The full paper, slides from my S&P talk, and all our experiment data can be found at the Fractal project website here: https://fractal-os.com
We've been building Fractal internally for a very long time (first commit was almost exactly 2 years ago), so it's exciting to finally share it with the world. Let me know what you think!
At the risk of sounding extremely dumb, I have a question for you: if the hardware is susceptible to something that you can't actually reproduce with the software everyone runs on it, who should care, and why? Is it even really fair to call it a vulnerability at that point? Is the idea that this is supposed to help identify a different mechanism of exploiting the vulnerabilities with the shipped OS too?
To give an analogy, it almost feels like removing the protection circuitry from a Li-Ion battery and then testing if it can catch fire, and observing that it does. Should it really worry users?
Not the author, but as someone who frequently has to answer this question, I'll chip in:
A mistake is a mistake, whether you have a way to reproduce it right now or not. It's pretty much a given that whatever means you have right now to reproduce the problem will evolve and broaden the scope. Also, if you haven't found a way to reproduce the problem, it doesn't mean it doesn't exist: it takes a lot more effort to prove that it's impossible to reproduce than to simply not being able to reproduce the problem.
Not to take away from the authors' work, but this was actually the approach taken by some engineers while Spectre / Meltdown were still under embargo. Not sure if they ever mentioned their work publicly so I will avoid naming them, but some talented folks from Microsoft who basically came to the same conclusion that a specialized environment free of noise was necessary both to test mitigations and find variants.
The paper's reference to https://github.com/blacktop/darwin-xnu-build does not support the statement made by the paper. It's not redaction or obfuscation that makes building XNU difficult. It's having the right toolchain; modifying makefiles and code to accommodate a slightly different toolchain; and needing a load of extra stuff that isn't pre-supplied with XNU. A lot of the patches and issues there are about compiler differences, language standard differences, and plain missing stuff.
This is a secondary niggle in the larger scheme of things, though. Not using something like XNU in the first place is the way, for the reasons that the paper goes into. (Whilst 'of course it runs NetBSD' applies to the M1, one wouldn't use NetBSD for this for the same reasons that one wouldn't use XNU.) People experienced in this sort of thing likely nodded along at decisions like coöperative rather than preëmptive multitasking.
I wonder whether they considered the Watanabe shell rather than the Debian Almquist shell. They picked vim instead of nvi2, after all.
I assume the idea is that finding tools and assembling other projects together into a build environment is comparatively easy but papering over entire components being missing is much harder
No. As I said, that's really a secondary niggle with the paper itself misrepresenting its reference, which as you can see already provides patches to paper over such stuff, as through the problem with XNU were redaction, which it isn't per that reference.
The primary reason not to use XNU is what the paper goes into in detail; which is the architecture of XNU simply getting in the way, just as the architecture of NetBSD would for the same reasons. If XNU being incomplete were the primary problem, NetBSD, a complete operating system that supports loadable kernel modules and provides a coherent development toolchain out of the box, would be the answer. But it is not.
I'm really excited about this work, although I haven't read the code or paper yet. It seems to me Fractal would be ideal for running benchmarks for compilers so that the OS-induced noise is kept to a minimum.
I am very confused by calling this kind of work "researches".
They are not pushing the boundary of human knowledge - they are playing game (reverse engineering) with other human.. maybe that is me having a very narrow definition of "research"
I actually do a phd in a closely related area.
Creating better tools to do research with is definitely part of the research process.
While there is a lot of work in general operating systems, those aimed to specifically do a lot of microarchitectural experiments is still undiscovered ground.
Feel free to suggest a more suitable word. Research is usually defined against the the body of knowledge of the entity performing it and not all of humanity that ever lived.
Yet a published peer-reviewed research should be against humanity. I am also curious whether such research can bring knowledge that apple don't know, otherwise even it is impressive, there is a level of sadness in it from my view.
I suppose the theory is when you're attacking a console like the Xbox One with some known hypervisors vulnerabilities, but generally what is considered to be secure hardware, you could use the patchable hypervisor vulnerability to install your custom OS, then use the OS itself to find silicon bugs, finally securing a pathway for permanent access to the device.
> When security researchers want to understand what a modern processor is really doing with the kind of detail that determines whether attacks like Spectre and Meltdown are possible, they usually run their experiments on top of an operating system that was never built for the job. They open up macOS or Linux, patch the kernel by hand, and hope the modifications hold. The approach is unstable, hard to reproduce, and on Apple’s platforms, slated for deprecation.
> A team at MIT’s Computer Science and Artificial Intelligence Laboratory (CSAIL) decided to build something different. Fractal, an operating system kernel written from the ground up, treats the hardware itself as the object of study.
> Fractal supports x86_64, ARM64, and RISC-V, and consists of more than 31,000 lines of code. The team designed it as infrastructure rather than as a single experiment, with familiar POSIX system calls, a C library, and ports of standard tools like vim, GCC, and the dash shell, so that researchers can move existing experiment code over with minimal friction.
I was around the "what does the hardware really do?" space 4-ish decades ago - hacking together your own Minimum Viable OS was table stakes.
Obviously MIT's Fractal is vastly larger than anything we did back then - but is anyone in this space now, to comment on how special Fractal is...or isn't?
Worth noting this is pretty standard university PR. It is written with author involvement so it’s likely technically correct but it is aimed at getting it picked up so it often makes it sound flowery and contains multiple descriptions of generally the same thing with different analogies or simplifications that anyone writing an article from this can parrot easily.
The full paper, slides from my S&P talk, and all our experiment data can be found at the Fractal project website here: https://fractal-os.com
We've been building Fractal internally for a very long time (first commit was almost exactly 2 years ago), so it's exciting to finally share it with the world. Let me know what you think!
reply