Efficient Proving for Distributed Access-Control Systems

We present a new algorithm for generating a formal proof that an access request satisfies accesscontrol policy, for use in logic-based access-control frameworks. Our algorithm is tailored to settings where credentials needed to complete a proof might need to be obtained from, or reactively created by, distant components in a distributed system. In such contexts, our algorithm substantially improves upon previous proposals in both computation and communication costs, and better guides users to create the most appropriate credentials in those cases where needed credentials do not yet exist. At the same time, our algorithm offers strictly superior proving ability, in the sense that it finds a proof in every case that previous approaches would (and more). We detail our algorithm and empirically evaluate an implementation of it using policies in active use in a testbed at our institution for experimenting with access-control technologies.