Decidable Administrative Controls based on Security Properties

It is a desirable goal for a protection system to be expressive (providing the desired protections), robust (enabling the system to change without invalidating protections), and analyzable (so it can be understood which protections are provided). Of particular interest in analyzing a system is the decidability of security properties. If the system is not analyzable, how does one know what protections are being provided? Protections can be provided at two levels: the ordinary privileges and the ability to change the system via administrative controls. Administrative controls provide a graceful means to perform the inevitable modifications to the system, that is to provide robust protection systems. To date, existing protection systems are able to achieve at most two of expressibility, robustness, and decidability. In this paper, we explore administrative controls which enable the security properties of information flow to be selectively enforced, and show that they have decidable information flow security properties, thus simultaneously achieving all three of these goals.