In this paper, we extend previous results [1] in the protection and administration of information networks under partial orderings. We summarize previous results, and extend them to cover hierarchical networks. We consider distributed hierarchical administration, show a hierarchical network, and demonstrate a provably secure communications technique in which partial orderings are used to control flow, traffic analysis is minimized, local compromise does not cause global compromise, and distributed hierarchical administration works. We show means by which trusted and untrusted computing bases may be connected to form provably secure distributed information networks under partial orderings, and a risk analysis technique which takes advantage of the POset structure to reduce the complexity of analysis for these networks. We, summarize results and propose further extensions of this work.

Protection of information in modern information networks depends primarily on the ability to control the flow of information [1,2,3,4,5,6]. The partial ordering appears to be the most general mathematical structure required to accurately model the information flow behavior of a general purpose transitive information network [1]. Due to the complexity of modern information networks, manual analysis of information flow properties by administrators is impractical. Even with automated administrative assistance, large networks with a single administrator present tremendous exposures because one individual has total control, even if only at a flow policy level. In physically distributed networks, local administrators may require control over local information flow, while the global network may have higher level flow properties that must be enforced [6]. The potential compromise of a localized portion of a trusted network also makes nondistributed administration hazardous, and leads to a desire to analyze the effects of partial compromise. This leads us to the discussion of distributed and hierarchical control of information networks.

Unless otherwise stated, we assume throughout this paper that general purpose computing systems are used, and thus that transitivity holds for information flow [2]. We assume that there is no real difference from the standpoint of an information network between subjects and objects [1], and study the effects of information flow disregarding this distinction. We call the undistinguished subject/object an "information domain", abbreviated "domain". We view the effects of a human subject having access to multiple domains as a collusion between domains, and thus keep the mathematical analysis simple and yet general. The information flow relation "f" is specified in [1] as:

- Assume transitivity of the flow relation, and thus that pairs (and sets)
of domains with mutual flow are equivalent.

Collapse each equivalence class into a single domain, and get an antisymetric transitive binary algebra.

(S,{f}): (a f b) and (b f c) => (a f c) ;transitive (a f b) and (b f a) => (a = b) ;antisymetric

Note that in a structure where equivalence classes collapse, information in two non identical equivalence classes A and B can not be related so that ((A f B) and (B f A)) since this would make A and B identical by antisymetry. Furthermore, there can be no structure in which information flowing from A to B can reenter A since this would mean that (A f B) and (B f A) (by transitivity), and thus that A and B (and all other elements of this ring) are equivalent.

Thus, we have a relation "<" such that A < B iff (A != B) and (A f B). If there is a domain "b" so that not(b f b), then in all cases where there is a domain "a" so that a<b and a domain "c" so that b<c, we may eliminate domain b, and use instead, a<c. Thus we systematically eliminate any such domain from the structure without changing the effective information flow behavior. We conclude that the structure of interest is a reflexive, transitive, antisymetric, binary relation, commonly called a partial ordering, and that this seems the most general structure we can use to guarantee restricted information flow. We use the term "POset" to indicate a set whose elements are related by a partial ordering.

(S,{f}): for all a,b,c in S, [(a f a) ;reflexive and (a f b) and (b f c) => (a f c) ;transitive and (a f b) and (b f a) => (a = b)] ;antisymetric

The effective POset under transitivity is formed by applying transitivity to information flow, and is easily displayed in a matrix form. This answers the question of reachability immediately without undue complexity to the observer. We call the effective POset under transitivity a "Flow Control POset" (FCP). An example network and its corresponding FCP are given in figure 1. Domains can always be labeled so as to produce an upper triangular FCP matrix since, if there is no reordering of a non upper triangular matrix to an upper triangular matrix, there must be two equivalent entries under our transitivity assumption. Every upper triangular boolean matrix maps into a unique POset, but not all upper triangular matrices map into a unique FCP. Finally, we note that completely independent subsets of a system can exist within a partial ordering, and that many distinct yet equivalent FCPs can thus exist.

a b c d e f g a f - f f - f - b - f - f f f f c - - f - - - - d - - - f - f - e - - - - f f f f - - - - - f - g - - - - - - f Figure 1 - An FCP ExampleThe corruptive effects of domain collusion can be easily determined by ORing rows of any set of colluding domains to find their effective joint flow. Similarly, the information accessible to a set of colluding domains can be derived by ORing the respective columns of the FCP matrix.

We note that the POset in this context may be thought of as a classification scheme, just as the Bell-LaPadula [3] and Biba [4] models are classification schemes. We may have distinct yet equivalent domains in an actual system, but the distinction isn't "real" from the information flow standpoint. We must be aware of the fact that they are equivalent from a flow standpoint in order to determine their actual informational effects. We note that the POset model is designed to be used to design flow controls in a given application. That is, the application drives the need to flow information from place to place. Once the information flows for an application are established, human users may be allowed to effect or observe information in various domains in the network.

In order to precisely determine the largest set of domains which can effect a given domain in a network with time variant flow control, we assume an initial configuration of the protection system, and maintain a precise configuration that reflects the maximal set of domains that could have effected each domain after each change in the information flow (called a move). We call this configuration a "time flow configuration" (TFC), and calculate it by remembering all transitive flows into each domain for all moves as follows:

TFC @ move 0 = FCP for N>0, TFC @ move N "(A f B)" = 1 for all X,Y s.t. TFC(X,Y) @ move N-1 => TFC(X,Y) @ move N 2 for all X s.t. TFC(X,A) @ move N-1 => TFC(X,B) @ move N 3 TFC(A,B) @ move N 4 for all X s.t. FCP(B,X) @ move N, for all Y s.t. TFC(Y,B) @ move N => TFC(Y,X) @ move NOur initial TFC is just the FCP of the initial configuration, since this indicates all potential flows into each domain from each other domain under transitivity. From this point forward, every move "(A f B)", introduces the possibility that a previous information flow to A transits to B and all objects in the transitive closure of B's information flow. Rule 1 states that previous flows remain after a move. Rule 2 states that all previous flows into A are added to B. Rule 3 states that A is added to the flows to B. Rule 4 states that all resulting flows into B are added to all objects in the transitive closure of flow from B. Rule 3 is implied by TFC(X,A) => TFC(X,B) if we assume (A f A).

Except for the FCP, this maintenance of the TFC takes at most N squared time and space in the number of domains, and is linear in the number of moves considered. The FCP computation takes at most N squared time and space in the number of domains, and is performed only once per TFC calculation. It is thus quite feasible to maintain the TFC throughout the lifetime of a typical network.

By using the above mathematical basis, we may automatically evaluate the FCP, TFC, equivalencies of domains, and the effect of collusions under a given configuration of a protection system with a flow relation. We may augment this basic capability with a set of rules that determine whether a given configuration is allowable given installation dependent parameters, to form a configuration evaluator tailored for a given system. We may form a dynamic analysis system by performing evaluations on configurations resulting from proposed moves, and reporting on the effects. Finally, we may augment this capability with a set of rules for proposing moves that are likely to be acceptable to the protection system while fulfilling desired information flow requests. This results in a provably correct automated administrative assistant for maintaining policy constraints in such a network.

## 2 - Hierarchical Flow Control

A hierarchy is comprised of a set 'S' and a parent relation 'p', where:

for all s in S, 1) exists s' in S s.t. (s' p s) and 2) not exists s'' in S s.t. (s != s' != s'' != s) and (s'' p s) and 3) only one s in S s.t. (s p s)A hierarchical flow control system is a system 'S' in which domains correspond to elements of S, and s controls the flow of information to and from s' iff (s p s'). Thus each domain controls flow between all domains of which it is a parent. A hierarchy of administrators thus exists, and discretionary controls of a "parent" administrator are mandatory controls of a "child" administrator. The analysis of valid moves over time for each level in the hierarchy is used to enforce mandatory policies at that level. Information on actual configurations may be used by parent administrators to allow more accurate configuration control at the parent level, while localized control allows distribution of responsibility. We may consider a hierarchical system as being composed of a set of levels. No communication may take place between domains at different levels without the consent of administrators in each of the higher domain administrators up to the SUP of the communicating domains.

Domains which are parents of other domains are not general purpose processing domains in that there functionality is limited to command, control, communications, and Intelligence functions (C3I) required to administer the information flow within the network. The hierarchical POset given in Figure 2 and its corresponding analysis demonstrate this point.

With a hierarchical structure, we may divide the network into subnetworks which are independent except in that connections to external portions of the network exist through the consent of appropriate parents. Since a parent controls all flow to and from a child, and since the child acts as a single domain to the parent, the child sees only generically labeled incoming and outgoing information flows. Flows may be added or removed at the parents whim, with the child capable of arbitrarily using these flows from the standpoint of the parent. This independence allows each domain to be independently administered by its parent. The hierarchical structuring also decreases the complexity of administration and the potential damage caused by a wrong move by any single administrator.

--- --- |A|-------------------------------|B| (AfB) --- --- / \ / \ / \ / \ / \ / \ ------------ --------- | X---Z--o| | R---U| | / \ / | (WfX)+(WfY)+(XfY)+ | / | (ifR)+(ifS)+ |W---Y | (XfZ)+(YfZ)+(Zfo) |i-S---T| (RfU)+(SfT) ------------ --------- / \ / \ / \ -------------- |i1---D--- | | \ \ | (i1fD)+(i2fE)+(EfG)+ |i2-E---F o2| (DfF)+(EfF)+(Gfo2)+(Dfo2) | \ / | | G--- | -------------- Figure 2 - A Hierarchical POset NetworkIn figure 2, we show a hierarchical POset network and the corresponding flow relations (ignoring identity flows). Note that external flows are designated by generic "i" and "o" domains. The corresponding access matrices are provided in figure 3. The final access matrix in figure 3 is the combination of all of the hierarchical access matrices with generic inputs and outputs replaced by the actual flows, and is thus the access matrix of the entire network. Domains representing branches in the hierarchy are eliminated as they are C3I domains, and can't themselves flow information to or from other domains (except possibly through covert channels).

\ A B \ W X Y Z o \ i R S T U ------ ---------------- ---------------- A | f f W | f f f - - i | f f f - - B | - f X | - f f f - R | - f - - f Y | - - f f - S | - - f f - Z | - - - f f T | - - - f - o | - - - - f U | - - - - f \ i1 i2 D E F G o2 \ W X D E F G Z R S T U ----------------------- ---------------------------------- i1 | f - f - - - - W | f f - f - - - - - - - i2 | - f - f - - - X | - f f - - - f - - - - D | - - f - f - - D | - - f - f - f - - - - E | - - - f f f - E | - - - f f f - - - - - F | - - - - f - - F | - - - - f - - - - - - G | - - - - - f f G | - - - - - f f - - - - o2 | - - - - - - f Z | - - - - - - f f f - - R | - - - - - - - f - - f S | - - - - - - - - f f - T | - - - - - - - - - f - U | - - - - - - - - - - f Figure 3 - Hierarchical Access MatricesFigure 4 shows the effective POset resulting from applying transitive closure to the network shown above. Note that no single administrator in the network is capable of computing the effective flow matrix of the entire network from only local knowledge.

\ W X D E F G Z R S T U ---------------------------------- W | f f f f f f f f f f f X | - f f - f - f f f f f D | - - f - f - f f f f f E | - - - f f f f f f f f F | - - - - f - - - - - - G | - - - - - f f f f f f Z | - - - - - - f f f f f R | - - - - - - - f - - f S | - - - - - - - - f f - T | - - - - - - - - - f - U | - - - - - - - - - - f Figure 4 - The Effective POset from Figures 2 and 3To further limit the arbitrary use of flows without explicit structural knowledge provided to administrators, an expert system of the same sort provided in [1] may be used with a set of rules which are to be enforced on the global access matrix. The computation of transitive closure, time transitivity, and other required factors may be carried out within the assistant without any administrator being aware of more than a subset of the global information. Each administrator may independently assure themselves that the matrices presented them meet their flow requirements, and local administrative assistants may be used by local administrators for added assurance.

In the hierarchical case, the network wide automated administrative assistant is augmented to maintain a set of access matrices, rules, databases, move suggestion methods, and administrators. If global information flows are of import, a global access matrix may be generated for each RBS checking procedure, and global computations may be performed. Cases may arise where perfectly reasonable flows from each administrative perspective are turned down by the global administrative assistant because of global information effects (e.g. the total number of transitive flows to a given node are limited to a global maximum so as to limit the potential for illicit dissemination). We may be forced to automate the process of suggesting modifications to the network so as to allow local requests to be fulfilled whenever possible without a large number of trials being rejected by the global administrative assistant.

--- --- --- --- --- --- |A| |A| |A| |A| |A| |A| --- --- --- --- --- --- | | | ... | | | --- --- --- --- --- --- |I| |I| |I| |I| |I| |I| --- --- --- --- --- --- | | | ... | | | ---------------------------------- Dbase----| |---Rules Dbase----| |---Rules Global Dbase--| RBS |-------Global Rules Dbase----| |---Rules Dbase----| |---Rules ---------------------------------- | | | ...|... | | | --- --- --- | --- --- --- |M| |M| |M| | |M| |M| |M| --- --- --- | --- --- --- --------------- |Global Matrix| --------------- Figure 5 - A Hierarchical Rule Based AssistantAn architecture for a global rule based administrative assistant for hierarchical POset networks is given in figure 5. Note the multiplicity of administrators (A), move suggestion methods (I), rules, databases, and access matrices (M), and the presence of a global set of rules, access matrix, and database. Alternative architectures are plausible, and further work is needed to determine the optimal architecture of such an administrator for a given set of applications. The design given is simply used to demonstrate the principal, and to illustrate the global nature of some of the information used in the global restriction of data flow properties.

If there are no global requirements that can't be expressed in terms of purely local requirements, we may construct a distributed administrative assistant with completely independent administrative domains. If we can express global requirements in terms of the requirements of a proper subset of the network administrators, we may construct a distributed administrative system in which multiple administrators effect varying subsets of the network, but still avoid a global administration system. This class of distributed administrative systems does not require that hierarchies of administrators exist, but the analysis is significantly complicated with the introduction of loops in administrative dependence. The potential exists for a seemingly rational set of local rules to produce inconsistent results in the global network, and it is fairly clear that the problem of determining the behavior of such a system is NP-complete in the general case. Further work is needed in this area.

The hierarchical administration of systems suggests a network flow control scheme that would reduce traffic analysis and routing problems. The scheme is to flow information towards the root of the C3I tree as far as is appropriate, and then back down the appropriate branches to the recipient. The reduction of traffic analysis comes from the use of multiple encryptions wherein the sender successively encrypts (recipient,data) pairs with the public keys of the successive recipients of the message. Each recipient can only remove one level of encryption, and thus can only know the routing information required to make the next routing decision. Figure 6 shows an example hierarchy in which we wish to send a message (Mb) from B to D.

+-+ |A| +-+ / \ +-+ +-+ |B| |C| +-+ +-+ | +-+ |D| +-+ Figure 6 - An Example Message Routing in a Hierarchical SystemThe encryption, decryption, and routing for this scheme are given below. We assume that public encryption keys Ex for each domain 'x' in the system are globally available, and the the corresponding decryption keys Dx for each domain 'x' are private to x. The RSA cryptosystem [8] might be used for this purpose, but any sufficiently secure public key system would suffice. Note that at each phase of the routing, only a single step of the routing is known to the involved domain. In particular, the local decryption of a message only reveals the next receiver to the holder, and missending the message doesn't allow any further routing or decryption.

Mb - message at B B creates Ea(C,Ec(D,(Ed(Mb))), and sends it to A A does Da(Ea(C,Ec(D,(Ed(Mb)))), and gets C,Ec(D,(Ed(Mb))) A now knows to send Ec(D,Ed(Mb)) to C and does so C does Dc(Ec(D,(Ed(Mb)))), and gets D,(Ed(Mb)) C now knows to send Ea(Mb) to D and does so D does Dd(Ed(Mb)), and gets the original message Mb!Flow in such a network may be limited by restricting access to public keys so that A has Ex iff (A f x), but this makes the routing problem significantly more difficult in that each key along the route from the root of the tree to the recipient domain must be in the set of domains that the source of the message may flow to. Since all messages to non children must pass through a parent, parents have flow control over the transmission of messages.

In a trusted network such as that described above, a network domain 'N' could reside in parallel with each domain so that information passing through a portion of the tree need only have the public key of N. This allows information to pass through the network without effect on intermediate domains, and thus the public keys for routing domains could be provided globally without requiring flow to all of the intermediate domains. In the case of a compromise in a network domain, only local routing information would be lost, and thus massive collusion is necessary in order to attain complete message paths for any significant portion of the network.

## 3 - Flow Between UCBs and TCBs

We now consider the problem of connecting trusted computing bases (TCBs) and untrusted computing bases (UCBs) [5] to form a network which enforces POset properties. Two communications environments are considered; those with trusted paths, and those with untrusted paths [7]. Simple design rules are given for the connectivity of systems, and these rules are extended transitively to networks.

The implementation of a POset based TCB appears to be straight forward. As an example, we could use a standard FCP matrix in which we force the matrix to be upper triangular in hardware. A simple implementation technique would be the use of ROM for the lower triangular portion of the matrix, or a matrix access algorithm that refuses requests to write into the lower triangular portion of the matrix. We could augment this with a set of mappings (collusions) between humans subjects and domains which would serve as a basis for collusion analysis and permit automated administrative assistance.

In an untrusted computing base, we cannot trust the system to prevent flow between domains, and therefore, from the standpoint of systems which flow information to or from a UCB, the UCB must be treated as a single domain. This is proven mathematically as follows:

by assumption, for all domains "A" and "B" within the UCB, (A f B) and (B f A) From antisymetry for all "a" and "b" [(a f b) and (b f a) => (a = b)] thus A=BIn an environment with trusted communications paths, two UCBs can communicate iff they are the same domain. If we have a means for unidirectional communication, we can further permit UCBa to communicate to UCBb iff (a f b). In such an environment, we can form a POset TCB by using the physical properties of unidirectional connectivity to protect information from illicit flow, and the physical structure of the network to form the POset. Figure 7 shows these conclusions pictorially.

UCB UCB UCB ----------------- ----- \ / ----- | --- \ / --- | | A |<-X->| B | | |A| X |B| | ----- / \ ----- | --- / \ --- | ----------------- UCB UCB UCB (AfB) UCB ----- ----- ----- ----- | A |<--->| A | | A |---->| B | ----- ----- ----- ----- Figure 7 - Flow Rules Between UCBsIn the case of TCBs communicating in a trusted communications environment, we may permit any domain (A) in TCB1 to communicate to any domain (B) in TCB2 iff (A f B). Again, this requires unidirectional communication. If bidirectional communications are used, we may only allow connections of the form:

(A f B) if A=B since, by antisymetry [(a f b) and (b f a) => (a=b)].As shown above, for any UCB (X), X must be single domain (Xd). UCBs they can be used for passing information, so long as:

for all domains A that flow to X, (A f Xd) AND for all domains C that X flows to, (Xd f C) Figure 8 shows examples of legal connections: TCB TCB UCB TCB ----------- ----------- --------- ----------- | --- | | --- | | | | --- | | |A|<----------->|A|<------------>A | +------|A| | | ---\ | | ---\ | +----/ | | | ---\ | | --- | | --- | | | | | | --- | | |C| | +------->|C|<---+ --------- | | |C| | | --- | | | --- | |+-------->--- | | ---/-------+ | ---/ | UCB || | ---/ | | |B|------------>|B|--------+ --------- || | |B| | | ---\ | | ---\ | | | <-----+| | ---\ | | --- | | --- | +----->C<------+ | --- | | |D| | | |D| | | | | |D| | | --- | | --- | | | | --- | ----------- ----------- --------- ----------- Figure 8 - Connections Between TCBs and TCBs or UCBsAn implementation of unidirectional communications between TCBs that is particularly appealing is one where the domain being flown to (B) provides a public key to the domain being flown from (A). This must be done in trust of the A's TCB (TCB1) to prevent the key from being used to communicate information from B to A. The appeal of this scheme is that we guarantee that flow goes only to B regardless of violations in TCB1. This does not guarantee that a violation in TCB1 will not allow other domains to communicate to B, but assures that no flow can occur from TCB1 to a domain in B's TCB (TCB2) that does not exist in TCB1. Thus we protect the integrity of some of the data in TCB2 even if TCB1 becomes untrusted.

Because the POset has the transitivity property, a network comprised of TCBs and UCBs connected by the above rules will maintain the flow control properties of the network's POset. In the case of a violation of the POset policy within a TCB, the damage to the entire network can be no worse than making all domains in that TCB equal since:

for all domains (Dx,Dy) in the TCB, (Dx f Dy) and (Dy f Dx) => (Dx = Dy)Any violation in a UCB effects only that UCB's domain. We may straight forwardly use collusion analysis to determine the effects of flow violations and time transitivity. In fact, the use of a computer network to implement an information network in this case is completely transparent, and all analysis that is operative in the information network applies directly to the computer network. Thus we may connect computer networks without loss of assurance so long as we follow the connection rules, again because of transitivity.

In a network with untrusted communications paths, we may encrypt and authenticate connections of the same form as those in the trusted communications case, and we will still have an appropriately connected network with the transitive flow protection properties stated above. Some care must be taken to assure that the cryptosystems offer sufficient protection for the application at hand and that communications protocols do not introduce covert channels. The sufficiency of cryptosystems is application dependent, and has been covered in previous works [5] [7] [8]. A scheme with arbitrary delay on end to end confirmations and a constant portion of system time and space dedicated to the network functions would tend to reduce covert channels, but their complete elimination is unlikely.

We may also attempt to form a communications scheme in which we pass information through domains which are not supposed flow from or to the communicating domains. If we ignore the traffic analysis and routing problems, have a suitable end to end encryption and authentication technique, and use only TCBs for encryption and decryption, we should be able to form a network with any physical connections we desire. This places a high degree of risk in the cryptosystem, and does not prevent denial of services attacks, etc. This is an appropriate topic for further research.

In our method, we include a "network" domain in each of the computer network's TCBs and use the RSA [8] for authentication and encryption. To flow information, we forcibly encrypt it with the recipient's public key and authenticate it with the sender's private key. We then flow it to the network domain. This domain is limited to network functions and must be proven correct. Normal routing operations are then performed to communicate with other TCBs and flow information to the appropriate recipient, who may decrypt information using the sender's public key for authentication and the recipient's private key for decryption. Since the encryption and decryption functions as well as the key distribution are provided for by TCBs, domains may only communicate to appropriate domains. Since only the recipient's TCB has the recipient's private key, and only the sender's TCB has the sender's private key, the previously stated network assurances are maintained. This is analogous to the analysis of more restricted cases [7], and similar problems, solutions, and restrictions apply in these more general networks.

## 4 - Risk Assessment in Distributed Domain Networks

In a network based on distributed domains, communication, and thus the ability to disseminate and modify information are limited. If we assume that the system is properly implemented and that external attackers are successfully thwarted by common techniques, we are left with the effects of internal abuse. We note that our discussion is based on the launching of attacks by individuals or groups of individuals, but the method works equally well in the analysis of accidental leaks and corruption of information.

Since individuals in such a network may access multiple domains, it is convenient to consider individuals as collusions of domains. We may quickly see that the maximal effect of an individual is the combined transitive effects of all domains which that individual can effect, and that the maximal dissemination is the combined transitive domains effecting the individual. To consider groups of individuals who might collude to launch an attack, we assume collusion and treat them as a single individual.

In order to assess risk in such a system, we consider corruptive effects and dissemination effects independently, and the add them for the joint effect. Just as in standard risk assessment techniques [9], we assign dollar values to resources and probabilities to attacks, but unlike the standard analysis, we have a firm basis for separation of resources, and thus a means for reducing the complexity of analysis. Our technique is then quite simple:

Assign each domain a dissemination value (Vd) and a modification value (Vm) which correspond to the financial value of illicit dissemination and modification respectively.

Assign each human subject a yearly probability of illicit dissemination (Pd) and a yearly probability of illicit modification (Pm) which correspond to the likelihood of a successful attack of the type described being launched by each individual in a given year.

Determine a yearly expected loss for each subject (Ls) as the sum of Vd*Pd for each domain which can flow to the subject and Vm*Pm for each domain which the subject can flow to. This is easily done by using collusion analysis where a subject is represented as the collusion of all flows to and from that subject's domains.

Determine the system wide expected loss (Lsys) as the sum of Ls for all subjects 's'.

To reduce Lsys, we have a number of alternatives, combinations of which may lead to optimizations. The technique indicates that Lsys may be reduced by the following techniques:

reduce |s| - the number of subjects with access, without increasing the access of the remaining subjects.

reduce Vd, Vm for domains - the values of domains, perhaps by eliminating unnecessary information or making more domains with lower individual values.

reduce Ls - the expected loss per individual, perhaps by separation or reallocation of duties

reduce Pd, Pc - the likelihood of employee attack, perhaps by increased background checks or increased security awareness.

We note again that we assume that we have implemented a provably correct flow control system, and that it is operating properly. Thus, we are considering the "normal loss" expected of a system. A mathematical programming package might be well suited to the optimization of this type of system. The optimal solution of this problem appears to be quite complex, and further work in this domain might be of some interest. Finally, we note that determining the probabilities of attacks is essentially impossible without good statistics, and since this is so critical to accurate prediction, it is a limiting factor in any such technique.

We have extended previous results in structuring information networks for protection against illicit dissemination and modification to include distributed and hierarchical administration whereby the threat of even administrators may be reduced significantly. We have shown a method of routing information in these networks which prevents all preventable traffic analysis, maintains a high degree of security and integrity, and allows distributed and hierarchical administration. We have shown the connection rules for forming trusted POset computer networks with trusted and untrusted flow control computing bases. We have given a risk analysis technique which takes advantage of the mathematical structure of POsets to reduce the complexity of analysis and optimization, and shown that specific risk reduction techniques are indicated because of the mathematical results.

We conclude that the design of provable secure distributed information networks based on POsets with distributed administration is feasible, and that the use of such networks may significantly reduce the risk due to illicit uses of information networks. We further conclude that a significant research and development effort will be necessary in order to bring this type of network into fruitful application.

Further research will be required in order to design practical systems of this sort. In particular, the derivation of a method for the generation of moves for analysis by automated administrative assistants is a significant problem. The use of distributed administrative assistants without global knowledge depends on the development of policies for flow control which are adequate for the desired result while not requiring global knowledge. These policy developments are critical to the eventual use of these networks, and basic research in this area is required to establish the classes of policies that make this feasible. Approximations of globally dependent policies to localized independent policies also offers considerable hope, and is of considerable interest to other areas in distributed processing. The extension of these results to administrative POset dependence rather than hierarchical dependence are likely to coincide with the development of better understanding of policy limits.

Cryptographic protocols for operation in these networks must be detailed and proven secure. Results in this area are dependent on a cryptographic protocol theory which has yet to be fully developed. Minimization of expected loss and cost benefit analysis in the implementation of available techniques is required if the ramifications of design and policy decisions are to be well understood.

[1] F. Cohen, "Protection and administration of information networks with partial orderings." Computers and Security, V5#3, 1986

[2] F. Cohen, "Computer Viruses", Dissertation at U. of Southern California, Jan. 1986

[3] D. Bell and L. LaPadula, "Secure Computer Systems: Mathematical Foundations and Model", The Mitre Corp. 1973

[4] K. Biba, "Integrity Considerations for Secure Computer Systems", USAF Electronic Systems Division, 1977

[5] M. Klein, "Department of Defense Trusted Computer System Evaluation Criterion", 1983, Department of Defense, Ft. George G. Meade, Md.

[6] Proceedings of the Department of Defense Computer Security Center Invitational Workshop on Network Security, New Orleans, La. March 19-22, 1985.

[7] F. Cohen, "A Secure Computer Network Design", Computers and Security, V5#3, 1985

[8] R. Rivest, A. Shamir, L. Adleman, "A Method for Obtaining Digital Signatures and Public Key Cryptosystems", CACM V21#2 (Feb. 1978) PP120-126

[9] T. Saltmarsh, P. Browne, "Data Processing - Risk Assessment", Advances in Computer Security Management, V2, 1983.