Since CMC cannot exhaustively explore the state space of real protocols it takes a different approach and instead tries to explore the ``most interesting'' portions of them. It does so by attempting to focus on states that are the most different from previously explored states. The intuition for this is that the more different a state is from previous states the more likely it is to have new behaviors and, as a result, bugs. We describe two techniques CMC uses below.
The first uses the abstract protocol state to find states that will generate new behaviors. Conceptually, a protocol implementation state can be viewed at two levels. There is the concrete state, which is the heap, stack, global variables and registers -- all the memory values that define the current computation. There is also the abstract, protocol state encoded in the concrete state -- for example, whether TCP is in the LISTEN or CLOSED state. Many different concrete states may in fact define the same abstract state. We want to focus on concrete states that correspond to new abstract protocol states since they will generate new behaviors.
For TCP, the state of the reference model
(6) corresponds to the the abstract
state of the protocol. We can thus use it to preferentially explore
system states whose corresponding reference model state has not been
seen before. We further tune this process by doing a series of symmetry reductions [10] on the abstract state, which allow
us to determine when two superficially different abstract states will in
fact generate the same behavior. The simplest example is sequence number
standardization where, a state with all sequence numbers at 
can
be considered equivalent to a state with all sequences numbers at 
(which can be reached, for instance, from the first state after successful
data transfer of bytes). While performing such reductions on
the concrete state is difficult the small size of the abstract state
(
bytes) makes it relatively easy.
The second technique also explores states that appear to be different from previous ones. It uses the heuristic that on balance, a change in a variable that never or rarely changed before is more interesting than in one that changes often. CMC tracks the values of all variables in the states generated. If a particular variable (as determined by its byte location in the state) takes on more than a threshold number of distinct values, CMC eliminates those variables from subsequent hash computations. Different CMC runs can use different threshold values (including infinity) to guard against cutting off searches too soon.
A simple example of how this helps are the many counters and and statistics variables present in protocol implementations that do not affect the execution of the protocol, but whose changed values cause unnecessary blowup of the state space. Ideally, a user would identify such variables and provide them to CMC as annotations. However, providing such manual annotations for the entire TCP implementation (and in our case, the entire Linux Kernel) is impractical. CMC's variable pruning will automatically weed out such counter variables.