Runtime validation of wireless protocol implementations cannot always employ direct instrumentation of the device under test (DUT). The DUT may not implement the required instrumentation, or the instrumentation may alter the DUT’s behavior when enabled. Wireless sniffers can monitor the DUT’s behavior without instrumentation, but they introduce new validation challenges. Losses caused by wireless propagation prevent sniffers from perfectly reconstructing the actual DUT packet trace. As a result, accurate validation requires distinguishing between specification deviations that represent implementation errors and those caused by sniffer uncertainty. We present a new approach enabling sniffer-based validation of wireless protocol implementations. Beginning with the original protocol monitor state machine, we automatically and completely encode sniffer uncertainty by selectively adding non-deterministic transitions. We characterize the NP-completeness of the resulting decision problem and provide an exhaustive algorithm for searching over all mutated traces. We also present practical protocol-oblivious heuristics for searching over the most likely mutated traces. We have implemented our framework and show that it can accurately identify implementation errors in the face of uncertainty.

中文翻译：

---

不确定性下的无线协议验证

无线协议实现的运行时验证不能总是使用被测设备 (DUT) 的直接仪器。DUT 可能无法实现所需的仪器，或者仪器在启用时可能会改变 DUT 的行为。无线嗅探器可以在没有仪器的情况下监控 DUT 的行为，但它们带来了新的验证挑战。无线传播造成的损失会阻止嗅探器完美地重建实际的 DUT 数据包跟踪。因此，准确的验证需要区分代表实施错误的规范偏差和由嗅探器不确定性引起的规范偏差。我们提出了一种新方法，可以对无线协议实现进行基于嗅探器的验证。从最初的协议监视器状态机开始，我们通过选择性地添加非确定性转换来自动且完全地编码嗅探器的不确定性。我们描述了由此产生的决策问题的 NP 完整性，并提供了一种详尽的算法来搜索所有变异的痕迹。我们还提出了实用的协议忽略启发式方法，用于搜索最有可能发生突变的痕迹。我们已经实施了我们的框架，并表明它可以在面对不确定性时准确识别实施错误。