on how the vulnerability might be used in the wild, and said that the vulnerability was disclosed to Apple.

Though primarily tested on a Mac Mini equipped with Apple’s M1, Fractal also runs on many Intel and AMD PCs, Raspberry Pis, and some more recent Apple silicon devices like the Mac Mini with Apple M4. Fractal is freely available to download as an open source OS under the MIT license. Ravichandran has posted the kernel to Github and the full experimental setup on Zenodo, with additional details available on Fractal’s website.

Ravichandran is eager to see how other researchers make use of Fractal to explore other microarchitectures. “Right now, my goal is to get this system out into the world so other researchers can benefit from it,” he says. “My hope is that Fractal becomes a community project with contributions from other research labs who benefit from this approach.”