By using one of the above (or some other) mathematical basis, we can automatically evaluate the parameters of interest (e.g. the equivalencies of subjects, and the effect of collusions under a given configuration of a protection system) by implementing the algorithms dictated by the mathematics of the analysis. We may further augment this basic capability with a set of rules that determine whether a given configuration is allowable, given installation dependent parameters, to form a configuration evaluator tailored for a given environment. We may then form a dynamic analysis system by performing static evaluations on configurations resulting from proposed moves, and reporting on the effects. Finally, we may augment this capability with a method for proposing moves that are likely to be acceptable to the protection system while fulfilling desired information flow requests.

Since a rule based system (RBS) can be quite simple in design and implementation, it is a natural choice for implementing an automated administrative assistant. Once a basic RBS has been developed we need only provide rules for a given policy. Secrecy, integrity, and other properties of systems may be evaluated provided that rules in the RBS are mathematically complete and consistent. The architecture of such an RBS might look like the one in figure 2.

--------------- -------------- |Administrator|<------->| Move | --------------- --->| Suggestion | | -------------- | -------------- ------------- --->| Rule Based |<---Rules | Data Base |<------>| System |<--- ------------- -------------- | --------------- | |Access Matrix|<-- --------------- Figure 2 - Architecture of an Automated Administrative Assistant

This architecture consists of an access matrix, which is used by the OS to control information flow; a rule based system, which is used to evaluate moves with respect to rules and a database; the rules used by the RBS; the database maintained by the RBS; a move suggestion technique for translating administrative requests into sets of potential moves for analysis by the RBS; and an administrator who expresses desires for system behavior.

In order for a set of rules to be of practical utility, we must restrict them in at least some basic ways. If the set of rules are inconsistent, then we will never be able to make a modification because there will be no configuration for which all rules agree. If the rules are incomplete, then we may have cases where rules cannot produce a result. We restrict ourselves to a finite set of rules since an infinite set of rules cannot be evaluated in a finite time. Similarly each rule must be decidable so that decisions are made in a finite time. Finally, we require that the rules reflect the desired policy of the protection system for if they do not, they are of little use. We note that many desirable policies are in practice unattainable, and that we must restrict ourselves to attainable goals if we wish to attain them.

A simple implementation of an assistant that maintains security, integrity, and compartments, while allowing arbitrary information flow controls within those restrictions may be formed by implementing the following moves, and using the previously explored techniques to validate resulting configurations.

To add an individual, we require the minimum and maximum security and integrity levels, the set of compartments, and the maximum effect of the individual are within system limits.

Add-individual A (min-sec,max-sec, min-int,max-int,effect,comp,comp,...): Min Sec A >= Min Sec System Max Sec A <= Max Sec System Min Int A >= Min Int System Max Int A <= Max Int System Max Effect A <= Max Effect System Comp A SUBSET Comp System

To add a given user ID for individual A, we need to know the individual, the compartment, the security level, and the integrity level for the given user ID, and must verify that these don't cause the configuration to go beyond the allowable constraints on the individual.

Add-ID Ax (sec,int,comp): Min Sec A <= Sec Ax <= Max Sec A Min Int A <= Int Ax <= Max Int A Comp Ax ELEMENT Comp A Effect A <= Max Effect A

To add an information flow between from user ID Ax to user ID By, we must verify that the flow doesn't violate security, integrity, compartment, or effect constraints:

Add-flow (Ax f By): Sec Ax <= Sec By Int By <= Int Ax Comp Ax = Comp By Effect A <= Max Effect A

Although considerable mathematical work is still required to investigate underlying policy issues for static and dynamic configurations of protection systems, simple automated assistants of the sort shown above are a significant step towards eliminating errors in the administration and configuration of secure computer systems and networks. Several systems of this sort have been prototyped for administration and configuration of secure networks, and further developments along these lines are expected to follow further mathematical results.