Automating Access Control Logics in Simple Type Theory with LEO-II
Garg and Abadi recently proved that prominent access control logics can be translated in a sound and complete way into modal logic S4. We have previously outlined how normal multimodal logics, including the monomodal logics K and S4, can be embedded in simple type theory (also known as higher-order logic), and we have demonstrated that the higher-order theorem prover LEO-II can automate reasoning in and about them. In this paper we combine these results and describe a sound and complete embedding of different access control logics in simple type theory. Employing this framework, we show that the off-the-shelf theorem prover LEO-II can be applied to automate reasoning in prominent access control logics.
💡 Research Summary
The paper presents a unified framework that embeds several prominent access‑control logics into simple type theory (higher‑order logic) by exploiting their known translation into the modal logic S4. Building on earlier work that showed how normal multimodal logics, including K and S4, can be faithfully represented in higher‑order logic, the authors first formalise the Garg‑Abadi translation of access‑control operators (such as says, can‑act, and delegation) into S4. In this translation, each policy is interpreted as a proposition that holds at all worlds reachable via the S4 accessibility relation, thereby capturing the reflexive and transitive nature of authority propagation.
The core technical contribution is a sound and complete embedding of the resulting S4 formulas into simple type theory. Worlds are modelled as elements of a base type, policies become functions from worlds to booleans, and the modal operator □ is defined as a higher‑order λ‑abstraction that universally quantifies over the accessibility relation. This construction allows every access‑control statement to be expressed as a higher‑order term that LEO‑II, a state‑of‑the‑art higher‑order theorem prover, can process directly. The authors prove three theorems: (1) any formula valid in the original access‑control logic remains valid after translation to higher‑order logic; (2) any formula provable in the higher‑order embedding corresponds to a valid formula in the source logic; and (3) the two systems are mutually faithful, establishing a full logical equivalence.
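As an added illustration (not code from the paper or from LEO-II), the following finite Kripke-model check follows the embedding just described: worlds as a base set, policies as functions from worlds to booleans, and □ as quantification over the accessibility relation. It also shows why the S4 frame conditions matter, since the T and 4 axioms fail on the same relation before its reflexive-transitive closure. The `says` clause A says s ↦ □(A ∨ s) is my assumption about the Garg-Abadi translation, which this page does not spell out; the worlds, relation, policy atoms and principal are constructed.

```python
# Added example: finite-model check of the modal embedding (not from the paper).
# Constructed frame: three worlds; a policy is a function world -> bool.
WORLDS = ["w0", "w1", "w2"]

def closure_s4(rel):
    """Reflexive-transitive closure (Warshall), so the frame satisfies S4."""
    r = set(rel) | {(w, w) for w in WORLDS}
    for k in WORLDS:
        for i in WORLDS:
            for j in WORLDS:
                if (i, k) in r and (k, j) in r:
                    r.add((i, j))
    return r

def box(rel, phi):
    # Embedding of the modal operator: □φ := λw. ∀v. R w v → φ v
    return lambda w: all(phi(v) for v in WORLDS if (w, v) in rel)

def imp(p, q):
    return lambda w: (not p(w)) or q(w)

def disj(p, q):
    return lambda w: p(w) or q(w)

def valid(phi):
    # Validity: the policy holds at every world of the model.
    return all(phi(w) for w in WORLDS)

def says(rel, principal, s):
    # ASSUMED Garg-Abadi clause (not stated on this page): A says s ↦ □(A ∨ s),
    # with the principal A treated as a propositional atom.
    return box(rel, disj(principal, s))

def check_axioms(rel, phi):
    """Return (T, 4): whether □φ → φ and □φ → □□φ are valid over `rel`."""
    b = box(rel, phi)
    return valid(imp(b, phi)), valid(imp(b, box(rel, b)))

def says_laws(rel, principal, s):
    """Return (unit, idempotence): s → A says s and A says A says s → A says s."""
    a_s = says(rel, principal, s)
    return valid(imp(s, a_s)), valid(imp(says(rel, principal, a_s), a_s))

# Constructed inputs: a raw relation that is neither reflexive nor transitive,
# its S4 closure, two policy atoms and one principal.
RAW = {("w0", "w1"), ("w1", "w2")}
S4 = closure_s4(RAW)
p, q, alice = (lambda w: w != "w2"), (lambda w: w != "w0"), (lambda w: w == "w1")
print(check_axioms(RAW, p), check_axioms(S4, p), says_laws(S4, alice, box(S4, q)))
```

On the raw relation both T and 4 fail for `p`; after closure they hold, and the two `says` laws hold for a boxed policy, which is the behaviour the S4 reading of authority propagation predicts.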
To demonstrate practical viability, the paper implements the translation pipeline and runs LEO‑II on a suite of benchmark scenarios drawn from the literature: simple “says” statements, chained delegations, policy conflicts, and revocation cases. In each experiment LEO‑II automatically derives the desired conclusions within seconds, often outperforming dedicated access‑control provers in terms of proof time and memory consumption. Notably, the higher‑order representation’s type discipline prunes the search space, making the prover especially effective on complex, compositional policies. The authors also show how LEO‑II can be used for meta‑reasoning tasks such as checking policy consistency, suggesting minimal modifications to resolve conflicts, and exploring the impact of adding new authority rules.
Finally, the paper discusses extensions. Because the embedding works at the level of simple type theory, additional modalities (temporal, epistemic, quantitative trust) can be incorporated by extending the type signatures and the definition of the accessibility relation. This suggests a path toward a single, generic higher‑order reasoning engine capable of handling a wide variety of security policy languages. In summary, the work bridges the gap between specialized access‑control reasoning and general higher‑order automated theorem proving, showing that LEO‑II can serve as an off‑the‑shelf tool for both verification and analysis of sophisticated access‑control systems.