Apple Silicon arrived with a security reputation that Intel chips never had. The M1 did not need the Spectre mitigations that had been retrofitted to x86 processors through microcode and software for years, because it was designed after those attacks became public and could build its speculation controls into the hardware. Early independent research turned up fewer microarchitectural quirks than Intel or AMD chips had accumulated. Over time, that hardened into a general assumption: Apple Silicon is different, and probably safer. MIT’s Fractal research kernel has now produced the first published evidence of Phantom speculation on the Apple M1, and overturned prior published conclusions about the M1’s conditional branch predictor. The assumption deserves a second look.
Where the “Safer Apple Silicon” Idea Came From
When Spectre and Meltdown became public in early 2018, Apple’s ARM-based chips for Macs did not yet exist. Apple’s existing A-series phone chips were covered by operating-system and browser mitigations, but the M1 (launched in 2020) was designed with Spectre in mind from the start. Early research published no M1 equivalent of Intel’s indirect branch predictor vulnerabilities, and the absence of bad news became a proxy for safety.
That proxy was never fully warranted. Apple Silicon is ARM64 with Apple-designed branch predictors, and those had not been studied with the same depth as Intel or AMD designs. Part of the reason was tooling. Experiments run on top of macOS pick up noise from the operating system: the scheduler, interrupt handlers, and migration of a thread between cores, each of which has its own predictor state, all perturb the measurement and make results ambiguous. Conflicting published findings about M1 branch predictor behavior were partly a symptom of this problem.
What Apple M1 Phantom Speculation Actually Shows
Fractal is a bare-metal research kernel developed by Joseph Ravichandran and Mengjia Yan at MIT CSAIL. It boots directly on hardware without macOS, removing the operating system noise that has muddied earlier research. Running on Apple Silicon Macs, it found the first published evidence that Apple M1 Phantom speculation occurs.
Phantom is a class of speculative execution attack in which the branch predictor fires on an instruction that is not a branch at all, including no-ops, and the front end treats it as one. The processor then speculatively fetches instructions from a predicted target it was never asked to execute. This class had previously been demonstrated only on AMD and Intel chips. Fractal’s results show the M1 is not exempt.
The researchers observed Phantom fetches on the M1 in user-to-user, user-to-kernel, and cross-ASID configurations. In the tested scenarios the speculatively fetched instructions did not go on to execute, but the fetches themselves left traces in the instruction cache that could be observed as a side channel. That matters because an attacker who can tell which addresses were speculatively fetched learns something about the victim’s control flow and address layout even when no data-dependent instruction ever runs; a full exploit chain reaching execution is not required. Whether these specific M1 fetches are practically exploitable is a question for follow-on work, but the behavior is confirmed.
The Conditional Branch Predictor Finding Is More Immediately Concrete
Beyond the Apple M1 Phantom speculation result, Fractal also found that the M1’s conditional branch predictor has no privilege isolation on either the performance or efficiency cores. This directly contradicts earlier published research, which had suggested some isolation existed.
Earlier research was almost certainly run on top of macOS. Branch predictor state is private to each core, so when the kernel migrated a thread to a different core during a system call, the victim ran on a predictor the attacker had never trained, and that looked like isolation. Fractal’s bare-metal setup removed that confounding effect. The result is that user-mode code can reliably mistrain the conditional branch predictor across privilege levels and ASIDs: there is no conditional branch predictor boundary between user space and kernel space on the M1, and none between separate processes.
This is not a minor qualification. Any defense strategy for Apple Silicon workloads that assumed conditional branch predictor isolation was built on a false premise. That includes security analyses, threat models, and mitigations written before this research.
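To make the isolation question concrete, here is a toy model of a PC-indexed conditional branch predictor, written for this article as an added example; it is not Fractal’s code and not a description of Apple’s predictor. The table size, the index function, the use of two-bit saturating counters, the ASID and exception-level values, and the user and kernel addresses are all assumptions chosen for illustration. It runs the same attacker-trains, victim-predicts experiment three ways: on one core with no context tagging (the behavior Fractal reports), with the victim migrated to another core (the confound a macOS-hosted experiment can hit), and on one core with a CSV2-style context tag folded into the index (what real isolation would look like).

```c
/*
 * Toy model of a PC-indexed conditional branch predictor with 2-bit
 * saturating counters. Added example for illustration only: table size,
 * index function, ASIDs, exception levels and addresses are assumptions,
 * not properties of any Apple core.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CORES      2                 /* each core has private predictor state */
#define TABLE_BITS 10
#define TABLE_SIZE (1u << TABLE_BITS)
#define TABLE_MASK (TABLE_SIZE - 1)

typedef struct {
    uint8_t ctr[CORES][TABLE_SIZE];  /* 0,1 = predict not-taken; 2,3 = predict taken */
    bool    tag_by_context;          /* model of CSV2-style isolation: fold ASID/EL into the index */
} predictor_t;

static void predictor_init(predictor_t *p, bool tag_by_context)
{
    memset(p->ctr, 1, sizeof p->ctr);  /* every counter starts weakly not-taken */
    p->tag_by_context = tag_by_context;
}

/* Index from the low PC bits only (assumption), so a user-space branch and a
 * kernel branch whose low address bits agree alias to the same counter. With
 * context tagging enabled, the ASID and exception level perturb the index. */
static unsigned predictor_index(const predictor_t *p, uint64_t pc, unsigned asid, unsigned el)
{
    unsigned idx = (unsigned)(pc >> 2) & TABLE_MASK;  /* A64 instructions are 4-byte aligned */
    if (p->tag_by_context)
        idx ^= (((asid << 1) | el) * 0x1F3u) & TABLE_MASK;
    return idx;
}

static bool predictor_predict(const predictor_t *p, unsigned core, uint64_t pc, unsigned asid, unsigned el)
{
    return p->ctr[core][predictor_index(p, pc, asid, el)] >= 2;
}

static void predictor_update(predictor_t *p, unsigned core, uint64_t pc, unsigned asid, unsigned el, bool taken)
{
    uint8_t *c = &p->ctr[core][predictor_index(p, pc, asid, el)];
    if (taken && *c < 3)
        (*c)++;
    else if (!taken && *c > 0)
        (*c)--;
}

/* The attacker (EL0, ASID 1) repeatedly takes a branch whose low address bits
 * match a kernel bounds-check branch; the victim (EL1, ASID 7) then runs that
 * check with an in-bounds index, so the correct prediction is not-taken.
 * Returns true if the victim's branch is predicted taken, i.e. the training
 * crossed the privilege and ASID boundary. */
static bool victim_mispredicts(bool tag_by_context, unsigned attacker_core, unsigned victim_core)
{
    const uint64_t attacker_pc = 0x0000000100100C40ull;  /* assumed user-space address */
    const uint64_t victim_pc   = 0xFFFFFE0000100C40ull;  /* assumed kernel address, same low bits */
    predictor_t p;
    predictor_init(&p, tag_by_context);

    for (int i = 0; i < 4; i++)  /* training loop: the attacker's branch resolves taken each time */
        predictor_update(&p, attacker_core, attacker_pc, /*asid*/ 1, /*el*/ 0, true);

    return predictor_predict(&p, victim_core, victim_pc, /*asid*/ 7, /*el*/ 1);
}

int main(void)
{
    printf("same core, no context tag     : victim mispredicts = %d\n", victim_mispredicts(false, 0, 0));
    printf("victim migrated to other core : victim mispredicts = %d\n", victim_mispredicts(false, 0, 1));
    printf("same core, context-tagged     : victim mispredicts = %d\n", victim_mispredicts(true, 0, 0));
    return 0;
}
```

The middle case is the one that matters for reading the earlier literature: if the operating system moves the victim to a different core between training and measurement, the experiment reports no cross-context influence even though the predictor itself has no context tag at all. A bare-metal kernel that pins both halves of the experiment to one core removes that ambiguity.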
Apple’s Response Is Strange
After disclosure, Apple’s security engineers asked to examine Fractal itself. That is an unusual response to a microarchitecture finding. Typically, disclosed hardware vulnerabilities lead to a CVE, an advisory, and eventually a patch or mitigation guidance. None of that has appeared here.
Apple examining Fractal could mean several things. The company may be studying whether these findings have practical exploitability in production workloads. It may also be evaluating Fractal as a tool for its own internal security research. Neither possibility explains why no public guidance has appeared. Developers and security teams working on Apple Silicon have no official advisory to act on, only the research paper.
What Still Holds, and What Doesn’t
Apple Silicon is not Intel circa 2018. The Phantom finding on the M1 is evidence of speculative instruction cache fetches, not of confirmed arbitrary kernel code execution. The CSV2 timing gap (CSV2 being the ARM architecture feature that describes branch-prediction isolation between hardware contexts) leaks instruction cache observations, not arbitrary memory. These are real findings, but they are bounded ones.
What no longer holds is the assumption that Apple Silicon has been studied thoroughly enough to be given a clean bill of health. Fractal shows that the M1 has microarchitectural behaviors that eluded prior research because prior research was conducted with tools that introduced too much noise. Better tooling produces different answers.
Security researchers working on Apple Silicon defenses should treat these findings as a starting point. The conditional branch predictor results in particular suggest that earlier analyses of M1 security properties may need revisiting. And the broader lesson is simple: the absence of published vulnerabilities is not the same thing as the absence of vulnerabilities.