Apple’s M1 Chip Has a Hidden Flaw Nobody Caught Until Now

A group of MIT researchers got tired of using makeshift tools to study how processors really work, so they built their own operating system from scratch.

The project overview was shared with iPhone in Canada on Wednesday by MIT. Called Fractal, the OS gave them a much cleaner way to poke around inside Apple’s M1 chip.

Apple has a built-in protection called CSV2 that’s supposed to stop code from sneaking across security boundaries inside the chip. The good news is that it mostly works. But the MIT team found a gap. Even when the protection blocks speculative code from fully executing across that boundary, the chip still quietly fetches data into its cache beforehand, and that cache footprint is enough of a foothold for a potential attack.

They also found something nobody had spotted on Apple Silicon before. A class of exploit called “Phantom speculation,” previously only seen on AMD and Intel chips, shows up on the M1 too. It essentially tricks the processor into doing speculative work it was never supposed to do.

But most interestingly, an earlier study had concluded that one part of the M1’s branch predictor was safe on Apple’s efficiency cores. Fractal showed that result was wrong.

Lead researcher Joseph Ravichandran explained why: “You change the privilege level, nothing else changes. The only thing that could explain whether the attack succeeds or not is the privilege level.” What the earlier researchers had actually been measuring was macOS quietly migrating their test between cores during the experiment, which skewed the results.
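The confound described above, an experiment that silently moves between cores, is something a researcher can rule out by pinning the measurement thread to one CPU and checking that it stays there. The following is an added example, written for Linux and not taken from the article or from the Fractal project; it talks to the kernel through raw syscalls (an assumption of a glibc/Linux build) so that it compiles without GNU feature macros, and it treats the pinned CPU as the only independent variable the scheduler is allowed to leave alone.

```c
/* Added example, not from the article or from the Fractal project.
 * Linux-only: pin the calling thread to a single CPU and verify that the
 * scheduler no longer migrates it, the confound the article says skewed the
 * earlier branch-predictor experiment. Raw syscalls are used so the file
 * builds without GNU feature macros. */
#include <errno.h>
#include <stdio.h>
#include <sys/syscall.h>

long syscall(long number, ...);  /* glibc's prototype; avoids needing _GNU_SOURCE */

#define MASK_WORDS 16                           /* 16 words of CPU bits */
#define WORD_BITS (8 * sizeof(unsigned long))   /* bits per mask word */
typedef unsigned long cpu_mask_t[MASK_WORDS];

/* Lowest CPU the calling thread is currently allowed to run on, or -1. */
int first_allowed_cpu(void) {
    cpu_mask_t mask = {0};
    /* sched_getaffinity returns the number of bytes written, negative on error */
    if (syscall(SYS_sched_getaffinity, 0, sizeof mask, mask) < 0) return -1;
    for (unsigned i = 0; i < MASK_WORDS * WORD_BITS; i++)
        if (mask[i / WORD_BITS] & (1UL << (i % WORD_BITS))) return (int)i;
    return -1;
}

/* Pin the calling thread (pid 0) to exactly one CPU; 0 on success, -errno on failure. */
int pin_to_cpu(int cpu) {
    cpu_mask_t mask = {0};
    if (cpu < 0 || (unsigned)cpu >= MASK_WORDS * WORD_BITS) return -EINVAL;
    mask[cpu / WORD_BITS] |= 1UL << (cpu % WORD_BITS);
    if (syscall(SYS_sched_setaffinity, 0, sizeof mask, mask) != 0) return -errno;
    return 0;
}

/* CPU the calling thread is executing on right now, or -1. */
int current_cpu(void) {
    unsigned cpu;
    if (syscall(SYS_getcpu, &cpu, (void *)0, (void *)0) != 0) return -1;
    return (int)cpu;
}

/* Sample current_cpu() `iters` times, yielding in between to invite migration;
 * return how many samples landed off `cpu`. A pinned thread should return 0. */
int count_migrations(int cpu, int iters) {
    int moved = 0;
    for (int i = 0; i < iters; i++) {
        if (current_cpu() != cpu) moved++;
        syscall(SYS_sched_yield);
    }
    return moved;
}

int main(void) {
    int cpu = first_allowed_cpu();
    if (cpu < 0 || pin_to_cpu(cpu) != 0) { perror("affinity"); return 1; }
    printf("pinned to cpu %d; off-core samples: %d\n", cpu, count_migrations(cpu, 10000));
    return 0;
}
```

Run it before a timing experiment: if `count_migrations` reports anything other than zero, the scheduler is still moving the thread and any per-core conclusion drawn from the measurement is suspect. On macOS there is no equivalent hard affinity, which is part of why a purpose-built OS like Fractal makes such measurements cleaner.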

Ravichandran described Fractal as giving researchers a level of precision they’ve never had before. “It’s like a microscope. If you’ve got a hand magnifying glass, you can see a little bit. But if you had an electron microscope, now we’re really talking. That’s what Fractal is. The electron microscope of operating systems.”

Fractal is made up of over 31,000 lines of code that work across the three main processor architectures in use today: x86_64, ARM64, and RISC-V.

Instead of being built for just one specific test, it was designed as a foundation for many. It supports familiar, standard programming interfaces and includes classic tools like the Vim text editor, the GCC compiler, and the Dash command shell. By including these everyday tools, the team made it easy for researchers to take the software they already use and move it over to Fractal without a lot of complicated rewriting.

Apple’s security team was briefed on the findings, and they also examined Fractal itself.

Ravichandran and MIT professor Mengjia Yan authored this paper with support from the National Science Foundation, the Air Force Office of Scientific Research, and DARPA’s ACE program. They are set to present their findings this month at the IEEE Symposium on Security and Privacy in San Francisco.
