ICM-OS: An Intent-Centric Meta-Operating System

§ 01

Introduction

There is a fairly clean story you can tell about operating systems: each generation added a layer of abstraction, each layer made software more portable and composable, and each time the cost was some loss of transparency into what the machine was actually doing. Direct hardware access gave way to process and memory abstractions. Physical hardware gave way to virtual machines. Host environment assumptions gave way to containers.

What none of those transitions touched, though, is a more fundamental assumption: software is a thing you compile, package, and install. The costs of this model are not subtle. TLS stacks are re-implemented in every major browser, every HTTP library. ISA proliferation means a binary that runs on one machine may simply not run on another.

Claim I — CDM

Any user-facing software function can be decomposed into a graph of atomic capability primitives; the AMS performs this decomposition dynamically from intent, eliminating monolithic application installation.

Claim II — GBT

Cross-ISA execution is achieved by lifting source binaries into an ISA-agnostic semantic intermediate representation (SIR) and synthesizing target-native code—generalizing to unseen programs without hand-authored per-ISA-pair translation tables.

ICM-OS proposes a hybrid architecture: the AI meta-system (AMS) handles semantic reasoning, intent decomposition, and emulation strategy. Formally verified, deterministic primitives handle execution. The AI decides what to run. Verified code runs it.

§ 02

Related Work

2.1 Capability-Based and Microkernel OS

Capability-based OS designs [Dennis & Van Horn, 1966] introduced capabilities as access-control tokens. ICM-OS extends this: capabilities are semantic descriptors of computational function, composable by an AI orchestrator. Exokernel proposed eliminating OS policy to expose raw resources; ICM-OS inverts this.

ICM-OS has more in common with microkernel designs than with monolithic OSes. The IPC overhead problem that microkernel designers always fought is not the problem ICM-OS faces—LLM orchestration overhead is high-latency but amortized across an entire user intent.

2.2 Binary Translation

Instruction-level emulation (QEMU) faithfully replicates ISA semantics but incurs 2–10× overhead. Apple's Rosetta 2 achieves near-native x86→ARM performance but demanded substantial engineering investment for exactly one ISA pair. GBT's key advantage is the elimination of the per-pair engineering cost—translation strategy derives from semantic understanding, not handwritten rules.

2.3 LLMs in Systems Contexts

AIOS [Mei et al., 2024] integrates LLM agents with conventional OS process management but treats the LLM as an application-level agent above a standard OS, not as the OS itself. ICM-OS is architecturally distinct: the AI is the abstraction layer, not a user of one.

§ 03

Capability Decomposition Model

Consider what actually ships when you install a browser: a TLS stack, a DNS resolver, an HTTP client, an HTML parser, a CSS layout engine, a JavaScript runtime, a credential manager… Chrome carries its own TLS implementation. Firefox carries its own. Each application re-bundles everything it might need.

CDM dissolves this coupling. Capabilities are maintained in a shared, versioned, verified registry. The AMS composes them dynamically. No application is installed; user intents are compiled into capability graphs at request time.

A capability primitive c ∈ C is a 5-tuple:

c = ⟨id, τ, σ, φ, s⟩

id — unique identifier
τ = (T_in, T_out) — typed interface signature
σ — semantic descriptor (ontology-tagged description)
φ — reference to formally verified binary implementation
s ∈ {stateless, stateful} — persistence classification

A capability graph G = (V, E, λ) is a directed acyclic graph (DAG) where:

— Each node v ∈ V is labeled by λ(v) ∈ C
— Each edge (u,v) ∈ E is a typed data-flow dependency
— T_out(λ(u)) ⊑ T_in(λ(v)) (subtype compatibility)

Well-formed graphs satisfy: (i) type-correctness; (ii) acyclicity; (iii) absence of resource deadlock patterns

3.3 State Management: Stateful Primitives

A web-browsing session requires cookies, authentication tokens, and cached resources that must survive across multiple graph invocations. We address this through the stateful primitive class:

        [SESSION_STORE⟨K,V⟩] — typed key-value store scoped to session context
[CACHE_LAYER⟨K,V,TTL⟩] — TTL-bounded content cache for idempotent resources
[FILE_STATE⟨path, schema⟩] — typed persistent file binding with schema-validated read/write

      

3.4 Worked Example: Stateful Web Browsing

Intent I = "Log into example.com and bookmark the dashboard page."

// Graph G₁ — Login + Bookmark
[DNS_RESOLVE] → [TCP_CONNECT] → [TLS_HANDSHAKE] → [HTTP_GET]
  → [HTML_PARSE] → [CSS_LAYOUT] → [JS_EXECUTE] → [WINDOW_RENDER]
  → [SESSION_STORE⟨cookie, token⟩]

// Graph G₂ — Return to dashboard (session persisted)
[SESSION_STORE⟨cookie, token⟩] → [HTTP_GET(+auth)] → [HTML_PARSE]
  → [CSS_LAYOUT] → [JS_EXECUTE] → [WINDOW_RENDER]

No browser application was installed at any point.

§ 04

Generative Binary Translation

The standard approach to cross-ISA execution defines a mapping f: S_src → S_dst and implements it. Rosetta 2 represented years of Apple engineering effort for exactly one ISA pair. As the hardware landscape fragments—ARM variants, RISC-V, WASM, proprietary NPU instruction sets—the cost scales as O(N×M) in the number of source and target architectures.

4.2 The Semantic Translation Model

// Traditional DBT: syntactic, table-driven
f: S_src → S_dst

// GBT: via semantic intermediate space
ℓ: B_src ──── Semantic Lifting ────→ M (ISA-agnostic SIR)
s: M ──── Semantic Synthesis ───→ B_dst (target-native binary)

GBT(B_src, S_dst) = s(ℓ(B_src), S_dst)

4.3 The Semantic Intermediate Representation

M = ⟨CFG, DFG, Σ, Θ⟩

CFG — control-flow graph of B_src
DFG — data-flow graph annotating value dependencies
Σ: BasicBlock → SemanticSummary — natural-language + pre/post-conditions
Θ — identified high-level patterns (loops, memory alloc, synchronization)

4.5 Correctness Model and Applicability Boundary

GBT has defined applicability limits. Three classes of binary fall outside scope:

        Self-modifying code — defeats static lifting; falls back to instruction-level emulation
Timing-dependent code — hard real-time constraints cannot be guaranteed behaviorally equivalent
Hardware-intrinsic drivers — device drivers with tight coupling to hardware register layouts

      

§ 05

Case Studies

5.1 Stateful Text Reader via CDM

Intent I = "Open notes.txt and let me scroll through it and search for text."

[FILE_OPEN] → [FILE_READ] → [UTF8_DECODE] → [TEXT_LAYOUT]
                             [SEARCH_INDEX] ↘ ↗
                                              [TEXT_LAYOUT] → [WINDOW_RENDER] ↔ [SCROLL_INPUT]
                                                                           [FILE_STATE⟨preferences⟩]

The CDM efficiency claim is concrete: [UTF8_DECODE] and [TEXT_LAYOUT] are the same verified modules used by the email client, document editor, and terminal—there is no re-implementation, no redundant bundling.

5.2 Cross-ISA Execution via GBT

An ARM64 binary implementing a vectorized fused multiply-add loop (result[i] = a[i] * b[i] + c[i]) compiled with NEON FMLA instructions is lifted to SIR:

Σ(loop_body) = {
  description: 'vectorized fused multiply-add over aligned float32 arrays',
  roles: { SIMD_ARITHMETIC, ALIGNED_LOAD, ALIGNED_STORE },
  pre: 'a, b, c are 32-byte-aligned float32 arrays of length n',
  post: 'result[i] = a[i] * b[i] + c[i] for all i < n',
  safety: safe
}

GBT synthesizes a loop using AVX-512 VFMADD231PS on x86-64—potentially achieving higher throughput than the ARM64 original because synthesis exploits target-native register width without being constrained by the source ISA's instruction selection.

§ 06

Comparison with Existing OS Paradigms

Dimension	Traditional OS	VM / Hypervisor	Container	Microkernel	AIOS Agent	ICM-OS
App model	Monolithic binary	Guest OS + binary	Image + process	Service processes	GUI agent over OS	Dynamic cap. graph
ISA binding	Compile-time	Same ISA only	Host ISA	Host ISA	Host ISA	Runtime via GBT
Cap. sharing	Per-app duplicate	Per-VM duplicate	Partial layers	Shared services	None (OS intact)	Full CPR sharing
Correctness	Deterministic	Deterministic	Deterministic	Deterministic*	Probabilistic	Hybrid†
Composition	Static (dev-time)	Static	Static (config)	Static (IPC)	AI (task-time)	AI (intent-time)
State mgmt.	Process memory	VM memory	Container volume	Service state	Host OS delegate	Stateful primitives

* seL4 provides formal verification of microkernel correctness. † ICM-OS: probabilistic AI composition + deterministic verified primitive execution.

§ 07

Technical Challenges and Mitigations

7.1 Determinism: The Hybrid Correctness Architecture

The most common objection to AI-in-the-OS proposals is the determinism problem, and it is a real objection. ICM-OS does not dissolve this tension—it contains it through architectural separation. The AI reasons about semantics; verified primitives execute. The probabilism stays in the reasoning layer.

Correctness hierarchy: CPR primitive execution is formally verified and deterministic. Graph assembly validation acts as a hard filter. GBT synthesis outputs are verified before deployment. AI non-determinism affects only whether the assembled graph optimally satisfies the intent—not whether it executes correctly.

7.2 Graph-Structure Attacks

The threat model is broader than prompt injection. Any path that lets an adversary influence AMS graph assembly may produce a graph that passes type-checking but behaves badly. The graph validator performs full static analysis including resource-bound analysis, cycle detection, and liveness analysis.

The Confused Deputy problem maps cleanly onto the cross-primitive policy challenge. [FILE_READ(sensitive_key)] → [NLP_ENCODE] → [HTTP_POST(external_server)] is three legitimate operations chained into an exfiltration pipeline. Cross-primitive policy enforcement is implemented as a type-and-effect system over the capability graph.

7.3 Taint Tracking and Indirect Prompt Injection

Data entering through user-controlled external sources is tagged with a taint label at the primitive that ingests it. Taint propagates through the session-scoped dependency graph. The AMS intent channel is taint-isolated: tainted data may never be passed directly as input to the AMS's intent-parsing component.

7.4 Inference Latency and Cold-Start

LLM inference latency is currently 10–1000× higher than kernel system call overhead. ICM-OS must not place the AMS in the critical path of per-operation execution. Three patterns are employed:

        Compiled Intent Plans — δ(I) is cached as a compiled, validated execution plan
Hierarchical Model Cascade — edge model (<1B params) for frequent intents; full model for novel requests. Target: <50ms cached; <500ms novel
Cold-Start Mitigation — speculative precomputation, pre-seeded intent caches, progressive rendering

      

§ 08

Research Roadmap

PHASE 01

CDM Prototype with State Management

0 – 18 months

>90% correct intent decomposition on 300-intent benchmark
<200ms AMS latency (cached); <800ms (novel)
CPR primitive reuse ratio >3×
Zero graph-structure attacks escape validator

PHASE 02

GBT Prototype: ARM64 → x86-64

12 – 36 months

90% of functions pass all test cases
Zero memory-safety regressions (verified by Infer)
Cold-start within 5× of QEMU startup
Warm-path within 2× of Rosetta 2

PHASE 03

Integrated ICM-OS Kernel

24 – 60 months

Minimal kernel in hypervisor sandbox
Security red-team evaluation
End-to-end benchmarking vs Linux
Open-source prototype published

§ 09

Discussion and Conclusion

The assumption ICM-OS challenges is one that the field has largely stopped questioning: that software has to be a pre-compiled artifact, installed on a specific machine, compiled for a specific ISA. That assumption made sense when it was made. The argument here is that it no longer has to.

The Capability Decomposition Model proposes that any user-facing function can be assembled dynamically from atomic, shared, formally verified primitives—eliminating application installation as a concept. Generative Binary Translation proposes that cross-ISA execution can be achieved through semantic lifting and synthesis rather than syntactic instruction mapping.

"At bottom, what ICM-OS is arguing about is what an operating system is for. The purpose is mediation: bridging the gap between what a user or an application wants and what the hardware can do. LLMs offer a qualitatively different kind of answer, one that operates at the level of semantic intent rather than binary instruction."

What ICM-OS offers is a research agenda: a set of precise, tractable sub-problems that collectively define what an AI-first OS would require. Each sub-problem is independently publishable and practically valuable. The integrated vision provides the motivation for pursuing them together.

§ Refs

References

[1]Dennis, J. B., & Van Horn, E. C. (1966). Programming semantics for multiprogrammed computations. Communications of the ACM, 9(3), 143–155.

[2]Levy, H. M. (1984). Capability-Based Computer Systems. Digital Press.

[3]Engler, D. R., Kaashoek, M. F., & O'Toole, J. (1995). Exokernel: an operating system architecture for application-level resource management. ACM SIGOPS, 29(5), 251–266.

[4]Liedtke, J. (1995). On μ-kernel construction. ACM SIGOPS, 29(5), 237–250.

[5]Heiser, G., & Leslie, B. (2010). The OKL4 microvisor: Convergence point of microkernels and hypervisors. APSys 2010.

[6]Klein, G., et al. (2009). seL4: Formal verification of an OS kernel. ACM SIGOPS, 43(4), 207–220.

[7]Bellard, F. (2005). QEMU, a fast and portable dynamic translator. USENIX ATC, 41–46.

[8]Apple Inc. (2020). Rosetta 2 – Run apps natively on Apple Silicon. Apple Developer Documentation.

[9]Dehnert, J. C., et al. (2003). The Transmeta Code Morphing Software. CGO 2003, 15–24.

[11]Solar-Lezama, A. (2008). Program Synthesis by Sketching. PhD thesis, UC Berkeley.

[14]Mei, K., et al. (2024). AIOS: LLM Agent Operating System. arXiv:2403.16971.

[15]Katz, O., et al. (2019). Towards neural decompilation. arXiv:1905.08325.

[21]Hardy, N. (1988). The Confused Deputy. ACM SIGOPS, 22(4), 36–38.

[22]Calcagno, C., et al. (2011). Compositional shape analysis by means of bi-abduction. JACM, 58(6), 1–66.

[26]Anthropic. (2024). Introducing computer use, a new Claude API feature. Anthropic Technical Blog.

[27]Myers, A. C., & Liskov, B. (1998). A decentralized model for information flow control. ACM SIGOPS, 31(5), 129–142.

[29]Abadi, M., et al. (2009). Control-flow integrity principles, implementations, and applications. ACM TISSEC, 13(1), 1–40.

[30]Meyer, B. (1992). Applying "Design by Contract." IEEE Computer, 25(10), 40–51.