 to accurately verify wireless protocols using a sniffer. I have to be able to address the uncertainty introduced by the sniffer. What do I mean by this? So let's say that the controller sends three packets back to the Xbox base station. P1, P2, and P3. Now, the sniffer does not have a perfect view of the wireless environment. Wireless propagation is always sort of fraught with uncertainties. It's possible that there's interference. It might miss the starter frame delimiter or something. And so it's possible that the sniffer only sees P1 and P3. So already here I have an example of the uncertainty that's introduced by the sniffer. Specifically, the sniffer doesn't actually see the packets that were sent by the controller back to the Xbox. It only sees a subset of them. So in this case, it missed P2. Now, there's another source of uncertainty. So in this case, the sniffer can miss packets that the controller might have received. But there's another source of uncertainty because it's possible that the controller only heard, let me get this too wide, P1 and P2. So in this case, I can observe sort of two types of uncertainty. There is a packet that the controller received that the sniffer did not, P2. There's also a packet that the sniffer received that the controller did not, P3. And so the trace that's provided by the sniffer for verification has these problems. It contains packets that the devices that are under test never received. And it also misses packets that the devices under test did receive. So how do we incorporate this? So the verification process, the Jing Hao came up with, starts with a protocol state machine. I'm going to create the simplest possible protocol state machine. It's not even a real protocol. Where I have two states in my protocol, S1 and S2. And transitions from S1 to S2 happen when the device receives a certain packet of type P1. So if I'm in S1 and I receive packet P1, I transition to S2. And these states could indicate that I'm going to send a particular packet or that I'm waiting to receive some more information or whatever. This is the protocol state machine and this has to be provided by the developer. Now the goal then becomes given the sniffer trace, the trace of packets that have actually been observed by the sniffer, can I determine whether or not the protocol state machine accepts or rejects that trace. Now if I use the state machine as provided, I have this problem where the state machine does not incorporate the uncertainty in the sniffer's measurements. And so what we do is we take the original state machine and we compute something called the augmented state machine. So how do I augment the state machine to incorporate the sniffer uncertainty? I need to do two things. The first thing is I need to create a null transition on this state. And then the second thing is I need to create a null transition from S1 to S2. So this transition indicates that it's possible that the device under test can get to S2 because the sniffer missed P1. So it's possible that the sniffer, sorry this should be P1, not null. So it's possible that the sniffer missed P1 but the device under test received it and so it got from S1 to S2. It's also possible that the sniffer saw P1 but the device under test didn't and so it stayed in S1. And so there is a programmatic and mechanical way that I can take this original state machine and look for various transitions that result from receiving packets and introduce these null transitions and these self transitions that incorporate the uncertainty in the sniffer's measurements. Armed with this augmented state machine I can return to the challenge of determining whether the state machine accepts or rejects a particular trace collected by the sniffer. On the other hand you'll probably notice that I've introduced a bunch of new transitions into the state machine and that makes it possible for the state machine to incorporate, to actually accept a much, much, much larger set of traces. And what I want to do is I want to make sure that the traces that are accepted by the state machine are actually high likelihood traces. And so Jinghao and Chavendu were actually able to prove that the problem of verifying a trace in this augmented state machine is NP complete. But I can prune the search intelligently using a couple of simple heuristics. For example, if the state machine has to drop so many packets that it's not behaving like the sniffer. So if accepting the trace requires that I drop 90% of the packets in the trace whereas the sniffer could be measured to only drop 5% of the packets then that trace ends up being very, very unlikely. And so as we're doing the search in real time in the first version of the system the search algorithm is pruning states once they become highly unlikely. And so rather than branching off in a lot of different directions that I would have to I'm looking at each state that I'm in figuring out what the probability of that state is based on some heuristics that I apply and if that probability gets too low I drop it and I don't continue down that particular path. So the specific heuristics that we used are described in more detail in the paper. But the goal here is to make this search over the augmented state machine feasible and not have it blow up an exponential time. And this can be done and so what's outputted from this is given a particular sniffer trace what is the probability that this trace would be accepted by the augmented state machine. Now there are still cases where the state machine can actually get stuck and can completely reject the trace. So there are certain cases where the trace is wrong and I can show that there's a violation with 100% probability. However I cannot accept the trace with 100% probability because there's always a case that there was actually a violation that it was hidden in some packets that I missed. And so in certain cases I can reject the trace outright. In other cases I have to accept or reject the trace based on the probability of the augmented trace that the search found depending on properties of the sniffer. So this is the overall approach. I take the original state machine. I automatically augment it with these extra transitions that allow me to incorporate uncertainty introduced by the sniffer. And then I can use the sniffer trace to verify the protocol in a probabilistic fashion where the output is the probability that this particular trace would be accepted by the state machine given some heuristics and some information that I know about the sniffer itself.