Dynamic Verification Approach

• Dynamic Verification Approach is a set of formal methodologies that validate evolving system properties in environments with dynamic states, permissions, and agent knowledge.
• It employs interpreted systems, temporal-epistemic logic, and abstraction-refinement techniques to manage state space explosion and accurately assess access control policies.
• This approach uncovers subtle vulnerabilities, such as indirect information flows, ensuring robust system security in complex, time-dependent settings.

Dynamic verification approaches constitute a family of formal and algorithmic methodologies that validate or falsify system properties in environments where system state, agent knowledge, policies, and behaviors can evolve dynamically over time. Dynamic verification is particularly relevant for systems with security and access control requirements, multi-agent models, and policies subject to temporal evolution. These approaches enable the detection of subtleties such as indirect information flow or dynamically emergent vulnerabilities, going beyond static policy checking. Notably, dynamic verification often must address challenges related to the state space explosion inherent in temporal and epistemic reasoning for realistic systems.

1. Interpreted Systems Framework for Dynamic Access Control

Dynamic verification of access control policies in multi-agent systems is effectively modeled using interpreted systems. An interpreted system is formally defined as a tuple

$$I = \langle (L_i)_{i \in \Omega},\ (P_i)_{i \in \Omega},\ (ACT_i)_{i \in \Omega},\ S_0, \tau, \gamma \rangle$$

where $L_i$ denotes the local state space of agent $i$ (with a distinguished “environment” agent $e$), $P_i$ assigns enabled actions in each local state, $ACT_i$ gives available actions, $S_0$ is the set of initial global states, $\tau$ is the transition function (mapping joint actions to successor states), and $\gamma$ is the interpretation function for atomic propositions.

The global state space is $S = L_e \times L_1 \times \dots \times L_n$, and each agent's knowledge is captured by the epistemic equivalence relation: $s \sim_i s'$ iff $l_i(s) = l_i(s')$.

Dynamic policies are represented by introducing local state variables ($p', p''$) to track whether an agent has a given permission (e.g., read $p$) and, when such permission is active, to synchronize the agent's local copy with the global value. Thus, the evolution of access permissions and knowledge propagation is modeled within the interpreted system.

2. Temporal-Epistemic Logic and Dynamic Property Specification

Verification properties in this setting are specified in temporal-epistemic logics such as CTLK (CTL + knowledge modality $K$) or ACTLK (universal fragment of CTLK). These logics permit expression of properties that involve both temporal evolution and knowledge acquisition. A canonical example:

$$AG \big( \mathsf{reviewer}(p_1,a_2) \rightarrow \neg K_{a_1} \mathsf{reviewer}(p_1,a_2) \big)$$

This expresses that "always, if $a_2$ is the reviewer of paper $p_1$, then $a_1$ (say, the author) never knows who the reviewer is". Such formulas enable specification and verification of both direct (by reading) and indirect (by inference) information flows.

3. Abstraction and Refinement for State Explosion

Model checking interpreted systems for temporal-epistemic properties quickly becomes infeasible due to the exponential growth of the state space with the number of agents and propositions. The approach addresses this by introducing an abstraction framework: irrelevant local propositions are hidden, grouping together states that differ only on “invisible” variables.

For agent $i$, an equivalence $\mathcal{R}_i$ is defined on local states: $l_1 \mathcal{R}_i l_2$ iff, for every visible proposition $p$ in selected $\hat{\Phi}_i$, $\gamma_i(l_1, p) = \gamma_i(l_2, p)$.

The abstract system

$$\hat{I}_C = \langle (\hat{L}_i = L_i/\mathcal{R}_i)_i,\ (\hat{P}_i)_i,\ (\hat{ACT}_i)_i,\ \hat{S}_0,\ \hat{\tau},\ \hat{\gamma}\rangle$$

is structured so that both transition and epistemic relations are preserved at the abstract level.

A key soundness guarantee (Prop. “Verification” in the paper) is that if an ACTLK formula holds in the abstract system, it also holds in the concrete system.

4. CEGAR for Temporal-Epistemic Properties

When a specification is not satisfied in the abstract system, the counterexample reported by the model checker may be spurious, reflecting only behaviors admitted by the abstraction, not by the concrete system. The framework generalizes the classic CEGAR (CounterExample-Guided Abstraction Refinement) process to temporal-epistemic ACTLK safety properties by:

• Defining formal transition rules (e.g., “TemporalCheck”, “EpistemicCheck”) that relate abstract paths to concrete paths. One such rule for transitions labeled with an abstract action $\#1\{\alpha\}$ computes:

$$\Theta_{\#1\{\alpha\}}(st) = \{s[p \mapsto \top\ |\ +p \in \varepsilon][p \mapsto \bot\ |\ -p \in \varepsilon] : s \in st\ \text{and}\ s\ \text{satisfies}\ \ell\}$$

This operation determines which concrete global states are possible successors.

• Diagnosing whether concrete initial states exist that realize the abstract counterexample. If not, the counterexample is spurious.
• Refining the abstraction by “making visible” hidden propositions identified via conflict analysis between base and conflict formulas in the transition conditions.

This iterative process increases abstraction detail only as needed, thereby limiting state space growth.

5. Detection of Information Flow Vulnerabilities

A primary motivation for this approach is to uncover information flow vulnerabilities in dynamic access control scenarios. Because the interpreted systems framework and temporal-epistemic specification encompass both explicit read permissions and knowledge gained by inference, the model can capture subtleties such as an agent deducing confidential information (e.g., learning the identity of a reviewer without direct permission) due to policy evolution over time.

The approach thus allows robust detection of vulnerabilities that would be missed by static or access-based policies alone, by verifying ACTLK safety properties sensitive to both dynamic permission changes and epistemic consequences of state evolution.

6. Tool Support and Practical Scalability

The methodology is implemented in model checking tools such as MCMAS. The selective abstraction-refinement strategy is essential for scaling to realistic systems: initial verification is performed using an abstract (coarse) system, with concrete details introduced only as necessary to distinguish spurious from real counterexamples. This enables handling of systems where the fully concrete state space would otherwise be intractable.

Throughout, formal constructs—such as simulation relations between the concrete and abstract models—guarantee soundness of verification. The abstraction process involves formal requirements for simulation (preservation of initial states, truth of visible propositions, correspondence of transitions, and preservation of the epistemic relation).

7. Impact and Broader Significance

By combining the interpreted system model, temporal-epistemic logic, and iterative abstraction refinement targeting ACTLK safety, dynamic verification of access control policies attains both precision and computational tractability. The approach allows verification of nuanced, real-world policies and the exposure of subtle vulnerabilities, while controlling the computational cost typical of epistemic model checking.

This work delineates a methodology that generalizes to verification of temporal-epistemic properties in other domains requiring reasoning about evolving knowledge and permissions, and forms a foundation for further advances in dynamic verification of multi-agent and security-sensitive systems (Koleini et al., 2014).