Globally reasoning about localised security policies in distributed systems

In this report, we aim at establishing proper ways for model checking the global security of distributed systems, which are designed consisting of set of localised security policies that enforce specific issues about the security expected. The systems are formally specified following a syntax, defined in detail in this report, and their behaviour is clearly established by the Semantics, also defined in detail in this report. The systems include the formal attachment of security policies into their locations, whose intended interactions are trapped by the policies, aiming at taking access control decisions of the system, and the Semantics also takes care of this. Using the Semantics, a Labelled Transition System (LTS) can be induced for every particular system, and over this LTS some model checking tasks could be done. We identify how this LTS is indeed obtained, and propose an alternative way of model checking the not-yet-induced LTS, by using the system design directly. This may lead to over-approximation thereby producing imprecise, though safe, results. We restrict ourselves to finite systems, in the sake of being certain about the decidability of the proposed method. To illustrate the usefulness and validity of our proposal, we present 2 small case-study-like examples, where we show how the system can be specified, which policies could be added to it, and how to decide if the desired global security property is met. Finally, an Appendix is given for digging deeply into how a tool for automatically performing this task is being built, including some implementation issues. The tool takes advantage of the proposed method, and given some system and some desired global security property, it safely (i.e. without false positives) ensures satisfaction of it.

💡 Research Summary

The paper addresses the problem of verifying global security properties of distributed systems whose components are governed by locally attached security policies. It begins by introducing a formal language for describing such systems: a set of locations, each hosting one or more processes, and a set of security policies that are syntactically attached to locations. Policies are expressed as logical rules that can encode access‑control lists, permission checks, or more complex constraints. The authors then define a two‑layer operational semantics. The first layer captures ordinary process actions (message passing, internal computation, etc.). The second layer checks, for each action, whether the policy attached to the current location permits it. By composing these layers, a labelled transition system (LTS) is obtained where each state represents the global configuration of all locations and processes, and each transition is labelled with the performed action together with the outcome of the policy check.

Traditional model‑checking approaches would first construct the entire LTS and then apply temporal‑logic model checkers (CTL, LTL, μ‑calculus) to verify a desired global property. However, explicit LTS construction suffers from state‑space explosion, especially when many locations and policies interact. To mitigate this, the authors propose an alternative “design‑directed verification” technique. Instead of materialising the LTS, the verification engine works directly on the high‑level system description. It generates an over‑approximation of the transition relation by embedding policy constraints as additional guards on the transition rules. This over‑approximation is safe: if the over‑approximated model satisfies a property, the concrete system certainly does as well. The trade‑off is the possibility of false positives (the analysis may report a violation that cannot actually occur). By restricting attention to finite systems—i.e., systems with a bounded number of locations, processes, and policy rules—the authors guarantee decidability of the verification problem even under over‑approximation.

Two illustrative case studies demonstrate the approach. The first models a distributed file‑storage service where files are replicated across nodes. Local policies enforce read/write permissions per node. The global property “no unauthorized access” is expressed in temporal logic and verified using the design‑directed method, which confirms the property without constructing the full LTS. The second case study involves a multi‑agent coordination scenario where agents negotiate tasks. Policies prevent privilege escalation by forbidding agents from acquiring rights beyond their initial assignment. The verification shows that the system respects the “no privilege escalation” property, and also highlights a potential policy conflict that would need resolution.

An extensive appendix describes a prototype tool that automates the entire workflow. The tool parses the system and policy specifications into an abstract syntax tree, applies the over‑approximated transition generation, and feeds the resulting model into an off‑the‑shelf model checker (e.g., NuSMV). Implementation challenges discussed include state compression techniques, efficient detection of policy conflicts, and generation of user‑friendly verification reports. The tool guarantees safety (no false positives) in the sense that any reported satisfaction of a property is sound for the concrete system, while acknowledging that false negatives may arise due to over‑approximation.

In summary, the paper contributes a formal framework for reasoning about globally enforced security in distributed systems built from locally defined policies, a novel over‑approximating verification method that avoids explicit LTS construction, and a prototype implementation that validates the approach on realistic examples. By focusing on finite systems, the authors ensure decidability and provide a practical pathway for integrating security verification early in the design phase of distributed architectures.