Machete is a research prototype for temporal software debloating. It profiles an unmodified Linux binary, learns which code pages are needed in each execution phase, and enforces a phase-specific memory view in user space.
The goal is simple: keep less executable code available at any moment, so code-reuse attacks have fewer gadgets to work with.
Machete was developed as part of the MSc thesis Machete: Thwarting Code-Reuse Attacks Through Temporal Permission Tightening in User Space, also available from the TU Delft repository. It is built on the system-call interposition substrate from K23 by Voulimeneas et al..
Machete has three moving parts:
- Profiler — records page-granularity memory-access traces from target executions.
- Policy learner — turns traces into a compact finite-state phase model using a modified Blue-Fringe / EDSM learner.
- Runtime enforcer — runs the target with per-phase page permissions and execute-only memory over shared physical memory.
Unlike static debloating, Machete is temporal: initialization, steady-state work, and later phases can expose different executable pages.
machete/ Main Machete launcher binary
k23/ Baseline launcher used by the substrate
lib/machete-* Machete runtime, bootstrap, and shared types
lib/k23-* Interposition substrate crates
lib/procmaps /proc/<pid>/maps parser
lib/smol_bitmap Small bitmap/set utility crate
parser/ Trace browser, policy learner, simulator, sweep tools
tools/sandbox-viz React visualizer for sandbox graphs
Command-line launcher for running a program under Machete. It builds the runtime configuration, injects the Machete loader, and starts the target process.
Example shape:
cd machete
cargo run --release -- --online --out ./logs -- /path/to/program arg1 arg2For enforcement with a learned policy:
cargo run --release -- --sandbox sandbox.json -- /path/to/program arg1 arg2In-process runtime library. It handles phase transitions, page permission changes, signal/system-call paths, synchronization, and runtime bookkeeping.
Bootstrap library loaded into the target process. It initializes the sandbox environment and prepares process state for enforcement.
Shared configuration, messages, queues, runtime types, and transition data structures used by the launcher, bootstrap, parser, and runtime.
Analysis tooling for logs and policies:
- interactive shell and GUI for browsing execution logs;
- sandbox simulation against recorded traces;
- Graphviz export for policies;
- modified Blue-Fringe / EDSM learner;
- parameter sweeps for tuning the security/performance tradeoff.
Useful command families are exposed as parser subcommands such as shell, gui, simulate, sandbox-dot, edsm, and sweep.
React visualizer for sandbox/policy graphs.
This is research code. It is useful for reproducing ideas, studying the implementation, and experimenting with temporal permission tightening. It is not packaged as a production-ready sandbox.
MIT. See LICENSE.