All right, thanks for your patience. You're probably wondering... I kind of know how that helps a lot. If you don't plug the cord into your computer correctly, it's hard to record; it wasn't plugged in all the way. It's similar to programming, right? Hard to record if you're not using it correctly. Okay.

So we have maybe like 10 more minutes or so on the overview. There are a few things we kind of closed on Tuesday with an interesting question at the end, but we'll talk about some other things and then we'll return to that. So we're still talking about security, and we're talking about... So why do we care about laws or customs? Do those factor into, let's say, security analysis, security decisions, any of that? If they're part of a bug bounty program, then you might not be able to reward them. Yeah, it works. You may be thrown in jail for breaking into somebody's system without their permission.

So we can think about this as important to understand from an offensive angle. Let's say, as a security researcher, somebody who's trying to maybe find bugs in systems. Oftentimes you can work as a pen tester, so people will hire you to break into a company's... like, the company itself will hire you to break into their own systems. And other than that, there are bug bounty programs that they have. We'll go over them in a bit, but... So basically, the company gives you the right to test their systems as long as you follow their regulations. And if you're not following their regulations, then they can maybe come after you for breach of that.

People at the right can see something. They might want to expose some of that in ways that I don't want to. Interesting. Do you have an example in mind? If you could keep it in a completely secure database off the network, that would be a lot more secure than keeping it on the network. So the idea would be, if there are laws... let's say, maybe a good example would be a medical database with medical records, like maybe for security reasons.
You want to keep that off-site in a secure facility, but of course, if people can't access their medical records, that's a huge problem, right? Then they can't get the proper care they need. I'm sure there are probably some kind of laws against that. Interesting. So yeah, there may be laws that impact what kind of mechanisms or policies we can put in place. So I guess the question is, how do those things actually exist, and do they make a difference?

Anybody work at a company? Do you have a computer that you use at that company? Do you think they're tracking, or do you know if they're tracking, the websites that you visit? Do you know how they're doing it? It shouldn't be the case, because we're using HTTPS, but does anybody have a corporate machine that they can hold up? We won't ask you the corporation. We don't have security policies that are dictated by the organization, software that's pre-installed on it. What they'll do is they'll put a certificate on your device that your device trusts, and then they'll have an endpoint that actually terminates your SSL connection. Essentially it performs a man-in-the-middle on you, but your computer thinks that the trust chain leads to the certificate that it got. So this way they can monitor all your traffic, see all the websites you're visiting. Make sure you're happy.

Shouldn't there be laws against that, and then we just talk about it? It's their device. It's their device, so they can do whatever they want with it? You don't have to work there. Don't you sign a user agreement when you accept a device? Yeah, you probably signed some user agreement or something; maybe it was buried in the terms of your employment on page 5 of a 50-page document. Yeah. As long as you're not doing anything, like, tremendously illegal, what's the matter? You're buried in anonymity. There's not going to be somebody going through every single website you visit by hand. There are too many connections.
Unless you're doing something to draw attention to yourself or give them a reason to have to look at your machine. But what about, let's say, going to visit LinkedIn from the company, and they can maybe plot your LinkedIn usage versus other people's and see when you spike. They can do this automatically, without looking at the traffic, without looking at it manually. Then all of a sudden you get pulled into your manager's office: are you unhappy here? Then maybe actually the more subtle thing would be if they start putting you on an unimportant project. They just start sidelining you into things that aren't mission critical to your customers.

Government surveillance. Government surveillance. What are you believing to be... do you have any specifics? I remember there was a country where they had, I think it was, they managed Google or something, and so people were getting certificates that were not necessarily Google's, but it was like they'd go to Google but their government could still know what they were searching. It was to find some group that they were searching for. Yeah, so kind of thinking about it now, up from an organizational perspective to the country level. So the laws of the country could dictate what they can and cannot do, whether they can do large-scale surveillance on this order, or whatever they can do. I remember that story but I don't remember the country, if anybody remembers. Feel free to say something.

What other laws could impact, let's say, your ability to secure, defend an organization? Yeah. What was the name of the law again? Oh, nice. Did you just make up that acronym? Yeah, so you may actually have more requirements if you're not threat modeling and thinking about the laws that apply to you. Maybe you're leaving yourself open to liability risk that you should be aware of. Yeah.
There was an interesting story about GDPR where someone pretended to be making a request on someone else's behalf... well, they were making a request as if they were that person, for their data, and the company was legally forced to provide that. So it was kind of a gray area of what the requirements were. Yeah, so with GDPR, if anybody hasn't heard of that, that's something that the European Union has kind of dictated, a whole set of privacy laws, some of which I don't remember all the details of. Some of which is, you have the right to access, like, get a copy of all the data that the company has on you. You also have the right to deletion, so they have to be able to delete you if...

Was anybody involved in any GDPR work at a company? I've heard some horror stories from... Oh yeah, you were? We're making an application for companies to use. Oh, interesting. Awesome. Yeah, so I had a friend who worked at a company and he said that it was really cool to... Because you have this thing of... Let's say you have an app that's, like, whatever, a chat app or something, and you have groups with group names. Those group names are now considered GDP... What's the acronym? GDPR. GDPR, yeah, sorry. GDPR-relevant, and so now you can no longer host those names. Those names have to be considered sensitive, and so you have to re-architect a lot of their app. So countries might require you to put in a backdoor and no longer host those names.

Yeah, so a country could force you to insert a backdoor in your system? Why would they want to do that? Well, if it's a country, it could be for criminal reasons, such as they're doing some sort of black marketing and they just want to... Hopefully the opposite, so, like, law enforcement, right? So to catch criminals, right? They want law enforcement access, right? So you have to understand, as a company, what are your legal obligations, what are you required to do, what kind of things can you use to protect yourself?
You could actually think of maybe architecting your application in such a way that it's impossible for you to get that data, right? So, I mean, it'd be possible if you're not storing data; they can't request any data that you don't already have. But yeah. So all these things are important things to figure out.

So, other crazy things that may be crazy: it used to be, I think even in the US, that there was an export law on cryptography. So certain cryptography algorithms and software could not be shipped outside of the country. There was a weird exemption that I remember, which was that books were fine. So they would print the source code of crypto software into books and then ship those out of the country, and then people on the other side would type those back in. So, fortunately, the US has gotten away from this a little bit, of mandating crypto and cryptography and these types of things.

So, let's use an example. Let's assume, whatever, you had to as a company... or let's say for every encryption scheme, whatever, the US government wants to be able to access that, so they want some key. What are some of the threats or reasons, maybe, for or against that? Right, so yeah, so you could say... so one side, on the against, to paraphrase, would be maybe the government is unfairly targeting people, or targeting people for political reasons, not law enforcement reasons. So you would have... maybe you could say then, well, but we'll put some checks and balances there, where you have to go before some impartial judge to prove your case before you get access to this key. Yeah. You might lose the key. That's actually a threat; maybe that's a good thing, right? Yeah, so that "lose" is kind of an interesting thing, right? I guess, lose control of the key, so could you then revoke that key on every single piece of encryption that exists in the country easily? It's hard enough to get people to update their Microsoft Windows, or whatever, on time.
Kind of like a betrayal to the customers, too, that you're selling them something that, you know, is supposed to be private, when the whole time you're just handing out the actual key to someone else. Yeah, that's maybe exactly it. It's going to put you at a business disadvantage compared to other countries, right? Your customers may go and buy products from another country that doesn't have these restrictions. Yeah, so these are kind of all the arguments, and there are more "for" arguments, and there are more cases where, you know, you could take it to whatever, terrorism or whatever bad thing that you want, that law enforcement would really want access to these things.

Interesting question to consider. So you're an administrator of, let's say, a student cluster or a student whatever system. Because there's some... does general still exist, the ASU system? Yes. Okay, cool. So let's say you're an admin of general and some student says, yeah, I have a problem, whatever, logging into my home directory, or there are weird problems. So that's on one hand. On the other hand, there are privacy laws that protect student information and student data. So what if they go in and they see, whatever, your homework or your grades or something? Could that restrict them from doing their job? Like, is there a trade-off between privacy and the company, the organization, needing to do what it needs to do? Doesn't that fall into purpose, and they just have to remain quiet about whatever they see? Yeah, so maybe there's purpose stuff; maybe we're in a different country, so different laws apply that require different things. Yeah, that could be one thing. What else? Yeah, so the response was, well, maybe then you could have a policy where you have training strategies for your administrators so that they're aware of this, they're aware of these laws, so that they can work around it. Yeah, these are all great things.

What's the difference between a law and a custom?
Yeah, yeah, still you, sorry. Okay, I think that's something that's possible, I guess, to enforce; customs are like goodwill or just, like, previous practices. Okay, so, like, codified law versus, let's say, I don't know, standards of behavior, or maybe you have, yeah. I just want to say kind of like a custom, like a social norm of the country, wherever you're at, just an expectation. Right, so, like, it may be legal... I don't know if this is, but it could be legal for me to say I'm going to search through all of your computers because I'm worried about plagiarism in the class, so I'm going to check all of your computers every time you enter this room, let's say. Right, that could be something that's legal; I actually don't know, so don't quote me on that. It's probably not, but let's say it is for now. Is that something I'm probably likely to do? What prevents me from doing that? What was that? Time? Yeah, definitely, but what else? Let's say I really wasn't kidding about plagiarism. Yeah. You'd feel a little weird? Yeah, it feels really weird, right? It violates, like, social norms and customs. Like, I don't want to see everything that's on your computer, trust me. And you shouldn't want me to see it either, so it's good; we should have this separation. Right, but these are... so anyway, these are kind of related topics to think about in terms of security: yes, there may not be legal reasons why you can't do something, but there are societal norms, and they may vary from place to place, which I think is interesting.

Okay, let's talk about microchip implants for one more second, because I think this kind of ties into these things. And if you want to implant a microchip in your finger... sort of, the present comes to this. So we talked about this at the end on Tuesday.
So the company did this to their employees; they're in Sweden, so you could say our laws don't apply, or I'm sure some laws apply, but so that they can get access to buildings; they don't have to lose a key card, all that kind of stuff. Yeah. Fascinating, faster. Yeah, so a pro would be that it's easier, right? It makes your life easy. You just don't ever need to forget your key. Yeah. Yeah, so it could be more secure, right? It kind of depends, again, on what the actual mechanism is, how that works, but yeah. You could think of it... we can say definitely it's a lot more difficult to lose your finger than it is to lose your key card. You can still lose your finger. I guess one, versus the key card, is it's more discreet, because people can't see where you work, in terms of tattoos. Interesting. So another thing, yeah: I don't know if this is a problem here; it definitely is in San Francisco. If you go out, you can see people wearing their company key badges, and so you can see exactly where everyone works. It's kind of weird. Bad from a security perspective, yeah.

I guess a bad side of it would be that it's the company forcing its rules onto your personal body. Yeah, like, where does it end, right? I mean, would you do it? So keep, like, whatever, a microchip; what about a tattoo; what about, I don't know, I guess we get sci-fi, like cybernetic implants or something; what about your phone, what if they then implant and force you to run some stuff on your phone? Yeah, well, like, another con argument would be the company's putting it in there, so, like, I don't know what the company... like, I don't know if they have, like, a tracker in there.
Yeah, exactly, you don't know what else is going on in this thing, and maybe it's actually tracking your location. So you're... and they're like, hmm, I see that you're only spending six hours a day at work but you're logging eight hours into the system; why is that? And they would know that because of the geolocation, right? I mean, but aside from losing your badge or anything, it still has the same issue that RFID has, right? Because you could still copy what's going on in the person's microchip, effectively. You would say, if it's super secure, whatever, it's got a burned-in key in there that you can't get out without having to try it; but you could assume that. But yes, there could be problems, right, and that's one issue.

Let's go, in the back. Yes, you've made the person a target instead of something. Yeah, so that's, I think somebody mentioned that, about the risk of getting your finger cut off to get access to the company. Like, with a car you can just say, take the car, right? More difficult to say, just take the finger. So how do we... do they take it out after you get fired? Yeah, do you have to, like, get surgery, and then get hired back six months later, and then they can put it back in? At a certain point they start running out of fingers to put it in, and yeah, that's kind of weird. Does the finger have to be cut off to replace things? Yeah, let's say it's uniquely identified, so it's like a badge that identifies you as a person. So if you stole my key card, I don't have to get... well, I'd get a new one; but that would definitely be work, yeah. Definitely, on this security system it's a lot easier to change out key cards like this. Yeah, if you upgrade the system, right? So if you upgrade to some next-gen key cards that have better encryption, you just give out some, versus issuing new microchips that go into people's hands or fingers; although maybe, on the flip side, it's actually easier to update the software on a microchip that's running in your finger.
Just run everyone through and update it if you get something. Anyway, this is a cool topic. Sorry, I'm not going to have tons of time to spend on this; we've already spent more time than I thought.

The other thing I want us to think about is that security doesn't happen in a vacuum. This is something that we try to talk about a bit with kind of the trade-offs of security, but also the human issues. So let's say, think about an organization. So you're in charge of securing some organization. Why do you care about humans? Shouldn't you just be caring about, like, operating systems and updates and patches and all that stuff? Yeah, so you can worry about it from a threat standpoint: humans are the ones that make the mistakes. What else? Software doesn't really have motivational issues; humans do. So you can motivate somebody to do something that they probably shouldn't be doing. Interesting, that's a very good way of putting it. So you have to worry about the motivations of your employees. If you're talking motivation in terms of getting bribed to do something, that could be one thing to worry about. What else? Let's say it's not about your work; you're not necessarily worried about the employees themselves becoming targets or something. Is it really complicated system-building to conquer the humans? If the system is so cumbersome, they'll try to find ways around it. Right, so human behavior: holding doors open.

What about, how much money do you have to secure your organization? The things you were talking about in the last part are actually tangible risks in increased security. So it's really hard for you to allocate sufficient funds, because "we're going to make extra money; we can't spare the extra 7% for security." And this ties in a little bit to budget. So where's your money coming from to run the security organization? Is it not coming from the sky?
It's coming from a person in the company who decides to give you a budget. Who is that person? What's their relationship? What's the organizational structure like? So think about who's responsible for security in an organization. Let's say it's the head of IT who's in charge of security, and they have a whole security group under them; they report to some VP of IT, who reports to some president of whatever, who reports to the CEO. How's that different from somebody like the chief information security officer who reports directly to the CEO? Yeah, so if you're regularly meeting with your boss, the CEO, who's supposed to be the one that makes all the decisions, and you say, you know, we really need to increase the security budget for these problems, like, we don't want to become another Equifax or whatever, that person has the authority to say, okay, I will, whatever, give you another 5 million, or double your budget, or whatever you need. Versus if you're way down the food chain and you have to convince your boss, who has to convince their boss, who has to convince their boss, who has to convince somebody; it's a lot more difficult. Also, yeah, please. And then there's another issue with that chain, which would be, I mean, the lower down, the more technical the person; the higher up, the more abstracted from it. So the message will be watered down by the time it reaches whoever makes the actual decision. Yeah, you're going to play the game of telephone, right? Could be a problem.

What about thinking about it a different way? So let's say you're developing some software and you have a security group, and part of your security group does essentially red teaming, bug finding, on your application, and they find a remote code execution, a really bad vulnerability, in your application. And what happens? Does that bug get fixed? Does that convince the development team to prioritize that bug?
Yeah, you have to actually... right, you can't just go in and change it. You're the security group; you're probably separate from the development team, who's trying to crank on features to make their deadline, and now you come in with this insane new bug or crash that's probably very complicated, and so oftentimes they'll tell you to go away, right? Or they'll be like, we'll fix it maybe next cycle, especially if you don't have a proof of concept that shows exactly why it's so bad, right? So that's again another organizational structure question: what does the organization of the company look like, and how does security relate to development and all these other places, right? And these are insanely important things to think about; otherwise you'll just be spinning your wheels finding stuff that doesn't get fixed. These are not hypothetical concerns; these are concerns I've heard from people who work at companies: budget, organizational power, who enforces security. Great, cool. I think we covered all these issues. Yeah, humans are tricky, but they are very important.

All right, that was twice as long as... all right, on to access control. All right, so what is this? I think earlier... so somebody kind of refresh us a little bit. What do we mean by access control? Who's allowed to access what, and what was that last part you said? And maybe from where? Yeah, so who's supposed to access things, who's not supposed to access things; the "from where" is very interesting; and how does this tie in with policies and mechanisms and all that stuff we've been talking about, right? So that's actually great. The tool argument, can you say it again? So people in certain positions can have access to some tools, but if they don't have access to those, they can have access to other tools. Yeah, so, okay, so yeah, or data, I think, is another way to think about it. So this happens in law firms. Law firms have pretty strict conflict-of-interest rules that can come up. So, if you've defended a client and you've had access to their information, you can't
now be on the other side of that client, right? So they don't want you to have access to both of those sets of information; that's unfair. So they actually have access control policies and stuff in place to handle this.

So let's talk about an example. So we have a university's academic integrity policy that disallows cheating. That's probably true, right? Most universities have this, I think. So this includes... so the policy says it includes copying homework with or without permission. Some random, whatever, computer science class has students do homework on a shared server; we'll say it's similar to general.asu.edu, so it's a server everyone has access to. So student A forgets to protect their homework file, and student B copies the file. So actually, who did something wrong? Both. So student A for not protecting their file, student B for copying it. The administrator, for allowing... creating a system such that student A can make their files readable by other people. That's probably fair; everyone's liable. Down to the professor for making you do the homework. The professor for making you do the homework. Just assume that there's somebody in charge of all of us. Okay.

So I think all of these are interesting things. So we have this high-level policy, and inherent in this policy there are some access control rules about who should be able to access what: students should not be able to copy others' homework assignments. And here we have a case of a student who maybe forgot to re-protect, and this could be of course what they say, or maybe they deliberately changed the permissions on their file such that it's world-readable. Maybe that changes it for you, maybe it doesn't. So why does the system allow this state to happen? Because it's a shared server. Could you create... could you envision a system that does not allow this? We don't allow that at all. Yeah, so then you have other questions of how do you grade the homework, right? So you have somebody who needs to be able to read homework, but maybe then, as we just talked about, maybe different
roles; maybe there's a grader account that has access to read files or something. Cool. So, kind of, access control is thinking about all these different ways of: what is this system, what kind of rules do we want, how do we specify those rules, how can we enforce those rules, how can we think about whether the system actually has the security property that we want? Because maybe when you actually build this system, it allows this state to happen.

Before we do that, we need to talk about some important concepts. So we'll get into different things later, but so what is authorization? What does that mean? Permission. That's a good way to phrase it, yeah. So it's kind of, in a sense, a system, or... what can a user do on the system? Who you are? Yeah, but I need to somehow be able to answer the "who are you" question, right? So this is the concept of authentication. The main way we've been thinking about this is using passwords, which you're very familiar with. We'll talk about that in more depth, but here this answers the question of who are you. So it's important to remember, and think in your mind, that these are two distinct concepts. The "who are you," how do I identify you, is actually a very deep problem, but that's authentication. Now that I know who you are, what are you allowed to do would be authorization.

So what would be... and we keep going back to this example, like badges in a company. So what would be those two steps? So yeah, the fact that... or even going back a little bit further, the fact that you got this badge that has your picture on it from the company: they maybe checked your passport to verify your identity before they issued you this badge. They gave you this badge, and then when you badge in, there's some authorization process that says you may not be allowed into every door inside the building; there are probably areas you're not allowed to go. And then maybe there's another layer of authentication, a guard trying to match that badge picture with your face. So how do we think about what
people should be able to do? So we're defending a system. So authorization is about deciding what people should be able to do. How do we... we just think of it: we give them the minimum that they need to get their job done, and as the requirements increase, you can increase access. Yeah, so we can actually think about it on kind of different abstraction levels, right? We can think about you as an individual; we can think about what is your role in this system. So rather than thinking about each of you individually, I just see you all as 216 students, and I think, what is a student allowed to do, and then I can create rules on that. So I say, great, you are a student, you can do x, y, and z.

Yeah, and then how does that fit in with trust? So you said just enough to get your job done. Why don't I give you more authorization, to do everything, right? So it may be more risk. And you actually may not give even the CEO all the authorization, right? You could have checks and balances such that the CFO is actually the one who can authorize wire transfers or money transfers, which the CEO can't do; they could ask the CFO to do that, right? So, yeah, so you have this concept of trust in the sense of what can this person, this role, do in the system, and what should they be able to do, right? So let's say you had access to some shared system like general and there was just a command you could run to become the root user, which is the administrator of the whole system. That's probably not going to accomplish the security policy that I want, of each of you having separate accounts and not being able to read each other's files.

So what about risk? How does risk factor into this? The more authorization you hand out, the more risk there is. Like you said, if you want to make a computer safe, you can just throw it in a concrete vault underground and don't let anyone get to it. So every time you allow more authorization, or reach, from whoever, that adds potential risk, right? So yeah, that's great. So every time you allow somebody... even, you know, giving you all
access to the grading server, that carries some risk. Maybe one of you finds a vulnerability in there that allows you to access the system. I have no doubt it's been used for many years and it's definitely 100% secure. But even... and the other way to think about this is, so, thinking about managing risk is trying to understand what are the possible failure states of the system. As your system gets more and more complex and your authorization rules get more and more complex, can you reason about what is likely to happen? I mean, to put it another way, is... I don't know, is risk related to complexity? Maybe, right?

So yeah, so think about a complex system. So we can go back maybe to the privacy component, right? So you can say, okay, developers in our company, they are great, but they need to sometimes debug issues that happen in production, so I give the developers access to the production database. And maybe you don't realize that then actually they have full access to your system, all the data, not just to debug an issue, but to maybe look at people's private information, which you don't want, and which you restrict from actually all the other users. So even at companies like Google, if you want access to user data you have to go through several layers of approval to get it, and then you get time-limited access, and they make sure that you're not extracting any actual identifying information, and all these steps, right? Because what can be a very easy, let's say, authorization, of saying, well, I just need access to the database to do my job, obviously, and then you forget that this then means they have access to everything in your system.

Even in... I mean, because risk is probability, is chance, so even in the scenario where the computer's underground, there's still a risk of failure: somebody just showing up and confusing the place and taking it, or somebody burrowing in and, let's say, in a hundred years, getting in, or whatever, right? Yeah, can you reduce it to a reasonable degree, or can you even say, to a reasonable degree, we
will eliminate all reasonable risk? Maybe... maybe exactly, maybe. But then you have those unknown unknowns that you don't quite... maybe you haven't considered or thought about, right? Then it will completely change the way you consider the security of that system. Another way to kind of think about this is you're using your access control rules in order to reduce risk, right? So you're restricting the capabilities of people, hopefully to the minimum set that is required for them to do their jobs and nothing more, and then that way you have reduced risk in the system.

Again, we're going to be splitting hairs here a little bit, so think about these concepts. We have this broad notion of authorization, which has its twin of authentication, or maybe not twin but related, sibling; I don't know if this is a bad analogy. But then you have access control. So I think of it as, and this is very similar to what we've been talking about in the last section: authorization you can think of as the policy, who should be able to access what, and then access control is actually the mechanism that enforces that, right? So going back to the example, the authorization policy should be that, let's say, users should not be able to read each other's homework assignments. But the mechanism that's enforcing that presumably is some Unix model where a user can actually change the permissions of files they own to make them world-readable. There's a mismatch there: our mechanism is not actually enforcing the policy that we want, and we'll kind of see this over and over again.

To drive this home a bit, what we're going to do is we're going to think about... we're going to try to model access control rules in terms of what do we want to have happen. This has the nice benefit of... we've talked about modeling, and formalism is nice because maybe you can prove properties of a system, and this is how a lot of this access control modeling is used. You can create this nice model of your system; you can prove that it's never the
case that somebody can transition it into an insecure state. The other interesting thing is thinking through... so we're thinking about these beautiful abstract models, but of course these don't just live in our minds; they have to actually be implemented on computer systems or other types of systems that we need to use. So we can see maybe the mismatches there, like I talked about, alluded to, with the Unix systems.

So when we do this modeling, there's not a lot of symbols, I promise. Don't get caught up in the symbology here. So we have our subjects, we're going to call them S, and these are things in the system that can act or do something, right? This may depend on the exact system we're talking about. So think about a computer system, so your laptop that's sitting on your desk right now: what would be some subjects involved? The user. What else? The people around the user. The apps and software, actually. And as we'll kind of dig in a little bit more, you are not actually technically doing anything on your computer. Let's say the command line: you're typing some stuff in, you hit enter, what actually happens? You type ls and you hit enter. Yeah, so a process is spawned. And who spawns that process? Do you spawn it? Almost. Who asked the operating system to spawn the new process? The shell, right, your shell. So when you're on a terminal you're talking to a program, which is your shell; it's probably /bin/dash or /bin/bash or whatever, we won't get into any arguments there. So when you type in ls and hit enter, the process bash needs to figure out what ls program you're talking about. It looks through your PATH to try to find the program, and then it asks the operating system, please spawn a new process called /bin/ls. Then the operating system does that, spawns a new process, and maybe that can ask the operating system to spawn other processes. So technically you're not doing anything, even though it feels like you are; you're just asking another program to do stuff on your
behalf, right? So in that case your subjects here are going to be actually processes.

So objects. So the subject is a thing on the system that can act; what would an object be? Yeah, wow, that's good: things in the system, or things that can be acted upon. Yeah, I guess that is what I put here. And this could include subjects, it could not; I mean, all this depends on the exact system, right? So this is the nice thing about a model: we're thinking about this at a high level, right?

And then we have some rights. So this is again kind of thinking about permissions, basically asking the question of what can this subject do to the object, right? So thinking about a Unix system and thinking about a file, right, one right could be read: so can a process read this file? What are some other rights that you've seen? To write to the file, right. Why do you want to separate reading and writing to a file? Yeah, okay, so this is a good question: what would be some scenario where your authorization policy would require that somebody can only write to something and not, let's say, only read something and not write to something? Yeah, okay, company directory. And can you explain a little more why do they not want everyone to be able to read and write to it? Perfect. And this gets back to the concept of limiting risk, right? You don't want some rogue employee to deface or whatever, change or alter, the company directory. So company directory would be, let's just say, the list of people who work there and phone numbers in the company, right? So you need to contact person X, you can look up their name and you can call them on the phone, right? So yeah, you want everybody in the company to be able to read this, but if you allow everyone to write to it you're assuming more risk that a rogue employee will make changes, or even accidental changes, right? So you probably want it to be one person's job to write, and when you have a new employee or somebody's terminated, to update that list. That's a great
example, right? So that's why it makes sense to think about these different rights in terms of kind of separation. So we talked about reading, writing; what are some other things? Execute, yeah. So RWX: read, write, execute. Anything else? Deletion, yeah. So why would we want to separate deletion from the others? Exactly. So yeah, that's maybe... or maybe another way to phrase that would be like append or something, so you can add to the file but you can't delete what was already there. So yeah, like there's deleting the file itself, there's deleting the contents of the file. Yeah, like Facebook doesn't lend you a fitting information, but they don't want you to delete it necessarily from their servers. Yeah, so that's an interesting one, right? So yeah, has anyone deleted a Facebook account before and then undeleted it by going back and logging in? Yeah, it's amazing how your data is still magically on the back end all of a sudden; it was never deleted. Your place can't... no, I would never think about it. You need to, like, you need to go like 11 pages deep and then you can't do it; you can contact like your customers over there and it needs to go up a chain and then they delete it for you. Whoa, that's crazy actually. So I would recommend that... Amazon is very nice if you ever have to apply for something and you just put like the last whatever X places you've lived; like for me, Amazon has all of that going back, I think, more than a decade. Yeah, Amazon has a much better memory than I do.

Cool, so is there anything that's missing from here? Is there any other things that we need to worry about besides, like, specific what's in these sets? Create. Actions. So define create. Yes, okay, so great, but that would be a right, right? So that would be inside this set. Any other sets that are missing? So thinking on a more meta level, can we actually model any type of authorization policy that we want using just these three sets? Actions. In what sense? So like the first things that... the things in the system that can act, but what
are those things that they can do? And so you have these rights that are permitted to do or do certain things; what are those things? You have... yeah, exactly, so we're missing... that's great, right, the system of what are these actions. Cool. We're actually going to cheat and we'll tie those into rights, so the rights themselves will basically have semantics on what they mean. Cool, all right.

So okay, we have subjects, objects, rights. So let's make things simple, and of course, because we're using some kind of math, we'll just use letters. Is that easy? Would these be anything? We'll use letters for right now, and I'm going to cheat and use the exact same letters that are in the slide. Okay, so we have u and we have v. Can everybody distinguish between these two letters based on my terrible handwriting? In the back, can you read this? Do I need to go bigger? Okay, I got a thumbs up, awesome. So objects in our system: let's say we have a file f, some file g. And now what about u and v, can we act upon them? So we said subjects are things that can act, so we'll say we have, let's say we have two users u and v, and for objects we have some files; we'll think of them as files, whatever, essentially they can be whatever we want, f and g. But would u and v necessarily be in our objects? I don't know, what do you want? Sure, users, let's go with users for now. Do we want them to be in our objects? When would you want to act upon a user? Let's say you want to maybe change their rights, right? So the rights are the set... so we talk about rights, but we didn't talk about who has what rights and changing those rights over time, right? So think about in an organization getting promoted, right? You need additional rights; you need to actually maybe act upon one of your objects, which would be a user. Maybe you need to delete a user, right? I don't know what other things: demote them, remove rights, like just add them. So we'll add them to our objects set, so we'll have u and v beautifully in here. We're just super
lame, so we're just going to say we have whatever they want, and again this is an abstract model, so it doesn't really matter what we put here. So we'll have r1, r2, all the way up to, I think, let's say r6.

So the question becomes how do we represent who has what rights? So let's say we'll give it a slightly more semantic name; we'll say like r1 is read. Would we just say like u... whatever, the rights of u is the second thing, r1? So the user u's rights are r1, like a user can read. Yeah, yeah, we don't know what they're reading, right? We don't know what the user's reading. We want to see what does u... I don't know, I'm trying to... I don't know if a u person made this, but right, so it doesn't make sense to assign that, say, a subject or a user has specific rights, because, well, what do they have rights to do, to what? Or maybe it doesn't make sense. So in our ideal case, what would we want? So what would we want to say here? A job, and say okay, well, just define some job as this set of rights. So we're going to say this user is a... this type of user has this set of rights. But again, with that, new rights on every object: how would you be able to differentiate reading file f versus file g? Maybe u has r1 rights on f, yeah. So then maybe we think about bringing it down a bit, and we can think of okay, we have u, and this is going to get a little ugly, don't worry, I'm just doing the formalism here just to be a little bit more precise. So we have u; what rights does it have on, let's say, f? So in this example we'll say u can r1, can read file f, and we have to specify this for every object in our system, right? Make sense? So how would I represent that the user u has, let's say, no rights... and I'm just making up this formalism, by the way; whatever syntax I'm using now is not very important right now, just in case I'm stressing about it. But g: so the user u has rights on file g; what if I wanted to say they have no rights? So the empty set, empty set. And so can I do this for all subjects
and objects? Can I just keep going? Would it make way more sense to just say what type of file or object it is, so not just have subject types but have object types, with this object type having these types of permissions, and then this user has this set of permissions based on role, and then if they match up, like a key? So you can actually... so it really depends on what level of abstraction you're thinking of, right? You can actually think of u and v as individual users, or you could think of them as roles, and the same thing with the files, right? So if you had a mapping from role u to a set of users, you could do that. The nice thing about this, we're thinking about what's the... like, we'll say, could you... in some sense we're trying to answer the question of what model could you use to model any kind of access control policy. Because maybe I have a user u, like u is in a specific role of programmer, but they also are a security officer, and so they need complex permissions and we can't express that in this model; useless, right? So at least this way we can specify exactly what they need and write it all down, and we can know exactly who has what rights on what objects in our systems. I understand the impulse to abstract, because of course you're thinking, well, this is going to be insane, right? How are you going to write all this down for a system, like a real system? So you need some abstraction, but this actually gives us those capabilities. So if I just kept going here, right, and I think maybe I can end with the user... I'm on v now. So if I kept going I'd say v, rights on v, has some set, we'll call it whatever, r6, right? So by writing all these sets down I can specify exactly... but if we look, so I'm writing, for every subject in my system, right, all the users and all the objects, I'm specifying sets. Wouldn't that be much better and easier to represent in like a table or a matrix than just writing it down here? So let's do that, and we'll do that not by hand, because we have computers and it's already been done for us.
So if I told you this was some access control matrix and I said, does u have rights r5 on v, would you be able to answer that question? Yes. Why? Look at the matrix: you say u has rights r5 on v. Great, right? So we can represent... and this model can be as complex as we want, right? We can have whatever, thousands of rows for all of our subjects, we can have millions of columns for all of our objects, and every row we have the properties. Anything you wouldn't be able to represent here? What's that? Yeah, yeah, so we definitely don't have what the rights mean, and we don't have the semantics; let's ignore that for now, we'll define those later in some sense. Which one is which? Yeah, I mean, I would go by convention: you'll have the subjects as rows and the objects as columns, but to make sure, if you just flip it this way it's exactly the same. So subjects go across, objects go down. Then you can think of it as it's always going to be wider: if you always include subjects in your objects it will always be wider.

Okay, cool, so now we can actually... so this would be our ideal way, and why does this have problems? So you're going to secure an organization, you say, I need some access control, you're going to write down this matrix. Yeah, pretty bulky is a good way of putting it. But even just starting simple, right, think about how many files are on your computer right now. Hundreds of thousands, probably upwards of 500,000; I actually don't know, this would be an interesting question to do, how many files are on a standard Linux install, right? So how many columns would you have then? You'd have over 500,000 plus all of the user accounts.

So then, now we can actually think about, in this model, different types of access control systems. So we can think about the Unix model: what are subjects in the Unix model? Kind of a weird concept, but in Unix, so on like a Linux system, so Unix-like, the broad Unix family of systems, what is it? So root would be a subject, kind of. This is where it
gets slightly complicated: the process, right? Every process on your system is a subject. Those processes are associated with a user ID and a group ID; that's why we're talking about a more simplified model. So we're thinking about it as a process. Your subjects: you have a process, the processes are p and q. File: we can actually have... now we're simplifying it, right, so we're defining our objects as just the files, so we're actually ignoring what a process can do with another process; there's all kinds of rights and weird stuff there. And the rights could be something like read, write, execute, append, or own. And based on our understanding of systems, what do these rights mean? So these are just files, so what does read mean? You can read the file. Write. Execute: execute the file. Append: you can add to the file but not delete it and not delete anything before. What about... oh yeah, so you can... that user... so semantically, so if we think about, and we talked about the access control model, this is kind of a static snapshot of the current system. Do you agree?
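As an added illustration of the two points made so far about the Unix model, that typing ls makes the shell look through PATH and ask the operating system for a new process, and that the resulting process is the real subject, tagged with a user ID, here is a small Python script of my own (not code from the lecture). It assumes, to stay self-contained, that the program being spawned is the Python interpreter itself rather than /bin/ls; the PATH walk is the same one a shell does for a bare command name.

```python
# Added illustration (my code, not from the lecture): what happens when you type
# "ls" in a shell. The shell walks PATH to find an executable, then asks the OS
# for a new process; the child is the subject, tagged with its uid, acting on
# your behalf. Assumption for the example: the "program" spawned is the Python
# interpreter itself instead of /bin/ls, so this runs anywhere Python runs.
import os
import subprocess
import sys


def find_in_path(command, path=None):
    """The shell's lookup: a name without a slash is searched for, directory
    by directory, along PATH; the first executable regular file wins."""
    if os.sep in command:                       # "./x" or "/bin/ls": no search
        return command if os.access(command, os.X_OK) else None
    if path is None:
        path = os.environ.get("PATH", "")
    for directory in path.split(os.pathsep):
        candidate = os.path.join(directory, command)
        if os.path.isfile(candidate) and os.access(candidate, os.X_OK):
            return candidate
    return None


# What the spawned child reports about itself: its pid, its parent's pid
# (the process that asked the OS to spawn it) and the uid it runs as.
CHILD_SNIPPET = (
    "import os; "
    "print(os.getpid(), os.getppid(), getattr(os, 'getuid', lambda: -1)())"
)


def spawn_and_identify(program):
    """Ask the operating system to run `program` (here: a Python interpreter)
    and return the identity the new process sees for itself."""
    completed = subprocess.run(
        [program, "-c", CHILD_SNIPPET], capture_output=True, text=True, check=True
    )
    pid, ppid, uid = (int(x) for x in completed.stdout.split())
    return {"pid": pid, "ppid": ppid, "uid": uid}


def demo():
    # Resolve the interpreter's bare name the way a shell resolves "ls",
    # restricting PATH to the interpreter's own directory for reproducibility.
    program = find_in_path(os.path.basename(sys.executable),
                           path=os.path.dirname(sys.executable))
    child = spawn_and_identify(program)
    me = {
        "pid": os.getpid(),
        "uid": getattr(os, "getuid", lambda: -1)(),
        "executable": sys.executable,
    }
    return {"program": program, "child": child, "me": me}


if __name__ == "__main__":
    r = demo()
    print(f"resolved: {r['program']}")
    print(f"child pid {r['child']['pid']} was spawned by pid {r['child']['ppid']} "
          f"(this script, pid {r['me']['pid']}) and runs as uid {r['child']['uid']}")
```

The child's parent pid is this script's pid, and its uid is this script's uid: the new process acts with exactly the identity of the process that asked for it, which is why the lecture's Unix model treats processes, not people, as the subjects in the matrix.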
So what happens if a new user appears, like we hire an employee for this company of two people? Yeah, we need to have a new row; we have to decide exactly what rights that new person has on each of those. So we need to define those steps. So all the subjects can act using these rights on the objects; so our subject is a process. So what happens if a subject calls execute on a file? So let's think about that. What about read? So what are the semantics? What happens to our matrix if a subject calls read on a file? Yes, let's say it is... so let's say it's reading a file that it has the right to read. What happens to our model? Think about it in terms of steps. So the model is like this: it's trying to read a file that it has read access to, it does that, and what does the matrix look like after that? Yeah, so we have this very simple model: we just have a process p, we have a file f, p can read f. p says, I'm going to read f. What does this matrix look like after the fact? It should look the same, because that's not actually changing any of our rules, right? What about if it can read the file? Should look the same. Should look the same, unless maybe read also implies they can delete; if they deleted the file then maybe that really goes away, because that file no longer exists. But let's say delete doesn't do that, because you need to overwrite the file. What about execute? Can it add or delete... what's that? Can that add or delete columns, because it feels like it creates or removes another file? Just take it one step at a time. So think about it as a discrete system: a thing happens. So process p executes file f; how does that change this matrix? So it's either... execution, yeah. So yeah, wouldn't it depend on what execute would be, like what does it normally do? If f can, like, spawn or create or delete things, then wouldn't you have to give it rights also? Yes, and what is it? So it's something that's acting now, so now what is it? It's a subject. It's a subject: we have a new subject, so
we have to add a new row to this matrix. So let's say p executes f... I'm blaming that on the... okay. So now we have p, now we have a new process q, so we have file f, and depending on the semantics of the system maybe q has different properties, whatever; so whatever rights it's going to have, it's going to happen here. And now if q needs to do something, like we said, or create a file, whatever, that will then change this model. Cool.

So then what about o, own? What happens if p owns f? Do you want to name it owning a file? Say it again? Do you want to name it owning a file? Nope, I'm not going to restrict it. Yeah, oh sorry, yeah, I didn't know I did it, it does not apply that. But so what does owning a file mean? Because you can own a file and actually have zero permissions on it. Yeah, so ownership allows you to change the permissions, right? And maybe... so maybe, and then now again this is where we come to semantics: we're defining what these actions mean. So we can say p calls, let's say, own on f and adds read and write; again, the syntax here is not important at all. What's important is that by the semantics here, so now by invoking this right p is able to change the permissions on there, and maybe, depending on our system, it can change it for all the other subjects too. Cool. So then we can look at, and we can represent, the broad, at a very simplified Unix-level system, and we can say... and so this is where, so what part... we'll go here a little bit: what are some of the benefits and drawbacks of this access control, with using a matrix to model this? Yeah, oh sure. Think... yes, because you can, I mean, depends on exactly the system, but I think in a general Unix model you can, let's say, give ownership to somebody else, so in some sense you can revoke it from you and give it to another subject. I don't know if it's possible for a user that you can give ownership to. So, kind of, the benefits and the drawbacks here? Yeah, yeah, a benefit would be, let's see, I'd say
straightforward to understand. Also straightforward to do an access control check, right? So let's say you're writing this operating system and you've given it this current access control matrix, and you get a request from process p to execute file g. What do you do? You do a simple lookup and you'd say reject. Actually, it's a very efficient, easy operation. Yeah, the drawback would be like something that wants to use this matrix may not understand what some of the symbols are, may not understand what we mean, or what we need only. Yeah, so we need to make sure that our semantics here are precisely defined and that everyone understands them. Yeah, they could just get really large, because you might not ever care if you can act on g, but it's going to have a whole column. Yeah, so, like I said, it's efficient to look up what p can do to g, but if you have 10 million columns, and every time you add a new user to the system you're adding 10 million more columns, at some point you're going to run out of space, right? So think about using this on a system with 216 of you, how big that matrix is going to get, if you were to actually use the matrix as your way of allocating people, like from home, that basically using your tax system. Yeah, so you need to worry about the security of this model: how does it live? You can so much trust it in, let's say, the operating system kernel. So I wanted to think about the drawbacks here, the benefits, and we'll look at other ways of modeling and how this is actually done in practice, because it's a very great theoretical concept; that's where it actually
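To make the matrix discussion concrete, here is a worked example of my own (not code from the lecture or from any project) that builds the subject-by-object matrix, performs the one-cell-lookup access check the lecture calls efficient, and implements the action semantics discussed above as transitions on the matrix: read changes nothing, execute spawns a new process and therefore a new row (and, because subjects are also objects, a new column), and own lets the owner change the permissions of its file for other subjects. It then checks the earlier homework policy against the resulting state, which shows the policy/mechanism mismatch from the start of this section: the mechanism happily lets u make its homework readable by v. The names u, v, hw_u, hw_v and ls, the rule that a spawned process inherits its parent's row and user ID, and the exact semantics of own are my assumptions for the example.

```python
# Added example (mine, not the lecture's or any project's code): the access
# control matrix as a dictionary of cells, plus read / execute / own as
# transitions on the matrix, and a policy check that exposes the Unix-style
# mismatch between policy ("no reading others' homework") and mechanism
# ("an owner may change permissions on its file").
# Assumptions: the subject/object names (u, v, hw_u, hw_v, ls), that a spawned
# child inherits its parent's rights and user id, and that "own" lets the
# owner grant any right on its file to any subject.
from collections import defaultdict


class AccessControlMatrix:
    """Rows are subjects, columns are objects, cells are sets of rights.
    Subjects are also objects, since changing a user's rights acts on the user."""

    def __init__(self):
        self.subjects = set()
        self.objects = set()
        self.uid = {}                      # subject -> user it acts on behalf of
        self._cells = defaultdict(set)     # (subject, object) -> {rights}
        self._spawned = 0

    def add_subject(self, s, uid=None):
        self.subjects.add(s)
        self.objects.add(s)
        self.uid[s] = uid if uid is not None else s

    def add_object(self, o):
        self.objects.add(o)

    def grant(self, s, o, *rights):
        if s not in self.subjects or o not in self.objects:
            raise KeyError(f"unknown subject/object: {s!r}, {o!r}")
        self._cells[(s, o)].update(rights)

    def allowed(self, s, o, right):
        # The access-control check itself: a single cell lookup.
        return right in self._cells.get((s, o), ())

    def shape(self):
        return (len(self.subjects), len(self.objects))

    # Action semantics: each action is a transition on the matrix.

    def read(self, s, f):
        if not self.allowed(s, f, "read"):
            raise PermissionError(f"{s} may not read {f}")
        return self.shape()    # a read changes nothing in the matrix

    def execute(self, s, f):
        """Executing f spawns a new process: a new subject, so a new row
        (and, since subjects are objects, a new column)."""
        if not self.allowed(s, f, "execute"):
            raise PermissionError(f"{s} may not execute {f}")
        self._spawned += 1
        child = f"{s}.proc{self._spawned}"
        self.add_subject(child, uid=self.uid[s])
        for (subj, obj), rights in list(self._cells.items()):
            if subj == s:                  # assumption: child inherits parent's row
                self._cells[(child, obj)] = set(rights)
        return child

    def chmod(self, s, f, target, *rights):
        """The own right: the owner may change f's permissions for any subject."""
        if not self.allowed(s, f, "own"):
            raise PermissionError(f"{s} does not own {f}")
        self.grant(target, f, *rights)


def homework_violations(acm, homework):
    """Policy: nobody may read homework that belongs to another user.
    `homework` maps file -> owning user; a process counts as its uid."""
    return sorted(
        (s, f)
        for f, owner in homework.items()
        for s in acm.subjects
        if acm.uid[s] != owner and acm.allowed(s, f, "read")
    )


def demo():
    acm = AccessControlMatrix()
    for user in ("u", "v"):
        acm.add_subject(user)
    for f in ("hw_u", "hw_v", "ls"):
        acm.add_object(f)
    homework = {"hw_u": "u", "hw_v": "v"}          # constructed sample policy data
    acm.grant("u", "hw_u", "read", "write", "own")
    acm.grant("v", "hw_v", "read", "write", "own")
    acm.grant("u", "ls", "execute")

    child = acm.execute("u", "ls")                 # new row: the spawned process
    before = homework_violations(acm, homework)    # policy still holds: []
    acm.chmod("u", "hw_u", "v", "read")            # mechanism allows this...
    after = homework_violations(acm, homework)     # ...and the policy is now violated
    return {"acm": acm, "child": child, "before": before, "after": after}


if __name__ == "__main__":
    result = demo()
    print("matrix shape (subjects, objects):", result["acm"].shape())
    print("violations before chmod:", result["before"])
    print("violations after chmod: ", result["after"])
```

The violation list is exactly the kind of property the lecture says a formal model lets you check: enumerate the transitions the mechanism permits and see whether any of them reaches a state the policy forbids. Here one own-then-grant step does, so the matrix alone does not enforce the homework policy; something outside the mechanism (or a different mechanism) has to.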