If hardware security nerds want to find out what the modern computer processor is actually doing under the hood, they face a huge hurdle: The operating system itself.
Engineers normally run tests on a commercial platform such as Linux or macOS to see how a chip handles data, schedules work, or hides secrets. However, these operating systems are large, loud and constantly clobbering the data. They move threads around, run random processes in the background and add their own digital noise to every measurement. Observing the unaltered behaviour of a chip under a regular operating system is like trying to hear a whisper in the middle of a rock concert.
A group of computer scientists at MIT’s Computer Science and Artificial Intelligence Laboratory (CSAIL) resolved to take matters into their own hands to eradicate this background noise. They created their own operating system from scratch.
The highly specialized, uncompromising, bare-metal operating system kernel, dubbed Fractal, provides researchers with a crystal-clear view of the nuts and bolts of today’s computer silicon.
Shifting From a Magnifying Glass to an Electron Microscope
For years, researchers who wanted to study the microarchitecture, the underlying circuitry and logic design of a processor, had to resort to wily tricks. They would take open source versions of the Linux or macOS operating systems and hack or patch them, taking care that the additions did not cause the computers to crash.
The procedure was rather unstable, very frustrating and not easily reproducible by other scientists. Additionally, built-in security on modern systems, such as Apple Silicon, is preventing these kernel-level changes more and more.
Fractal completely upends this approach. Fractal boots directly onto the “bare metal” hardware, rather than running on top of a huge software stack. No background apps, no automatic schedulers and no hidden processes.
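To see the noise a general-purpose OS adds, the sketch below times an identical workload many times on Linux and reports the spread and how often the thread changed CPU. It is an added example, not code from Fractal or the MIT team; the sample count, the workload and the `measure_noise` name are assumptions made for illustration.

```c
#define _GNU_SOURCE
#include <sched.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <time.h>
#define SAMPLES 2000   /* assumed sample count for this example */

struct noise_report {
    uint64_t min_ns, median_ns, max_ns;
    int cpu_changes;   /* samples that ended on a different CPU than the previous one */
};

static uint64_t now_ns(void) {
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return (uint64_t)ts.tv_sec * 1000000000ull + (uint64_t)ts.tv_nsec;
}

static int cmp_u64(const void *a, const void *b) {
    uint64_t x = *(const uint64_t *)a, y = *(const uint64_t *)b;
    return (x > y) - (x < y);
}

/* Time one fixed workload SAMPLES times; the spread comes from the platform, not the code. */
struct noise_report measure_noise(void) {
    static uint64_t t[SAMPLES];
    struct noise_report r = {0, 0, 0, 0};
    volatile uint64_t sink = 0;
    int last_cpu = sched_getcpu();
    for (int i = 0; i < SAMPLES; i++) {
        uint64_t start = now_ns();
        for (uint64_t k = 0; k < 10000; k++)   /* identical work every sample */
            sink += k * k;
        t[i] = now_ns() - start;
        int cpu = sched_getcpu();              /* returns -1 on error */
        if (cpu != last_cpu) { r.cpu_changes++; last_cpu = cpu; }
    }
    qsort(t, SAMPLES, sizeof t[0], cmp_u64);
    r.min_ns = t[0]; r.median_ns = t[SAMPLES / 2]; r.max_ns = t[SAMPLES - 1];
    return r;
}

int main(void) {
    struct noise_report r = measure_noise();
    printf("min %llu ns  median %llu ns  max %llu ns  cpu changes %d\n",
           (unsigned long long)r.min_ns, (unsigned long long)r.median_ns,
           (unsigned long long)r.max_ns, r.cpu_changes);
    return 0;
}
```

On a busy desktop the maximum is typically many times the median, even though every sample executes the same instructions; that gap is the interference from scheduling, interrupts and migration, together with hardware effects such as frequency scaling.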
Multi-Privilege Concurrency: The Secret Weapon
Today’s computer chips divide work among different privilege levels. Normal applications operate in a low-privilege mode, known as “user mode,” and the operating system kernel operates in a high-privilege mode, known as “kernel mode.”
Researchers need to perform the same tests on both sides of the wall to learn how the chip behaves at those hard boundaries, which is where horrifically serious hardware security problems such as Spectre or Meltdown happen.
Switching back and forth on a standard operating system adds a tremendous amount of software noise, making it difficult to read the data. This is where Fractal comes in with an architectural innovation called multi-privilege concurrency.
The table below compares a traditional general-purpose OS with MIT’s Fractal OS architecture.
| Concept | Traditional General-Purpose OS | MIT’s Fractal OS Architecture |
|---|---|---|
| Boot Style | Boots heavy system layers, background daemons | Boots directly onto bare metal hardware |
| Memory Control | Shifts address spaces and memory constantly | Swaps privilege levels inside the exact same memory space |
| Noise Profile | High noise (hardware interrupts, thread migration) | Flat baseline, near-zero background interference |
| Primary Goal | Running consumer software and apps efficiently | Treating the processor chip as the object of study |
Cracking Open Apple’s M1 Chip
The MIT team immediately set to work using Fractal on Apple’s M1 processor. In particular, they wanted to look at the chip’s branch predictors, the brainy parts of the CPU that guess the next piece of code a program is going to execute and, in advance, load the data required to execute it.
Fractal’s accuracy was evident from the beginning, as it uncovered new aspects of hardware behavior that other research groups had never noticed before.
The system was able to confirm that Apple’s hardware defenses work as designed, preventing a program at a low privilege level from causing the high-privilege kernel to run malicious code that the program has predicted. But Fractal spotted a small bug in the designers’ code: the protection prevents the unauthorized user, but the processor first loads the data it’s trying to block into its internal instruction memory.
Designed for the Research Community
Fractal was not designed to be a one-time solution for one paper. It was developed by a team at MIT’s CSAIL with the intent of making it widely useful. They built it to be strong and open source, to be used by the world’s hardware community.
Fractal is over 31,000 lines of code and already has 100% support for leading chip architectures such as x86_64, ARM64, and RISC-V. The developers have added standard developer features such as a built-in C library, familiar POSIX system calls, and ports of common terminal software, including the popular text editor Vim and the GCC compiler.
The MIT team has already reported their M1 architectural discovery straight to Apple’s product security team. In the future, Fractal could be used as a regular method to ensure the security of a chip before it’s even manufactured.

