Analysis updated 2026-05-18
Observe a macOS daemon's XPC traffic and entitlement checks over a set duration.
Fuzz a daemon with malformed XPC messages to see how it responds.
Diff code coverage between a baseline run and an experimental run.
Build a map of which daemons check which entitlements across multiple runs.
| jetnoir/poppy | ashishdevasia/ha-proton-drive-backup | benchflow-ai/skillsbench-trajectories | |
|---|---|---|---|
| Stars | 6 | 6 | 6 |
| Language | Python | Python | Python |
| Last pushed | — | — | 2026-06-14 |
| Maintenance | — | — | Maintained |
| Setup difficulty | — | moderate | easy |
| Complexity | — | 2/5 | 1/5 |
| Audience | researcher | ops devops | researcher |
Figures from each repo's GitHub metadata at analysis time.
Poppy is a security research toolkit for macOS that lets you watch and deliberately stress test the background services, called daemons, running on your system. Many of these services communicate through a mechanism called XPC, a way for processes to send structured messages to each other, and Poppy is designed to observe and probe that layer. The motivation is that static analysis, reading code without running it, struggles on modern macOS because of PAC (Pointer Authentication Codes), which can obscure call graphs, and because Swift and Objective-C dynamic dispatch is often invisible to traditional tools. Dynamic analysis, watching what actually happens at runtime, gets around these obstacles. Poppy combines two established tools: Frida, an instrumentation framework that injects JavaScript agents into a running process to trace its behavior, and DTrace, a macOS built in tracing system. On top of these, Poppy adds fault injectors that send malformed XPC messages to a daemon and capture how it responds. A typical workflow has four steps: observe a daemon to capture its normal XPC traffic and entitlement checks, the permissions it verifies before performing actions, run fault injection to send deliberately broken messages while watching for crashes, analyze the collected traces using built in tools that detect anomalies or diff code coverage between runs, and build a map correlating which daemons check which entitlements. All output is stored as JSONL files, a line by line JSON format, so the trace analysers and any other downstream tooling can consume a run's data without a custom parser. The project ships several ready made agents and DTrace scripts for common cases like XPC handler dispatch and entitlement checks, and its own philosophy statement stresses recording a calibration baseline before injecting any faults, so an experimental run can be compared against normal behavior rather than judged in isolation. The project is written in Python and licensed under MIT.
A macOS security research toolkit that observes daemon XPC traffic with Frida and DTrace, then fault-injects malformed messages to find crashes.
Mainly Python. The stack also includes Python, Frida, DTrace.
Mainly researcher.
This repo across BitVibe Labs
Verify against the repo before relying on details.