 Okay, folks, let's get started before we jump into the next homework assignment. Actually, I'm curious about your thoughts on Gradescope. Good? It's a bit annoying. It's a bit annoying why? Because it needs an exact, like, you know, like, capitalization difference or anything? Yeah, that's files, though. You need to call files again. That's me, not Gradescope, so. Anything else? Any other Gradescope-ish comments? This is the first semester using it. I think it's more usable than my custom system. Maybe the other Gradescope is going to test. Yeah. I think it'd be nice to sometimes be able to just submit specific files at a time instead of all of them. Yes. I understand. Yeah, I may be able to speak that. We'll see. I like your Sarah better. That's where I was coming from. Well, I like the slots because you get to specify which files are which. Compared to Gradescope, we'll just, like, submit it all and you're blind. How many people use it? Any other thoughts while I'm trying this pattern? Maybe you're raising your hand to say no. The first one was just a warm-up. This is the real first assignment. It should be much easier because of the assignments that you already did. So this, you have a little bit more time. It's a slightly more involved project. The first one is just continuing on with Bandit. You're just going to do the next five levels of Bandit. So levels 6 through 10. So that should be pretty familiar. It's exactly the same as what you did last time. Just new levels. So you're going to be continuing on with your Bandit education. Cool. And the next step is to, the goal of this assignment is to try to think about how to actually implement policies and maybe some of the difficult things that come up. Essentially you're going to be implementing a security mechanism based on a security policy that you're given here written in English. 
So the policy, and basically you're going to write in whatever language you want, a program that implements this security policy. And it's going to be based on the idea of the house and the idea of a smart box system for that house. So the policy is basically only users with an authorized key can enter the house. It's pretty simple. It seems like what you'd want in the house. To enter the house, a user must first put their key into the lock, then turn the lock, and then enter the house, which they can do only if the key is valid. Makes sense? Just like a normal lock. And then it has a nice feature where we can re-key the house. So re-key means we create a new authorized key. But of course, for most security things, we wouldn't want everyone to do that. So it can only be re-keyed with new keys only by the owner and only if the owner is currently in the house. Now we're going to give access to firefighters to our house in case they need to do something. So they can always access the house with this literal key, firefighter underscore secret key. So if they use this key no matter what the keys are, they get access into the house. How do you know that it's a firefighter? Hope that it's a firefighter? Yeah, you don't. That key gets in. It's a skeleton key. It gets you inside the building. So there's no other verification needs to happen. Other important clarifications. So the lock will always be accessed in the same way. We'll go through very briefly the overview in a second. But you insert the key, turn the lock, and then enter the house. We'll see the various commands. You'll have to respond if it's not the right user, but it will always be in this sequence. There can be other commands issued in between. Insert, turn, and enter, but they don't affect the lock state. So you can imagine as soon as somebody starts to do that, you're not going to have an insert, turn, and then an insert where you have to figure out what's going on. 
And testing the key as valid is done when the lock is turned. So insert, turn, turn checks, is that about a key? If it is, then you're good. Okay, let's look a little bit at the interface. The interface is using command line parameters, which is why you've had an assignment on that. The first command line argument is going to be the name of the owner. That's important because the owner can change the locks. And the rest of the arguments are all of the valid keys for that house. Do we need to specify the firefighter's secret key as a command line parameter? Some people are shaking their head, why not? Because it's supposed to be a secret. Because as well. It's supposed to be a secret and part of the policy. If it doesn't need to be specified, that key always works no matter what. So would that just be under owner's name, just firefighter? No. What? No. So the owner's name is about who can change the locks, but this key always works. This key is always on. No matter who's inserting that key, that key always works. You type in that one argument and it just opens? Yep. And we'll see exactly how to do that. So just to make it easier to... You don't have to worry about this too much. There's no invalid input to your program. So everything will always be well-formed. Lowercase a through z, capital A through Z, 0 through 9, underscore, and a dash. Those are the characters that are accepted. Then essentially you're going to think you're building a smart lock simulator. There's going to be input to your program, one per line, and then you are... Then you're going to enforce the security policy. So there will be commands like insert key, username inserts a key, where the username inserts a key into the door, the response should be key, whatever is sent, inserted by username. Turn the key so the user can turn the key. This is where we're doing that check if this is valid, so it's either essentially success or failure. Your program will print out if it succeeded or failed. 
Then the user can enter the house, and possible responses are access denied or access allowed. We can ask who's inside the house. So we say who's inside, and it'll be a comma-separated list of user names ordered by access time. So no comma at the end, which is something you have to do for assignment one, the commands. And it will say, well, this is the users in the list, or if nobody's there, you say nobody's home. Change locks. So username wishes to re-key the house with new keys, key one, key two, key n. Possible responses, access denied or okay. And your response would be dictated by the policy. And then finally leave house. So we actually do let people leave our house. So if you can leave the house, and it either says okay or username not here. So high-level interface, any high-level questions? You can read all these details, it's not. Like at the bottom it says the submission site, so the submission site's so great. Yes. Bash automatically handles the spaces in parameters, but will we need to handle spaces in keys? No, every input, no spaces, a lot of names. Alphanumeric, underscore and dash. Yeah. Are we supposed to have like a menu for the user to like choose between all these options? Nope, they type it in. So don't do any extra work because then it's not going to work. Okay. So the user essentially knows what commands to type in. They will type this in, and then you will provide the correct response. So you read in the line of text, figure out which of these commands it is, make sure it's properly formed, and then do whatever it's supposed to do. So can two users insert the key at the same time? It always has to be... What did I say? Insert, turn, enter. The three steps will always happen in sequence. There may be other commands in between, but none of those three. Yes, that should probably just be access denied or whatever the response there is. So they're not granted, then you should default to not granted. 
Does the house get re-locked after every time someone enters a house? Yes, it's a very smart order. As soon as they enter it automatically locks. So you don't have to worry about the state of it being open or not. I think they have a question. Okay, cool. So here's some examples, you can walk through this. I'm not going to walk through this. Again, so this was an issue with the last assignment, which is something I did not expect. Apparently some environments, like Ubuntu on Windows, have very weird permissions that nobody really understands why it's different yet. Let's not use that. The same thing. If you were able to get the last assignment working, you'll be able to get this assignment working. I have high confidence. There'll be a test script to help you test your program locally before submitting. So it runs through this example test case and make sure that it can make all kinds of stuff. So you can test it there. There's a debug script and we'll use Gradescope to submit. Again, you submit a Makefile. That allows you to write it in any language just as long as the output file is used. So submit a Makefile and README. The Makefile will create the file secure_house so you can do this in C, C++, Java, Python, Perl, whatever you want. Ruby. It's now installed. You posted this after five? Yes. To get the benefit of thinking about it while you're here. And then there'll be, yeah. No. If you just go to assignment two, you can read all this. But I haven't linked to it yet, but I will do that right after class. And then there'll be virtual recitations this week that will cover this assignment in more depth. So attend, catch the recording, whatever you can do. All right. Okay, on to access control lists. So somebody remind us again what's the difference between access control list is based off of the files. Who has access to each file, right? Yeah, so all of the, let's say, access is stored on the files. So metadata with the files. 
And so then we have capabilities. Oh, then the capabilities is on the user. Subjects, yes. So then all the capabilities are on the subjects, right? So you can think about it in terms of the matrix like we talked about. And access control lists is going to be all the rows with all the subjects. Cool. Okay, so now you're doing creating an operating system. We've talked about all of these issues that can come up with both access control lists and capability lists, right? We talked about the fact that on an access control list if you added a new user to this system, what would you then have to do? To go through and update all the permissions on all the files, right? So all of the access control lists that's stored with every file, you need to update all of those with the new information of this new user, whatever permissions they should have on this file. Also, as you add more and more users to your system, right, the amount of data metadata you have to store for each file significantly increases. So this is why in the UNIX model they have essentially a thing that has an approximation of access control lists. And this is really in the kind of base reasons for the performance. So rather than storing arbitrarily information about every user on the system, there is essentially only 12 bits used per file to store this information. And the nice thing is these are all the bits that you're used to seeing when you do ls -la. So the first three bits are very weird bits which we'll get into later. But essentially there's a SetUID bit, a SetGroupID bit, and a Sticky bit. So these are things that maybe you didn't even know about, one of the main permissions that you're used to seeing. Read, write, execute. Let's actually pull up a big enough document container. So I can see, I do ls -la, I can see all of these files I have. I can see right now we can think of what is this, 12 bits? Sorry. No, 9 bits. 
Read, write, execute, read, write, execute, read, write, execute on each of these files. So we're going to go through several things here. First, what does it mean by default? So why do we have these three groupings of read, write, and executes? So the model is based around the idea of who owns the file. So there's additional metadata for every file and that's also what we can see here. Who owns this file is root and what's the group that owns this file, also root. So the way to interpret and the way to read these three groupings of read, write, execute, the first three read, write, execute are the owner. So what permissions does the owner have on this file? Can they read, write, or execute the file? The next three are one of the three permissions for everyone in this group. So everyone that's in the group of the file. So this file is part of the root, owned by the root user and is part of the root group. So only root can read, write, and execute. Everyone in the root group can read and execute. And the last three is everyone else. So everybody else on the system, if you're not the owner of the file, you're not in the group the file has, then you are considered everyone else and those are your permissions. So what do you think about that model? It's simple and only takes up nine bits. It's simple and only takes up nine bits. It covers all the potential users. So we can maybe reason about it by just looking at this file. Although maybe, what do I need to know to know exactly about, let's say, the root? What would I also need to know? Reason pretty easily, I know what I can do to this file. I know what everyone else can do. What other users can edit this based on the group? I need to know what users are about groups. Luckily there's a nice easy way to look this up. I believe it's in /etc/group. And this list for all the groups in the system, there would be a list of users that are in that group. So here I think I'm just in my own group. 
There's no other users on this system. It's really complicated. So there's actually nothing interesting here. So I can easily check this and I can say, okay, I know these users there. So then let's think about what are some things that maybe we want to do with an access control system. So what about, let's say I want a system and I want to... So maybe let's go through the example of people sharing homework assignments. So let's say I want to prevent that. So I don't want anyone else to be able to read my homework. What permissions would I set on that? Think about it. How would I flip these bits to make sure that that's okay for them? Yeah, well, I mean, you can talk high level, doesn't it? So I give the owner read permissions and I remove read permissions from everyone else. This way I can guarantee that no other user on the system, except for the administrator of the system, right? But for all intents and purposes, no other student is going to be able to read that file. Now, what happens if I'm working on a project between me and another user on the system? Yeah, so I need a group. And this is where it gets, you can maybe see some of the limitations of the system, right? I'm going to make a group where I have to have the administrator make a group and I have to manage it based on the group permissions, but what if, I don't know, we need to add people to our group. How do we add people to the group? How do we get it to be, you know, you have to just keep adding and creating groups and if you have a different subset of people it gets kind of crazy to think about that. Or if you have maybe a common file that you want to be read by a group, you can have a, it's very difficult to create a scheme that actually can enforce that using these policies. And yet this is basically used by almost all servers and all kinds of other systems. Cool, so this is really the, so when you're doing things like, I don't really care about this. 
I can make, let's say, this dash program. So I can do things like use the chmod command in order to control these bits, and I can specify, and hopefully this will clarify a little bit what this command does. There's two ways to operate this. You can literally write the octal value of the bits that you want, like 777 dash, this dash. This changes, so 7 is all ones, right, 111. So it sets all of the permissions. And if I did, that's wrong, if I did 707, then I'd see that I gave no permission to the group. And so you can do this in octal. It's very easy to make mistakes here. So the other thing you can do, and this is what we were doing on the assignment, let's say, so if you want to give just everyone else write access, so it's, I think it's owner, owner group plus x. Is that right though? So I just gave the owner, sorry, the group and other. Cool. Okay, I can't look it up. I know all plus x. I had to experiment in real time. Okay, that removes it from everything. There we go. Only took 370 of us to figure it out. Okay, so you can do things like, I want to give everyone, all, so other, group and user, write or execute privileges, and it will do that. So when you're doing chmod plus x, by default it's for all. So chmod plus x adds the execute bit for everyone, so anyone can execute that file. That's the command you've been using in your Makefiles. Okay, then we get to some of the weird stuff. The weird stuff is essentially, I'm going to get out of here. Okay, so now I have an actual machine. So we need to get into some of these other bits. So we saw these first 3 bits: SUID, setUserID, setGroupID and the sticky bit. So the sticky bit is something weird you can just ignore for now. For those that are interested, it was useful, it's used on directories. So things like the temp directory, /tmp, you want anyone to be able to create a new file in that directory, but you don't want them to be able to delete or mess with other people's files. So the sticky bit means you can create files but not create other directories. It's not
relevant to files. So what we need to look at a little bit is, so the question is, and we talked about this a little bit, I'm trying to throw away some of the mystery here, is, so in terms of this Unix system, me as a user is not really anything. I'm not anything important. I technically, well, the only reason I'm a user is because there's an account on the system. In /etc/passwd there's an Ubuntu user that was created. And so what is actually happening? So what am I actually typing into here? So really what we're doing right now is, when we SSH through these remote machines, what we're doing is the system actually using this. Every user has a default shell. So when we access the machine remotely, it says, okay, what program should I spin up that's going to talk to this user? And the program for us is /bin/bash. So the operating system creates a new process called /bin/bash, and that's what we're talking to when we type in our input. So when we're typing ls, we're not, the system that somehow magically knows, it's this program bash that's parsing our input and figuring out what to execute and what to do. So the question then becomes, how does access control happen here? I'm going to do cat. So the important thing here, so here I can see there's a cat process running. So ps lists all the processes that are running on the system. I can find the cat process that is running on this system, and I can see as the Ubuntu user. So again, this is where every process on the system, so in terms of subjects, every process has a corresponding user that it is associated with, and that is what the operating system is checking when it does things like, can this user access this file? What it really means is, can this process access this file? And when we do things like, even things like ls -la, right, the first thing that has to happen is the operating system says, well, do we have permissions to list the directories of this, list the files in this directory? And to do that it checks, well, the process ls is the Ubuntu user and that has
read, write and execute, so it can list all of the files inside this directory. If I try to do this in another directory, like, I think that's the /var/log, no, if I try to print out all the files in the root directory, it'll tell me permission denied. The /root is owned by root. We can actually, we can see that the permissions on this directory is only root, the owner, can read, write and execute. Nobody else can. So I can't list any of the files in that directory, I can't change directories into there, I can't do any of that stuff. Okay, so what this means essentially is we're talking to bash, and remember how we said subjects can create maybe new subjects, or create, have different actions. So when we type in something like cat or ls -la, bash needs to execute a new process, and this process still has the same user as us, right? So it comes from us. The system authenticated us, that we are the Ubuntu user on this system. It created a bash process with the user in Ubuntu, and every command we type in has the same access as that user. Seems great, right? This is what we want. This means that our users can just arbitrarily become the root user and get access to everything, right? Everything they execute is going to operate as the root user. Okay, now what happens if, does anybody have a fancy shell that they use? zsh, and that's not that fancy, it's standard on Macs now. Maybe use something weird like fish. Alright, we'll go zsh. So what if I want to change the shell that I log in as, right? So I already showed that in /etc/passwd, this file, this file has the shell in it. And if we look at this, and this is where all the user accounts are stored, so the permissions here, root can read and write it and everyone else can read it. Nobody else should be able to write this file, and then you can create users and cause arbitrary destruction. It's not great. So it's locked down so that only, so if I try to edit this file, the file for writing, it's impossible for me to write out to that file. But there's a command, chsh, to
change the shell, and unfortunately this is where my demo is going to fail a little bit. I have no idea what the password is on this user. This is an AWS machine, so they don't tell you the password. I don't want to type in a password in front of all of you also. But I do have sudo privileges, so I can run it, and this is running that change shell as the root user. But I promise you, if you type in your password it works exactly the same. So I can say, well, I want /bin/zsh of my shell, and of course I'll install it just to this demo. I'm sure everything will be fine. So, so now if I do cat out that file from user, so this is why you always check the health file. So now I can see that I was able, so if I know the password, I can change that value in this file to be, not whatever I want, limited to some values, but I can change the value in a file that should only be writeable by root. So how is that possible? Yeah, we need some other mechanism, right? Because basically everything we've been talking about, there's no way. So if I needed to change my shell, I'd have to bug the root user to change my shell. The other important thing to think about is passwords. So all your passwords are also stored in a file, that is the /etc/shadow file, which nobody has read permission to. You can't even read this file. This is where a hashed version of your password is stored. So if I take my password of a user, I can change my own password if I know the current password. But how does all this happen? We need some other mechanism. So if I do, if I look more closely into which chsh, so if that /usr/bin/chsh, I can see that there's an s, a lowercase s, on this execute bit. And what that means, that's that setUID bit at the very start here, this bit. So the setUID bit, and what this means is whenever anyone executes this program, it executes with the permission of the owner. So essentially when we execute this program, it's as if root executed this program, and that's why it needs that check to see is our password correct, so it can
authenticate us, and then it can do things like open files that only root can access and do all kinds of other stuff. So what does this mean if I find a vulnerability in this program and I'm able to trick it to do whatever I want? Yeah, you can change anything root can. Yeah, I can change anything root can. I can basically have, root is basically equivalent to the administrator of the system. I can literally do anything I want to the system. I have total control over it. I can override all the permissions I want. I can see every single file. So it's an important part of the Unix access control model, and it's going to be something that you're going to be practicing doing in the later part of this course, is exploiting binaries and actually doing this. And it's all created using this mechanism. Similarly, the setGroupID is, would be an s on the group here, and that means that when this process executes, it executes with the group permission of that user, so not with the actual user itself. Fun deep dive into how stuff actually works. Yeah? Where are those bits at? Are they in the file or into the system? That is a good question. I am not, I believe they're stored in the file system. I think this is probably ext4. I'm sure there's some metadata portion there that is not part of the file, but the content itself, but it's metadata about the file that has these bits. When you did ls -la /, before, the temp directory had a t. Was that the sticky bit? Exactly, so this t here means the sticky bit. I was just playing a symlink. So a symlink, and then if we look at what I was playing with earlier, so if we look at ls /bin, it looks like this is a file that everyone has access to, right? All 777 across the board. But the l at front tells us that this is actually a link. So it's a symbolic link that says, actually, if you want to find /bin/sh, you should look in the same directory, like /bin, for the program dash. And the idea is, I believe symlinks don't have any privileges. Anyone can access a symlink. The access is
detected on the file itself, so that's why I chose 777. There's some permissions on it, which is interesting. I'd have to look into that to see how that works with symlinks, but I know at least for accessing the file itself it would, yeah, so it uses these permissions to see who can access the final result. You can have symlinks point to symlinks point to symlinks and then finally to a file. All the directories would also check as well, so you need to check, if you don't have execute or write execute permissions to a directory, you can't go into that directory. Cool. Cool. So other types of access control that we can think about are, other types of things would be, and for instance this comes up a lot when thinking about terms like privacy, you can think of some access control that's dependent on the content itself. So for instance, a lot of, let's say, on some database systems, like for a university, and it's part of the privacy policy that even an administrator can't infer information by you. They may have access to this set of all users and they may want to run a query that says, what's the average age of an ASU student, which doesn't necessarily reveal anything about you. But you can carefully craft your, the query, you may be able to figure out the age of a particular person. Like you could say, what's the age of any people at ASU that are in CSE 365 and live in this certain zip code and are also taking this other class, this other class, and then at a certain point the result is actually just one person, right? So it's not going to be average, but it's a one person, so you can really figure out what that is. And I think there's privacy things that people can do that limit the amount of information that's released in this type of context. You can also think in terms of a business, you can only see salaries less than a certain amount, or if you're a manager you can only see salaries of employees that report to you, right? So there's different types of access control decisions being made here. You can
also think about context dependent controls, right? So this would be similar to the, maybe you can't access sensitive information remotely from the VPN because the computer that you're using may not be trusted by the organization. That could be an example there. Maybe salary information is only updated when the year ends, or I think we talked about this a little bit, the company's public earnings are very sensitive right up until the shareholders meeting, and then at that point they're no longer sensitive. We don't care about it, it's public information. Okay, so now we need to focus a little bit more in depth. So we will kind of a ways to model access control systems, and now we're going to kind of go a little more finer grained and talk about different types of access control systems. And the key thing we didn't just talk about in this UNIX example was who gets to control the permissions of the file. So you saw me there changing permissions of the file. Why was I able to do that? Can anyone do that? Because I'm the owner. Yeah, so only the owner can change permissions of the file. The owner can also actually give ownership of the file away to somebody else. Is that always what we want? Can you imagine what would be a scenario where we don't want the owner of the file to be able to decide who gets access to it? Yeah, so this is a good example. I think on most modern Windows systems you're not running as the administrator, so that you can't modify those files. The Mac has a system integrity protection where a lot of the important system files are actually locked down so even the root user can't modify them. Yeah, that's good. What else? What about the NSA example with Snowden? Why was Snowden able to access some of the information?
He was given access, he was an administrator. Well, I guess in that case maybe it's not the owner. And this is kind of a key distinction that splits access control systems, and it's particularly the way we think about them. So the kind that we're probably most familiar with is this notion of discretionary access control, where basically, so you think of discretion, discretionary because it's the owner's discretion who has access to what files. And so the owner of the object controls who can access that object, which as we talked about in the example of the homework assignment can be good, but that can also open up the avenue of the owner of the file modifying those permissions in such a way that violates the security policy. If it's not possible for a one student to make their homework file readable to other students, then that maybe could help enforce our security policy. So this is a stark contrast to a different type of access control system that we call mandatory access control. You can also call these DAC or MAC, so discretionary access control, mandatory access control, where the system controls access to the object. So users get absolutely no say, or maybe very little say, over what access people have to their objects that they create. And there's another one that we'll touch on a little bit because it's kind of interesting to think about the differences here. There's another notion of an originator controlled access control, so meaning the originate, so what's the difference between the originator of the data and the owner of the data? Yeah, so if you left the job you could copy all those files that you had access to onto a thumb drive. Now if you, technically in terms of the system you probably own those files, but you didn't necessarily originate that data. You all do too much streaming of videos to remember when you use it, when you remember you actually purchased an MP3 file or a CD or something, right? So you may own that file, that MP3 file, you may legally own that file, but you
didn't originate necessarily that information, right? So all of the digital rights management things that happen are basically ways to the originator of that data to control who has access to it, right, and verify if you legally have access to it or whatever. Yeah? I heard, I don't know if it's one of the, one of the user services, he has like this huge library and he wanted to transfer ownership to his family when he died, but he couldn't do it after he made like thousands of dollars. That's funny. Yeah, so that's an interesting thing that probably people don't think about, what happens. Yeah, it's really easy to give CDs or physical medium to somebody else, right, because you're buying that copy of that thing. There's even cases where one of the early Windows DRMs was, I think it was called PlaysForSure, which is very ironic because they announced they dropped support for it, the latest version of Windows, because it was so old and whatever. Right, here you spend money on a file that you find home, but it had this essentially a originator controlled access control that they decided not to support, which means you can't play your files. Even things like, I don't know, is anybody still use like Blu-rays or DVDs? Few hands. Yeah, those have digital rights management where there's like a key all the DVD players, Blu-ray players have that unlocks the content, and there's all these restrictions, so which makes it theoretically more difficult to rip off the video stream from the disc. Is that region control in this version? Is it a lot?
Not necessarily region control. There's, I'm not a, I don't remember all the details. I think it's DCS or something like that, encryption keys where the data is encrypted, it can only be read from hardware devices that have a key on them. But I believe they've been broken and some people have the key so they can read these files anyway. The idea was to try to lock it down so you can only play on a certain device, and maybe modern ones, maybe so that the player has to have that feature, that the TV does as well, and it's all kinds of stuff to try to, try to get this originator controlled access control. Games, I think, are probably another good example of this, right? So you can think of region locking, things down by region, but also, one of my favorite examples of that, there's some game where it was, it detected that it was a pirated version, it wouldn't throw a warning, but it would slowly get harder and harder, and then a certain level, like a fourth level, would just be impossible, and the key you're supposed to find, that you couldn't find. That's pretty good. Yeah, that's a pretty good idea. So now that we've looked at, so we've looked at discretionary access control, I think that's something we're very familiar with, we've looked at it in the context of the UNIX access control system. So we're going to focus now on mandatory access control, and one of the best examples of this is essentially the military and the different kind of security levels that they have there. So why does something like a military need a mandatory access control versus a discretionary access control, guys? So in what sense? Like, if there's people from other countries that are, like, acting in the interest of other countries, then they could, like, classify information. Yes, we want to maybe limit the access of information to only those people that we've maybe vetted in some way to be able to access it. In terms of risk, the stakes are a lot higher. I mean, think about news, news of the war, all that kind of stuff, right? That is pretty much
pretty high stakes. If something does go wrong and you have like this discretionary system, then it's the fault of whoever, like, you've spilled it. So yeah, you can simply limit the freedom of the right order choices of individuals so that aligns exactly with their security policy, right? So yeah, this way you can fix the system and not have to rely on individual, each individual making their own good judgments about what their access control right should be on their information. Plus they may not even know, is the other, if you may be generating some information that you don't actually know is supposed to be at a high classification level, and so as soon as somebody does that and goes into the system and is taking care of it, then if you just had to decide, that would be a big problem. Cool. Okay, so kind of the way to think about this is we can think about this first in terms of levels. So we'll build up kind of this notion of how these mandatory access control systems work, and this kind of intuitively makes sense. So what are some maybe levels of secrecy or security that you may have heard of? It could be military, it could be. Confidential. So what is that, the hierarchy? The lowest level hierarchy. So the lowest level, or maybe right above unclassified, right? So you have unclassified, public, or, I think it's more complicated, you may have unclassified but sensitive, and then you have classified. What else? Is that it? So you're designing a system, you just want, it's either secret information or it's public and everyone knows it? Top secret. And above that, sensitive compartmentalized information. So your secret, I think, I love classified, classified as secret and then top secret, and then we have, yeah, the categorization, compartmentalization, which we'll talk about in a second, but we'll talk about just levels for a second. So why do we want this notion of levels? Yeah, so we can think about the notion in terms of risk to the organization, of how, how impactful is it if this information gets out, right, which
correlates with how, how much we should secure this information, right? Plus there's hopefully a notion that fewer and fewer people have access to that information as it goes up to different levels, right? At the highest level it should be only the people who actually need access to this actually have it. Yeah, what about in a non-military context? Yeah, trade secrets. Yeah, what else? Yeah, you're, like, personal data that companies collect on you. Yeah, so like personally identifiable information, or PII, right? So that data may be there. Yeah, so, and this could be anything, right? So think about it in terms of organization. It could be things like customer data. Customer data could be very important, very sensitive. The backups that you're generating of that data is the same thing, could also be that data, that information. And essentially what we need in order to start thinking about mandatory access controls, we're going to create a system that can allow us to reason about data flowing so we can have a system enforced. But just like we needed, access control list was metadata on a file that we can access it, we now need metadata on all the files of what security level is it at. So we need a security level with each entity. And so what type of relationship should this be? So do you have a file that's both unclassified and top secret? It doesn't make it almost uncensored, we kind of already know that intuitively, right? But if it's really top secret, that means it should not be accessible by anyone in an unclassified setting, and all these other things, right? So we can have, you can think of it as every object should have one level associated with it, and a level can have multiple files associated with it, or multiple things. So maybe other levels that you've heard of in a commercial setting could be public, sensitive, proprietary, or restricted, right, which kind of are trade secret, even going higher up. Whereas the military levels, you, we already talked about these, you have top secret, secret, confidential, and
unclassified. So I want you to help me. We have these levels. What policy do we want to enforce, to, in a mandatory access control way, so the system is going to enforce this, what policies do we want to enforce to ensure what? Actually, I'll be trying to ensure it goes to goal. So we're going to think of in terms of modeling. Let's forget for a little bit that things can be unclassified, but we'll forget that for now. We just want to make a simple system that is the most to make it that enforces that data at the top secret level cannot be leaked out to people who do not have access to that. Everyone agree with maybe that statement? Maybe want to amend it, change it? Yeah. What about those that have access to top secret also have the access below it? Yeah, so, so what, what type of access, I guess? So if you have top secret access you also have secret access. Okay, so we'll think about these in terms of a hierarchy where it encompasses essentially all of it. So if you have access to top secret you can also access secret, confidential and unclassified, right? Okay, cool. So let's introduce a bit of notation and then we'll derive these kind of rules together. You know what, I'm going to draw, feeling, yep, hold on, I'm going to keep my chi chi here. Okay, so just like before, nothing out of the ordinary here. We have our subject S, we have our objects O, and now we're going to add more information to this. So this is the set of all subjects, and O is the set of all objects. We need to add more metadata and information, right? So we're going to call the level of s, we're going to say it's l, lowercase s, and this is the security clearance of the subject, and then we'll say l o, is lowercase o, this is the security clearance of the object, right? So in case of a file, the file is an object, it may have security clearance classified, the subject in this case may have security clearance of top secret. And then let's draw our, so we have TS, S, C, I'll call it UC, right? So this is our hierarchy. Everyone agree with this hierarchy? And
just kind of formally, we basically, we have notions of, let's say TS is, let's say, greater than S, right? So we have an ordered notion where we can say that yes, one security level is greater than another. Now we need to create some kind of, so we're talking about mandatory access control, it means the system enforces the rules, it means we get to create the rules. What are kind of the two operations that we care about in this system? Reading is a super important one. So we have reading. What else should we be thinking about? Writing. We need to think about the creation of that, and the creation of information. Okay, so how do you want to do this? Maybe inductively, we can think about some examples and then think about what we think should happen in this scenario. Okay, so should a subject, we're going to go through some examples, let's see what we think. Subject, object, and then we'll write the security clearance underneath it, and then for the classification level. So should a, we'll go, we'll stick with writing at first. Okay, we're thinking about writing, or sorry, reading, looking at it. Saying, okay, so a subject has top secret clearance, should they be able to, should they be, should a person with top secret clearance be able to read an object of top secret clearance? Yes. We agree? We disagree? Should somebody with top secret clearance be able to read something that is secret? What about top secret, what about top secret and just all the way at the bottom, unclassified? Yes. What about, let's say, secret, secret? Can somebody who has secret clearance read a secret file, with top secret clearance, and top secret? No. Why not? Object security level is higher than the subject. Because the object security level is higher than the subject. And does that hold for all of these levels? So we looked at it maybe at one level. So do we ever want a confidential file, a subject at the confidential level, to read a top secret file? What about unclassified? No, that would be very, very bad. This is the main principle we're trying to create.
Yes? What if, like, there's a top secret, some more top secret access, but like there's a file, this top secret is limited to like a few people? It's not possible in this system. So we're thinking just controlling this, these information. We'll talk about that more in a second, or actually looking like on Thursday, but we'll definitely get to that one. So it seems like from this diagram maybe come up with the intuitive rule that we can read down. Yeah, we can write that, we can say something like, I'm sure that's here on this next slide, a subject can read an object if and only if the classification of the subject is greater than or equal to the classification of the object. Which makes sense, this is the security property we want to enforce. It should never be the case that somebody with unclassified access can read something at the top secret level, right? People at the unclassified level should only be able to read unclassified things. So we, you can only read down. What about writing? Should somebody at the top secret level be able to create a top secret document? Yes, right? That makes sense. You're at the top secret level, you can create a file and write a document that's top secret. Yeah? Create, does that mean turn a document into top secret? No, let's, for now, let's just think, we're thinking very, very simple model. We're thinking that you could say, sometimes you could say, you know, when you're, when you're creating the file, you say I'm going to create a file at the top secret level and then you're going to type stuff in. So that should be allowed under this model, right? Somebody with top secret clearance should be able to write a top secret file. What about a secret file? Should somebody at the top secret level be able to create a top secret file? Yes. What if they're putting top secret information in that file? Should they be able to create a file at the top secret information? They have access to all the top secret information, right? So if we wanted to be, and again, remember, conservative here, so we're
trying to, and we can, the reason why we're doing this is to be able to prove a case where it is never the case that top secret data could leak out, right? That security properties that are actually proved. Of course we're going to operate on a model, and it's going to be very difficult because you're going to say things like, what about declassification and all this stuff, which I understand, but let's think about that for a second. Okay, so let's keep going down. Should somebody with a top secret clearance be able to write and create an unclassified file? What about secret, secret? Yes. A secret, top secret? No. What security problem, principle, doesn't violate from the nose. They wouldn't have top secret information. They would have to have top secret information to be writing a document that's top secret. So, yeah, no, let's say I can, yeah, so as soon as they're typing in the words, they're gone, right? Like, think about the case of the spy that we're talking about, right? They may actually not have a high clearance, they may only have a classified clearance level, but the intel that they're gathering may be important to top secret level importance, so to create a top secret file. And of course they could be able to create a classified file as well, and then maybe somebody notices that, I can pop it up to top secret. But there's nothing that, it's not against necessarily our security principles that they could create a top secret file. There's also nothing that says that, there's nothing really, no notion of integrity here. We don't actually care if the data is or is not top secret or secret or whatever, we just care that once data is tagged as top secret it never leaks out to any lower levels. So what do you think, should this be allowed to happen? So now what about, what about this case? So what about the top secret version creating a secret file? How do we know they're not Snowden-ing us? Because why can't they create an unclassified file and just throw all of the top secret information they have access to into that
file? I don't trust anyone. For trying to be super conservative and have it never ever be the case that top secret information could ever leak out, then maybe we want to change these notions. They can't send emails? It's probably a great job. So if we wanted to restrict information flow level, it's never possible to top secret information flow out, and if we go like this, we'd probably draw something similar to an arrow going up and say that you could write up, you could make any classification file up, but you can't write it down. So you can't write to a file that has lower classification than you, because you may inadvertently spill out your knowledge about what's going on, or you may deliberately do that, and we're trying to not trust anyone. We don't want the most conservative system possible. We don't want people with a lower security of fake information? Sure, we don't care. With the CIA, confidentiality and integrity, availability, we only care about confidentiality. This is the only thing we care about. We have people to look at integrity, don't worry, we're going to double check and triple check their information, but what we're definitely afraid of is that information being leaked. So this is the start of a model that we're going to look at, security properties that we just talked about. What we're going to be thinking about though is, and I want to be thinking about it, we'll talk about it on Thursday then, how do we have this notion of, what kinds of top secret information is out there? Nuclear codes. Well, intelligence operation. Troop movements. Alien. So you have this system we just talked about, and anyone at the top secret information at your level would have access to all of that information, right? But what we want to be thinking about is how do we apply the principles of least privilege to this notion of security. So we'll look at that on Thursday.
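Added example, not part of the lecture or its slides: the read-down and write-up rules derived above, with a check of which levels data can reach through any chain of permitted read-then-write steps. All names here (`Level`, `can_read`, `write_up_only`, `write_anywhere`, `reachable_levels`, `leaks_below`) are this example's own, and `write_anywhere` stands in for the discretionary case the lecture worries about, where a top secret subject may write an unclassified file.

```python
from enum import IntEnum
from itertools import product


class Level(IntEnum):
    """The lecture's hierarchy UC < C < S < TS (encoding is this example's choice)."""
    UC = 0   # unclassified
    C = 1    # confidential
    S = 2    # secret
    TS = 3   # top secret


def can_read(l_s, l_o):
    """Read down: a subject may read an object iff l(s) >= l(o)."""
    return l_s >= l_o


def write_up_only(l_s, l_o):
    """Write up: a subject may write an object iff l(s) <= l(o)."""
    return l_s <= l_o


def write_anywhere(l_s, l_o):
    """No restriction on writes: the case where write-down is permitted."""
    return True


def reachable_levels(start, write_rule):
    """Levels that data tagged `start` can end up at when any subject may
    read it (if can_read allows) and then write it (if write_rule allows),
    repeated any number of times."""
    seen = {start}
    frontier = [start]
    while frontier:
        src = frontier.pop()
        for subj, dst in product(Level, Level):
            if dst not in seen and can_read(subj, src) and write_rule(subj, dst):
                seen.add(dst)
                frontier.append(dst)
    return seen


def leaks_below(start, write_rule):
    """Names of levels strictly below `start` that its data can reach."""
    return sorted(l.name for l in reachable_levels(start, write_rule) if l < start)


if __name__ == "__main__":
    for rule in (write_up_only, write_anywhere):
        for lvl in Level:
            print(f"{rule.__name__:15} {lvl.name:2} leaks to: {leaks_below(lvl, rule)}")
```

With write-up enforced, data only ever flows to its own level or higher; with unrestricted writes, top secret data reaches every lower level in a single step.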