Formalizing Semantic Differences between Combining Algorithms in XACML 3.0 Policies

XACML is a standard language for specifying attribute-based access control policies of computer and software systems. It offers a variety of combining algorithms for flexible policy composition. While they are intended to be different, they also bear similarities. Some combining algorithms can be functionally equivalent with respect to the given policy or policies. To correctly use the combining algorithms, it is important to understand the subtle similarities and differences. This paper presents a formal treatment of the semantic differences between the commonly used combining algorithms in XACML 3.0. For each pair of the selected combining algorithms, we identify when they are functionally equivalent and when they are not equivalent. This rigorous understanding helps minimize incorrect uses of combining algorithms that may lead to unauthorized access and denial of service. It also provides a foundation for determining equivalent mutants of combining algorithms in mutation testing of XACML policies.