The effectiveness of an access control mechanism in implementing a security
policy in a centralized operating system is often weakened because of the
large number of possible access rights Involved, informal specification of
security policy and a lack of tools for assisting systems administrators. H
erein we present a logical foundation for automated tools that assist in de
termining which access rights should be granted by reasoning about the effe
cts of an access control mechanism on the computations performed by an oper
ating system. We demonstrate the practicality and utility of our logical ap
proach by showing how it allows us to construct a deductive database capabl
e of answering questions about the security of two real-world operating sys
tems. We illustrate the application of our techniques by presenting the res
ults of an experiment designed to assess how accurately the configuration o
f an access control mechanism implements a given security policy.