AACL (Artificial Adaptive Control Language) is a language-theoretic state-transition enforcement framework for web applications.
Instead of validating only authentication tokens or headers, AACL treats every sensitive request as a sentence in a server-issued, single-use grammar. Requests are validated using deterministic finite automata (DFA) before reaching application business logic.
Note: This sample website is in-progress and is not implemented based on AACL model full fledgedly.
Modern web security mechanisms (CSRF tokens, nonces, JWTs) validate request authenticity and freshness. However, they do not formally constrain whether a request represents a valid state transition in the application.
AACL addresses this gap by enforcing:
- Structural validity
- State consistency
- Single-use constraints
- Deterministic transition enforcement
The goal is to reduce unauthorized state transitions, replay attacks, and structural tampering.
AACL models a web application as a state machine.
Let:
- S = Set of application states
- Gₛ = Grammar issued for state
s - L(Gₛ) = Valid request language
- T(s, r) = State transition function
A request r is valid iff:
r ∈ L(Gₛ)T(s, r)is definedris unused (single-use grammar)ris within validity window
If any condition fails, the request is rejected before business logic execution.
- Firstly, make sure to install flask python package. If not then use pip3 install flask / pip install flask
- **Start the server using the following command:
- cd Prototype && python3 app-new.py
- Then access the website in the following URL: http://loclahost:5000
- Login with as a user. Ex- alice/alice123 or bob/bob123
The system consists of:
-
Client
- Requests grammar before sensitive actions
- Constructs payload matching server-issued grammar
-
AACL Gateway
- DFA-based validation engine
- Checks structure, required keys, entropy, expiry
- Enforces single-use constraints
-
Application Server
- Executes business logic only after AACL validation
Optional:
- AI-assisted grammar refinement (experimental)
AACL provides:
- Replay resistance (single-use grammar)
- Structural tamper detection
- State-transition enforcement
- Reduced attack surface for control-flow attacks
AACL complements, but does not replace:
- Input sanitization
- Output encoding
- Parameterized queries
- Authentication systems
The repository includes a sample transactional web application:
- Multi-user login
- Dashboard with dynamic state (user + balance)
- Actions:
- Change Password ( Doesn't have specific user mechanism )
- Transfer Money
All sensitive actions are protected by AACL.
- Replay attack → Rejected
- Modified payload → Rejected
- Expired grammar → Rejected
- Valid request → Executed
- Python (Flask)
- HTML / CSS / JavaScript
- DFA-based validation logic
- Ephemeral grammar issuance
Attacker can:
- Observe requests
- Replay requests
- Modify parameters
- Attempt structural tampering
Attacker cannot:
- Break cryptographic primitives
- Compromise server memory
- Phase 1: Language specification ✅
- Phase 2: AACL Gateway + demo app ✅
- Phase 3: Client-side SDK ✅
- Phase 4: Formal DFA validation (On-Going Research)
- Phase 5: Adaptive grammar refinement using AI (future work)
AACL explores the idea that:
Security failures in web applications often reduce to unauthorized state transitions.
Future work includes:
- Formal proofs of replay resistance
- Complexity analysis
- Scalability evaluation
- Semantic constraint extensions
- Boundary enforcement models (proxy / browser-side)
AACL does not inherently prevent:
- SQL injection
- XSS
- Business logic flaws
- Server-side authorization misconfiguration
It focuses on control-flow integrity and transition enforcement.
This project is released for academic and research purposes.
Developed as an independent research project exploring language-theoretic approaches to web security.