 All right folks, let's rock and roll. So I think, well, as I think, I've seen on the submission website that many people have already got paid. I mean, I've said many, I haven't counted, so I know people have gotten a hundred percent. So for those of you who think it's not possible, it's possible. So does that include, do you think it's possible? Otherwise, we would have many more empty seats in this room right now. Yeah, I only got nine out of a hundred because I didn't have to turn the case. Nine or the same way? I can't turn that key. Nine key out of a hundred. You've got to turn a key correctly. You've got to turn that key. Yeah, that's the only one that actually tests that, so yes. So when you submit like a smoke test per rating, you get like a hundred of those submissions, right? Yes, yes, yes. A hundred smoke tests, so you're going to keep doing that well. Don't just keep doing it because then it gets stuck in the queue and then more people can actually do their stuff. So, but yes, the idea there is to just make sure it compiles first before it actually like, you submit it for real. Cool. All right, so let's get on to access control. So we talked about what's an ACL besides something that my football players keep tearing on my fantasy team and my real team, I guess. Access control list. So what is an access control list? It's more specific than who can access stuff. You can answer that to almost anything in this entire access control section. Users get specific permissions. Users get specific permissions to do what? Okay, so specific permissions, specific rights, but how does an access control list contrast with a capability list or with an access control matrix? Capability lists, capability lists are more like based on the rights in which users can use them, but it's the opposite for access control lists, right? They're all well, okay, yes. So they're all about who can do what. The difference is capability lists are stored with the users, right? 
Every user has what files and what rights they have on those files. So an access control list, every file or object in the system has what users or what subjects can do what on that system. Yeah, cool. Awesome. So UNIX, so we spent a while, actually it was really annoying. Now every time I SSH into that server, it's still running in SH instead of in Bash, and so I still haven't changed it back. Every time I do it, I realize, like, oh, this is why you shouldn't change systems you actually use because it's kind of annoying. But anyway, so we went over the UNIX access control list. So how, so we talked about that UNIX has, so someone kind of refresh our memory of what we talked about, about how UNIX does access control and access control lists, everything we're talking about, yeah. So it uses metadata? It uses metadata, so for every file there's some metadata. You can see here it's actually just 12 bits per file, which is a pretty low overhead. What do these bits mean? I mean one or zero, yeah. Read, write, execute for the owner, group, other. Right, so read, write, and execute for owner, group, other. How many bits does that get us? There's 12 bits. What are these last remaining bits? It's magic bits. SUID bit, which is what we saw was that SUID did do. So it runs the process as the owner of, so when you execute that file it runs the process as if it was that user. Set group ID, so that's another one we didn't talk about, that's the third one. Second one, and the third one is, you may know? Sticky bit, what's a sticky bit? Yeah, it's normally on directories, anyone who has write access to that directory can delete files. But in some directories, so what directories would you want? Do you want, so think about this, what directories do you want any user to be able to create a file in? Temp. Temp, why temp? Because it's temporary space. It's temporary space, it's made for anyone to be able to write a file. 
Do you want users to be able to delete other users' files out of the temp directory? No, definitely not. So that's why the sticky bit was born, so that way. And I think it has, the other thing is, these all mean something slightly different. So we talked about this, the owner, users, and all users on the system, so owners, users, all users read, write, execute. For files it's very straightforward for directories, it's slightly more complicated. But we won't go into all of that. Cool. Wait, SUID stands for super user ID or something? Set user ID, so it means set the user ID of the process that runs based on the owner of the file. Okay. Or the set group ID says set the group ID of the file based on the group of whoever the group is of the file. And this sticky bit is some kind of like, sticky bit is some sort of like flag bit or something? The sticky bit, so these are the bits basically. So you have three groups of three, the first three, set user ID, set group ID, sticky bit, read, write, execute owner, read, write, execute group, and read, write, execute all. Actually if I remember correctly, the sticky bit started life out on a file. So if a file had a sticky bit, it meant that it would always be kept in memory and it could never be swapped out. Because for some applications, swapping it out would either break it I guess back in the day. I think that's not used pretty much anymore on files, but it's used on directories for that reason. I just remembered that. So look at the sticky bit Wikipedia page, which you can learn everything you've ever wanted to learn about the sticky bit. Cool. Yes. Is it possible under this scheme to like, have the root user unable to do something to a file? So it's a good question. So I guess a high level question is, why would you want the root user not to be able to do something on a file? So maybe as an example of kind of least privilege, so you're saying that restrict even the administrator's abilities to do stuff. What else? 
More than one user. Good idea. On most systems, no. You have multiple users, which is actually a huge problem. So you have a bunch of users on the system that can each become root, and so that actually is a problem, because you want to know which administrator did what. There was that web server example where root is the only one that can open up a port for the web server, so maybe you don't want people using that. Right. So yeah, so the high level idea. So with this, so what does this allow, like if you think about this in terms of like an access control model, what types of access control can you specify? I want us to explore the bounds of this model. So like what are some things you can say in this model? Who can give everyone access? Right. So part of it is the owner of the file can choose who to give access to in these concepts of owner, group, and all. Who else can change the permissions on a file? Root. So is there anyway in this model that you say that root can't read a file? How would you try to do that? Not give them read permissions. Right. So create a file that only you own and give it read-only privileges to you and no other privileges to anyone else. But does that mean that nobody else can read that file? Why? Because root can change the owner. Right. Because root can change, not only, so that's a good point, root can change the owner of the file to themselves and read it, root can change the permissions of the file to give themselves read access or they can even become your user and then read the file too. Would it be useful? Why would you... I mean, so we just talked about that actually. So it would be useful to do that. What are some of the things that you can't express in this system that we may want? Yeah. That's like a specific user. So to give just to share access, so you think about anyone use Dropbox? Yeah. You can do things like share anyone who has the link to this file can download it, which is pretty cool. You can't really do that on a... 
Could you, I guess? Okay. That's a good question for you rather than me. So how could you do that in the UNIX model? You could make like a public, like one public user or like a group and like give people access to the group that has access to the file. But they need... So in this model it's if you know... So if you think about the link is knowledge of the location of a file. So if you know about the location of the file, then you can access it, but you can't access it otherwise. Specifically with the link, do you have to go to the owner of that file to view the file? No. No, what do you do? You just get the link, you click on it and now you're viewing that file. So it's anyone with the link, which is exactly similar to what kind of access control model that you're implementing now in your homework. Like a key, right? So as long... That link is the key. You can access the house. You can access the file. It doesn't matter where you got it from or who gave it to you, you can still access it. So can you do the same thing here? What would you need to do that? What properties do you need to hold to do that? What keys can access this file? Yeah, so you need some way. So what's the core idea of a key in this case? Could be a lock. The lock is a little misleading because we don't have any lock in this case. Kind of similar to a password. So what do you want with a password? To authenticate the person? You want to authenticate the person? True. Let's think about Dropbox. How does Dropbox do it? When I have a... I want to share this file with somebody. I can just say share this link. Anyone not done that before? But you share a file, right click, share it, creates a link, you give them a link and they can now see that. How does that work? How come other people can't see that file? Because it's not public access. Because it's not public access, but how do they actually ensure that? It's just a link to the URL. Yes? The URL is probably randomized. Yes. 
So randomized, why is randomized important? Because randomized suggests that there's no way to probably code without a long time in a very advanced hardware. Right, so assuming it's random enough, which we'll get to when we talk about crypto, it should be impossible for somebody to guess it. If I just create links that the first link is one, the second link is two, the next link is three, is that a secure good mechanism? Yeah. No, because somebody could just enumerate all those numbers, get all the files. It should be, you have to have knowledge, you have to have this link in order to do the file. And in this case, the key would be that random string of letters that you need to guess. Can we do the same thing here? We can make a really complicated folder directory system and then just make it world readable. Okay, so we can make a really complicated file directory system so we can maybe make, in our home directory, have like a shared and then what would we need to actually do this? This is a fun exercise. Competent users, we are the competent user. We're creating it in this case. Are we the only ones that have access to it though? Say it's a shared system. We want to be able to create a link, in this case, a file that we can share with only people who know the location of this file. So why don't we just create a... Well, I don't know. What do we need to do? Can we password protect it? How do you password protect here? You can only use these things. So we're only working in this model of this Unix access control. I guess you have to make the file world readable? The file would need to be world readable? Why? Because if you want to share the link or in this case, like the directory, it has to be able to be read by everyone. Fundamentally, the file itself must be read by all. Does that make sense? Because otherwise people would have to ask us, the owner of the file to get access by adding them to a group or whatever, which we just said we don't want to do. 
But if I just create, let's say, a file there that's world readable called my super-secret file I want to share, that's world readable, what does that mean? Everyone can see it. How can everyone see it? How do they walk me through this step? So you're another user, how do you see this file? Go into the temp directory. You can do cd slash temp and then what? The ls. You ls, so you list all the files in the directory and then what do you do? Cat the file. So we need the file to be world readable, but what else do we need? Could we make it hidden? Make it hidden? How do you make it hidden? You can only do this. How do I change these? Part of the directory that's what hard to get to. Okay, so think about that. If we walk through those steps, so we put it in the temp directory, what was the problem? Someone could use this line. Say that again? Specifically what can somebody do to the temp directory? They can see what's in files. They can list all the files in the directory. Which of these permissions is this on a directory? Read. So read permission on a directory means that you can list all the files in the directory. What does a write permission on a directory mean? Create files. You can create and delete files, I believe. What about the third one? What does execute mean? You can... Actually, I don't know. That may be right, but... You can access subdirectories of that directory. So what would it mean for a directory to not be readable, not be writable, but be executable? You can access subdirectories if you know what they are. You can access subdirectories if you know what they are. So how does that help us get what we want to do? You can make a subdirectory. What would you want that subdirectory to be? A weird name. Not just weird, how weird? Super random. Super weird that's unguessable. So you can create in your home directory. And I'm going to swap it out into here. Good. Is this big enough? Can you see my hello? Okay, so let's say we have the directory. 
So we have home, AdamD, that's us, we're the user. So now we want to create a directory called let's say shared. And we have our file we're just going to call it toshare. So we have our file toshare. So we have our shared directory. What do we need to do to be able to create a place this toshare file in a place where we can share it with people with this? We should make a random directory inside of shared. So I'll do cd, that's super random. So it's cd shared. mkdir, I'm just going to call it random like this. So we'll assume that this is, we'll insert some super random thing here that can be as long as we want. So it'd be super unguessable. Now what do I need to do? Okay, do what? Yeah, what do you want to do? Executable. I want everything for me. And for my group, I guess that's fine too. So you want it to be one, so just execute on that, we'll do 711. Don't you want random to be readable but the parent directory to be executable? Because you want to be able to go into random and see what's in it. Because we don't want to see the random directory from the parent directory because that defeats the purpose of what we're trying to do. That we've just given out. So they should be able to see the files that are there. Okay, so you convinced me? So then what do I do? I don't know. I don't know which number that is. I think it's 5-5, isn't it? Read and execute. Read and execute? But we need them to be able to go into any subdirectories possibly. It's not going to change it too much. We can also do if you're so inclined actually I don't remember the syntax but get loaner read and execute actually I don't know how to do this so translate that's your own parallel. Okay, then what do I do? So, yeah, let's cp whatever from toshare into random slash toshare now what do I need to do? I need to set permissions on that. What do they need to be? Readable. World readable, right? So we can do 7-7. What do we say it was 4? I think that's right. Just read? Yeah. 
So do we want them to be able to delete the file? No. Probably not execute the file, it depends on what it is but normally not. So I need to make sure. So now we have slash home adamd shared random toshare. So what do we need to ensure about this directory structure? Well, we need to go to share to make sure that it only has execute permissions for everyone and nothing else so they can't read or write. So I need to make sure that my directory permissions on shared are so me I can do anything whatever, I can also do anything and what do I need these permissions? So do I want to do 7 as well on shared? What's this going to mean that people can do? Yeah, I can create directories or list, specifically list the shared directories, see all my random values and then go check out all my files. So what do I want here? Just execute, right? So that this way somebody can change into a subdirectory of shared but you can't list shared and you can't actually see the files there. So what else do I need to ensure about this entire path? What if my permissions on my home directory are 770? You're going to want to make your home directory also at least 771 so people can navigate to the shared folder if they know. Right, you want your home directory to also you need to actually every directory above you needs to be at least executable so that somebody can change directory into there Now we have a link that we can share with anybody on this system they can copy this file, anyone with that link can copy the file but we cannot copy that file. Okay, crazy, you just implemented an insane mechanism here. So you have to leave the ones could they use the entire path and just cd to that place if the previous directories like home and Adam were called zero in the chmod? They cannot at all, so if they're zero it means that you can't even go to any of the subdirectories even if those subdirectories allow you to do so. And even if you know the exact name it'll say access denied. 
To ls they need read permissions I believe on a directory, yeah. And that's what this whole thing is based off of so the whole idea is the security there is basically ensured by the here, here, share. So making sure that shared is not readable by everyone, because anyone who can read that directory means that they can list all the files which means they can see those random values and then see the files that we have which is the entire thing we're trying to prevent. So with this nobody knows what this random value is until we send them this link and say here copy this file, I mean it's a link quote quote right, but once they have this map they can copy that file to their own directory, but without that there's no way they can guess unless they can guess this random value. Cool, you're just going to do a really cool access control thing in a system that seems very restrictive. Who, although we said nobody can see this file without the link, but is that actually true? Who can see this file? Root and who else? The owner, me. And the group's owner too. We'll assume the group is just me, so it's all out of me here. Yeah, super cool example, so it's important to remember that because people often forget, and we've talked about that before, people forget that administrators on these systems have access to all your files, so do not store sensitive stuff. Cool, okay, so the idea here and the things that we were talking about was can we restrict root permission here? So, with this is there any way in this system to restrict root access? But we decided we wanted that, so you'd have to extend this system and add additional features to it, which is exactly what modern systems do, so yeah. Are we assuming that cryptography doesn't exist? No. Because this could have been achieved in a much less roundabout way with just GPG. 
That assumes that the users know GPG, because you could get that same thing with Dropbox by doing that, but Dropbox specifically doesn't because of the UX problems. You could give them a link, which is just a shell script that decodes the file of the key. You're going to give them a program to run? And they're going to trust you to run it? If they don't know how to GPG they're probably going to trust anything they say, so. That's probably true, but yeah, the idea was using this model and I'm actually well, I'll maybe describe it in a second. So I actually was in a case where I wanted to do something like this. I... Anyways, let's say I wanted to prove that somebody on my system ran specific code that I gave them, but I didn't know which user it was going to be. So what I did was I actually created exactly this same structure that we just talked about. So I created this structure, put a file there, had my code log to this file who did this and what the user was that ran it and that way I was able to see which user executed it because the only person who should write to that file because nobody would know what the actual location of this file is, you'd have to actually run the code in order to see that. So that was a fun story maybe I'll tell the full version some other time. But it does, I mean there are crypto parts here and assuming that we actually have a random value. So modern systems actually include the ability to do things like you could make a file immutable which means nobody can change it not even root except that they also have the ability to make it unimmutable. But they have to do that first before they delete it so it's a nice kind of extra step. What are some other things you can't express here that you would want? A time, so maybe saying something like I'm going to release a homework assignment at midnight tonight, I want you to have access to this right then and not at any other point. 
You can kind of do that by creating a cron script that's going to do the chmod when you want but it's still a huge pain and you're not, this system itself doesn't guarantee you the ability to do that which could be something you want. What else? What does it mean when somebody so if you want to have files that what does it mean when somebody has write permissions to a file? They can delete or they can delete or append to that file. Would you want would you ever want a case where somebody can just append to a file? And what, why did you want that? Maybe a project where people are working on multiple things. Maybe if it's like a log file you just want to append it. Why are log files important? See who's accessing your system to see what every process on your system is doing, what your services are doing when you're submitting homeworks and for whatever reason some of you keep getting to weird corner cases but I have it somehow not hit in like the I don't know many times I've been doing this course I have to dig into the logs to figure out why what the error is and how to fix it because otherwise I don't know what's going on. If you're thinking from a security perspective if you're having logs of who's doing what on the system and what's going on you want to review those in case there's ever an incident or an event. So the integrity of those logs is pretty important right? So would you want the process that's writing to those logs to be able to wipe the logs? It defeats the purpose of having those logs because if a bad guy or an attacker infiltrates your system through one of that process what they're going to do is they're going to clean up their tracks by just deleting those log files. So you'd want the process that's creating the logs to only ever add entries to the log and never be able to delete them. So there's another way and I don't remember all the details you'll have to look it up. 
I want to say it's at the like EXT4 level that adds a lot of these features that makes itself. But yes, there is a way because is there any way to express in here that somebody can just append to a file? No, there's fundamentally no way. So this is something that this access control model cannot express and so we need other ways of doing that. So there's another method where you can actually do that. Any other things that would be useful from a security or system administration perspective that this model does not allow you to do? Time is a cool one. Maybe time in terms of letting you have access to a file only for a certain amount of time. What about would you like to know say only this user can access this file but they can't let anyone else access it? Being able to write to a file but maybe not copy it? Being able to, ooh, that's a good one. So being able to write to a file that's interesting. I don't know if you can express here writing without reading. I know you can open a file for reading but I think it truncates it. I wonder if you can open maybe if you set the file to append only without read you can have a file that you wrote to without reading. Cool, these are all fun things. And this actually gets to kind of other ideas in access control. So access control is are these models that we've been talking about. So content dependent controls. So think about like a salary system. You may want to give people access to some data depending on what that data is. So for instance yeah, okay, so this is good. So like you can see, so in your corporate system you can see salaries but the people that report to you is that important as a manager? Managing these people, you don't know how much they're being paid, you don't know if you should be fighting to get them more or get them raises, whatever. But should you be able to see everybody's salary in the company? 
It depends on your viewpoint but usually that information is kept a little bit more private unless you're a university. And so you can think of like how does that depend on what the actual content is. Another way of what we actually, what you got to when we were just talking about this is basically context dependent control. So what are some other interesting contexts besides like a temporal time context? Maybe like number, like for the submission or maybe if we only want people to access the thing that runs it only like 20 times. Okay, so that's interesting. So context in terms of past actions that you take on the system restrict your access. That's a great idea. Or like give you all unlimited submissions the week before but as you get closer and closer your number of submissions goes lower and lower or increasing a time delay between submissions. These are all things I've considered but have not yet implemented. What else? What are some other interesting number of current sessions? Maybe p-mini file? In terms of number of concurrency type issues there? Yeah. A certain location. So why would you need to know somebody's location? When would that be useful in terms of access control and granting access to the file? Yes. Or there's the case of a person I think they were working at Yahoo and completely outsourced their job to somebody else so they just like passed the job to them which is like completely circumventing the corporate firewall and the VPN system and all this stuff. Think about, so should your health records be publicly available? Oh, definitely. I mean there's HIPAA requirement. There are legal requirements that say your health records should not be public but who should have access to your health records? Doctors. Medical insurance people? Insurance people maybe depends on what the specific circumstances. 
So you think location should a doctor like I mean how so when you think about location I think like, well does the doctor need to see your medical records when they're at home? Maybe, maybe not. It depends on what they're doing when they're in their office or when they're in the operating room and you're lying there on the table. So their location can actually help you make a really informed decision and say we'll just give anyone who needs access to it in the surgery room whatever they need, just give it to them and deal with it later. Which is kind of how it works normally. So remote login context in terms of time. So time is the other big one where you only update things at certain times. And we talked about the corporate earnings report. So these are super confidential until they're publicly available by anyone on earth and so there it's not important anymore. So these are all kind of interesting aspects to access control when you think about that. And so, yeah these are very cool. Questions or other thoughts, ideas around this topic? Not all context depending on the closure of time. Correct. Context would be really broad in terms of it depends on whatever you want. So it could be time or location or I don't know, maybe of like corporate restructuring or something. Maybe you're just bought another company and you're merging so you have weird rules that are only in effect first while that process is going on. So, the model that we've been talking about a lot in the UNIX access control this model who decides on the access control policy for a specific file? The owner or root? The owner of the file or the administrator of the system. Is that always what you want? Excuse me, why not? It seems silly. I own this file. Why don't I get to control who gets to see it? Or you're getting blackmailed or something because you could let some bad people see the file. Yeah. So what, like, okay, so it's illegal in what context? Or it could be illegal in what context? 
Say it's a company's financial workforce and you let someone see it and they see that you're investing your money. And then when they see that you're investing your money they can be bounded to their bank accounts. Yeah, or you think about the example of the corporate earnings report. Who writes that report? Well, at least the CFO, right, or they're the ones who rubber stamp it, right, so people in their organization, you can think of it even goes down to, like, maybe a low-level accountant or whatever in the firm. But they're writing this report. Does the person just be able to publicly release that information? No. No. Right? They could actually have serious financial consequences on the company. Yet, they're the person who wrote that data and created that data. What about the military? Do they think that whoever created the data or the file or owns the file should be able to do whatever they want with it? No. Why not? Or some counter examples? I mean, like, it's the military. The military is shifting all the time. It only may be controlled like a certain portion of the files and they don't want the army to access it for some petty reason. Interesting. Yeah, so you may have inter-organizational conflicts. Someone does an analysis of some system and then, you know, it's a confidential report and maybe they're an outside contractor or something. They pass it off and then you know, they don't want that user to be able to go back in and just say, oh, I'm going to publish these on WikiLeaks. Right? Or spies, right? Spies write intelligence briefings or reports about what's going on. Does the government want that information public? No. I guess otherwise they would make it public. And so this is actually so when we think about access control models, we kind of start classifying them into different areas depending on essentially who can do what or who decides the access control policy. So if you think about a Unix system who decides the access control policy for a file? 
Right? The person that created well, the person that created that specific file. So in some sense, so this is a, what they call the discretionary access control model where essentially the owner of the file gets to choose kind of what happens to that file and what the permissions are. Contrast that with the what I think of as the military model and we're going to use that because it has a lot of really good analogies that we can kind of use and it also drove this whole field of mandatory access control and thinking about these things in more formal terms. So that's mandatory access control where basically rather than the owner deciding the system controls access to an object. So the system or the model itself decides who can set the access control on an object who can change the access control on an object which is very different than the way we're thinking of this Unix model the root doesn't set the permissions on every single file they can change them but fundamentally every user can change the permissions of the files that they own. Yeah? Question? How do you avoid like a Skynet type situation where like the system just says alright screw admin you don't get to access anything you can't change anything I'm going to delete all of your files for some random reason. Well do computers accidentally delete our files for random reasons all the time? Yes. But my point is is if system has the highest level control and there's controls that root can't do like how do you regulate who regulates the system then? Exactly so that's a good question who does regulate the system or who controls the system? I mean the manufacturer and the time that the system's made Exactly. 
Then going forward, so it all depends on what you're relying on this system for. So you may, for instance, demand access to the source code of that system so that you can verify that it's actually doing what it's doing, or you can use something that's well tested. So there's, so basically discretionary access control is the Linux model, but Linux actually has a mandatory access control system called SELinux. I believe it stands for Security-Enhanced Linux. This allows you to write policies that cannot be changed, so you can say something like, this user can only access this directory, it doesn't matter what other things say. So in that sense, if you're using that, you're trusting that that system is actually implemented correctly. Do you run into resource concerns if you end up in a situation where you want to change the access control? For sure, exactly. We just talked about the log problem. So if you just have a process that appends to a log, what happens if that log grows so big it uses up all the hard drive space? The system locks up. Like, it's super annoying, right? So you need to have something else that can like deal with that situation, right? So yes, it becomes very complex. Both of these have in some notion this idea of owner. So discretionary access control has the owner of the object controls what happens to the object. But in the Unix system, what happens when I give you, let's say, access to a file? What can you do with that file? Like if I give you read access to that file, what can you do? You can copy it. And then do what? And now who owns that file? The person who copied it. Which now in this model, they can do whatever they want in terms of access control. Do you have any systems where the originator of data would like to control access to that data? Maybe if it's like a confidential report, you want people to be able to, like your editors or something, to read it, but that you don't want them to like publish it. So for the confidential report, yeah. So you may have, or I mean this happens
literally all the time, and most corporations would love to have something like this. So that, have you ever seen like news leaks of like the latest, those are basically immediately public even though technically it's an email blast to the entire company and people shouldn't be releasing those emails, but they do anyways. So there's some way for the originator, like the person who creates an email, if there was a way to just limit the recipients to only those people, that would be useful. Are there any other instances of that? Like someone trying to send out something where other people in general, like being one of the fundamental properties of emails, you can forward it to somebody else, which in that case you may or may not want somebody to do that. You can even think of this in terms of, yeah. And so the idea, the key difference here is it's very similar to discretionary, but the idea is if the originator of the object controls who can access the object. And why is this difficult to do in practice? Because if someone can see the file, they can copy it. Even if the system doesn't allow them to, they can like hand copy it, right? Or they take a picture of the screen. Anybody take a screenshot on their phone to send a text message to somebody? Yes? Right, you're essentially turning a text into an SMS into a JPEG or picture with PNG, you might have done that, and then sending that to somebody else, right? So you're fundamentally circumventing that. Yeah, and also the fact that the originator could be fired from the company. Exactly, yeah, yeah. So people, I mean this is a big problem that they would like. Or you think about when you watch a Netflix show, does Netflix give you the right to make your own copy of that show for your future viewing? Basically yes, they allow you to download on your phone. They do allow you to download on your phone or your tablet, but can you download it on your laptop? But like they can, you're not technically allowed to download and distribute. What was that? Say download and
distribute, right. So as part of your agreement with Netflix, I'm sure if you go to the privacy policy it says you're not allowed to download that. Steam does something similar for their games, but that's more to like what Sid was talking about, words encryption with Steam, where they're encrypted in such a way that you have to connect to Steam to the game files to run it. Exactly, it does stop you from, or it is a step to stop you from unlinking the files from Steam and just distributing them. And exactly, and so those are all kind of mechanisms of how you implement something like this. But what you want, but yeah, in all these cases, Steam where you're downloading video games, or anything where you're downloading, or music with like a streaming music, all of these, the originator of that content, well I guess in this case it would be whoever owns that and distributing it to you, wants to restrict what you can do with this, right? For Netflix, they want to restrict it so that you can only download it on an approved mobile device and only with their system, and you can only view the file on their system, and you can't just make a copy for yourself for backup purposes or whatever. And so they would love to be able to do this. This is like, every corporation would love to be able to restrict this access, but we just talked about, this is an incredibly difficult problem. And actually there was a paper, there's a research paper a while ago called MovieStealer, where the idea was, they're basically, their fundamental premise was it doesn't matter what DRM or whatever you're doing, at some point the bits have to go to the graphics card to be able to display on the screen, and so if you can automatically identify in the binary what buffer is doing that, you can just grab the images from there and turn it into a separate file, which is kind of cool. So yeah, the digital nature of these things make these things incredibly difficult, particularly this originator-controlled access, because it's very difficult on a
system to enforce things. So what are some of the ways to exfiltrate data? So we just talked about this, like take a picture of it. What are some of the ways? Yeah, if this stuff isn't like encrypted on the hard drive, you can just take the hard drive out and put it into a different. Right, so it's unencrypted, you can take it out and just plug it in somewhere else. What else? And get raw access to the raw bits that are stored on the hard drive. Yeah, depending on what type of memory they have, that as well. Yeah, so you may be able to take some memory. There's actually research done a while ago that show up, did I talk about this already? About the frozen, if you freeze memory or get it very cold, it will stay powered while it's unplugged, so you could take it out of that machine, put it in another machine. What else? You could just talk to people. You could give the information to people, right? I mean this is something that, this is how you have leakers in basically any organization, right, is because they can, people can verbally give you the information that's in their head, which may or may not be the information that they saw on their screen. You could retype the whole information from looking in one screen into a completely other machine. I'm trying to remember what book it was, there was a book where they did Morse code on the computer. They like, I want to say, I can't remember if it was just tapping or if they turned a light into like blinking Morse code to be able to leak some data from one machine to another. There's, people have developed systems to get around an air gap system, so systems that aren't connected to the internet. If you infiltrate that, how do you get data back out? So they'll use things like the speed of the fan to encode data, and the fan, you can hear basically what frequency that fan is spinning at, so if you change that and modulate that, from another machine you can detect that through the microphone there to extract information. There was a heating system that they did that
with too. Heating system? So exfiltrating information through the heating system, yeah. It starts to get into like a sci-fi realm, but this is actually all possible, which is crazy. Cool. So yeah, that's why that is very difficult. So I want to kind of dive in here a little bit more, because we've looked a lot at discretionary access control, because that's what Unix uses, that's for the most part what Windows uses, and so that's kind of what we're most familiar with in our day-to-day computer interactions. So we're going to dive into mandatory access control and we will go through, okay, let's see now, okay, cool. So in a mandatory access control system, again, this system itself is enforcing the access. So here we can have, basically you can think of the objects in our system are going to have essentially, I think of them as metadata or tags on them, that give information about how sensitive this data is. And you can think of kind of three different ways. So one is at the security level. So what are the like current US security levels? So we have one, public probably, I don't know what the technical term is for that. Yeah, do you know? Confidential, secret, top secret. Yeah, that's right. They're sensitive but unclassified, so there's a slight level above unclassified, and I believe things like salaries and personal information falls under that type of thing. What else? SRD, secure restricted data, restricted data. What are those? I actually have not heard of those, so this might be DOE specific. Formally restricted data, unclassified nuclear information that we still wouldn't want to kind of just make publicly available. I think those we're going to get into in a second, because I think those, I think they're going to fall under the categories. Restricted data and SRD, or just like secret, top secret stuff. I see, cool. Okay, so yeah, so the basic kind of levels we'll start thinking about is basically unclassified, we'll do kind of a more simplified model: unclassified, classified, secret, top secret. So what do these mean?
I mean, they're just names that we're giving to labels, but what do they actually mean? How much damage. I'd say probably how much damage, in some sense, the system or the person creating these labels thinks that you can do with this knowledge, right? And so this is why we think of them in terms of levels. So you have this kind of hierarchy of levels, and so basically it means that if the information at top secret were to, if some top secret information were to leak out, that would be way worse than classified information. So what are, so basically, let's say you have access to, let's say, classified information. What does that kind of mean then? So how would you be able to make this system actually work? We talked before, you have objects, subjects. What would you do? Well, I don't think you would want, just because information is like, you don't, you want to, these aren't the same thing as, like you don't want someone to just have access to all top secret data, right? But why not? If I have top secret access, should I get access to all the top secret information? It feels like there's, like some information is, some information can be top secret, but it's, some of it won't be relevant to what you're doing. Why is that important? Right, so why though? I mean, why do they have that? Minimize risk. It's what we've been talking about, essentially least privilege, right? So just because you are cleared for classified or top secret access, does that mean you should also be able to access the milk, like the nuclear launch codes, all of the nuclear secrets, as well as all of the, I don't know, information on crazy security vulnerabilities that the government has, as well as like, I don't know, alien information or whatever? I'm clearly out of my depth here because I don't have any of this, but so I'm just making stuff up, but it's very clear that that's silly, right? Like you don't need access to that information, so why actually give you access to that information? Which is why, so, but fundamentally we just
think about it in terms of these levels. We've talked about expressivity. That's not enough to express this notion of, well, but you don't need access to all top secret information if you have access. Yeah, maybe categorize it then. Yeah, so then we have security categories, exactly. So, and another way to think about that is in terms of labels, they're very related here. So the idea being that you could have some data that is top secret that maybe refers to a certain category, and even though you have top secret access, you don't need access to that. Or you could think of it even at the secret level, just because you have top secret access doesn't mean you get access to all of the secret data just because you think that you need it. Okay, perfect. And this is everything we've talked about. Like basically for security levels we have this hierarchy, and so somebody needs to, and this is part of actually implementing something like this, and why it's much more difficult than a discretionary access control system, because somebody needs to decide for every piece of data that you have, what is the security level here? Maybe not trivial, right? So somebody has to decide that. On a system you need to tag data. So we talked, okay, so cool, so we talked about we want to tag data with security levels. So the corresponding, the commercial security levels, if you kind of thought about it, these are obviously, every corporation can do whatever they want, you can think about public, sensitive, proprietary, or restricted information, whereas the military has kind of another: top secret, secret, confidential, and unclassified. So what's the policy? So what policy do we want for our mandatory access control system to enforce? So I'm going to draw some real terrible, so let's use top secret, secret, confidential, and unclassified. I forgot to bring my tablet today, but so let's go here. I'm really good at this. So top secret, secret, confidential, unclassified. Okay, so let's start policy. So we'll ignore labels for now and we'll just think
about in terms of just these levels. What's our policy? So the system's going to enforce it for us. And of course, so what's the military system of enforcing this? Right, security clearance. Security clearances, what are they? Yeah, officer ranks. Ranks, I actually don't know, factor into this possibly, but it's more about the level, like what level of security. But how do they actually enforce it? They like, I guess they look, encrypt the data and they keep it somewhere in a place that most people can access and they need to do that. I mean there's actually a lot of mechanisms they enforce this with. They have, as far as my understanding is, when you're using a classified or up system, it will have like a red, we're looking for like bezel around the screen, so that you know that it's a classified system. They have special secure facilities that you can go into to access these systems, that are crazy. They also, I mean, what is the penalty for violating this? The reason, yeah, treason and jail and death. So they have a pretty hardcore system to actually enforce all of these mechanisms, and of course they do a lot of things, crypto, all this kind of stuff, to implement this, but they have those nice fallbacks. So how do we do this? What's our policy? So how do we kind of express that policy? So intuitively, if we think about this, so you're at the unclassified level, what does that mean you should be able to do? Access unclassified information. But specifically what type of access? So what are the, so let's focus on just reading and writing here. It seems fair. Reading, writing, cool. So you're at the unclassified level, what should you be able to read? Unclassified information. Should you be able to read top-secret information? No. Secret information? Classified information? Just unclassified information. Yeah, we'll right now just think of the whole level as one thing. So okay, perfect. So what about the confidential level? Should you be able to read unclassified stuff? What about classified stuff? What about top-secret stuff? No.
What about secret? So you should be able to read everything at or below that level, right? So think of that as read down. So you should be able to read information down, so you should be able to read anything at your level or below. Makes sense, because everything is classified there. But now let's think about writing. So what about writing? So let's think of the unclassified level. Should you be able to write top-secret information? What, okay, let's think about this way: what's the security property we're trying to guarantee here? What is the military the most afraid of? Information getting out. The entire reason why we create this system is so that no top-secret or secret or classified data is released. That's what they're terrified about. So if you're an unclassified person, can they write a document that's, let's say, top-secret? Yeah, top-secret before cascading, possibly. We'll think about that in a second, but I want to think of this general concept. Yeah, let's go in the back here. Mm-hmm. So yeah, but okay, so that is interesting. The idea being you can write a top-secret document, should you then be able to read that document? Well, if you wrote it, then like you know what's in it. You definitely know what's in it, yes. Maybe people with unclassified, like parents, shouldn't have or shouldn't be able to write top-secret documents. Interesting. Yeah, in the back, sorry. Well, maybe they can write a top-secret document, but they can't determine whether it is top-secret or not. That has to be done by another individual. Interesting, okay. What else? Yeah, I was going to say you might incidentally from across. Right, so you may not have access to all the top-secret information, but you may be working on a project where you don't need any of that information, but the information you're generating is top-secret, and maybe you don't even care. I mean, you can think of, it's hard to simplify this down too much to this kind of model level, but at a certain level you may not have access to all the top-secret information
but you may be working on a, but at a certain level, if you're a classified, you should be able to just write a top-secret document, and that does not violate the security properties, except that you have that information, you technically could leak it, but you are only leaking just that information that you actually created. You can't go read another document. I was going to say that it's like if you're an accountant and you write like a top-secret like stockholder thing, that would be top-secret, that's what you're reading. I was thinking maybe if an unclassified user creates a document and then it becomes top-secret, maybe then they should change their clearance level or get their request. You think about the clearance level is only about what information you need to do your job. So if you can do your job without access to top-secret information, even though you're generating top-secret information, that's probably best in terms of this model, because you don't need that access to any of that top-secret information, and anything you produce will just tag as top-secret, and that's fine. Like, you're doing your job without access to that information. Yeah, if you're unclassified you don't have access to security, like when I was in the Marine Corps we had different computers for different networks, so you actually had to have authorization to get on the security level of the security computers to be able to write from an unclassified computer to a secure network without having that access there. Correct. Let's say you hand this to your superior, who goes, oh crap, this is a top-secret document, and throws top-secret on it, right? So if you think about this model in terms of what things you want and what they're worried about is this part, right? If you have access to a classified computer, you're getting access to all these documents that you could possibly leak. So they're making sure that if you have access to that system, you have classified access, right? Because you can access all those documents,
it's not like they're restricting that in any way. But yeah, this is where the model and the real world kind of deviate a little bit. You may also want to control access to the metadata behind that document as well. Like maybe if that person is generating top-secret information, you may not necessarily tell them which aspects of it they're generating is top-secret. Yeah, that actually is an interesting point too. You may want to, yeah, you may want to keep them in the dark about what is top-secret. You can say, hey, don't share this information out about what you're doing, that's probably more of a standard thing, and we'll just keep filing away everything you produce as top-secret. So the idea here is, that's the bad arrow. But the fundamental, and this is kind of, there's some things that are a little counterintuitive about this, is in order to ensure that information can't flow down, right, so this is the key thing, is you don't want top-secret information to be able to be leaked down. So fundamentally, like reading down makes sense, right? You can't read up. You don't want to be able for somebody at the classified level to read a top-secret document. But you can write up just fine. So you can write at your level or higher, and it's actually fine, and it doesn't break the security of the system. Yeah? Shouldn't you be able to write down as well? Should you, though? I mean, if you have secret, like, classification, shouldn't you be able to write on top-secret documents? Yeah. Doesn't that present the risk that maybe you wouldn't access it if you put something in there? Yeah, because you have knowledge, right, at everything at that level. Or theoretical, right, if you think about it at a theoretical level, you at this classified level could have access to every classified document. So if you're writing an unclassified document, how do you actually know that you're not accidentally releasing classified information? So if you want to be, and this is part of the mandatory access control, to give up usability in order to
guarantee that no information is leaked out, then those are the things that you have to do. Of course, why does that work in the real world? I mean, I need to email somebody up, I have some other organization, but I have top-secret clearance. You would fundamentally never be able to talk to anybody who has a lower clearance level than you, which doesn't really work. So there's two different things. Like, one is we're looking at this as a model of access control, and then, we're not going to go into this, but you can formalize this and you can prove things, that if you ensure this property of write down, read up, you can ensure that no information will be leaked. The problem there is that's useless. Like, the person with top-secret clearance would never be able to communicate down to anyone else and nothing would ever get done. So you need to have some way of essentially kind of lowering your clearance and being able to write information at that level. But from a like information theory perspective, because what you're interested in here is how does information flow through this system, from top-secret to secret, classified, unclassified, and back up with people doing that, but it's all through the ways that basically we specified here. So we can actually formalize all of this, and this is just, I'm going to go with this briefly. You literally just derived this. So if we have, basically L is the security clearance of the subject. So subjects are who? Or what?
Things that can act. Normally users, and now we're talking about people, users. The LO is the security classification of an object, so some thing in the system. And let's say we've enumerated our security classifications from 0 to K, so we have a hierarchy. Again, this is just formalizing that model that we showed. And so we're saying a subject can read an object if the security level of the object is less than or equal to the security level of the subject. This is read down, exactly what we talked about. And then this star property, and I'm calling these preliminary versions because we don't have categories yet. When we add categories and labels to things it's going to change, and we'll talk about that. But these are the two properties that we just derived, just written more formally, so that you can read up, so you can read an object if it's at the same level or lower, you can write to an object if it's at the same level or higher. So you can read up, read down, write up. Look at it, you just did this. You're teaching yourselves, I don't even need to be here. We need someone to click through the slide. Somebody's got to click. I think you guys could probably figure out when to click. The problem that we talked about is now security levels are actually too coarse grain, that's incorrect, they're too coarse. So this means that anything tagged at top secret, you have access now to this treasure trove of data of every top secret information that's ever been created. I'm going to go fix that now. So you can do things like, and these are things I pulled from Wikipedia. So interesting thing is usually the name of the security category is not in itself top secret or classified, it's like unclassified information, but I think some of them are. It's very confusing. I actually don't feel a little sorry for people who have to deal with this on the day to day. So you have categories, you think things like what to do with NATO, maybe an ACE stands for it, I can't remember. And basically the idea is exactly this need-to-know basis idea, which we will, we will re-derive our new security policies that does what we want on, what day is it, Tuesday? On Thursday.