git404hub

what is poppy fr?

jetnoir/poppy — explained in plain English

Analysis updated 2026-05-18

6PythonAudience · researcherLicense

tl;dr

A macOS security research toolkit that observes daemon XPC traffic with Frida and DTrace, then fault-injects malformed messages to find crashes.

vibe map

mindmap
  root((Poppy))
    What it does
      XPC observability
      Fault injection
      Trace analysis
    Tech stack
      Python
      Frida
      DTrace
    Use cases
      Daemon observation
      XPC fuzzing
      Entitlement mapping
    Audience
      Security researchers
      macOS researchers

Code map

Detail Auto

An interactive map of this repo's files and how they connect — its source is parsed live in your browser. Click Visualize to build it.

filefunction / class

what do people make with this?

VIBE 1

Observe a macOS daemon's XPC traffic and entitlement checks over a set duration.

VIBE 2

Fuzz a daemon with malformed XPC messages to see how it responds.

VIBE 3

Diff code coverage between a baseline run and an experimental run.

VIBE 4

Build a map of which daemons check which entitlements across multiple runs.

what's the stack?

PythonFridaDTracePySide6

how it stacks up fr

jetnoir/poppyashishdevasia/ha-proton-drive-backupbenchflow-ai/skillsbench-trajectories
Stars666
LanguagePythonPythonPython
Last pushed2026-06-14
MaintenanceMaintained
Setup difficultymoderateeasy
Complexity2/51/5
Audienceresearcherops devopsresearcher

Figures from each repo's GitHub metadata at analysis time.

in plain english

Poppy is a security research toolkit for macOS that lets you watch and deliberately stress test the background services, called daemons, running on your system. Many of these services communicate through a mechanism called XPC, a way for processes to send structured messages to each other, and Poppy is designed to observe and probe that layer. The motivation is that static analysis, reading code without running it, struggles on modern macOS because of PAC (Pointer Authentication Codes), which can obscure call graphs, and because Swift and Objective-C dynamic dispatch is often invisible to traditional tools. Dynamic analysis, watching what actually happens at runtime, gets around these obstacles. Poppy combines two established tools: Frida, an instrumentation framework that injects JavaScript agents into a running process to trace its behavior, and DTrace, a macOS built in tracing system. On top of these, Poppy adds fault injectors that send malformed XPC messages to a daemon and capture how it responds. A typical workflow has four steps: observe a daemon to capture its normal XPC traffic and entitlement checks, the permissions it verifies before performing actions, run fault injection to send deliberately broken messages while watching for crashes, analyze the collected traces using built in tools that detect anomalies or diff code coverage between runs, and build a map correlating which daemons check which entitlements. All output is stored as JSONL files, a line by line JSON format, so the trace analysers and any other downstream tooling can consume a run's data without a custom parser. The project ships several ready made agents and DTrace scripts for common cases like XPC handler dispatch and entitlement checks, and its own philosophy statement stresses recording a calibration baseline before injecting any faults, so an experimental run can be compared against normal behavior rather than judged in isolation. The project is written in Python and licensed under MIT.

prompts (copy fr)

prompt 1
Show me how to run Poppy against a specific macOS daemon to observe its XPC traffic.
prompt 2
Explain the difference between Poppy's observe mode and its fault injection mode.
prompt 3
What does the entitlement_map.py analyser produce, and how do I read it?
prompt 4
What are the dependencies and macOS requirements for running Poppy?

Frequently asked questions

what is poppy fr?

A macOS security research toolkit that observes daemon XPC traffic with Frida and DTrace, then fault-injects malformed messages to find crashes.

What language is poppy written in?

Mainly Python. The stack also includes Python, Frida, DTrace.

Who is poppy for?

Mainly researcher.

peek the repo → explain another one

This repo across BitVibe Labs

double-check against the repo, no cap.