Auth Invariant Tester: Temporal Authorization Correctness Verification for Distributed Systems

This is a preprint and has not been peer reviewed. Data may be preliminary.

Author: Zeeshan Ali (ORCID 0009-0002-3395-9384)
Posted: 8 January 2026 (Version 1, latest version)
Venue: Authorea
DOI: https://doi.org/10.22541/au.176790800.08611684/v1
License: Creative Commons Attribution 4.0 International License
Keywords: authorization, caching, computing and processing, distributed systems, jwt, policy enforcement, temporal safety, verification
Supplementary material: auth_invariant_tester.pdf (125.51 KB)

Abstract

Authorization is often modeled as a pure function from request context to an allow or deny decision. In production systems, however, authorization is implemented as a distributed process: decisions are cached, revocations propagate asynchronously, policies refresh periodically, and credentials such as JSON Web Tokens (JWTs) may outlive the policy state that originally justified them. These realities introduce security failures that are temporal in nature and therefore frequently invisible to conventional unit and integration testing.

This paper presents Auth Invariant Tester, a reference-model-based verification framework for detecting temporal authorization safety violations. The framework executes authorization scenarios under controlled fault injection, records execution traces, and checks invariants that capture safety properties including revocation correctness, token invalidation, tenant isolation, and policy-version alignment via Policy Epoch Safety. Authorization behavior is compared against a synchronous reference authorizer that serves as an executable oracle. We evaluate three distinct authorization architectures under identical invariants: (1) a decision-cache-based RBAC system with delayed invalidation, (2) a stateless JWT system that snapshots roles into tokens, and (3) a policy-cached enforcement system that refreshes policy periodically. Across parameterized executions, violations arise conditionally, only when authorization checks intersect stale enforcement windows. Across 20 executions of buggy systems, the framework reports 4 critical violations, while corrected implementations produce 0 violations. These results demonstrate that temporal authorization failures are predictable consequences of performance and availability tradeoffs, and that executable invariants provide a practical, reproducible method to detect and eliminate them.
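The stale enforcement window the abstract describes for architecture (1), as an added example that is not the paper's framework code: a decision cache with delayed invalidation is run beside a synchronous reference authorizer, and a revocation-correctness invariant is checked over the recorded trace. All class and function names, the TTL and the timestamps are assumptions constructed for illustration.

```python
# Added illustration; names, TTL and timestamps are constructed, not the paper's.

class ReferenceAuthorizer:
    """Synchronous oracle: a role change takes effect immediately."""
    def __init__(self):
        self.roles = {}                      # user -> set of roles
    def grant(self, user, role):
        self.roles.setdefault(user, set()).add(role)
    def revoke(self, user, role):
        self.roles.get(user, set()).discard(role)
    def check(self, user, role):
        return role in self.roles.get(user, set())

class CachedAuthorizer:
    """System under test: caches each decision for `ttl` ticks."""
    def __init__(self, source, ttl, invalidate_on_revoke):
        self.source, self.ttl = source, ttl
        self.invalidate_on_revoke = invalidate_on_revoke
        self.cache = {}                      # (user, role) -> (decision, expiry)
    def on_revoke(self, user, role):
        if self.invalidate_on_revoke:        # the corrected behaviour
            self.cache.pop((user, role), None)
    def check(self, user, role, now):
        hit = self.cache.get((user, role))
        if hit is not None and now < hit[1]:
            return hit[0]                    # possibly stale decision
        decision = self.source.check(user, role)
        self.cache[(user, role)] = (decision, now + self.ttl)
        return decision

def run_scenario(ttl, delay_after_revoke, fixed):
    """Warm the cache at t=0, revoke at t=10, check again `delay` ticks later."""
    ref = ReferenceAuthorizer()
    sut = CachedAuthorizer(ref, ttl, invalidate_on_revoke=fixed)
    ref.grant("alice", "admin")
    trace = []                               # (time, op, system decision, oracle decision)
    for t, op in [(0, "check"), (10, "revoke"), (10 + delay_after_revoke, "check")]:
        if op == "revoke":
            ref.revoke("alice", "admin")
            sut.on_revoke("alice", "admin")
            trace.append((t, op, None, None))
        else:
            trace.append((t, op, sut.check("alice", "admin", t),
                          ref.check("alice", "admin")))
    return trace

def revocation_violations(trace):
    """Invariant: the system never allows a request the reference denies."""
    return [e for e in trace if e[1] == "check" and e[2] and not e[3]]
```

With a TTL of 30, a check 5 ticks after the revocation lands inside the stale window and violates the invariant; the same check 25 ticks later, or with invalidation on revoke, does not.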
