PTaCL: A Language for Attribute-Based Access Control in Open Systems
Many languages and algebras have been proposed in recent years for the specification of authorization policies. For some proposals, such as XACML, the main motivation is to address real-world requirements, typically by providing a complex policy language with somewhat informal evaluation methods; others try to provide a greater degree of formality (particularly with respect to policy evaluation) but support far fewer features. In short, there are very few proposals that combine a rich set of language features with a well-defined semantics, and even fewer that do this for authorization policies for attribute-based access control in open environments. In this paper, we decompose the problem of policy specification into two distinct sub-languages: the policy target language (PTL) for target specification, which determines when a policy should be evaluated; and the policy composition language (PCL) for building more complex policies from existing ones. We define syntax and semantics for two such languages and demonstrate that they can be both simple and expressive. PTaCL, the language obtained by combining the features of these two sub-languages, supports the specification of a wide range of policies. However, the power of PTaCL means that it is possible to define policies that could produce unexpected results. We provide an analysis of how PTL should be restricted and how policies written in PCL should be evaluated to minimize the likelihood of undesirable results.
💡 Research Summary
The paper introduces PTaCL, a formal language designed for attribute‑based access control (ABAC) in open systems. PTaCL is built from two sub‑languages: the Policy Target Language (PTL) and the Policy Composition Language (PCL). PTL specifies when a policy should be evaluated by defining “targets” that match requests. Requests are modeled as sets of name‑value pairs, allowing arbitrary attributes beyond the classic subject‑object‑action triple. PTL provides three kinds of atomic targets—null, attribute‑name only, and (attribute‑name, value) pairs—and combines them with logical operators (and, or, opt, not). Evaluation of a target yields one of three decisions: 1_T (match), 0_T (attribute present but value mismatched), or ⊥_T (attribute absent). These three‑valued decisions are manipulated using weak and strong Kleene operators, giving a mathematically precise semantics for target matching, including the ability to distinguish missing attributes from mismatched values.
PCL uses PTL‑defined targets to attach leaf policies that return a conclusive decision (allow, deny) or “not applicable”. Complex policies are built as trees whose internal nodes combine child results using composition operators such as deny‑overrides, permit‑overrides, or first‑applicable. The paper defines the syntax and semantics of these operators, ensuring that the overall language is functionally complete: any policy expressible in richer languages like XACML can be encoded in PTaCL with a simpler, formally defined syntax.
A major contribution is the analysis of “attribute‑hiding attacks”, where a user deliberately omits certain attributes to obtain a more favorable decision. The authors demonstrate this problem with a simple corporate confidentiality policy and show how PTaCL can detect and mitigate it. Two mitigation strategies are proposed: (1) distinguishing mandatory from optional attributes and treating missing mandatory attributes as an evaluation‑error decision, and (2) enforcing monotonicity of targets so that adding attributes cannot improve the decision outcome. Monotonicity is formalized using the total order 1_T > 0_T > ⊥_T and the least‑upper‑bound operator on the decision set.
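A worked three-valued PTL evaluator, added here as an example and not the paper's own code: it implements the atomic targets and operators listed above, checks a target for monotonicity over every sub-request of a given request, and shows a constructed attribute-hiding case in which an opt-wrapped permit target improves from 0_T to 1_T once 'role' is dropped, next to the mandatory-attribute mitigation. The reading of opt as "absent attribute counts as matched" and the choice of weak Kleene for and / strong Kleene for or are assumptions of this example, as are the request and target values.

```python
from itertools import combinations

# PTL target decisions: 1_T match, 0_T mismatch, ⊥_T attribute absent.
ONE, ZERO, BOT = "1_T", "0_T", "⊥_T"
RANK = {BOT: 0, ZERO: 1, ONE: 2}   # total order 1_T > 0_T > ⊥_T, used for the monotonicity check

def eval_target(t, req):
    """Evaluate a PTL target over a request, a frozenset of (name, value) pairs.
    Target forms: ('null',), ('name', n), ('pair', n, v), ('not', t), ('opt', t),
    ('and', t1, t2), ('or', t1, t2). Which Kleene variant 'and'/'or' use, and
    the reading of 'opt', are assumptions of this example."""
    kind = t[0]
    if kind == "null":
        return ONE
    if kind == "name":
        return ONE if any(n == t[1] for n, _ in req) else BOT
    if kind == "pair":
        return ONE if (t[1], t[2]) in req else (
            ZERO if any(n == t[1] for n, _ in req) else BOT)
    if kind == "not":                 # ⊥_T stays ⊥_T; 1_T and 0_T swap
        return {ONE: ZERO, ZERO: ONE, BOT: BOT}[eval_target(t[1], req)]
    if kind == "opt":                 # assumption: an absent attribute counts as matched
        d = eval_target(t[1], req)
        return ONE if d == BOT else d
    a, b = eval_target(t[1], req), eval_target(t[2], req)
    if kind == "and":                 # weak Kleene: any ⊥_T operand makes the result ⊥_T
        return BOT if BOT in (a, b) else (ONE if a == b == ONE else ZERO)
    if kind == "or":                  # strong Kleene: one 1_T operand decides
        return ONE if ONE in (a, b) else (BOT if BOT in (a, b) else ZERO)
    raise ValueError(f"unknown target form {kind!r}")

def is_monotone(t, req):
    """True if hiding attributes from req can never raise the target decision:
    for every pair of sub-requests s ⊆ s2, eval(s) <= eval(s2) in the order above."""
    attrs = sorted(req)
    subsets = [frozenset(c) for k in range(len(attrs) + 1) for c in combinations(attrs, k)]
    return all(RANK[eval_target(t, s)] <= RANK[eval_target(t, s2)]
               for s in subsets for s2 in subsets if s <= s2)

def eval_mandatory(t, req, mandatory):
    """Mitigation (1): a missing mandatory attribute yields an evaluation error."""
    if not mandatory <= {n for n, _ in req}:
        return "error"
    return eval_target(t, req)

# Constructed example: a visitor gains the permit target's match by hiding 'role'.
FULL = frozenset({("role", "visitor"), ("doc", "confidential")})
HIDDEN = frozenset({("doc", "confidential")})
LEAKY = ("opt", ("pair", "role", "staff"))          # 0_T on FULL, 1_T on HIDDEN
SAFE = ("and", ("pair", "role", "staff"), ("pair", "doc", "public"))
```

`is_monotone(LEAKY, FULL)` is False because the empty sub-request already evaluates to 1_T, whereas `SAFE` only ever moves down to ⊥_T as attributes are removed.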
The paper also addresses malformed requests and evaluation errors by introducing a dedicated “evaluation‑error” decision, which allows the system to fail safely (typically defaulting to deny) without crashing or producing ambiguous results.
The structure of the work proceeds as follows: Section 2 defines the ABAC request model and illustrates the attribute‑hiding threat. Section 3 presents PTL’s syntax, three‑valued decision set, and evaluation rules. Section 4 details PCL’s policy syntax, composition operators, and overall evaluation algorithm. Section 5 discusses restrictions on PTL (monotonicity, mandatory attributes) and secure evaluation practices for PCL. Section 6 reviews related work, highlighting PTaCL’s unique blend of expressive power and formal rigor, and outlines future directions such as policy optimization, automated verification tools, and just‑in‑time compilation of XACML policies into PTaCL.
In summary, PTaCL offers a concise yet expressive policy language that retains the rich feature set of practical standards while providing a mathematically grounded semantics. Its explicit handling of missing attributes, three‑valued logic, and systematic defenses against attribute‑hiding attacks make it a compelling foundation for secure ABAC implementations in open, heterogeneous environments.