 Hello? Testing? Testing? Alright, let's check it out. Good work, Henry. Break. So now we can come together and revisit our example. So we talked about this a little bit last Thursday. So let's kind of reiterate what we're talking about here. So some universities are going to continue to policy disallow cheating, as I would assume they all do. This includes copying homework with or without permission. A class has students perform their homework, submit things on a shared system, similar to general.asu.edu. Student A forgets to re-protect their homework file, and student B copies the file. So who did something wrong? Why is student B even able to see student A's work? So I'm going to tell you something. I know it's a shared server, but shouldn't it also have, like, windows going to see their own stuff? So how can you do this? Do you have any play with on a shared server before? Pretty sure you can see everything stuff on general. Does that just have a folder on general? You can actually just CD up into the home directory and CD back down to somebody else if you want. So you can, depending on how the server is configured, the users probably have a home directory and slash users, slash home and then the username. And then within there, it's you as a user, you own your home directory, so you can actually modify the permissions to be whatever you want. So which would be a case where maybe you would want the students to be able to share things? Again, you may have students working together, right? So they made this side okay. Let's all work out of one person's group folder, and in that case, you want them to actually be able to. So if you didn't allow them ways to work together and to share things, then you kind of just use the purpose there. So who's in the wrong? So let's start at the beginning. What's the... So the policy means what? So the policy here is trying to say what? The policy that they need to be protected. Okay, so two different things. So the policy kind of separates. So if you think about all possible states that this system could be in, the policy is what defines those states that are secure versus insecure. Secure means no students are copying from each other. So those are the secure states. So here we have a circumstance. The first question we want to ask is, has the system transitioned to an insecure state? I see some nodding. Why? Because student B has copied the thought. Which directly contradicts our policy, right? So then going back to the original point, the question is okay, so clearly, and here we're using wrong kind of vaguely, but we know that student B transitioned the state of the system into an insecure state. Did student A do the same thing as well? So what do you think? Yeah. You think student A is in the wrong here? Well, that's how you define it to be wrong if they transition to security and security. Student A, what do you think? Well, if student A needs to re-protect it, then it was insecure from the start, but student A didn't do anything to transition it to an insecure state. What do you think? Well, I think student A put their homework on the server, right? They're called permissions for a reason. You either grant or take away permission to do something. So by allowing other people to read your homework, giving them permission, like, literally. Interesting. Yeah. The policy isn't specific to the person that has the homework that's being copied. So it only affects just the person copying it. Yeah. I can't. I mean, my mind can prove back that I think you've been going over this in the past two lectures now is the policy is essentially theft. So, like, if I leave my wallet on the table and someone takes it and you're going to plant your child up the wall, like, the policy is saying, don't be a thief. I mean, was I stupidly leaving my wallet and leaving the classroom? Yes. But what's the policy about it? It's about theft and someone stole it. So it's not my fault someone chose to be a thief. And that's the imagery that comes to mind. Interesting. Yeah. And you can still have a secure state with an unprotected file. So you can have no one copies it, but with unprotected, so it's still in a secure state as soon as someone copies the protection of transit in the system. So what do we think? Do you guys agree with each other? Yes, no? I'll agree that the original policy itself needs to be readdressed. Like, after finding this flaw in it, perhaps the university would say, okay, there's been a lot of ambiguity in our system, so not only can you not copy, but students are also responsible to make sure that their files are unprotected. Yeah. So we're definitely struggling with a lot of issues here, right? And this is what kind of, it's difficult to reason about. I've been looking at it very strictly based on what it said, so the last person who spoke talked about it basically, so a student making their file be readable by everyone, that does not violate the security policy, right? The system is in a secure state at that point. It's student B who chooses to copy that file that transitions the system now to an insecure state because the student has copied another student's work. I think that would be the way I would look at this problem. Then the question goes to what do we do after this, right? If we are in charge of academic integrity violations, and we see this, maybe we think, hey, we should modify the policy to say that you also shouldn't leave your wallet out, right? That it's up to the students to make sure they're safe starting their files. The question is though, what happens if somebody sends, if student B sends student A a phishing attack where they pretend to be Professor P and say, hey, I want to check your homework before it's submitted, send me your homework? In that case, is student A in the wrong because they felt victim to that? Because by our new policy that says if you share, right, then you are in the wrong. I assume that you look like this, that's not you. It should be if you knowing we share or use well established things like GitHub or something to openly share. You have to sort of think of it. Right, so that gets into other weird issues where let's say we bring a third party that you say, hey, I didn't share my, I didn't make my code readable by everyone. I just posted it on GitHub and I didn't know that it's public by default that anyone could see it and pull down the copy of the code, right? So does that let student A off the hook now say that they didn't violate the policy? I think it's difficult to make the policy black and white. There's definitely shades of gray here, shades of reasonableness that the user that should or should not do to protect that information to pick out every situation that's necessarily their voice going to have any changes. Right. Yeah, I think the goal is just to make the policy specific and possible to actually some places that the student A will never ask for like your password or something like that. Yeah, definitely. So I think that that's a great point. So talking about the policy and maybe we know that we can't write a policy that can state unambiguously where the things are secure or insecure but there's also kind of points to that we should try to be creating and enforcing mechanisms that closely enforce our policy. Right. So in this case if we wanted to allow that we could put mechanisms in place to say that users cannot change their home directory to be let's say world readable. Right. That could be a mechanism that we put in place to ensure that the student can't inadvertently but as we just said that causes problems with now when we want to actually collaborate on a project. That's a legal issue. So I don't think we don't have to take it. So people like him from other countries they just say let's go ahead and do that. It's still fat but they didn't know that that was actually meant there for the person with the wager or the wagers to activate it. So it's simply their money now. If some foreigner said they didn't know what tipping was they were probably lying to you. So then it kind of goes into well as part of the policy how do you make your users aware of the policy? By making them sign an agreement exactly or so in every single syllabus there should be something about academic integrity violations and a pointer to the ASU code of conduct that specifies everything there. So that's part of the university trying to enforce and say that hey this is not a defense that you didn't know, right? So everyone has to play by those same rules. Cool. Any thoughts on this example? That's good. So what about that? So going back to the wallet example so is this the same situation here where student A has just left their wallet out on the table and the person actually takes that is in the wrong. I'm going to say help is you could with the file you could just copy it and put it back with the wallet and copy the money. That's a physical object. Okay. So then we get into kind of intellectual property versus theft arguments but if we leave that aside and just say that, you know, let's say you left your house your front door unlocked and wide open, right? So does that mean that somebody can then if they rob you it's on you and it's your fault because you left your front door unlocked? Yes. No. Procedures to make it harder for that to occur so you have like blocks on the door you have, you know, you leave your wallet in your pocket whatever it may be to make it to prevent like that cheating or theft happening. But yeah. But I mean if it happens I mean it's not, I mean that gets more to like a security sense but someone's still whether it was easy to copy it or it's hard to copy it it's just a hard to steal because you wrote the security policy. Right. In that case I guess technically you don't have a duty to protect your wallet whereas in this case by creating the policy we created this duty to kind of protect your home. We didn't say that in the policy. If the policy had something I mean we went on and described it more succinct to policy but no in this case I still think there would be I think two is the process of coming usually the way it works you're the first to get a zero on the assignment and you get reported to the dean's office and the dean's office that deals with you have to get caught again and you can actually import so there's a process of coming a process of things that occur there. So we had someone ask an architect whether it was actually occurring there. And we have places things in place and there's an appeals process that you can go to where your case will be heard by independent folks who can kind of make a decision whether they believe you violated that security policy. So yeah you can't really definitely do this black and white thing. To go back to the house example so I would say that yeah you wouldn't be necessarily it's not your fault that somebody broke into your house because you left the front door in lock. However your let's say your homeowner's insurance they may want to increase your premiums after they find out that's why because you were lax about enforcing your own mechanisms to keep your housing right. So you could have other repercussions in the wall. So what this kind of brings us to is when we're talking about here in this module and module I can say that but in this topic is authorization. So what does authorization mean? We've actually been using it up until this point right? What does it actually mean or what are some ideas of what it encompasses? Yeah I think it has to do with like is a user able to do like a certain task but not necessarily like you kind of already assumed they are what they say they are so is this person who they say they are are they able to then do the thing? So what do you guys think? Does that agree, disagree? Yes That's authentication your authorization is going to be what you have access to. So what's the difference? So authentication is are you who you say you are and the authorization is what are you allowed to access to? Everybody agrees I mean disagree or want to add something I guess they just don't like the word able to access I think authorization is something that comes from an authority so somebody that can you know can say I allow or disallow this action. So similar to our previous example right? So just because a student B could access that file doesn't mean they should according to the policy though so you're still not authorized to read that file by the policy even as the mechanism a lot of them do so That's a great point Yeah so I'm going to think of it as well now I'm maybe going to change this to reflect this discussion So what authorization tries to answer the question of what can you do on the system or what should you do on the system based on what the policy says you should be able to do right? So I see it as coming directly from the policy states what you should be allowed to do and this is the authorization is what we used to talk about of what should you be allowed to do on the system and so there's two interesting points here that brought out that we were just talking about with authentication is how do we define you and how do we tie you to an actual individual or person right in different contexts we may have different ways of doing this but so that so authentication we're going to cover that in a later module later section and so authentication kind of has to do tries to answer the question of who are you right so at this point let's assume that we solved the authentication problem we know who this person is so we're only going to think about what can that person do on the system so what types of attacks and threats because we're not considering authentication do we not have to worry about worried about somebody pretending to be somebody else are we not worried about authentication as a whole so do we not care about phishing or do we care about that other people are who they say they are tricky I'd say let's not consider that so authentication actually goes both ways right because we need to know who we are and what's the other thing we want to authenticate who they are who this is the system actually the system I'm supposed to be talking to right and that actually gets into the phishing problem where we're the correct person where we're trying to authenticate to a system that is not the original system exactly that's good so we'll bucket that under authentication problems that become more interesting, less interesting edit, scooting pretending to be somebody else so it all kind of ties back into what we were talking about we want to define precisely the authorization scheme that we have so that we can understand who in the system we have to trust so this way we can explicitly state the authorization of the as we'll see the users on our systems against all of the let's say assets or we'll use objects in a second and this allows us to analyze the system and say okay who do we trust do we have super users on the system or super administrators who can access everything then we know we need to trust them or we need to make sure that we can audit and keep track of everything they're doing on the system in case we ever need to in case they ever do anything wrong and the whole idea is about managing risk so we talked about we talked about risk and risk analysis a lot so how is defining what people can do on our system how does that help us manage risk if you know what they can do you can know what kind of damage they can cause if you can measure how much risk will be integrated with what they can do so if I know that let's say I have a website and I have rules for administrators on the system regular users and guest users and if I can define the authorization so that I know that guest users can't have a very limited impact on the system and I can start to reason about okay yes guest users can only do these things on the system therefore I've mitigated the risk of some guest user causing havoc but now I want to ask the question are my regular users do they are my regular users potentially at risk so what could a regular user do that I need to think through actually limited and restricted them as much as possible what about just saying they can't do anything revoke all everything they can do on the system make it secure pretty secure what does it do they can't do anything so you don't have a system right so you need essentially the idea is and we'll kind of touch on this in a lot of points is that there's this give essentially when it goes back to what can they do we want to let them be able to do everything they need to do in order to function properly in the system but no more so this is called the least regulated principle so we want to restrict what they can do to just what is essential to actually function in the system why is that a good idea I don't know how to prevent that so this helps so if we have a strong authorization mechanism that we know that the users can't bypass now this greatly restricts what they can do so if another problem occurs we know that the damage that maybe if let's say a guest user somehow is able to convince the system that they're a regular user we've actually limited and restricted what that regular user can do so we've limited the impact of any attacks and this goes back again to the idea of risks and minimizing risks part of this is so what how many people use android phones almost as much how many people are there here windows phones one person good for you so when you download let's say a flashlight app what permissions would a flashlight app need to do its job now what do they usually ask for what does it actually need it would need maybe access to the camera but it depends if we think about ourselves unconstrained in the current operating system maybe just access to the light to the light on the camera so what happens if we give let's say this flashlight app access to our camera yeah yeah if you give any kind of pictures they can see what you're pointing at while it's running it can maybe use the front facing camera there's no way to distinguish between that it can record you, record what you're doing to maybe try to build up a profile of you to sell you better ads or something right so ideally we should just say that hey this app should only be using the flashlight so what permissions do a lot of apps want so it's like I said contacts what else current location what else they got super important to do a flashlight app absolutely absolutely so we're going to adjust the brightness of the light depending on where you are at the time of the day or something files or file history is that files or file history what do you think hang in information and may want to credit card information notifications and may want to pop up notifications to remind you to use the flashlight right what version do you have yes we may ask for information about your android version and what version you're running so all of these kind of go to show and this is what I'm trying to do is get you to think about we're talking about authorization at kind of a high level on a system basis comes into play in your everyday usage of your devices and your phones you are making that decision whatever you install an app in is what I'm giving this app actually what it needs in order for it to do its job and oftentimes I completely understand because I'll just install it because it's easier to use it than to not use it whatever it has access to your contact list and everything else and you just kind of don't really think about that why are you giving that app more authorization than it needs to actually do its job does anybody run any of the crazy mods that allow you to control those fine grained privacy settings on a per app basis and feed them false information I can't remember which android versions those are but yeah there's some work that people did research works that basically lie to the apps and say yes they can have my location data but it's going to be a fake location data and they can have my contact list but it's going to be a fake contact list because you as the user know that they're not actually going to use that for any good purposes or functionality for the app there's a lot of that business that goes on in ULas like when we sign up for a service and I don't necessarily read any of that crap so it's a ULas and use a license agreement yeah so that gives authorization of permission for a service provider what are some of the things whatever the services we're using correct so they may claim in their end user license agreement that you have consented to give them this information and that maybe they need that and maybe they will claim most how they're going to restrict the usage of that data but you as a consumer don't have any alternative to either accept it or reject it so good so all these things come back with authorization the idea is managing risk because do we ever completely eliminate risk no why not knows the easy part of that answer exactly so I think about it this way so let's imagine we have a perfect policy that perfectly defines the secure states and the insecure states we have a fantastic mechanism that precisely enforces the policy have we still eliminated risk any risk in my house yeah I would be careful about making equivocal statements that you can even completely eliminate A risk it can be true for a very small limited section of A risk for instance like a classic example would be let's say buffer overflow vulnerabilities we'll see are very prevalent in low level like C and C++ style languages so you can actually completely eliminate this entire class of vulnerabilities like moving to something like Java or Python but you're still at risk because there still could be buffer overflows in the JVM itself which the code which an attacker could exploit and even more likely is the attacker will move to other things like SQL injection that are still prevalent in Java applications too so you can definitely but yeah that's the problem so the problem is saying you completely eliminate something that's a very strong statement and you don't have it true yes exactly availability problems right so and managing what the system's supposed to do you risk not being able to get back to the computer yes that's actually yeah risk of using a very very strong password that you don't write down anywhere or store anywhere right it's like you risk that you forget it and so you just have to reset your password anyways and so what's the point so why else why can we not so we maybe talk about we can maybe eliminate a tiny risk or a very well defined risk why can't we eliminate it even if we have a perfect policy with a precise mechanisms you don't know about there are risks we don't know about we want to elaborate like there could be some kind of an exploit that nobody is aware of except for the attacker and so they'll use that so you can't really protect against something you don't know about so these mechanisms are created devices right they're not they are not infallible and so there could be there could be vulnerabilities inside that the code of your mechanism itself that somebody has accountability in and can actually bypass your policy and your mechanism exactly so you could make an insanely precise and greatly secure policy in let's say the 1980s which now if you continue that way up until now and that policy didn't consider the fact that people have internet and that everyone has a device that has access to the internet right if you're not considering these kinds of things then the circumstances surrounding the policy can shift over time and so your policy may actually not be secure for the new friends that's a great point yeah it might be a very important your hardware is being shunned they just sent out a little transmission every 30 seconds about what you're doing yeah so I'm super interesting so there's a paper I don't remember the year but basically they showed that into a wifi chip you could inject a back door that would so wifi signals and whatever all physical mediums right there's a wave that's traveling through the air and I'm not a physicist or an auction engineer so that's about my knowledge of it but there's defined thresholds into what counts for what there's variations in there what can physically happen versus what the device will read it as so what they did is they inserted a back door into this wifi chipset so the actual chipset on your device such that when you connected to a private and password encrypted wifi it would actually be encoding the password into those little noise into the noise distribution such that it didn't change the signal but if somebody knew let's say the secret key they could decode that to read and figure out what the wifi password is so yeah if your threat model includes nation states who tamper with your or who could tamper with your hardware you have to really be worried about you buying it used to be that the military would make their own chips and fad so they could actually secure that what's the problem with that it's expensive, it's really expensive especially when you talk about hardware because you don't get the economy of scale that somebody like Intel or AMD or Motorola are getting by making hundreds, thousands, millions of these chips so the government switched to buying what they call common off the shelf devices but now then they have a problem of how can they actually be certain if let's say the company who designed the chip gave them the design file they're able to verify that there's no hidden backdoors which in itself is a difficult problem how can they actually be sure that that's what gets synthesized and actually made into the chip that somebody at the manufacturing plant didn't insert some backdoor logic into that it's hard it's a very hard problem this is kind of the state of the art of at least hardware based issues that people are worried about and there's even there's a there's all kinds of not even necessarily backdoors but undocumented features of hardware chips that could maybe allow debug access all this kind of stuff so yeah so even if and this is kind of what it goes back to is even if you can control everything right I mean all the way to silicone all the way up humans implementing these things and so they can still introduce bugs and problems into the system so to me this is all a great discussion on why you can't eliminate risk 100% but that doesn't mean we shouldn't try it so authorization versus access control so we're we'll try to be precise when we use these terms in this class but they're often used a little bit interchangeably so we kind of define what authorization is so what is access control and how does it relate so this kind of relates to what we've been talking about for a long time right so essentially I think of it as authorization as the policy right so it states who should be able to do what on the system to what objects whereas access control is the actual mechanism that enforces this authorization policy so that's where we get into issues of permissions on files as we're going to get kind of all into that all the different ways to think about this stuff so it's important like I wanted to make sure we define this so we're able to keep in our heads authorization versus access control so what we're going to do now is we're going to look at different ways of how we can think about authorization and model well let's see how I'm going to use them both modeling our authorization policy and modeling our access control mechanisms so that we can kind of reason about the system and what can happen on the system so we're going to use three main classes of objects in our system that we're going to think about our subjects which we're going to use as the set S so subjects would be what administrators could be subjects the host maybe I shouldn't have had the things here okay so we're going to subjects we're going to have we're going to have rights so we're going to have the rights that subjects can have and those rights may depend on the system itself so on a file system we might be concerned with read write execute and maybe ownership and possibly append so we have subjects rights and we have objects so subjects we think about these are things what I think about in the system that can act right so this would be the users it could be let's see this is why hosts doesn't really fit unless we change what we're thinking about our systems whereas objects so objects are assets all the assets and objects in the system that can be essentially acted upon so the difference here is a file doesn't really act by itself is that true it's an executable file doesn't do something what's the difference the idea of a program or a string in a file it doesn't do anything it's just a storage location for information and then you have a program or a compiler that will take in that string and begin executing it it depends on the thread or the process so you have this other dynamic runtime entity making changes to the system correct yeah so that's definitely the way I think about it is files are objects on the system even an executable file is just bytes on the hard disk it's when a user wants to execute a file that the operating system will look at that file, analyze it turn it into a running process and when it's in a process now it has its own rights and capability so it actually becomes a subject at that point where it can now act upon the system by trying to read files and write files and do everything that a user can do great cool and then we have our rights so we have what can the subjects do to the objects so why is it important to model this because everyone has to makes it easier to understand understand what, like who's trying to accomplish right so people are writing authorization policies so this helps us to reason about the system right if we can look at this if we can define this formally and we can define a model of an access control system then that can help us think about and analyze a system to answer the question hey is it possible for the subjects in the system to transition the system to an insecure state so the classic model of the access control model this is going to model all of the access for all of the subjects on all of the objects in our system so we're going to have subjects on the rows and the columns will be the objects in our system and in each cell of this column each cell in the matrix will have the rights that that subject has to those objects so here we have subjects u and v and remember this is very general right so subjects u and v it doesn't matter what they are at this point we have subjects f and g and so that subject u has rights r1 and r2 on object f so we have subjects for each of the rows and each of the columns are what? objects what is u? u is a subject so why is it a column? why is it a row? it's a row but it's also a column it's an executable maybe so the idea is subjects can have rights to other subjects and the key is what these things mean depending on the system whatever r4 is is what you can have rights for itself similarly v does not have any rights to itself so I don't know whatever that means depends on the system you can actually have that in some systems you can have let's say a process not be able to read its own memory or you can have interesting access control policies they may not make sense depending on the system itself so these are the only objects and subjects in our system what can we say about it? complicated, why? usually several applications running and then like a billion threads running and you have cells under pc you have millions of subjects like the matrix exactly, so what makes this simple? it's very small it's very small, what's really small? the cardinality of the sets u and s yes, exactly so the number of subjects and the number of objects are very small here so it's easy to look at it's easy to reason about if we ask any questions about who has what access rights to what objects you could very easily answer right? and so this is kind of, so the so if we look and then we can instantiate this model in different types of scenarios so for instance in unix usually we think about the subjects being processes so why don't we think about the subjects as users like users walk out of the system processes are essentially the means which a user interacts with the system right? you can't really model and you couldn't throw me in there specifically right? when I'm interacting when I'm interacting with the computer I'm invoking I'm telling you some process to do something that process takes out so we think technically, so what when you log on so remotely ssh into a server what happens? starts a batch session, how does the system batch and not zsh or some other shell? configuration what configuration? the one that's stored on the server yes, which one? specifically know that you want to use batch so it loads the profile that will do so it's that, I don't have a Linux machine but it's the ETC password, p-a-s-s-w-d file has all the user accounts in the system all of their user IDs and one of the files, so it is essentially a configuration file one of the fields there is the shell that you want to be executed when you ssh into the machine so it's your default shell, you can use the command c-h-s-h to change your shell to something else and so the system knows when you correctly so first you have to authenticate to the system right? so you have to prove that you are that user account on the system either we'll see passwords, private key that's why I want to do crypto first before we go into authorization so we can understand these concepts when we finally authorize ourselves and says okay yes you are user A on the system and here's which shell it's going to run so now all of the input that you're sending gets passed to batch and all of the output of batch gets sent back to you so it is just a process right? you are not a concept to that computer all you are is an authorization to batch starts executing as a process with your user and group permission so you can batch and it can be essentially your user ID and your group ID on that process and then when you type in something like ls what does batch do? it takes against what it's allowed to take based on your user almost what is it? in that statement how does batch start executing ls how does it know what to execute? do you think about it? you type ls you hit enter so batch sees that you input ls and then a new line yeah I think I'm probably wrong when you hit ls you point to a file and it has to execute so it first has to look through your path to find out is there an executable called ls what's the dollar sign path environment variable it will look at all those folders when it finds the first one it finds with an executable program called ls which would probably be slash bin I don't know exactly where ls is so then it will call exec to the operating system exec slash bin slash ls and you do pass it any argument so it won't put any arguments into it's call to exact it's exactly e which will cause the operating system and then read in the bin ls create a new process with the rights inherited from the person who created it or the process that created it which is batch and so the ls starts running with the permissions inherited from batch so cool so this is all to say that everything's a process so users don't matter people don't matter all that matters is a process so the process is p and q and f and g and we have different rights read, write, execute, append and own so what are the obviously so read and write are pretty easy as to what they actually mean yes I guess we will cover it we can go over it so what about execute so what does execute allow us to do yeah so run the model allow us to execute and create a process from this file essentially what about append what's the difference between append and read and write you don't necessarily want the user to be able to read them or delete them but so they can add to them without deleting anything that's done before so can you have a append access to a file and not read access or write access yeah sure and that's what you may want you may want a program that can only log but can't read from that log file necessarily with one program it's kind of silly because you wrote all of that log output but let's say you want to consolidate a bunch of different programs into one log output in that case you want all of them to be able to append to that file but not to read from that file because then they'd be leaking the information from the other process what does it mean it means that you own the file it's your file it's essentially what the idea is actually what does that allow you to do so the owner of the file is the one who can change the permissions of this file to add new writes to new users on this system cool so we'll just use these RWXAO for right now we'll talk about this simplified model so now we can now we can actually have kind of an instantiation we can think about again for our sake simplicity we can use small numbers of subjects and objects so here we just have two subjects and two objects so then how can this matrix change and who changes it who enforces this access control this access control going back to the LS example I don't really understand it because you said that the LS process is both different from the command line and so as that is executing its binary and going through line by line and doing both the weird file system low level I know okay here's this file at that point in the LS application is the logic embedded in there to check okay this file is supposed to be visible to this user yes no compare with the credentials given or the IDs that are given so is it in the logic of each application is it a system architecture and design and code pattern what would be most well effective what would how would you design that so you're kind of asking a question of where do you put the access control check well if I was trying to use LS as a limited user and LS was the actual application restricting me from looking inside of a particular directory I would probably write my own version of LS that didn't care and that was just show me everything you could find so in my mind embedding it in LS doesn't really work so the check has to happen somewhere else correct so where were the places you would put that somebody else in the system libraries so in the kernel when LS makes a function call to execute something in the kernel then it checks whether there is authorization right so definitely so yes so you want to so a good idea and a good way to think about access control mechanisms and where to enforce and do the access control checks you want A to be in a central location so you don't have to replicate those access control checks in every single application right and you also want to make sure that it's some ways protected so that the users can't just change or modify or bypass those protections so being in the kernel allows us to do this because in order to open a file any process on any unique system if they want to open a file they have to call the open system call with the string of the file they want to open and any flags that they want to open the file with then the operating system will do its checks and we can think of it for right now as it will consult this access control matrix to see okay can this user does this user have this right or sorry user does this process have this right on this file and right with R have this right to this file and if they do then open it otherwise return to error messages that tells them what they will have what their instincts are right as we'll see this is not often the case that we go to other different types of systems like web applications there's actually a huge problem because there is no central place to store these access control checks they're literally littered throughout the application so if you make some new API that doesn't use the main path of the application you have to replicate all those access checks which is a major source of problems on web apps cool I have a question here how does it change ah yes so how does this change so how does this matrix change over time what are the different ways that it can change more users so we can add more more process more processes to the system right so how could let's say ah so how could process P create a new process based on file F can process P just execute F you have to know what it is that you're running you can't just like process P can P read file F yes you can execute files that you can't read which is silly but yes it depends on the system so yes so process P can read file F okay execute it what do you think so I guess I have a question of what is what does ownership over process over a process what does that mean correct what does that mean I don't actually know so let's say that they can edit what would make sense to me they can edit any of the permissions that P has on itself that would be part of ownership here they could remove right access from themselves or execute access from themselves thought maybe he was talking about F since you own an F he could add execution permissions to F and then execute it exactly so process P owns file F right so they can and based on the concept so this is all to remember about the specific system that we're talking about now and we just defined that ownership over an object means that you can control the permissions that you have to that object and possibly depending on how you do it that may also control the permissions that other people have on that object so in this case I may be able to change P may be able to change Q's rights over F may be able to remove append access make it executable so P wanted to execute F they would issue to the system a CH a CH mod which would call a system call to try to change the to add the execute privilege to P to F so the column would read RWXO and then now P could execute F and this would create some new process U in the graph and going with our inheriting permissions would basically be a copy of all of P's permissions and I just want to say the guy over there that said if P is a compiler maybe it doesn't have ownership over F in that case but it can still read it so if P can read F append F to itself as it has permission to do and then re-execute itself with F included it's a roundabout way to execute F so there was an idea that was to do that first that's awesome so the idea would be you don't have to think about compiler F is an executable file if you can read it but you can't execute it then maybe you can read F copy it to a directory you control make it executable because you're not on that file and then execute it yes possibly as we'll see when we complicate this model but there are special ways you can get permissions to file F for instance that it executes as root for some other user and so in that case by copying that file you lose those special privileges so it would just execute as Q which may or may not be what you want but that's a good way around that cool so what are some of the benefits of using this access control matrix what is this good for easy to understand so it's pretty easy to understand if I ask you any question can process Q write to file arbitrary writes no but append write yes what else what are some other benefits I could definitely help you get a view and be able to see wow this process has a lot of read access to a lot of files on the system is that really what I want to have happen so then you get into understanding visualization challenges of how do you visualize it when there are now a million files on the system being able to try to answer some of those questions sort of like writing out for certain permissions that may not be explicitly stated yes so that's a great point so we're not the book goes into this much more we won't go into it in class but you can formally define each of these operations we said and changing you can change ownership on Unix you can change permissions if you have owner access to that file also you may be able to change all in this row if you own that file so you can change everybody else's access so then if we wanted to ask the question if part of our security policy is it should never be the case that Q we want it to never be the case that Q can write to file G if that was our security policy we would say does this access control matrix actually enforce that policy no because even though in this current state of this matrix Q cannot write to file G we can see that that file has ownership that Q has ownership of file G and so they can change the permissions to get that file so we can model it and we can talk about transitions and then we can make proofs that say given if we start in this state there's no way to transition this matrix to any state that violates this security policy what's some other benefits I think it's pretty fast to look at so if you're the operating system implementing this access control matrix and you say hey I have process Q it's trying to write to file G well it's very easy we just look up right it's an index look up say okay what about drawbacks where are some drawbacks to this assume that the matrix matrix itself is too big to be stored in memory which means it's going to have to store in a file and you're going to have to protect that file yes so lots of problems here so we do actually in general have the problem of how do we securely store the access control authorization policy here and so that would definitely be so size would definitely be a huge drawback here because we have now this massive and every time a new process executes we have to add an entire new row here yeah but what or if you're going to be upgrading you know if there's some old things you can actually figure out what it is right so we also a great theoretical model because we didn't have these ideas to rewrite and execute but what if I told you G was a directory and what is writing to a directory mean what about reading from a directory what about execute on a directory right so we want to have in order to evaluate our security policy against this formal model and this matrix model we need actually all of these rights formally defined as well which is going to be difficult especially our real system yeah so let's say so yeah let's see a point so let's say that so we said these are all process right these are all processes on this subject let's say I have five of these processes that are running for me now I changed one of the files to give my user access to this file read access to this file now the operating system to update this access control matrix we have to update every row with every process that had my permissions because essentially all the processes on the system have the same rights as the user account that is running them maybe modulo so there could be actually be performance issues or problems or things to consider and think about this how to actually update this matrix it may not be as simple as just change one cell we may have to change all cells such that some other thing is true what else about this matrix so the comics checking for correctness that is a difficult question yeah so that also would be difficult to reason about because every single file in the system could have its own unique kind of access here with all the different processes in the system so yeah so this is actually so the way I view it is these are a great way to think about access control in this form of this matrix because it's very precise it defines exactly everyone what they can do on the system all the objects the big drawback though is simply size right so every time the new file is added you have to add a new column in this matrix and it would just get huge over time with all the subjects and so you have a very sparse matrix and you have problems with how to store that and it gets to be a nightmare so so it may not be a surprise but almost nobody actually implements these access control matrix like this so the idea is to kind of split up the storage and to split up the way that we think about this so what would be some options big chunks of columns and rows together into classes and say that all of these files are in this particular class and anything in this class which do the same we just abstract it and kind of start plopping things together to press the matrix down so we could create some kind of hierarchy that said well so we maybe go back to our student homework example we may be able to classify let's say a bunch of files as homework files right so maybe we can try to give some policy of how those homework files give you better write by users and we may you know maybe we can do some kind of hierarchy to cluster and to collapse essentially some of these columns so that multiple objects are all underneath one category sure so you want to access your process so you're the operating system right you're the access control mechanism you're seeing that the user wants to access file F what do you actually need to know from this matrix in order to make that determination do they have read access but what in this matrix do you actually need do you care about the access to files G and the process P and the process Q no what do you care about cell P F you care about the cell P F exactly so all you care about is this cell so one way to think about it is maybe for every object in the system you just store the column here and so that's essentially access control list where you say okay for file F we're going to store file F and again this goes to how do you store it how do you make sure that a regular user can't tamper with it but essentially you store with file F okay process P has read own and a re-write of own will process Q has appended access and now in the operating system whenever you want to access this file F it will look up this metadata this access control list and say okay so I know this is this list and it writes on this object so I'm going to look up what writes that P have okay great P has read access then they can get access to this file so similar thing so I kind of visually try to say that these are distinct now pieces of data essentially so each column of the matrix is stored with the object so what's the benefit here and what's the drawbacks now so now you don't you never kind of store this whole matrix right so now you're just storing with each file so you think about the file not only has the data the file but now also has metadata that says who has what writes over this file some good things or some drawbacks yeah you don't have to store the metadata somewhere but you know we're the file system so we have I mean sorry we're the operating system so we have complete control and we mediate all access essentially to the file system so we can make sure those are secure so some benefits of that faster than the smaller the channel exactly so accessing maybe a specific file F right we don't really well A we don't have to store any of the other processes that have no writes on this file so we can deal with the sparseness there and we don't have to load this entire matrix to figure out exactly F and Q we actually know exactly which file we're interested in because that's the file and access so a drawback here would be changing essentially one processes writes to all the files would be changing every single file in the file system so it would mean because this matrix does not exist in one centralized location so you can't just say okay great I'm going to change this row so it's got to think about how you're storing things right you're storing things column based now this means doing a row operation means that you have to go access every single file on the system isn't that solved mostly by the fact that our processes are kind of structures of hierarchy and our files structures of hierarchy when you CH1 a file we can recursively make the changes to the files within that file you can so CH1 has a dash capital R option that will recursively make those changes but by default it does not do that so it only changes that file itself and this is part of the problem is this is how most systems are implemented so we've been thinking about access control in these terms for a long time you CH1 to the file right you don't say I want to take away process keys read access to all files right you don't think that way because it's hard to actually do with the system even then you can do that and maybe you just delete that user and that's how you get rid of that but it's a problem again that actually makes an operation more difficult which you may want to do great all right let's stop here on Thursday