The secure and correct implementation of network protocols for resource discovery, device conﬁguration and network management is complex and error-prone. Protocol speciﬁcations contain ambiguities, leading to implementation ﬂaws and security vulnerabilities in network daemons. Such problems are hard to detect because they are often triggered by complex sequences of packets that occur only after prolonged operation.
The goal of this work is to ﬁnd semantic bugs in network daemons. Our approach is to replay a set of input packets that result in high source code coverage of the daemon and observe potential violations of rules derived from the protocol specification. We describe SYMNV, a practical veriﬁcation tool that first symbolically executes a network daemon to generate highcoverage input packets and then checks a set of rules constraining permitted input and output packets. We have applied SYMNV to three different implementations of the Zeroconf protocol and show that it is able to discover non-trivial bugs.