






















Downloaded from orbit.dtu.dk on: Dec 20, 2017
Time dependent policy-based access control
Vasilikos, Panagiotis; Nielson, Flemming; Nielson, Hanne Riis
Published in: Leibniz International Proceedings in Informatics
Publisher's PDF, also known as Version of record
Citation (APA):
Vasilikos, P., Nielson, F., & Nielson, H. R. (2017). Time dependent policy-based access control. Leibniz
International Proceedings in Informatics, 90. DOI: 10.4230/LIPIcs.TIME.2017.21
Time Dependent Policy-Based Access Control∗
Panagiotis Vasilikos1, Flemming Nielson2, and Hanne Riis Nielson3
1 Department of Applied Mathematics and Computer Science, Technical
University of Denmark, Lyngby, Denmark
panva@dtu.dk
2 Department of Applied Mathematics and Computer Science, Technical
University of Denmark, Lyngby, Denmark
fnie@dtu.dk
3 Department of Applied Mathematics and Computer Science, Technical
University of Denmark, Lyngby, Denmark
hrni@dtu.dk
Abstract
Access control policies are essential to determine who is allowed to access data in a system without
compromising the data’s security. However, applications inside a distributed environment may
require those policies to depend on the actual content of the data, on the flow of information,
and also on other attributes of the environment such as the time.
In this paper, we use systems of Timed Automata to model distributed systems and we
present a logic in which one can express time-dependent policies for access control. We show
how a fragment of our logic can be reduced to a logic that current model checkers for Timed
Automata such as UPPAAL can handle and we present a translator that performs this reduction.
We then use our translator and UPPAAL to enforce time-dependent policy-based access control
on an example application from the aerospace industry.
1998 ACM Subject Classification D.4.6 Security and Protection, D.2.4 Software/Program Verification, C.2.4 Distributed Systems, F.4.1 Mathematical Logic
Keywords and phrases Access Control, Timed Automata, Time-Dependent Policies, UPPAAL
Digital Object Identifier 10.4230/LIPIcs.TIME.2017.21
1 Introduction
Motivation. Cyberphysical systems play an increasingly important role in technology
development in many industries such as aerospace, automotive and medical.
Embedded systems are key components of cyberphysical systems, and while verifying their
safety goals has received significant focus until now, security has been left for later. As more
and more cyberphysical systems are integrated with real-time hardware, complex software,
and internet-connected devices through wireless connections, ensuring the security goals of those
systems is becoming essential. In particular, assuring the confidentiality or the integrity of the
information manipulated by the different components of a cyberphysical system is a crucial
security goal.
Information security is usually achieved by access control policies, which formally specify
desired flows of information inside a system. Access requests to the resources/data (objects)
of the system by users (subjects) are then either denied or allowed by a monitor that enforces
the access control policies. The literature offers a vast number of access control models,
of which the most used in practice are discretionary access control (DAC) [29],
mandatory access control (MAC) [28] and role-based access control (RBAC) [12], while lately
great attention has been given to the attribute-based access control (ABAC) model [17],
wherein access control may depend on the attributes of the accessed data or the attributes
of the environment such as the time.
∗ The authors are supported in part by the IDEA4CPS Research Centre studying the Foundations
for Cyber-Physical Systems and granted by the Danish Research Foundation for Basic Research
(DNRF86-10).
© Panagiotis Vasilikos, Flemming Nielson, and Hanne Riis Nielson;
licensed under Creative Commons License CC-BY
24th International Symposium on Temporal Representation and Reasoning (TIME 2017).
Editors: Sven Schewe, Thomas Schneider, and Jef Wijsen; Article No. 21; pp. 21:1–21:18
Leibniz International Proceedings in Informatics
Schloss Dagstuhl – Leibniz-Zentrum für Informatik, Dagstuhl Publishing, Germany
Figure 1 The processes and channels of the gateway example.
Although access control policies are a well-established approach to information security
at the subject-object level, distributed systems require precise policies that also express the
desired information flows that occur at the application level, such as explicit flows. As an
example, consider the explicit flow from the variable y to the variable x that arises from
the assignment x := y and the access control policy "x can only be modified by p", where
p is a trusted process in the system. Although the assignment x := y executed by p does
not violate the access control policy of the system, the fact that p resides in a distributed
environment, together with potential bugs inside its source code, gives no guarantee that the
value of y was written by p. For instance, the value of y could have been influenced by an
untrusted process p′ after a communication between p and p′, and consequently p′ would have
also influenced the value of x. For more challenges that arise inside distributed systems,
consider the work of [25], which illustrates that security policies may need to depend on the
actual content of the data, while ABAC [17] models also address the need for time-dependent
security policies.
Contribution. It is natural then to extend the enforcement of safety properties of embedded
systems with enforcement of access control policies. The idea is that having an abstract model
of an embedded system, one could eliminate possible security violations in the trusted part
of the system before the actual run of the system happens. We use Timed Automata [3, 1] to
model distributed systems and we specify an information flow instrumented semantics that
allows us to record information about the accesses being performed; we call this information
a behaviour of the system. To deal with formal definitions of security policies we present
a behaviour logic (based on the behaviours of the system) that supports the specification
of content, time and information dependent access control policies. Verification of Timed
Automata has been successfully achieved by model checkers based on the timed computation
tree logic (TCTL) [2], and consequently, we propose a reduction of a substantial fragment
of our logic to a logic that can be handled by the well-established model checker UPPAAL
[30]. Finally, we present a translator that performs this reduction and we illustrate our
development using an example from the aerospace industry. Figure 1 sketches the example: a
gateway with two processes, each producing data for a different target, uses a multiplexer
and a demultiplexer to deliver the data to the intended target. The multiplexer
merges the data from the producers and sends it to the demultiplexer, which is responsible for
delivering it to the right target. The target of the data depends both on the time of the system
and on the content of the data, and thus it is challenging to express the appropriate security
policy. The example is based on the secure gateway presented in [22], where a separation
kernel is used to allow the accesses to the resources of the system by the system’s processes
to be temporal (based on time) and based on an information flow policy. The separation of
the resources is used to ensure that untrusted processes such as passengers’ devices can have
access to onboard communication systems, without altering the safe operation of the aircraft.
P. Vasilikos, F. Nielson, and H. R. Nielson 21:3
Related work. There are many other papers dealing with access control [27, 19, 15, 14, 34,
32], however without considering time-dependent security policies; a survey of access control
models is available at [11].
A rich logic that allows reasoning about time-dependent policies, together with a proof
checker for the logic is considered in [10], however there are no information flow considerations
at the application level such as explicit flows. SecPAL [5] is another logic that supports
time-dependent policies, as well as the encoding of many well-known policy idioms such as
DAC, MAC, RBAC, and ABAC, however the enforcement of time constraints is external
to the language. A somewhat different approach has been taken in [4], where a monitor is
used to enforce time-dependent access control by checking a system’s logs, which record the
different actions of the users in a database system. Our contribution focuses on the challenges
of time-dependent access control for embedded systems modeled as Timed Automata.
The work of [20] presents a formal specification and verification of the temporal role-
based access control (TRBAC) model [6], a flexible model in which the roles of the users
of the system are enabled or disabled depending on the time of the system. They then
use UPPAAL [30] to model a TRBAC system and verify the desired security policies. The
same authors of this paper, present in [21], an extension of this model which is based on
the generalized-TRBAC (GTRBAC) model [18]. The work of [13] considers spatial-TRBAC
(STRBAC) models [7] in which the rights of the user may depend on the time as well as
on the location of the user; again the different roles of the system are modeled as timed
automata and verified in UPPAAL. Carlo Combi et al. in [9] merge temporal role-based
access control with workflows, while in [8] he defines access-controlled temporal networks, an
extension of conditional simple temporal networks with uncertainty, which allows one to
model users and temporal authorization constraints. Although all of those models deal with
a large number of access control policies at the subject-object level considering time
dependencies, they are not able to express time-dependent policies with information flow
considerations that occur at the application level of the system (e.g. does a process running
on behalf of a user respect the access control policy?).
The work of [26] formalizes the timed decentralised label model (TDLM), an extension of
the traditional and well-established decentralised label model (DLM) [23], which deals with
both information flow and time-dependent security policies; however, their work does not
consider an enforcement mechanism for the policies. Our key contribution is to develop a
logic that allows the specification of time-, content- and information-flow-dependent
policies for access control, and to make use of current model checkers such as UPPAAL [30]
for the enforcement of the policies.
Organisation. The remainder of this paper is organized as follows. In Section 2, we give the
definition of a Timed System (a system of Timed Automata) and in Section 3 we define an
information flow instrumented operational semantics for Timed Systems. Section 4 presents
the syntax and the semantics of our behaviour logic called BTCTL (behaviour TCTL) and
we illustrate how we can express security policies for our gateway example. In
Section 5 we present the reduction of the BTCTL logic to a variation of the TCTL [2],
called TCTL+, and in Section 6 we present our translator. Finally, in Section 7, we give our
conclusions and we outline our future work, while in Appendix A we give the proof of our
main theorem.
2 Systems of Timed Automata
2.1 Timed Systems
A Timed System TS
p1 : TA1 || ... || pn : TAn (n ≥ 1)
which sometimes we will call system, is the parallel composition of n timed automata called
processes, written as TS=(TAi)i≤n.
The processes are able to exchange information via synchronous message passing, using
polyadic channels from the finite set Chan. Each of the processes in the timed system,
is labelled with a unique identifier p ∈ P = {p1, ..., pn} and we write Varp and Clockp for
the data variables and clocks appearing in the process p. We also require that the sets of
data variables and clocks for the processes are mutually disjoint (∀i ≠ j : Varpi ∩ Varpj =
overall data variables and clocks appearing in the timed system.
2.2 Timed Automata
Formally, we model a Timed Automaton [3, 1] TA as a 4-tuple (q◦, E, I, Q) where q◦ is the
initial location of the automaton, E is a finite set of edges, I is a mapping from the automaton’s
locations to conditions that impose invariants, and Q is the set of the automaton’s locations.
The edges are labelled with actions g → act: ~r and take the form (qs, g → act: ~r, qt)
where the syntax of act is given by
act ::= ~x :=~e | ch!~e | ch?~x
and qs ∈ Q is the source location and qt ∈ Q is the target location.
Every action g → act: ~r consists of a guard g, which has to be true in order for the action
to be performed, and ends with a reset of the clocks ~r. The assignment action g → ~x :=~e: ~r
performs the multiple assignment ~x :=~e, the action g → ch!~e: ~r is used to communicate
the values of the expressions in ~e over the channel ch, and the action g → ch?~x: ~r is used to
receive data and store it in the variables of the vector ~x. We shall assume that the sequences
~x and ~e of data variables and expressions, respectively, have the same length and that ~x does
not contain any repetitions. Finally, we write ~x(i) (and also ~e(i)) for the i-th element of the
vector ~x (and ~e respectively). To cater for special cases of the assignment action, we shall
allow writing g → skip: ~r when ~x (and hence ~e) is empty; also, for any kind of action, we
shall allow omitting the guard g when it equals tt and omitting the clock resets when ~r is
empty. If all of the above hold together, we omit the whole action.
▶ Example 1. The timed system of our gateway example is given in Figure 2. The timed
system consists of six processes P = {p1, p2,m, d, c1, c2}. Two producers p1 and p2 send their
data via the channels in1 and in2 respectively. The multiplexer m collects the data from
the producers using the channel ch and then forwards it to the demultiplexer d, who then
distributes it to the consumers c1 and c2 via the channels out1 and out2 respectively. The
access policy that we want to impose here is that the consumers c1 and c2 read data only
from the producers p1 and p2, respectively.





Figure 2 The timed system for the gateway example.
(a) The producers p1 (top) and p2 (bottom).
(b) The multiplexer m, with locations 5, 6, 7 and edges labelled 0 ≤ t ∧ t ≤ 7 → in1?x: v, t = 10 → skip: t, ch!(1, x), 5 ≤ t ∧ t ≤ 10 → in2?x: v and ch!(2, x).
(c) The demultiplexer d, with locations 8, 9 and edges labelled ch?(y, z): r, y = 1 → out1!z and y = 2 → out2!z.
(d) The two consumers c1 (top) and c2 (bottom).
We use clocks to model the temporal accesses to the resources of the system as required
in [22]. In particular, we use two clocks v (in the multiplexer) and r (in the demultiplexer) to
model instantaneous transitions (time does not pass) and we use a clock t (in the multiplexer)
to split the overall execution time of the timed system into periods of 10 time units. In each
period the multiplexer m reads data from the channel in1 only whenever t ∈ [0, 7], while it
reads data from the channel in2 only whenever t ∈ [5, 10]. Whenever t ∈ [5, 7] the multiplexer
chooses non-deterministically to read either from in1 or from in2. The multiplexer then transports
the data, together with a constant, over the dyadic channel ch to the demultiplexer d; the
constant is used as a mark to indicate the source of the data. Finally, the demultiplexer
delivers the data to the right consumer according to the constant.
The expressions e, guards g and conditions c that label the locations are defined as follows
using boolean tests b:
e ::= e1 opa e2 | x | n
b ::= tt | ff | e1 opr e2 | ¬b | b1 ∧ b2
g ::= b | r opc n | (r1 − r2) opc n | g1 ∧ g2
c ::= b | r opd n | (r1 − r2) opd n | c1 ∧ c2
The arithmetic operators opa and the relational operators opr are as usual. For comparisons
of clocks we use the operators opc ∈ {<,≤,=,≥, >} in guards and the less permissive set of
operators opd ∈ {<,≤,=} in conditions.
3 Information Flow Instrumented Semantics
3.1 Behaviours
The transitions of the timed systems are labelled with behaviours. A behaviour records
information relevant to the action that has occurred and also information about the processes
that were involved in the action. Formally, a behaviour takes the form
$$b \in \mathcal{B}_{local} \cup \mathcal{B}_{com}$$
where
$$\mathcal{B}_{local} = \mathbf{P} \times \overrightarrow{\mathbf{Var}} \times \overrightarrow{\mathbf{Exp}}$$
are the behaviours that occur due to assignments and
$$\mathcal{B}_{com} = \mathbf{P} \times \mathbf{Chan} \times \overrightarrow{\mathbf{Var}} \times \overrightarrow{\mathbf{Exp}} \times \mathbf{P}$$
are the behaviours that occur due to the communication between two processes. We write $\overrightarrow{\mathbf{Var}}$ and $\overrightarrow{\mathbf{Exp}}$ for the sets of vectors with elements over the data variables and arithmetic
expressions respectively.
For instance, the local behaviour p : (~x,~e) records that the process p has performed an
assignment in which the vector ~e is used to modify the variables of the vector ~x, while the
behaviour p : ch(~x,~e) : p′ records that a communication between the processes p (the sender)
and p′ (the receiver) has happened, using the channel ch, and the vector ~e is the vector of
expressions whose values have been communicated and have been bound to the variables of
the vector ~x.
In all of the behaviours, the vectors that are being used must have the same length, while
for the delay action we will write the empty behaviour ε.
3.2 Operational Semantics
To specify the semantics of timed systems, let σ be a state mapping data variables to values
(which we take to be integers), let δ be a clock assignment mapping clocks to non-negative
reals and let κ be a mapping from data variables to sets of processes which we will call
writers. The mapping κ is used to monitor the explicit flows that occur from the assignments
and the communication between two processes in the system; we explain the use of κ in more
detail shortly. We then have total semantic functions [[.]] for evaluating the expressions,
boolean tests, guards, and conditions; we evaluate expressions either with a state σ or with the
mapping κ, where in the first case the evaluation returns a value and in the second it returns
the writers of the expression. The evaluation of boolean expressions only depends on the
state, whereas that of guards and conditions also depends on the clock assignment.
The configurations of a timed system TS = (TAi)i≤n are of the form 〈~q, σ, δ, κ〉, where ~q
is a vector of nodes; we write ~q(i) for the i-th element of the vector ~q and ~q [q′/q] for the
substitution of the node q by the node q′ in ~q; we have that ∀i : ~q(i) ∈ Qi and finally we shall assume that
the sets of nodes of the processes are mutually disjoint (∀i ≠ j : Qi ∩ Qj = ∅).
The transitions of a timed system take the form
〈~qs, σ, δ, κ〉 b=⇒ 〈~qt, σ′, δ′, κ′〉
and the initial configurations are of the form 〈~q◦, σ, λr.0, κ0〉 where ~q◦ is the vector whose
elements are the initial locations of the timed automata of the system and κ0 maps each
variable to the process that it belongs to (κ0(x) = {p} iff x ∈ Varp). The transition relation
is given in Table 1.
Table 1 Semantics for Timed Systems.
$$\langle \vec q_s, \sigma, \delta, \kappa\rangle \xRightarrow{\,p_j:(\vec x,\vec e)\,} \langle \vec q_t, \sigma', \delta', \kappa'\rangle \quad\text{if}\quad \begin{cases} (q, g \to \vec x := \vec e : \vec r, q') \text{ is in } E_j \\ [\![g]\!](\sigma,\delta) = \mathit{tt} \\ \sigma' = \sigma[\vec x \mapsto [\![\vec e]\!]\sigma] \\ \delta' = \delta[\vec r \mapsto \vec 0] \\ \kappa' = \kappa[\vec x \mapsto [\![\vec e]\!]\kappa] \\ \vec q_t = \vec q_s[q'/q] \\ \bigwedge_{i=1}^{n} [\![I_i(\vec q_t(i))]\!](\sigma',\delta') = \mathit{tt} \end{cases}$$
$$\langle \vec q_s, \sigma, \delta, \kappa\rangle \xRightarrow{\,p_h:ch(\vec x,\vec e):p_l\,} \langle \vec q_t, \sigma', \delta', \kappa'\rangle \quad\text{if}\quad \begin{cases} h \neq l \\ (q_1, g_1 \to ch!\vec e : \vec r_1, q'_1) \text{ is in } E_h \\ (q_2, g_2 \to ch?\vec x : \vec r_2, q'_2) \text{ is in } E_l \\ \sigma' = \sigma[\vec x \mapsto [\![\vec e]\!]\sigma] \\ \delta' = (\delta[\vec r_1 \mapsto \vec 0])[\vec r_2 \mapsto \vec 0] \\ \kappa' = \kappa[\vec x \mapsto [\![\vec e]\!]\kappa] \\ \vec q_t = \vec q_s[q'_1/q_1][q'_2/q_2] \\ \bigwedge_{i=1}^{n} [\![I_i(\vec q_t(i))]\!](\sigma',\delta') = \mathit{tt} \end{cases}$$
$$\langle \vec q, \sigma, \delta, \kappa\rangle \xRightarrow{\,\varepsilon\,} \langle \vec q, \sigma, \delta', \kappa\rangle \quad\text{if}\quad \begin{cases} \exists\, d > 0 : \delta' = \lambda r.\, \delta(r) + d \\ \bigwedge_{i=1}^{n} [\![I_i(\vec q(i))]\!](\sigma,\delta') = \mathit{tt} \end{cases}$$
The rule for the assignment ensures that the guard is satisfied in the starting configuration,
updates the mappings σ, δ, κ and the location of the process pj, and finally ensures that
the invariant is satisfied in the resulting configuration. The behaviour pj : (~x,~e) records
that the process pj is performing an assignment to the vector ~x using the vector ~e, and κ′
records the information flow that occurs due to this behaviour, by updating the writers of
each variable ~x(i) with the writers of the expression ~e(i), where for a single expression e′,
$$[\![e']\!]\kappa = \bigcup_{y \in fv(e')} \kappa(y)$$
and fv(e′) is the set of free variables occurring in e′.
To understand the rule for the communication, one could see it as an assignment of the
form ~x :=~e where ~e are the expressions used in the channel output action and ~x
the variables used in the channel input action.
Finally, the delay rule only modifies the clock assignment with a delay d, ensuring that
the invariant is satisfied in the resulting configuration. The mapping κ remains the same
since the delay action produces the empty behaviour ε.
▶ Example 2. To see how the semantics for the κ mapping works, return to Example 1 and
consider the transition
$$\langle \vec q, \sigma, \delta, \kappa\rangle \xRightarrow{\,p_1:in_1(x,x_1):m\,} \langle \vec q[6/5], \sigma[x \mapsto \sigma(x_1)], \delta[v \mapsto 0], \kappa[x \mapsto \{p_1\}]\rangle$$
which corresponds to the communication between the producer p1 and the multiplexer
m. We have that ~q = (1, 2, 5, 8, 3, 4), and let
κ = [x1 ↦ {p1}, x2 ↦ {p2}, x ↦ {m}, y ↦ {m}, z ↦ {d}, z1 ↦ {c1}, z2 ↦ {c2}];
the resulting mapping κ[x ↦ {p1}] records that p1 has written its value into the variable
x, since there is an explicit flow from the variable x1 to the variable x and x1 has previously
been written by p1.
4 Time Dependent Policies in BTCTL
In this section, we present our behaviour based logic BTCTL which serves to specify time-
dependent security policies for access control, based on the behaviours of the system. The
access control policies can then be enforced statically before the execution of the system.
4.1 The Logic
The syntax of the BTCTL formulas φ is given by
φ ::= g | set1 rel set2 | ∀b(φ1, φ2) | φ1 ∧ φ2 | ¬φ
where
set ::= $\underline{e}$ | W .
We have basic formulas which can be either a guard g, or relations between two sets of writers,
set1 rel set2, where rel ∈ {⊆, ⊇}. The underlined set expression $\underline{e}$ denotes the set of writers
of the expression e and W ∈ P(P) is a set of writers. We use the box operator ∀b(φ1, φ2)
to speak about pre- and post-conditions whenever the non-empty behaviour b ≠ ε happens.
Informally speaking, a configuration γ satisfies the formula ∀b(φ1, φ2) whenever for all
of the system runs starting at γ, if a transition labelled with the behaviour b occurs, then φ1
holds at the configuration before the transition and φ2 at the configuration after it.
As we will see shortly, the box operator is the key formula for expressing access control
policies. The ¬φ and φ1 ∧ φ2 cases are the usual ones. Finally, we sometimes write φ1 ⇒ φ2
for ¬(φ1 ∧ ¬φ2).
▶ Example 3. Going back to Example 1, each of the variables has a time-dependent policy
which specifies the maximum set of permitted writers of the variable. We are interested in
the policies of the variables of the multiplexer, the demultiplexer and the two consumers:
Px = (0 ≤ t ∧ t < 5⇒ x ⊆ {p1})∧
(5 ≤ t ∧ t ≤ 7⇒ x ⊆ {p1, p2})∧
(7 < t ∧ t ≤ 10⇒ x ⊆ {p2}) ,
Py = y ⊆ {m} ,
Pz = (0 ≤ t ∧ t ≤ 7 ∧ y = 1⇒ z ⊆ {p1})∧
(5 ≤ t ∧ t ≤ 10 ∧ y = 2⇒ z ⊆ {p2}) ,
Pz1 = z1 ⊆ {p1} ,
Pz2 = z2 ⊆ {p2} .
The first line of the policy for the variable x, expresses that whenever t ∈ [0, 5), only the
process p1 is allowed to write data to x, while both p1 and p2 may write to x if t ∈ [5, 7]
and similarly to the first line, if t ∈ (7, 10] then only p2 can write to x. On the other hand,
looking at the policy for the variable y, a write action to y is allowed only by the multiplexer.
The rest of the policies can be explained accordingly.
We then perform the enforcement of the access control policies by checking the following
formulas:
Φx = ∀p1:in1(x,x1):m(tt, Px) ∧ ∀p2:in2(x,x2):m(tt, Px) ,
Φy,z = ∀m:ch((y,z),(1,x)):d(tt, Py ∧ Pz) ∧ ∀m:ch((y,z),(2,x)):d(tt, Py ∧ Pz) ,
Φz1 = ∀d:out1(z1,z):c1(tt, Pz1) ,
Φz2 = ∀d:out2(z2,z):c2(tt, Pz2) .
Each of the formulas expresses that whenever someone is writing to the variable (or variables)
appearing as a subscript, then the policy of the variable (or variables) is imposed as a post-condition.
The variable x is accessed (someone is writing data to x) whenever p1 or p2
communicates with the multiplexer, and thus we have to impose the policy of the variable
x for both of those actions, while the variables y and z are accessed whenever the
multiplexer communicates with the demultiplexer, which happens with two communication
actions. Similarly, we define the formulas for the variables z1 and z2.
4.2 Semantics of BTCTL
The formal rules that define when a configuration γ satisfies a BTCTL formula φ are
given below:
$$\begin{array}{lcl}
\gamma \models g & \text{iff} & \gamma = \langle \vec q, \sigma, \delta, \kappa\rangle \Rightarrow [\![g]\!](\sigma, \delta) \\
\gamma \models set_1\ rel\ set_2 & \text{iff} & \gamma = \langle \vec q, \sigma, \delta, \kappa\rangle \Rightarrow [\![set_1]\!]\kappa\ rel\ [\![set_2]\!]\kappa \\
\gamma \models \forall b(\phi_1, \phi_2) & \text{iff} & \forall\, \gamma_0 \xRightarrow{b_1} \gamma_1 \xRightarrow{b_2} \cdots \in Trace_\gamma : \forall i \ge 1 : b_i = b \Rightarrow \gamma_{i-1} \models \phi_1 \text{ and } \gamma_i \models \phi_2 \\
\gamma \models \phi_1 \wedge \phi_2 & \text{iff} & \gamma \models \phi_1 \text{ and } \gamma \models \phi_2 \\
\gamma \models \neg\phi & \text{iff} & \gamma \not\models \phi
\end{array}$$
A guard g is then satisfied by a configuration γ whenever g holds in γ. For the case of
the set relation rel, γ satisfies it whenever set1 rel set2 evaluates to true, and we do that
check by lifting the definition of [[.]]κ to set expressions, by $[\![\underline{e}]\!]\kappa = [\![e]\!]\kappa$ and $[\![W]\!]\kappa = W$. A
configuration γ satisfies the box formula ∀b(φ1, φ2) whenever for all the execution paths
that start from γ, if a behaviour b′ occurs and b′ is syntactically equal to b, then the
pre-condition φ1 has to hold at the configuration before the behaviour and the post-condition
φ2 at the configuration after it. The rest of the cases are the usual ones.
▶ Example 4. Consider now the prefix of an execution trace of the timed system from
Example 1
$$pr = \gamma_0 \xRightarrow{\,p_1:in_1(x,x_1):m\,} \gamma_1 \xRightarrow{\,m:ch((y,z),(1,x)):d\,} \gamma_2 \xRightarrow{\,d:out_1(z_1,z):c_1\,} \gamma_3$$
where for the initial configuration γ0 = 〈~q0, σ0, δ0, κ0〉, we have that ~q0 = (1, 2, 5, 8, 3, 4), σ0
is arbitrary, δ0 = λc.0 and
κ0 = [x1 ↦ {p1}, x2 ↦ {p2}, x ↦ {m}, y ↦ {d}, z ↦ {d}, z1 ↦ {c1}, z2 ↦ {c2}]
and for the rest of the configurations
γ1 = 〈~q1, σ1, δ1, κ1〉, ~q1 = ~q0[6/5], σ1 = σ0[x ↦ σ0(x1)], δ1 = δ0[v ↦ 0], κ1 = κ0[x ↦ {p1}]
γ2 = 〈~q2, σ2, δ2, κ2〉, ~q2 = ~q1[5/6][9/8], σ2 = σ1[y ↦ 1, z ↦ σ1(x)], δ2 = δ1[r ↦ 0],
κ2 = κ1[y ↦ ∅, z ↦ {p1}]
γ3 = 〈~q3, σ3, δ3, κ3〉, ~q3 = ~q2[8/9], σ3 = σ2[z1 ↦ σ2(z)], δ3 = δ2, κ3 = κ2[z1 ↦ {p1}].
Now consider the formulas Φx, Φy,z, Φz1 from Example 3; to illustrate how the semantics
works for the box operator, we will do the appropriate checks for those formulas on pr.
The formula Φx is the conjunction of two box operators, where for the first one, because of
the behaviour p1 : in1(x, x1) : m of the transition $\gamma_0 \xRightarrow{\,p_1:in_1(x,x_1):m\,} \gamma_1$, we have to check that
γ1 |= Px where
Px = (0 ≤ t ∧ t < 5 ⇒ x ⊆ {p1}) ∧
(5 ≤ t ∧ t ≤ 7 ⇒ x ⊆ {p1, p2}) ∧
(7 < t ∧ t ≤ 10 ⇒ x ⊆ {p2}) .
This check evaluates to true, since γ1 satisfies only the guard of the first line of the policy
and κ1(x) = {p1}. For the transition $\gamma_1 \xRightarrow{\,m:ch((y,z),(1,x)):d\,} \gamma_2$, because of the formula Φy,z we
have to check that γ2 |= Py ∧ Pz where
Py = y ⊆ {m} ,
Pz = (0 ≤ t ∧ t ≤ 7 ∧ y = 1 ⇒ z ⊆ {p1}) ∧
(5 ≤ t ∧ t ≤ 10 ∧ y = 2 ⇒ z ⊆ {p2}) .
This check evaluates to true, since κ2(y) = ∅ and γ2 satisfies only the condition in the first
line of the policy Pz and also κ2(z) = {p1}. Finally, for the last transition $\gamma_2 \xRightarrow{\,d:out_1(z_1,z):c_1\,} \gamma_3$,
because of the formula Φz1, we have to check that γ3 |= Pz1, and this check evaluates to true,
since κ3(z1) = {p1} and Pz1 = z1 ⊆ {p1}.
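As an added example (not the paper's translator nor any code from the authors), the following Python model implements the writers mapping κ of Section 3 (the communication and delay rules of Table 1, with expressions restricted to variable names and integer literals, which is all the gateway uses) and the box operator of Section 4, and runs the checks of Example 4 on the trace prefix pr. The concrete values in σ0 (Example 4 leaves it arbitrary), the clock names t, v, r and a second run of a hypothetical multiplexer with a widened in2 guard are constructed for the illustration; the automata's own guards are not evaluated here, only the behaviours and the resulting configurations.

```python
"""Writers mapping kappa (Section 3) and BTCTL box-operator checks (Section 4)
on the gateway trace of Example 4. Added example, not the paper's translator.
Expressions are restricted to variable names and integer literals."""
from collections import namedtuple
from typing import Callable, Dict, FrozenSet, List, Sequence, Tuple

Sigma, Delta, Kappa = Dict[str, int], Dict[str, float], Dict[str, FrozenSet[str]]
Config = Tuple[Sigma, Delta, Kappa]            # (state, clock assignment, writers)
Formula = Callable[[Sigma, Delta, Kappa], bool]
Com = namedtuple("Com", "sender ch xs es receiver")  # behaviour sender:ch(xs,es):receiver

def writers_of(e: str, kappa: Kappa) -> FrozenSet[str]:
    """[[e]]kappa: union of kappa(y) over the free variables of e; a literal has none."""
    return kappa[e] if e in kappa else frozenset()

def step(cfg: Config, b: Com, resets: Sequence[str] = ()) -> Config:
    """Communication rule of Table 1, read as the assignment xs := es plus clock resets."""
    sigma, delta, kappa = cfg
    assert len(b.xs) == len(b.es) and len(set(b.xs)) == len(b.xs)
    sigma2, delta2, kappa2 = dict(sigma), dict(delta), dict(kappa)
    for x, e in zip(b.xs, b.es):
        sigma2[x] = sigma[e] if e in sigma else int(e)   # value, from the old state
        kappa2[x] = writers_of(e, kappa)                  # explicit flow e -> x
    for r in resets:
        delta2[r] = 0.0
    return sigma2, delta2, kappa2

def delay(cfg: Config, d: float) -> Config:
    """Delay rule: every clock advances by d; sigma and kappa are unchanged."""
    sigma, delta, kappa = cfg
    return sigma, {c: val + d for c, val in delta.items()}, kappa

# The policies of Example 3 as predicates over (sigma, delta, kappa).
def subset(x: str, ws: Sequence[str]) -> Formula:
    return lambda s, d, k: k[x] <= frozenset(ws)

def P_x(s: Sigma, d: Delta, k: Kappa) -> bool:
    t = d["t"]
    return ((not 0 <= t < 5) or k["x"] <= {"p1"}) and \
           ((not 5 <= t <= 7) or k["x"] <= {"p1", "p2"}) and \
           ((not 7 < t <= 10) or k["x"] <= {"p2"})

def P_z(s: Sigma, d: Delta, k: Kappa) -> bool:
    t = d["t"]
    return ((not (0 <= t <= 7 and s["y"] == 1)) or k["z"] <= {"p1"}) and \
           ((not (5 <= t <= 10 and s["y"] == 2)) or k["z"] <= {"p2"})

P_y, P_z1, P_z2 = subset("y", ["m"]), subset("z1", ["p1"]), subset("z2", ["p2"])
TT: Formula = lambda s, d, k: True

def box(b: Com, pre: Formula, post: Formula, trace: List) -> bool:
    """Box operator on one trace prefix [g0, (b1, g1), (b2, g2), ...]: each transition
    labelled exactly b must satisfy pre in the configuration before and post after."""
    prev = trace[0]
    for bi, nxt in trace[1:]:
        if bi == b and not (pre(*prev) and post(*nxt)):
            return False
        prev = nxt
    return True

B_IN1 = Com("p1", "in1", ("x",), ("x1",), "m")
B_IN2 = Com("p2", "in2", ("x",), ("x2",), "m")
B_CH1 = Com("m", "ch", ("y", "z"), ("1", "x"), "d")
B_CH2 = Com("m", "ch", ("y", "z"), ("2", "x"), "d")
B_OUT1 = Com("d", "out1", ("z1",), ("z",), "c1")
B_OUT2 = Com("d", "out2", ("z2",), ("z",), "c2")

def initial() -> Config:
    """gamma_0 of Example 4; the values in sigma_0 are constructed (the paper leaves them arbitrary)."""
    sigma0 = {"x1": 42, "x2": 7, "x": 0, "y": 0, "z": 0, "z1": 0, "z2": 0}
    delta0 = {"t": 0.0, "v": 0.0, "r": 0.0}
    kappa0 = {"x1": {"p1"}, "x2": {"p2"}, "x": {"m"}, "y": {"d"},
              "z": {"d"}, "z1": {"c1"}, "z2": {"c2"}}
    return sigma0, delta0, {k: frozenset(v) for k, v in kappa0.items()}

def example4_trace() -> List:
    g0 = initial()
    g1 = step(g0, B_IN1, resets=("v",))
    g2 = step(g1, B_CH1, resets=("r",))
    return [g0, (B_IN1, g1), (B_CH1, g2), (B_OUT1, step(g2, B_OUT1))]

def check_all(trace: List) -> Dict[str, bool]:
    """Phi_x, Phi_yz, Phi_z1 and Phi_z2 of Example 3, evaluated on one trace prefix."""
    P_yz: Formula = lambda s, d, k: P_y(s, d, k) and P_z(s, d, k)
    return {"Phi_x": box(B_IN1, TT, P_x, trace) and box(B_IN2, TT, P_x, trace),
            "Phi_yz": box(B_CH1, TT, P_yz, trace) and box(B_CH2, TT, P_yz, trace),
            "Phi_z1": box(B_OUT1, TT, P_z1, trace), "Phi_z2": box(B_OUT2, TT, P_z2, trace)}

def violating_trace() -> List:
    """Constructed run of a hypothetical multiplexer whose in2 guard was widened to
    0 <= t <= 10: at t = 3 it reads p2's data into x, which P_x forbids before t = 5."""
    g0 = initial()
    g1 = delay(g0, 3.0)                      # delay: empty behaviour, labelled None here
    return [g0, (None, g1), (B_IN2, step(g1, B_IN2, resets=("v",)))]
```

`check_all(example4_trace())` reports every formula as satisfied, reproducing the three checks of Example 4, while `check_all(violating_trace())` reports Φx as violated: the writers of x are {p2} at t = 3, so the first line of Px fails. The box operator only compares behaviour labels syntactically and evaluates the policy on the configuration after the transition, exactly as the semantics of Section 4.2 prescribes; nothing about the policy is checked on delay transitions.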
5 Reduction of BTCTL to TCTL+
In this section, we perform a transformation of the original timed system and of the BTCTL
formulas. The transformation is based on the work done in [16], where the action-based logic
ATCTL (action-TCTL) is reduced to TCTL [2]. The transformation of a formula produces a
formula in TCTL+, a logic based on TCTL, and in the next section we show how a fragment
of TCTL+ can be handled by the model checker UPPAAL [30].
5.1 Behaviour Automata
A timed system TS = (TAi)i≤n yields a behaviour automaton BA = (v◦,E, I,Q, L), which is
a kind of timed automaton in that it is the product automaton of the system, extended to
contain auxiliary vertices that represent the actions of the system and a labelling function
L that assigns to each vertex a property. A property is either a behaviour or a location
vector of the system TS; auxiliary vertices of the system will be labeled with the behaviour
that corresponds to the particular action of the vertex, while genuine vertices that represent
locations of the system TS are labeled with a location vector. The initial vertex v◦ will be
labeled with the initial location vector of the system ~q◦. The behaviour automaton BA has
the same set of variables as the timed system TS, while for the clock variables it has an extra
clock t. Similarly to the timed automata, E is a finite set of edges, the mapping I imposes an
invariant on each vertex and Q is the finite set of vertices.
The algorithm for constructing the edges E, the labelling functions I and L and the set of
vertices Q = Qgen ∪Qaux (Qgen ∩Qaux = ∅) where Qgen and Qaux contain the genuine and
auxiliary vertices respectively, is given in Figure 3.
In the first step, we create the genuine vertices and we label them with the invariant of
the location vector that they represent; each of those vertices is inserted in Qgen, which will
be used in the next steps to create the auxiliary vertices.
In step 2 we create the auxiliary vertices and the edges that correspond to the assignment
actions of the system. For each process pi, we look at all of its assignment edges
(qi, g → ~x :=~e: ~r, q′i) ∈ Ei. For each one of those edges and for all the vertices vs ∈ Qgen and
vt ∈ Qgen, where the label L(vs) of vs corresponds to a location vector in which this assignment
could have been performed and would have moved the system to the location vector L(vt), we
create the edges (vs, g → skip: t, v) and (v, ~x :=~e: ~r, vt), where v is a fresh auxiliary vertex;
whereas in the construction of the product automaton one would have constructed only the
edge (vs, g → ~x :=~e: ~r, vt). The auxiliary vertex v is labelled with the assignment behaviour
(1) let Qgen = ∅; let Qaux = ∅;
    for all ~q: create fresh v; let L(v) = ~q; let I(v) = ∧_{i=1..n} Ii(~q(i)); insert v in Qgen
(2) for all (qi, g → ~x :=~e: ~r, q′i) ∈ Ei:
    for all vs ∈ Qgen, vt ∈ Qgen such that
        L(vs)(i) = qi ∧ L(vt)(i) = q′i
        ∀j : j ≠ i : L(vs)(j) = L(vt)(j) :
      create fresh v;
      insert (vs, g → skip: t, v) in E; insert (v, ~x :=~e: ~r, vt) in E;
      let L(v) = pi : (~x,~e); let I(v) = (t = 0) ∧ I(vt)[~e/~x][~0/~r]; insert v in Qaux
(3) for all (qi, g1 → ch!~e: ~r1, q′i) ∈ Ei and (qj, g2 → ch?~x: ~r2, q′j) ∈ Ej such that i ≠ j:
    for all vs ∈ Qgen, vt ∈ Qgen such that
        L(vs)(i) = qi ∧ L(vs)(j) = qj
        L(vt)(i) = q′i ∧ L(vt)(j) = q′j
        ∀l : l ≠ i ∧ l ≠ j : L(vs)(l) = L(vt)(l) :
      create fresh v; let g = g1 ∧ g2; let ~r = ~r1~r2;
      insert (vs, g → skip: t, v) in E; insert (v, ~x :=~e: ~r, vt) in E;
      let L(v) = pi : ch(~x,~e) : pj; let I(v) = (t = 0) ∧ I(vt)[~e/~x][~0/~r]; insert v in Qaux
(4) let Q = Qgen ∪ Qaux
Figure 3 The algorithm for constructing E, I, Q and L.
Figure 4 Edge construction of BA: vs --[g → skip: t]--> v --[~x :=~e: ~r]--> vt.
pi : (~x,~e) and its invariant is being set to (t = 0) ∧ I(vt)[~e/~x][~0/~r], to first ensure that the
action of the edge leaving v will be performed instantenous and secondly that we can not
get stuck at an auxiliary vertex. Figure 4 illustrates the construction and note that each
auxiliary vertex v has exactly one predecessor and exactly one successor.
Similarly to step 2, in step 3 we construct the auxiliary vertices for the communication
actions of the system and finally in step 4 we define the set Q.
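Steps 1 to 4 of Figure 3 as an added Python example (not the authors' translator). The process encoding, the string form of guards and invariants, and the two-process sample system are my own assumptions, and the substitution in I(v) is kept symbolically rather than evaluated.

```python
from collections import namedtuple
from itertools import product

# Constructed encoding (mine, not the paper's): a process is (locations, edges, invariants);
# an edge is Edge(src, guard, action, resets, dst) with action one of ("assign", xs, es),
# ("send", ch, es) or ("recv", ch, xs). Guards and invariants are opaque strings, so the
# substitution in I(v) is recorded symbolically rather than evaluated.
Edge = namedtuple("Edge", "src guard action resets dst")


def build_behaviour_automaton(tas):
    """Steps 1-4 of Figure 3; returns (V, E, Q_gen, Q_aux)."""
    n, V, E, counter = len(tas), {}, [], [0]

    def fresh(label, inv, kind):
        v, counter[0] = f"v{counter[0]}", counter[0] + 1
        V[v] = {"label": label, "inv": inv, "kind": kind}
        return v

    # Step 1: one genuine vertex per location vector, with the conjunction of the I_i(q(i)).
    gen = {}
    for qvec in product(*(locs for locs, _, _ in tas)):
        gen[qvec] = fresh(qvec, " and ".join(f"({tas[i][2][qvec[i]]})" for i in range(n)), "genuine")

    def add_aux(qs, qt, guard, xs, es, rs, label):
        # The side conditions of steps 2 and 3 fix v_t uniquely given v_s, so qt is computed.
        vs, vt = gen[qs], gen[qt]
        subst = {**dict(zip(xs, es)), **{r: "0" for r in rs}}      # [e/x][0/r]
        v = fresh(label, {"t == 0": True, "base": V[vt]["inv"], "subst": subst}, "auxiliary")
        E.append((vs, guard, "skip", ("t",), v))                    # (v_s, g → skip : t, v)
        E.append((v, "tt", ("assign", xs, es), rs, vt))             # (v, x := e : r, v_t)

    # Step 2: assignment edges of each process p_i.
    for i, (_, edges, _) in enumerate(tas):
        for e in edges:
            if e.action[0] == "assign":
                _, xs, es = e.action
                for qs in gen:
                    if qs[i] == e.src:
                        add_aux(qs, qs[:i] + (e.dst,) + qs[i + 1:], e.guard, xs, es,
                                e.resets, (f"p{i}", xs, es))

    # Step 3: a send edge of p_i paired with a receive edge of p_j (i != j) on one channel.
    for (i, (_, ei, _)), (j, (_, ej, _)) in product(enumerate(tas), repeat=2):
        for s, r in product(ei, ej):
            if i == j or s.action[0] != "send" or r.action[:2] != ("recv", s.action[1]):
                continue
            xs, es = r.action[2], s.action[2]
            for qs in gen:
                if qs[i] == s.src and qs[j] == r.src:
                    qt = list(qs); qt[i], qt[j] = s.dst, r.dst
                    add_aux(qs, tuple(qt), f"({s.guard}) and ({r.guard})", xs, es,
                            s.resets + r.resets, (f"p{i}", s.action[1], xs, es, f"p{j}"))

    q_gen = [v for v in V if V[v]["kind"] == "genuine"]             # Step 4: Q = Q_gen ∪ Q_aux
    q_aux = [v for v in V if V[v]["kind"] == "auxiliary"]
    return V, E, q_gen, q_aux


def aux_degrees_ok(V, E):
    """Property noted for Figure 4: each auxiliary vertex has one predecessor and one successor."""
    return all(sum(e[4] == v for e in E) == 1 and sum(e[0] == v for e in E) == 1
               for v in V if V[v]["kind"] == "auxiliary")

# Constructed sample: p0 assigns x := 1, then sends x on ch while resetting clock r; p1 receives into y.
SAMPLE = [
    (("a", "b"), [Edge("a", "tt", ("assign", ("x",), ("1",)), (), "b"),
                  Edge("b", "r <= 2", ("send", "ch", ("x",)), ("r",), "a")], {"a": "tt", "b": "r <= 5"}),
    (("c", "d"), [Edge("c", "tt", ("recv", "ch", ("y",)), (), "d")], {"c": "tt", "d": "tt"}),
]
```

On SAMPLE the construction yields the four genuine vertices of the product, two auxiliary vertices for the assignment and one for the communication.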
5.2 Trace Equivalence
From the construction of the behaviour automaton BA, it is essential that every execution
trace in the original system TS can be interpreted as an execution trace in the behaviour
automaton BA and vice versa. Particularly, each transition in the system TS is equivalent
to a single step transition (in the case of a delay) or a two-step transition (in the case of an
action) in its behaviour automaton BA. To overcome the vagueness of this explanation we
will later define an equivalence relation between execution traces of the system TS and the
behaviour automaton BA.
First, we give the operational semantics of the behaviour automata in Table 2. The
semantics is similar to the semantics of the timed automata, however now, the transitions
are not labelled with behaviours.
Table 2 Semantics for Behaviour Automata.
$$
\langle v_s, \sigma, \delta, \kappa\rangle \longrightarrow \langle v_t, \sigma', \delta', \kappa'\rangle
\quad\text{if}\quad
\left\{\begin{array}{l}
(v_s, g \to \vec{x} := \vec{e} : \vec{r}, v_t) \text{ is in } E \\
\llbracket g\rrbracket(\sigma, \delta) = \mathit{tt} \\
\sigma' = \sigma[\vec{x} \mapsto \llbracket\vec{e}\rrbracket\sigma] \\
\delta' = \delta[\vec{r} \mapsto \vec{0}] \\
\kappa' = \kappa[\vec{x} \mapsto \llbracket\vec{e}\rrbracket\kappa] \\
\llbracket I(v_t)\rrbracket(\sigma', \delta') = \mathit{tt}
\end{array}\right.
$$
$$
\langle v, \sigma, \delta, \kappa\rangle \longrightarrow \langle v, \sigma, \delta', \kappa\rangle
\quad\text{if}\quad
\left\{\begin{array}{l}
\exists d > 0 : \delta' = \lambda r.\, \delta(r) + d, \\
\llbracket I(v)\rrbracket(\sigma, \delta') = \mathit{tt}
\end{array}\right.
$$
Now let γ and γ′ be two configurations of a timed system TS and its behaviour
automaton BA respectively. We define the relation ≅ : ConfigTS × ConfigBA → {tt, ff} to
be
$$
\langle \vec{q}, \sigma, \delta, \kappa\rangle \cong \langle v, \sigma', \delta', \kappa'\rangle
\quad\text{iff}\quad
\left\{\begin{array}{l}
\vec{q} = L(v), \\
\sigma = \sigma', \\
\forall r \in \mathit{Clock} : \delta(r) = \delta'(r), \\
\kappa = \kappa',
\end{array}\right.
$$
where we recall that Clock is the set of the clocks appearing in the system TS and thus the
clock t of the behaviour automaton BA is not included in Clock. It is straightforward by the
definition of ∼= that configurations of the system TS can only be related with configurations
that correspond to genuine vertices in the behaviour automaton BA.
For the behaviour automaton BA, we define a macro transition t to be a single step delay
transition γ′s ⟶ γ′t or a two-step transition γ′s ⟶ γaux ⟶ γ′t, where γaux is an auxiliary
configuration (a configuration that corresponds to an auxiliary vertex) and γ′s and γ′t are
genuine configurations (configurations that correspond to genuine vertices). We then lift
the definition of ≅ to single step transitions of the system TS and macro transitions of the
behaviour automaton BA as
$$
\gamma_s \xRightarrow{b} \gamma_t \;\cong\; \gamma'_s \longrightarrow \gamma'_t
\quad\text{iff}\quad
\gamma_s \cong \gamma'_s \text{ and } \gamma_t \cong \gamma'_t
$$
$$
\gamma_s \xRightarrow{b} \gamma_t \;\cong\; \gamma'_s \longrightarrow \gamma_{aux} \longrightarrow \gamma'_t
\quad\text{iff}\quad
\left\{\begin{array}{l}
\gamma_s \cong \gamma'_s \text{ and } \gamma_t \cong \gamma'_t \\
\gamma_{aux} = \langle v, \sigma, \delta, \kappa\rangle \Rightarrow b = L(v)
\end{array}\right.
$$
Now for each genuine configuration γ′ of the BA, every execution trace
tr′ = γ′0 ⟶ γ′1 ... ∈ Traceγ′ of γ′ with length greater than 0 can be parsed as a macro
transition trace Ttr′ = t′1 t′2 t′3 ... where each t′j is a macro transition. For example, the finite
execution trace γ′0 ⟶ γ′1 ⟶ γaux1 ⟶ γ′2 ⟶ γaux2 ⟶ γ′3 ⟶ γ′4 is parsed as the sequence of
four macro transitions Ttr′ = t′1 t′2 t′3 t′4 where t′1 = γ′0 ⟶ γ′1, t′2 = γ′1 ⟶ γaux1 ⟶ γ′2,
t′3 = γ′2 ⟶ γaux2 ⟶ γ′3 and t′4 = γ′3 ⟶ γ′4.
Similarly to the macro transition traces, for each configuration γ of the system TS, we
can write each execution trace of nonzero length, tr = γ0 =b1⇒ γ1 =b2⇒ γ2 ... ∈ Traceγ of γ, as a
transition trace Ttr = t1 t2 ... where ti = γi−1 =bi⇒ γi (for all i ≥ 1).
Finally we lift the definition of ≅ to execution traces of length n > 0 that start in genuine
configurations of the timed system TS and its behaviour automaton BA as
$$
tr \cong tr' \quad\text{iff}\quad
\left\{\begin{array}{l}
T_{tr} \text{ and } T_{tr'} \text{ have the same length} \\
\forall i \ge 1 : T_{tr}(i) \cong T_{tr'}(i)
\end{array}\right.
$$
Thus tr ≅ tr′ holds if and only if the transition trace Ttr of tr and the macro
transition trace Ttr′ of tr′ have the same length and are equivalent stepwise.
The following fact follows from the method of constructing a behaviour automaton and
states that equivalent configurations in the timed system TS and its behaviour automaton
BA, produce equivalent execution traces.
▶ Fact 5. For every timed system TS, its behaviour automaton BA and two configurations
γ and γ′ such that γ ≅ γ′ we have that:
∀tr ∈ Traceγ : ∃tr′ ∈ Traceγ′ : tr ∼= tr′ ,
∀tr′ ∈ Traceγ′ : ∃tr ∈ Traceγ : tr ∼= tr′ .
5.3 TCTL+
For the behaviour automata, we define a new logic called TCTL+ patterned after TCTL [2],
and the syntax of a TCTL+ formula ψ is given by
ψ ::= prop | g | set1 rel set2 | ∀ψ | ∃(ψ1Uψ2) | ¬ψ | ψ1 ∧ ψ2 .
The basic formula prop is a proposition which is either a behaviour or a location vector, and it
holds in a configuration if its vertex is labelled with prop; the rest of the basic formulas are
the same as in BTCTL. The ∀ψ formula holds in a configuration if for all of its execution
traces, ψ holds in all the configurations of the trace, while for ∃(ψ1Uψ2) to hold it is
sufficient that there exists an execution trace where ψ1 holds for a prefix of the trace and
eventually ψ2 also holds. The rest of the operators are the same as in BTCTL. The formal
semantics of TCTL+ is given by:
$$
\begin{array}{lcl}
\gamma' \models \mathit{prop} & \text{iff} & \gamma' = \langle v, \sigma, \delta, \kappa\rangle \Rightarrow L(v) = \mathit{prop} \\
\gamma' \models g & \text{iff} & \gamma' = \langle v, \sigma, \delta, \kappa\rangle \Rightarrow \llbracket g\rrbracket(\sigma, \delta) \\
\gamma' \models \mathit{set}_1\ \mathit{rel}\ \mathit{set}_2 & \text{iff} & \gamma' = \langle v, \sigma, \delta, \kappa\rangle \Rightarrow \llbracket\mathit{set}_1\rrbracket\kappa\ \mathit{rel}\ \llbracket\mathit{set}_2\rrbracket\kappa \\
\gamma' \models \forall\psi & \text{iff} & \forall \gamma'_0 \to \gamma'_1 \to \gamma'_2 \cdots \in \mathit{Trace}_{\gamma'} : \forall i \ge 0 : \gamma'_i \models \psi \\
\gamma' \models \exists(\psi_1 U \psi_2) & \text{iff} & \exists \gamma'_0 \to \gamma'_1 \to \gamma'_2 \cdots \in \mathit{Trace}_{\gamma'} : \exists i : \gamma'_i \models \psi_2 \text{ and } \forall j < i : \gamma'_j \models \psi_1 \\
\gamma' \models \psi_1 \wedge \psi_2 & \text{iff} & \gamma' \models \psi_1 \text{ and } \gamma' \models \psi_2 \\
\gamma' \models \neg\psi & \text{iff} & \gamma' \not\models \psi
\end{array}
$$
Our goal is to transform a BTCTL formula φ into a TCTL+ formula ψ and then show that,
for two equivalent configurations γ and γ′ of a timed system TS and its behaviour automaton
BA respectively, to check the formula φ in γ it is sufficient to check the transformed formula
ψ in γ′ and vice versa. We perform the transformation of the formulas using a function T[[.]]
as follows:
$$
\begin{array}{lcl}
T\llbracket g\rrbracket &=& g, \\
T\llbracket \mathit{set}_1\ \mathit{rel}\ \mathit{set}_2\rrbracket &=& \mathit{set}_1\ \mathit{rel}\ \mathit{set}_2, \\
T\llbracket \forall b(\phi_1, \phi_2)\rrbracket &=& \forall(b \Rightarrow (T\llbracket\phi_1\rrbracket \wedge \exists(b\ U(\neg b \wedge T\llbracket\phi_2\rrbracket)))), \\
T\llbracket \phi_1 \wedge \phi_2\rrbracket &=& T\llbracket\phi_1\rrbracket \wedge T\llbracket\phi_2\rrbracket, \\
T\llbracket \neg\phi\rrbracket &=& \neg T\llbracket\phi\rrbracket.
\end{array}
$$
Figure 5 (a) The timed automaton of the process p of Example 6; (b) The behaviour automaton of p.
For the special cases ∀b(tt, φ2) (φ2 is not tt) and ∀b(φ1, tt) (φ1 is not tt) we shall omit the
transformed formula that corresponds to the trivial formula tt, by writing T[[∀b(tt, φ2)]] =
∀(b ⇒ b U(¬b ∧ T[[φ2]])) for the first case and T[[∀b(φ1, tt)]] = ∀(b ⇒ T[[φ1]]) for the
second case. Finally, we shall assume that formulas in the pre-condition of ∀b(φ1, φ2)
are not nested. To justify this assumption consider the following example.
▶ Example 6. Consider the timed automaton of a process p (Figure 5a) with a variable
x and a clock r, and its behaviour automaton BA (Figure 5b), where b1 = p : (x, 1) and
b2 = p : (x, 2) are the behaviours of the actions x := 1 and x := 2 respectively, and all the
location invariants in the timed automaton of p are tt.
Now let φ = ∀b1(∀b2(tt, x = 1), tt) and observe that no initial configuration of the
process p satisfies φ, whereas every initial configuration of the behaviour automaton
does satisfy the transformed formula T[[φ]] = ∀(b1 ⇒ (∀(b2 ⇒ ∃(b2 U(¬b2 ∧ x = 1))))).
Since the proposed formula transformation is sufficient to express and enforce access
control policies of our interest we leave the development of transformations that support the
entire BTCTL as future work.
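The function T[[.]] above, together with its two tt special cases and the no-nesting assumption that Example 6 motivates, as an added Python example that is not the authors' Java translator. The tuple encoding of BTCTL and TCTL+ formulas, the ⇒ abbreviation and T[[tt]] = tt are my own assumptions.

```python
# Added example. BTCTL formulas are nested tuples (my encoding, not the paper's):
#   ("tt",)  ("g", guard)  ("set", set1, rel, set2)  ("forall_b", b, phi1, phi2)
#   ("and", phi1, phi2)  ("not", phi)
# TCTL+ results use ("prop", b), ("A", psi), ("EU", psi1, psi2), ("and", ...),
# ("not", ...) and the abbreviation ("imp", psi1, psi2) for psi1 ⇒ psi2.
TT = ("tt",)


def is_nested(phi):
    """True if phi contains a ∀b(·, ·) anywhere, including at the top."""
    return phi[0] == "forall_b" or any(
        is_nested(sub) for sub in phi[1:] if isinstance(sub, tuple))


def transform(phi):
    """T[[·]] : BTCTL → TCTL+, with the two special cases for a trivial tt."""
    kind = phi[0]
    if kind in ("tt", "g", "set"):          # T[[g]] = g, T[[set1 rel set2]] = set1 rel set2
        return phi                          # (T[[tt]] = tt is assumed here)
    if kind == "and":
        return ("and", transform(phi[1]), transform(phi[2]))
    if kind == "not":
        return ("not", transform(phi[1]))
    if kind == "forall_b":
        _, b, phi1, phi2 = phi
        if is_nested(phi1):                 # the assumption motivated by Example 6
            raise ValueError("pre-condition of ∀b(φ1, φ2) must not be nested")
        prop = ("prop", b)
        post = ("EU", prop, ("and", ("not", prop), transform(phi2)))  # b U (¬b ∧ T[[φ2]])
        if phi1 == TT and phi2 != TT:       # T[[∀b(tt, φ2)]] = ∀(b ⇒ b U (¬b ∧ T[[φ2]]))
            return ("A", ("imp", prop, post))
        if phi2 == TT and phi1 != TT:       # T[[∀b(φ1, tt)]] = ∀(b ⇒ T[[φ1]])
            return ("A", ("imp", prop, transform(phi1)))
        return ("A", ("imp", prop, ("and", transform(phi1), post)))
    raise ValueError(f"unknown BTCTL constructor {kind!r}")


def show(psi):
    """Render a TCTL+ formula in the notation used above."""
    k = psi[0]
    if k in ("prop", "g"):
        return psi[1]
    if k == "tt":
        return "tt"
    if k == "set":
        return f"{psi[1]} {psi[2]} {psi[3]}"
    if k == "not":
        return f"¬{show(psi[1])}"
    if k == "A":
        return f"∀{show(psi[1])}"
    if k == "EU":
        return f"∃({show(psi[1])} U {show(psi[2])})"
    op = {"and": "∧", "imp": "⇒"}[k]
    return f"({show(psi[1])} {op} {show(psi[2])})"
```

Feeding the formula of Example 6 to `transform` raises, because its pre-condition ∀b2(tt, x = 1) is itself a ∀b(·, ·) formula.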
Finally, we state the correctness of the function T[[.]] with the following theorem.
▶ Theorem 7. For a timed system TS, its behaviour automaton BA, a BTCTL formula φ
and for every configuration γ and γ′ of TS and BA respectively, we have that if γ ≅ γ′ then
γ |= φ iff γ′ |= T[[φ]].
The proof of Theorem 7 can be found in Appendix A.
5.4 Reduction Complexity
We give a computation bound for the algorithm of Figure 3 that, given a timed system
TS = (TAi)i≤n, constructs the behaviour automaton BA = (v◦, E, I, Q, L). Assuming that the
computation time of all the simple operations (creation of fresh vertices, setting of invariants,
etc.) is constant, let K = |Q1| + ... + |Qn| and E = |E1| + ... + |En|; then the
first part of the algorithm is bounded by K^n. The second part iterates over the assignment
edges and all the pairs of the auxiliary vertices, and that is bounded by E × K^{2n} × n, where
n corresponds to the computation bound of checking the third condition of the branch of
the for-loop. Similarly to the second part of the algorithm, the third part is bounded by
E^2 × K^{2n} × n, and therefore for the total sum of those bounds we obtain a complexity of
O(E^2 × K^{2n} × n). Finally, for a BTCTL formula φ the complexity of the transformation
T[[φ]] is linear in the size of φ.
Figure 6 Architecture of the Translator.
6 The Translator
We have implemented a translator in Java that works together with the model checker
UPPAAL version 4.0 [30]. Figure 6 depicts the architecture of the translator.
UPPAAL provides a graphical interface in which one can model (draw) a system of timed
automata. We first do that, and UPPAAL then saves the model as a file in the eXtensible Markup
Language (XML) [33]; the XML file, together with a text file that contains the desired property
φ that we want to check, is passed to the translator. The translator parses the two
files and produces an XML file which contains the behaviour automaton of the system, together
with a UPPAAL query file that includes the property T[[φ]]. The two files are imported into
UPPAAL and then one can check whether the desired property holds.
Since UPPAAL does not allow nested formulas nor supports the operator ∃φ1Uφ2,
we had to find a workaround for some of the transformed formulas. The guards g are
translated directly; for set1 rel set2, we model a set as a bit array, since UPPAAL supports
multidimensional integer arrays, and then we check the bit version of the relation rel. In the case
of T[[∀b(φ1, φ2)]] = ∀(b ⇒ (T[[φ1]] ∧ ∃(b U(¬b ∧ T[[φ2]])))), UPPAAL allows labelling
a vertex with a string (the name of the vertex), and thus auxiliary vertices with label b have
as their name a string that corresponds to the behaviour b. For the part b U(¬b ∧ T[[φ2]]) we
annotate the outgoing edges of the auxiliary vertices with an assignment to a fresh variable
a that works as a switch. We switch it on by a := 1 only when we leave the auxiliary vertex,
and we switch it off by a := 0 whenever we leave the successor of the auxiliary vertex. Thus
the formula b U(¬b ∧ T[[φ2]]) is transformed into the formula a = 1 ⇒ T[[φ2]].
Finally, since the mapping κ is not part of the timed automata of UPPAAL, we first
enumerate each variable and each process of the system and then model κ as a two-
dimensional array, whose first index corresponds to a variable and whose second to a process.
For instance, if a variable x is enumerated with 1 and κ(x) = {p}, where p is a process of
the system enumerated with 2, then κ[1][2] = 1, while for any other index j ≠ 2,
κ[1][j] = 0, modelling in that way that only p has written data in x. The edges of the
automaton are also annotated with assignments to κ, to capture the updates to it whenever
the system performs an action.
7 Conclusions
We have successfully shown how to enforce access control policies on Systems of Timed
Automata using a behaviour-based logic. The logic allows specification of time, data's content
and information flow dependent security policies, an essential need in the modern world of
cyberphysical systems. We have developed a sound reduction of a substantial fragment of
our logic to a logic based on TCTL [2], so that the model checking of the formulas can be
performed by existing model checkers such as UPPAAL [30]. We implemented a translator
which performs the reduction and together with UPPAAL it enforces access control policies.
Finally, we illustrated our development using an example from the aerospace industry, where
ensuring data's integrity is a life critical goal.
There are several ways in which we can extend our work. We are currently exploring how
our development can be extended to capture more complex information flows such as implicit
flows [31]. We have shown in [24] that the time aspect, as well as the non-deterministic
semantics of Timed Automata, poses a challenge for that.
We are considering extensions to our logic that allow expressing richer access control
policies and also how to develop a reduction which supports the entire syntax of the BTCTL
logic. Another possibility is to explore new algorithms for determining if a formula of our
logic holds in a timed system rather than reducing the formula to current TCTL-based logics.
References
1 Luca Aceto, Anna Ingolfsdottir, Kim Guldstrand Larsen, and Jiri Srba. Reactive Systems: Modelling, Specification and Verification. Cambridge University Press, 2007.
2 Rajeev Alur, Costas Courcoubetis, and David L. Dill. Model-checking in dense real-time. Inf. Comput., 104(1):2–34, 1993.
3 Rajeev Alur and David L. Dill. A theory of timed automata. Theor. Comput. Sci., 126(2):183–235, 1994.
4 David A. Basin, Matús Harvan, Felix Klaedtke, and Eugen Zalinescu. Monitoring usage-control policies in distributed systems. TIME, pages 88–95, 2011.
5 Moritz Y. Becker, Cédric Fournet, and Andrew D. Gordon. SecPAL: Design and semantics of a decentralized authorization language. Journal of Computer Security, 18(4):619–665, 2010.
6 Elisa Bertino, Piero A. Bonatti, and Elena Ferrari. TRBAC: A temporal role-based access control model. ACM Trans. Inf. Syst. Secur., 4(3):191–233, 2001.
7 Hsing-Chung Chen, Shiuh-Jeng Wang, Jyh-Horng Wen, Yung-Fa Huang, and Chung-Wei Chen. A generalized temporal and spatial role-based access control model. JNW, 5(8):912–920, 2010.
8 Carlo Combi, Roberto Posenato, Luca Viganò, and Matteo Zavatteri. Access controlled temporal networks. ICAART (2), pages 118–131, 2017.
9 Carlo Combi, Luca Viganò, and Matteo Zavatteri. Security constraints in temporal role-based access-controlled workflows. CODASPY, pages 207–218, 2016.
10 Henry DeYoung, Deepak Garg, and Frank Pfenning. An authorization logic with explicit time. CSF, pages 143–165, 2008.
11 Sabrina De Capitani di Vimercati, Pierangela Samarati, and Ravi Sandhu. Access control. Computing Handbook, 3rd ed., 1:47:1–25, 2014.
12 David F. Ferraiolo, Ravi S. Sandhu, Serban I. Gavrila, D. Richard Kuhn, and Ramaswamy Chandramouli. Proposed NIST standard for role-based access control. ACM Trans. Inf. Syst. Secur., 4(3):224–264, 2001.
13 Emsaieb Geepalla, Behzad Bordbar, and Kozo Okano. Verification of spatio-temporal role based access control using timed automata. NESEA, pages 1–6, 2012.
14 Yong-Zhong He, Zhen Han, and Ye Du. Context active RBAC and its applications. ISECS, pages 1041–1044, 2008.
15 Xuezhen Huang, Jiqiang Liu, and Zhen Han. A privacy-aware access model on anonymized data. INTRUST, pages 201–212, 2014.
16 David N. Jansen and Roel Wieringa. Extending CTL with actions and real time. J. Log. Comput., 12(4):607–621, 2002.
17 Xin Jin, Ram Krishnan, and Ravi S. Sandhu. A unified attribute-based access control model covering DAC, MAC and RBAC. DBSec, pages 41–45, 2012.
18 James Joshi, Elisa Bertino, Usman Latif, and Arif Ghafoor. A generalized temporal role-based access control model. IEEE Trans. Knowl. Data Eng., 17(1):4–23, 2005.
19 M. Fahim Ferdous Khan and Ken Sakamura. A discretionary delegation framework for access control systems. OTM Conferences, pages 865–882, 2016.
20 Samrat Mondal and Shamik Sural. Security analysis of temporal-RBAC using timed automata. IAS, pages 37–40, 2008.
21 Samrat Mondal, Shamik Sural, and Vijayalakshmi Atluri. Security analysis of GTRBAC and its variants using model checking. Computers and Security, 30(2-3):128–147, 2011.
22 Kevin Mueller, Michael Paulitsch, Sergey Tverdyshev, and Holger Blasum. MILS-related information flow control in the avionic domain: A view on security-enhancing software architectures. DSN Workshops, pages 1–6, 2012.
23 Andrew C. Myers and Barbara Liskov. A decentralized model for information flow control. In ACM Symposium on Operating System Principles, SOSP 1997, pages 129–142. ACM, 1997.
24 Flemming Nielson, Hanne Riis Nielson, and Panagiotis Vasilikos. Information flow for timed automata. Accepted for Springer Lecture Notes in Computer Science, 2017.
25 Hanne Riis Nielson and Flemming Nielson. Content dependent information flow control. J. Log. Algebr. Meth. Program., 87:6–32, 2017.
26 Martin Leth Pedersen, Michael Hedegaard Sørensen, Daniel Lux, Ulrik Nyman, and René Rydhof Hansen. The timed decentralised label model. NordSec, pages 27–43, 2015.
27 Carlos Ribeiro, Andre Zuquete, Paulo Ferreira, and Paulo Guedes. SPL: An access control language for security policies and complex constraints. NDSS, 2001.
28 Ravi S. Sandhu. Lattice-based access control models. IEEE Computer, 1993.
29 Ravi S. Sandhu and P. Samarati. Access control: Principles and practice. IEEE Com. Mag., 1996.
30 UPPAAL. http://www.uppaal.com/index.php?sida=200&rubrik=95.
31 Dennis M. Volpano, Geoffrey Smith, and Cynthia E. Irvine. A sound type system for secure flow analysis. Journal of Computer Security, 4(2/3):167–188, 1996.
32 OASIS eXtensible Access Control Markup Language. https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=xacml.
33 eXtensible Markup Language (XML). https://www.w3.org/XML/.
34 Wenrong Zeng, Yuhao Yang, and Bo Luo. Content-based access control: Use data content to assist access control for large-scale content-centric databases. BigData Conference, pages 701–710, 2014.
A Proof of Theorem 7
Proof. The proof proceeds by structural induction on φ. The base cases are trivial since
T [[φ]] = φ, the formula φ does not include any constraint about the clock t, and γ ∼= γ′.
The case ∀b(φ1, φ2).
Assume that γ |= ∀b(φ1, φ2) and thus by definition:
$$
\forall \gamma_0 \xRightarrow{b_1} \gamma_1 \xRightarrow{b_2} \cdots \in \mathit{Trace}_{\gamma} : \forall i \ge 1 : b_i = b \Rightarrow \gamma_{i-1} \models \phi_1 \text{ and } \gamma_i \models \phi_2 . \qquad (1)
$$
Now take an arbitrary trace tr′ = γ′0 ⟶ γ′1 ⟶ ... ∈ Traceγ′, where γ′ = γ′0, and prove that
$$
\forall j \ge 0 : \gamma'_j \models b \Rightarrow (T\llbracket\phi_1\rrbracket \wedge \exists(b\ U(\neg b \wedge T\llbracket\phi_2\rrbracket))) .
$$
Now if tr′ has length 0 then tr′ = γ′ and the proof is trivial, since γ′ is a genuine
configuration and thus γ′ ⊭ b. Similarly, if tr′ has length greater than 0 and γ′j is
a genuine configuration then the proof holds. Now if γ′j is an auxiliary configuration,
consider the macro transition trace Ttr′ = t′1 t′2 ... of the trace tr′ and let t′i be the macro
transition which corresponds to the transition in which γ′j is involved, so that
Ttr′(i) = γ′j−1 ⟶ γ′j ⟶ γ′j+1. Next, let γ′j = 〈v, σ, δ, κ〉; using Fact 5 we
have that ∃tr ∈ Traceγ : tr ≅ tr′ and thus
$$
\begin{array}{ll}
& \forall h \ge 1 : T_{tr}(h) \cong T_{tr'}(h) \\
\Rightarrow & T_{tr}(i) \cong T_{tr'}(i) \\
\Leftrightarrow & \gamma_{i-1} \xRightarrow{b_i} \gamma_i \;\cong\; \gamma'_{j-1} \longrightarrow \gamma'_j \longrightarrow \gamma'_{j+1} \\
\Leftrightarrow & \gamma_{i-1} \cong \gamma'_{j-1} \text{ and } \gamma_i \cong \gamma'_{j+1} \text{ and } L(v) = b_i \qquad (2)
\end{array}
$$
Now if γ′j ⊭ b then the proof is trivial. Otherwise, because of (2) (L(v) = bi) we have
that also bi = b, and using (1) we have that γi−1 |= φ1 and γi |= φ2. Next, using (2)
(γi−1 ≅ γ′j−1) and our induction hypothesis we also have that γ′j−1 |= T[[φ1]], and since φ1
does not contain any nested formulas we also have that γ′j |= T[[φ1]] as required. Finally,
using (2) (γi ≅ γ′j+1) and our induction hypothesis we also have that γ′j+1 |= T[[φ2]] and
thus γ′j |= ∃(b U(¬b ∧ T[[φ2]])) as required.
For the other direction now assume that γ′ |= ∀(b ⇒ (T[[φ1]] ∧ ∃(b U(¬b ∧ T[[φ2]])))) and
thus
$$
\forall \gamma'_0 \longrightarrow \gamma'_1 \longrightarrow \gamma'_2 \cdots \in \mathit{Trace}_{\gamma'} : \forall i \ge 0 : \gamma'_i \models b \Rightarrow (T\llbracket\phi_1\rrbracket \wedge \exists(b\ U(\neg b \wedge T\llbracket\phi_2\rrbracket))) \qquad (3)
$$
and take an arbitrary trace tr = γ0 =b1⇒ γ1 =b2⇒ ... ∈ Traceγ, where γ0 = γ, and prove that
$$
\forall j \ge 1 : b_j = b \Rightarrow \gamma_{j-1} \models \phi_1 \text{ and } \gamma_j \models \phi_2 .
$$
For the cases where the length of tr is 0 or bj ≠ b the proof is trivial. Therefore
take j such that bj = b and consider the transition trace Ttr = t1 t2 ... of the trace tr;
using Fact 5 we have that ∃tr′ ∈ Traceγ′ : tr ≅ tr′ and consequently
$$
\begin{array}{ll}
& \forall h \ge 1 : T_{tr}(h) \cong T_{tr'}(h) \\
\Rightarrow & T_{tr}(j) \cong T_{tr'}(j) \\
\Leftrightarrow & \gamma_{j-1} \xRightarrow{b_j} \gamma_j \;\cong\; \gamma'_s \longrightarrow \gamma_{aux} \longrightarrow \gamma'_t \\
\Leftrightarrow & \gamma_{j-1} \cong \gamma'_s \text{ and } \gamma_j \cong \gamma'_t \text{ and if } \gamma_{aux} = \langle v, \sigma, \delta, \kappa\rangle \text{ then } L(v) = b_j . \qquad (4)
\end{array}
$$
Therefore, because of (4) (L(v) = bj) and (3), we have that γaux |= T[[φ1]] ∧ ∃(b U(¬b ∧
T[[φ2]])), and thus, since φ1 does not contain any nested formulas, γ′s |= T[[φ1]] and
γ′t |= T[[φ2]]; but then using (4) (γj−1 ≅ γ′s and γj ≅ γ′t) and our induction hypothesis we
get the required result.
The cases φ1 ∧ φ2 and ¬φ can be proved straightforwardly using structural induction on
φ1, φ2 and φ. ◀
