State based protocols are protocols in which the handling of one message depends on the contents of previous messages. Testing such protocols, for security or for other purposes usually means specifying the state space of the protocol in some manner. This paper introduces a novel method of using an existing client to explore the state space. The messages exchanged between the client and test system are captured and mutated. To send the mutated test messages, the previous messages must be resent. Constraints expressed in an extended version of the Security Constraints Language are used to automatically derive the data dependencies between the messages.
Songtao Zhang, Thomas R. Dean, Scott Knight