whatisgithub

What is poppy?

jetnoir/poppy — explained in plain English

Analysis updated 2026-05-18

6PythonAudience · researcherLicense

In one sentence

A macOS security research toolkit that observes daemon XPC traffic with Frida and DTrace, then fault-injects malformed messages to find crashes.

Mindmap

mindmap
  root((Poppy))
    What it does
      XPC observability
      Fault injection
      Trace analysis
    Tech stack
      Python
      Frida
      DTrace
    Use cases
      Daemon observation
      XPC fuzzing
      Entitlement mapping
    Audience
      Security researchers
      macOS researchers

Code map

Detail Auto

An interactive map of this repo's files and how they connect — its source is parsed live in your browser. Click Visualize to build it.

filefunction / class

What do people build with it?

USE CASE 1

Observe a macOS daemon's XPC traffic and entitlement checks over a set duration.

USE CASE 2

Fuzz a daemon with malformed XPC messages to see how it responds.

USE CASE 3

Diff code coverage between a baseline run and an experimental run.

USE CASE 4

Build a map of which daemons check which entitlements across multiple runs.

What is it built with?

PythonFridaDTracePySide6

How does it compare?

jetnoir/poppyashishdevasia/ha-proton-drive-backupbenchflow-ai/skillsbench-trajectories
Stars666
LanguagePythonPythonPython
Last pushed2026-06-14
MaintenanceMaintained
Setup difficultymoderateeasy
Complexity2/51/5
Audienceresearcherops devopsresearcher

Figures from each repo's GitHub metadata at analysis time.

So what is it?

Poppy is a security research toolkit for macOS that lets you watch and deliberately stress test the background services, called daemons, running on your system. Many of these services communicate through a mechanism called XPC, a way for processes to send structured messages to each other, and Poppy is designed to observe and probe that layer. The motivation is that static analysis, reading code without running it, struggles on modern macOS because of PAC (Pointer Authentication Codes), which can obscure call graphs, and because Swift and Objective-C dynamic dispatch is often invisible to traditional tools. Dynamic analysis, watching what actually happens at runtime, gets around these obstacles. Poppy combines two established tools: Frida, an instrumentation framework that injects JavaScript agents into a running process to trace its behavior, and DTrace, a macOS built in tracing system. On top of these, Poppy adds fault injectors that send malformed XPC messages to a daemon and capture how it responds. A typical workflow has four steps: observe a daemon to capture its normal XPC traffic and entitlement checks, the permissions it verifies before performing actions, run fault injection to send deliberately broken messages while watching for crashes, analyze the collected traces using built in tools that detect anomalies or diff code coverage between runs, and build a map correlating which daemons check which entitlements. All output is stored as JSONL files, a line by line JSON format, so the trace analysers and any other downstream tooling can consume a run's data without a custom parser. The project ships several ready made agents and DTrace scripts for common cases like XPC handler dispatch and entitlement checks, and its own philosophy statement stresses recording a calibration baseline before injecting any faults, so an experimental run can be compared against normal behavior rather than judged in isolation. The project is written in Python and licensed under MIT.

Copy-paste prompts

Prompt 1
Show me how to run Poppy against a specific macOS daemon to observe its XPC traffic.
Prompt 2
Explain the difference between Poppy's observe mode and its fault injection mode.
Prompt 3
What does the entitlement_map.py analyser produce, and how do I read it?
Prompt 4
What are the dependencies and macOS requirements for running Poppy?

Frequently asked questions

What is poppy?

A macOS security research toolkit that observes daemon XPC traffic with Frida and DTrace, then fault-injects malformed messages to find crashes.

What language is poppy written in?

Mainly Python. The stack also includes Python, Frida, DTrace.

Who is poppy for?

Mainly researcher.

Open on GitHub → Ask about another repo

This repo across BitVibe Labs

Verify against the repo before relying on details.