Protocol testing faces two key challenges: (1) generating high-quality inputs—syntactically and semantically valid messages that cover diverse behavioral scenarios—and (2) reliably verifying outputs due to the absence of effective test oracles. To address these, this paper introduces I/O Grammar, the first formalism unifying message syntax, state transitions, and interactive behavior across multiple protocol roles (e.g., client and server), enabling systematic test generation, mock-based simulation, and response validation. Built upon the FANDANGO framework, our approach integrates user-defined constraints with a k-path guided exploration strategy, establishing a cohesive tripartite framework encompassing test generation, mocking, and oracle-free response judgment. Experimental evaluation on DNS, FTP, and SMTP protocols demonstrates that our method significantly outperforms random testing in both input-space and response-space coverage efficiency, achieving faster and more comprehensive functional coverage.

Generating software tests faces two fundamental problems. First, one needs to _generate inputs_ that are syntactically and semantically correct, yet sufficiently diverse to cover behavior. Second, one needs an _oracle_ to _check outputs_ whether a test case is correct or not. Both problems become apparent in _protocol testing_, where inputs are messages exchanged between parties, and outputs are the responses of these parties. In this paper, we propose a novel approach to protocol testing that combines input generation and output checking in a single framework. We introduce _I/O grammars_ as the first means to _completely_ specify the syntax and semantics of protocols, including messages, states, and interactions. Our implementation, based on the FANDANGO framework, takes a single I/O grammar, and can act as a _test generator_, as a _mock object_, and as an _oracle_ for a _client_, a _server_, or both (or actually any number of parties), a versatility not found in any existing tool or formalism. User-defined _constraints}_can have the generator focus on arbitrary protocol features; $k$-path guidance systematically covers states, messages, responses, and value alternatives in a unified fashion. We evaluate the effectiveness of our approach by applying it to several protocols, including DNS, FTP, and SMTP. We demonstrate that I/O grammars can specify advanced protocol features correctly and completely, while also enabling output validation of the programs under test. In its evaluation, we find that systematic coverage of the I/O grammar results in much quicker coverage of the input and response spaces (and thus functionality) compared to the random-based state-of-the-art approaches.