From a6dc5644701b66cc1d930994113af950632821a0 Mon Sep 17 00:00:00 2001
From: actyp <actypaldos@gmail.com>
Date: Thu, 29 Jan 2026 16:51:55 -0500
Subject: [PATCH 1/3] Add timing probe in README

---
 README.md | 53 ++++++++++++++++++++++++++++++++++++++++++++++++-----
 1 file changed, 48 insertions(+), 5 deletions(-)

diff --git a/README.md b/README.md
index fe3f668e..9ccb53a1 100644
--- a/README.md
+++ b/README.md
@@ -7,6 +7,7 @@
 * [Setup](#setup)
 * [Learning](#learning)
 * [Testing](#testing)
+* [Timing](#timing)
 * [Visualizing](#visualizing)
 * [File Structure](#file-structure)
 
@@ -17,10 +18,12 @@
 EDHOC-Fuzzer is a protocol state fuzzer of EDHOC clients and servers.
 It is built upon [ProtocolState-Fuzzer](https://github.com/protocol-fuzzing/protocol-state-fuzzer).
 
-EDHOC-Fuzzer supports the following functionality:
+EDHOC-Fuzzer supports the following functionality for a protocol-specific client or server implementation:
 
-1. Learning a state machine model of an EDHOC client or server implementation.
-2. Testing (executing sequences of inputs) of an EDHOC client or server implementation.
+1. Learning the state machine model of the implementation.
+2. Testing the implementation by executing test input sequences.
+3. Timing the implementation on test input sequences to suggest timeout values
+   for avoiding time-related non-determinism during Learning or Testing.
 
 More information about the functionality of EDHOC-Fuzzer, its design and architecture,
 and some of its early uses cases can be found in this
@@ -74,10 +77,10 @@ and the following directories should be created:
 After setting up the EDHOC-Fuzzer and the SUL of interest, one can learn the model of that SUL
 using one of the argument files in the [experiments/args](experiments/args) subdirectories
 (or using a file similar to them).
-Command-line arguments can be also provided, in order to overwrite those in the argument file.
+Command-line arguments can also be provided to overwrite those in the argument file.
 The `@` symbol before the argument file can be omitted.
 The simplest command is:
-```bash
+```
 java -jar edhoc-fuzzer.jar @path/to/argfile
 ```
 The above command without the argument file lists all the available command line options.
@@ -105,6 +108,46 @@ Additional Testing Parameters:
 ```
 
 
+## Timing
+Timing is an extension of testing and requires the `-test` and `-probeCmd` parameters to be specified.
+It is used to find timing values that prevent non-deterministic outputs from the SUL.
+It uses the same initial range for all commands in `-probeCmd` and performs the search
+based **only** on the provided tests of `-test`. Thus for learning, the timing values
+might need further manual adjustment.
+The timing probe command is:
+```
+java -jar edhoc-fuzzer.jar @path/to/arg/file -test path/to/test/file -probeCmd <probe commands> [-additional_param]
+
+
+Available comma-separated probe commands:
+    - responseWait    (time to wait for an SUL response)
+    - startWait       (time to wait after starting the SUL)
+    - <input symbol>  (time to wait for the response of this alphabet input symbol)
+
+    Example: -probeCmd responseWait,startWait,input1,input2
+
+
+Additional Timing Parameters:
+
+-times N
+  Run each test sequence N number of times, defaults to 1
+
+-probeLow N
+  The lowest non-negative integer probe timing value, defaults to 0
+
+-probeHigh N
+  The highest integer probe timing value, defaults to 1000
+
+-probeTol N
+  Search tolerance value that defines the desired precision, defaults to 10
+  Small tolerance increases accuracy but may require more iterations
+
+-probeExport path/to/alphabet/out
+  The output file for the alphabet augmented with timing values
+  Useful when an input symbol has been provided in -probeCmd
+```
+
+
 ## Visualizing
 After the learning process has generated the **learnedModel.dot** file, EDHOC-Fuzzer tries to:
 

From eaee625c1acc2296a9d67a21ee35927bb51adbfa Mon Sep 17 00:00:00 2001
From: actyp <actypaldos@gmail.com>
Date: Sat, 31 Jan 2026 03:08:45 -0500
Subject: [PATCH 2/3] Bump commit hash of PSF

---
 scripts/setup_fuzzer.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/scripts/setup_fuzzer.sh b/scripts/setup_fuzzer.sh
index 3d75fd70..dc004f88 100755
--- a/scripts/setup_fuzzer.sh
+++ b/scripts/setup_fuzzer.sh
@@ -8,7 +8,7 @@ readonly BASE_DIR
 setup_psf() {
     # setup protocol-state-fuzzer library
 
-    CHECKOUT="42392348464ab4cebb3a4c7b149c21caf6ee9c4e"
+    CHECKOUT="1387a0a315c2025dcab0ab412b876198e8ad40c8"
 
     set -e
     cd "${BASE_DIR}"

From e77a94011c9195aacae99241f40043d93a2a4070 Mon Sep 17 00:00:00 2001
From: actyp <actypaldos@gmail.com>
Date: Sat, 31 Jan 2026 09:38:13 -0500
Subject: [PATCH 3/3] Simplify phrasing and use Java 21

---
 README.md | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/README.md b/README.md
index 9ccb53a1..23f47651 100644
--- a/README.md
+++ b/README.md
@@ -18,7 +18,7 @@
 EDHOC-Fuzzer is a protocol state fuzzer of EDHOC clients and servers.
 It is built upon [ProtocolState-Fuzzer](https://github.com/protocol-fuzzing/protocol-state-fuzzer).
 
-EDHOC-Fuzzer supports the following functionality for a protocol-specific client or server implementation:
+EDHOC-Fuzzer supports the following functionality for an EDHOC client or server implementation:
 
 1. Learning the state machine model of the implementation.
 2. Testing the implementation by executing test input sequences.
@@ -32,8 +32,8 @@ published in the proceedings of ISSTA 2023.
 
 ## Prerequisites
 
-* Java 17 JDK.
-* maven correctly setup to point to Java 17 JDK.
+* Java 21 JDK.
+* maven correctly setup to point to Java 21 JDK.
 * graphviz library, containing the dot utility, which should be located in the system's PATH.
 * python >=3.6 and pydot interface >=1.4.2, in order to use the [beautify_model.sh](scripts/beautify_model.sh) script.
 * (suggested) make utility, rust and cargo required by the setup of some SULs.