 Let's jump right in so the homework submission server is up, you can go, you can create an account, choose a hacker alias, so choose something obviously appropriate but come up with a cool hacker name for yourself. If you want to, not every homework, but there will be some homeworks that will be more challenge based, so the leaderboards if you want your hacker alias obfuscated so nobody can tie that to you, it will just be a random hash based on your name, then click that and so that way it won't ever appear, click a password. I'm going to say this again, it's a bad security advice, but write your password, email your password to yourself or something because I don't have a password reset mechanism, so yes. So if you say you need your password reset, I have to do that manually or very soon FISA will be able to do it as well, so don't do that, let's see if I can log in. Super simple, it's not a very fancy website, it's not supposed to be fancy. Right now part two and three submission is up, part four will be up soon, so it took way longer than I thought. Actually this server is running Bluetooth 14.04 because I tried to use 16 and everything broke and I had no time to fix it, so I reverted it back but this is just a website server, there's other servers that will actually download, run and run all of your applications. So those will be 16.10 but it will take me probably a few more days to actually set that up and make it work. Questions? Yes? Where can we get the link for it? I believe it's on the bottom of the homework page, can somebody confirm? It is. It is, yes, so you already have the link. I know Mike just went out. Okay. Oh, the question, yeah. What do you mean the input? Wait, just a second, I can't listen and also put this battery in correctly. Surprisingly complicated. Sure, what does the description say? So part of the purpose of this assignment is to struggle with the difficulty of translating a written policy description in English to an actual program. I think there's enough there. I think what I'll say is that you need to follow the homework description and take that kind of as the policy. But when we test it, we'll be able to follow the policy. Yeah, when we test cases, that's it, absolutely. But yeah, I'm purposely not giving you examples like that so you have to come up and create those examples and test them, right? So that's part of it. Cool, good question. Alright, so we left Access Control and the permission system that's primarily in Unix. So we talked about, so I did look at this. So we actually had a demo where I struggled to actually show this, but... So I did look it up based on what we talked about yesterday. It does store it like these bits and 12 bits. But when you use LS, it shows it to you in a different format. So it does the... So like we talked about yesterday, when you're on LS, the first output there is a dash, it's a file or a D if it's a directory. There may be special things for links. I don't know. The next three are the owner, user, the owner read write execute, the owner read write execute, the group read write execute and the other read write execute. Except for that lowercase s on the x bit means that the secuid bit is set. So on the owner and s where the x would be means that it's secuid. Lowercase s where the group execute is means group secuid. They also do lowercase s would be that the x execute bit is actually set where it's uppercase bit means just the secuid bit is set and not the lowercase. This is not important, but this is something that came up. So I figured we might as well talk about it, but they do have ways to do all this. So what is the secuid bit for and what does it do? It's the owner. If that bit is safe, the secuid bit is set. So it owns the file rather than the person running the file. Yes. Or executing the file. Exactly. The same with the group id. So this is actually fairly complicated. There's I believe in a entire research paper called Linux permissions demystified or something like that. So it's like 15 pages of actually describing in detail how this system actually works and what all these bits actually do. It's actually much more complicated than it seems. So secuid bit. So secuid bit is an interesting bit that has a super old name. So the idea is applied. Oh, sorry. Did we talk about re-write execute on program? I mean on directories. So we talked about files. Right? Very clear. You can read the file, you can write to the file, and you can execute the file. But what about directories? So you can read a directory, what does that mean? Just to read the files within that directory? No. Close. Because those files have their own access. You can see what files are in the directory. So read on a directory allows you to kind of think LS on the directory. So it'll show you all these sub-directories and files within that directory. What about write? Create new files in the directory. Exactly. And I believe to leak files that you have access to, there's something about producing them there with write. What about execute? Does that make sense for a directory? You can execute a directory. You just type in slash LS, or slash, sorry, bin. So is it meaningless on directories? Yeah. Taking a stab at what the execute permission gave you permission to change the permissions of everything inside that folder? No, but close. So you have to be the owner. When you're the owner, so there is a concept. So there's the owner concept. The owner has full permissions to change. So there's not a specific bit that says you have permission to change the permissions here. It's pretty good. Anybody use a shared Unix system to set up a personal web server? Like a personal HTML page? How do you do that? So let's set back a little bit. So like on a shared server, you have your own personal web page. That was maybe, usually it's under HDB, then address, and then tilde, your username. How do you set that up? So you have to create, so there's a standard file name here, to create a directory inside your home directory called usually public underscore HTML. And then if you put an index on HTML page in there, the web server will pick that up. But how does that actually work? Let's go draw this, because it's a good example of why we can get it in the show home. So we have our user, we're going to use me. So we have home, so Adam B. And inside that directory there is a public underscore HTML. And then there may be other files within there. So home, should home be, should home have very restricted file permissions? Which the file permissions of home, you're administering this survey of multiple users on here. So we definitely want, so there's the owner, so we probably want to own it by root. So root is this user concept. So it's owned by root, I believe group root. And so you want what? Read, write on root. Do you want any on, so this would be owner. Should the owner have execute privileges on this? Well, we haven't talked about that yet, so let's think about that. So group, should people in the, so root, you can think of the same group as kind of usually the same as owner. So what about for everyone else? And what would it mean, the different permissions? So let's say we gave everyone read access to this directory, what would that mean? Click and see what directory this profile is within it. Yeah, so everybody can look and see the other files in this directory. So in this directory, what's inside the home directory? All of the user's home, not your user's files, right, just slash home. Right, so we're just here talking about slash home. Right, so inside there is just all of, every user on the system will like to have a home folder inside of there. Right, so what should the permissions that we want to have on there? What do we want? Anyone on the system to be able to see the user, the folders that are in slash home? So you're taking your head blank. So that's a bad idea to give. What do you mean, access though? It's read access. But still, if you can read files, that gives you opportunity to read files. You can't necessarily read the files, right? Well, but you know the files are available. You do. But inside home is just a list of directories of the users. Where else is the list of users that we've talked about? EDC password, yeah. Right, we looked at that file that has a list of every single user on the system. In fact, that is the list of users. If you're not on that list, you're not a user on the system. So, and we know the permissions of EDC password are read write, not executable, read write by group, and then readable by everyone else. So the permissions of EDC password which contain the list of all users is readable. Do we need to restrict the access to people's ability to list what's in slash home? Probably not. We don't have to. We could if we wanted to, maybe if assuming everything still works. But yeah, it's important to think about where are these pieces of information, right? So what are we trying to hide? If we're trying to create a shared server where nobody knows who else is on the server, that's a much more difficult problem than just having a shared server where people can actually use it. So usually it's readable. Do we want it to be writable? Do we want anyone else to be able to create files in this directory? These are people shaking their heads. Why are we not? Depending on what the server is for, we'll come up with a case. Let's say it's such a, sorry, I'll come up with a case. Wait, maybe you have a better one. There's something like a school server where everybody can make an account. If they want to do a project on the server, then you'd want to have read access so they can make good accounts on there. But if there's something like private business server, you don't want people just hitting on your business server and making accounts for themselves. Interesting. So there's a couple concepts here, right? So there's the concept. So we may want people, well, we need a mechanism to get new users into the system. So maybe it's the fact that they can write a new directory here, because actually basically the admin has to use a tool. I think it's add user or something to add a user to the system, which will actually create the line in the ETC password and create the directory structure. So if we have a mechanism to do that, then we don't necessarily want to use this. So we basically usually want to say, hey, we don't want anyone else to be able to just create arbitrary files. Because let's say I have a, I'm going to pick on Eric. So let's say I'm a malicious user. I know Eric's going to create an account on the system. I can create a directory in slash home slash Eric. And then assuming I had right permission to the home directory, then when Eric enrolled, maybe the system would actually think that that was his home folder, even though it's owned by me, so it wouldn't actually create his home folder. So I could be a potential attacker. Okay, cool. So this is actually a really good exercise because we're thinking through the threats and the permissions and actually putting a place here. So what should I, as a user on this shared system, because I want to restrict everyone access to my files, what would my permission, what permissions would I want on this folder? Let's break it down. What permissions would I want for myself? Thank you. Yeah, so I guess the first question, we didn't skip. So usually this folder is, I think I don't know if the group is that empty. I think it is. I think you have complete control over your directory, so you own it and your group owns it. So we want read write, and we haven't talked about what execute means, so we don't know if we need that or not. What about for my group? Do I want my personal group to have access to it? Yeah, sure, why not, right? Basically the same thing as us. What about other? All, that's right. All of this. I kept thinking I knew this was wrong. It's my home directory. It's like the home of my digital castle, right? I don't want anyone to be able to bust in my room and just start reading everything in there and start dropping garbage and whatever crap they want, right? I don't want that. This is the point about a shared server, right? Because I have my own space where clearly only people who can write into that directory, correct? Me and the system administrator, right? Perfect. But now we have the situation. We just said we don't want anybody to read or write that folder. Okay, you can see that's where you're going away. So inside public HTML, who do I want to have access to this? Yeah, well I either need every, yeah, so I want in general, I want everyone to look at it because it's my public website for this server, literally a website, can't be viewed by anyone, right? Specifically in the context of this system, I need the web server to be able to read that HTML file so it knows what to serve up when somebody requests my web page. So, but I've already, so, but we've already gotten to the case, like how do I actually allow them to read files inside this directory? Because what does this mean? Completely no access. They can't read me files in this directory. If they can't read me files in this directory, we're also going to talk about what happens with some directories. But it also means that they can't access any subdirectories of here. So by doing this, we've completely locked them out of our, of our server, so the easy way to change that would be maybe to change it like this. What was the problem here? So Ken, so let's say I just made this one change to make my home directory readable to every user on the system. Does this mean that they can now read the contents of the files in my home directory? Just gave them access to look at the names. Just to look at the names. Assuming, of course, that the file permissions of everything in my directory is not world readable. Okay, somebody's going to have to correct me because I feel like I keep going back forth on this. Did they use W? Somebody look this up. This is bothering me. It's A. Okay, oh, that's what I thought. But then I got sort of thinking of what world. So I knew O on this and wrong. Okay, cool. Right, so we do this. So, should that be a big deal? Maybe they can see the names of our files, but not the contents. Is that a big deal? Could be, in one case. Or in the context of an academic setting, maybe it's something you mean about your teacher. Or another student or something horrible. Or maybe you're working on a new startup and so you name some file with your startup name and the new idea and somebody goes, hey, that looks like a really good domain name. I'm going to go buy that before you can. So we definitely don't want to give it right access, but what do we actually want to allow them to do in this case? Access the next sub directory. Yeah, we want them to be able to access sub directories if they have access, of course, to that sub directory, but we want to be able to allow people to access any sub folders within that folder. So this is where the... This is now where the execute bit comes in on a directory. The execute bit on the directory says you can traverse through this directory, but you still cannot list any files in this directory. So now we can just complete this. So the public HTML folder, what should be the... Oh, but if we just leave it like this and just change our home folder, we still won't be able to do this. We have to get down through home too, so home needs to be executable. This is a very important distinction because I've definitely been on a server before where you want to give somebody access to a sub folder, and so you just make your directory world readable, not really thinking about what you're actually doing, and now everyone can read all your files. Cool, so we need that executable to executeable, and just to complete this, we want... So we want this to be something, RWRWX, we rewrite execute, and then here, what would we want inside here for the other permission, for everyone else? Yeah, now what this means, again, is that anyone can read the files in public HTML, or sorry, can recursively go into... Wait, where do we go? We do read that, not redesh text, that's usually what one can want. So basically anybody can LX the files in our public HTML directory, and anyone can now. So, well, all right, we've been on this too long, but I think it's important. But this can still get into some problems because there are things, maybe you could, for instance, let's say you had a secret file in your web server that you wanted to easily share with somebody else, you name it in a very long, complicated name, you drop it in your public HTML, and then you can send somebody a link to that so they can go download this file, right? The problem is anybody on the server can look and inspect any of the contents of your public HTML folder, so it's an important thing to be aware of. So the sticky bit is a super interesting, so it used to be for files, it was a bit that literally meant this piece of... So it was a bit that you would set on executables that would say after this process is done executing, leave it in memory. Why would that be useful? It seems stupid because you could be cluttering up your memory, your precious memory. Exactly. And because the way it does this, you could have that be across users, so at least that program, that executable would already be loaded in memory. So if you had a fairly large program that you'd want to use over and over again, and you know the users on your system, if you could now, if memory being ridiculous, how much memory is in a tablet, but even that is an insane amount, and I think it's almost never used on executables, but on a directory, let's see, I'd write this down because... Yeah, so it means that you can create files in a directory, but you can't write or rename the files in that directory. So this is really good for, for instance, the temporary directory, so slash 10, where you want anybody to be able to make files but you don't want anybody to mess with anybody else's files and rewrite them and overwrite them, so kind of a cool point. Any questions on this? Like I said, very complicated, but also hopefully this is a good exercise to show you that actually implementing what should be a very simple access control policy in your head of, I want a webpage, so I want to give the web server access to my files, making sure you do that correctly is difficult. Cool. So some other, so part of the purpose of this course is to kind of point you to other cool directions in security where you can go learn different types of things about this. So some interesting ideas here are content-dependent controls, so rather than something that depends on you, the subject, maybe there's some facet of the object itself that would give you greed access to this. So for instance, maybe you can only see salaries of employees that are less than 50K, or a more relevant example in business would be you can only see the employees of salaries who directly report to you. So this would mean that you can't see the salaries of everyone in the company, but you can see salaries of all the employees that report to you, and hopefully this would probably be a recursive thing where you would also have a transitive relationship, so you can also see those employees who report to the employees that report to you. So it's kind of interesting to figure out how you actually do this and how that would go about. Context-dependent controls are super interesting and we actually have, well, some things like you, maybe you don't want to allow employees access to sensitive information from a remote login. So it's a system that we talked about earlier that the risks and the threats may be on a mobile phone and a laptop are different from a desktop in a secure work environment. So maybe you actually want to add that into your access control policy to say, hey, sorry, there's some information that we just cannot access remotely or through the corporate VPN or something. Maybe you want to update salary information just once a year, or in this summary we talked about where the corporate earnings results are super critical, confident, private, up until they're released to every person on the planet who wants to read them, at which point they're no longer critical pieces of information. So just some other kind of things to be thinking about different types of access control that you can work with. And it can get pretty complicated, so this is kind of what we're trying to hint at in the homework and about the firefighter and the policemen that we talked about. So there are instances where maybe a nurse or a doctor maybe needs access to your medical records and maybe they're not strictly authorized at that moment to access it, but it's a matter of kind of life or death, so they need access to that data. So that would be an incredibly context-dependent circumstance. Cool. Okay. So we've talked mainly about one type of access control so far. So that's called DAC, discretionary access control. So what does this mean? Who is controlling the access in the system we just looked at? The owners of the files exactly, right? So the owner of the file had complete control to change the permissions and access to that object as much as they wanted, right? So that's where discretionary comes from. The idea is the owner who created the file is in complete control of the access control there. Is that always a good idea? It's the best access control policy? Well, it's the owner changes. What happens if the owner changes so maybe the owner leaves the company? Well, I'll suppose there's other types of circumstances. Yeah. So to take an example from ASU of when we were talking about general, I was curious. I went on and I checked, you know, just looking around at the base directory of general and all the files are listed as rewrite and execute across the board. But when I try and go into, like I try to go into Austin and it's just what it might mean. So you don't actually have control over who gets into your fold around the check. That could be something else to put before because I'm not sure exactly how general is done but if you go to check, I believe those are all symbolic links. So a symbolic link on Unix is a file that basically points to another file and says this is where they get your actual information. So on Unix, the symbolic link itself is technically Alt-7777 because anyone can read that link to go somewhere. They can't actually write it. I don't know why it shows up like that. So it's actually but then when you redirect to the file that you're originally trying to go to, then the access control check of that file happens. So that could be what's going on. Let's say they wanted to similarly call the user directories to some kind of mount like a some kind of network file server which is usually what happens in those things so that would be one way to do that. Yeah, that's interesting. You should show me a hundred points. Okay, so one other instance is, so leaving, who has the response? Responsibility in this case for enforcing the access control policy than following the our security policy of the file. As an organization, the organization doesn't necessarily control they create a policy but now the employees essentially have to enforce that policy by being careful with their permission. So like we talked about, if the computer abuse problem with a shared server what is, you know let's say part of our policy was you cannot make your home directory readable to anyone. Right, it has to be zero, zero, zero. Now that's just a policy but there's no, we don't have a mechanism in place in this completely discretionary system I could always choose to just break that and to and to change the directories of my folder assuming that I actually control it. Any other situations? So you can guess, so like access control is fine like whoever has that piece of information can decide the permissions of that. Do people agree? If you get handed a secret document that's officially marked secret, can you just decide to actually just give it to anyone? No, you definitely can, right? So that's actually something we're getting into. So it's all the different ways about thinking about who actually can control it. So it's kind of the model of yes, if everyone is 100% trustworthy and follows the policy then you can discretionary find because they'll always make the correct decisions. In the next thing we're going to talk about mandatory access control, the system. So rather than the owner of the object the system actually controls access to the object. So this way they can actually so this would be going back to the computer example, the shared system, you could put in the kernel, like the user's not allowed to change their home directory's permissions even if they tried to do so. So you can actually enforce it from the system. So no matter what the user does they can't do that. They can't change it. There's actually a third type of access control which is kind of weird. So you think like, okay, discretionary the owner gets to choose mandatory the system basically gets to choose but it's the owner of the file, somebody who actually created that file and the information inside of it. Think about a movie. So you have some movie files that you downloaded legally from Warner Brothers on your computer. It's just bits on a disk. You own that file. Or you have the license to use that file whatever. For our purposes you literally own that file. That file is owned by your user. But who actually created that data? Did you create it? Somebody else did, right? Who made the movie, I don't know. I didn't make it a movie. I didn't make a movie yet, did I? So what does the person who made the movie want to control? Who do they want to access that movie file? Well they want to control you giving that movie to other people or selling it to other people and them not selling it to other people. Exactly. So the person who is creating the data, creating the information, actually wants to control where that data can go in the future. So it's called originator controlled access control which basically I think a lot of DRM digital rights management fall under this umbrella where the actual originator of the data tries to control who can have access to it. It's actually kind of a really interesting and different idea than the one of just discretionary access control where I have this data, I can choose who accesses it or maybe there are cases where it says no, no, I created this data so I get to say who has access to it. Questions on these three? So we're going to dive into mandatory access control or MAC. You'll hear DAC and MAC a lot. Locan would be the acronym here. I think it's mostly spoken of in terms of DRM, digital rights management which actually is how the companies try to make it so that you can buy a Blu-ray but you can actually if you try to read that Blu-ray you technically can't you have to put it in a Blu-ray compatible player which knows how to decode that disk which will transmit the information to your TV so you have all the beautiful pixels that you want in the right order. But if you try to do it, you're technically not. And I get to know whole kinds of weird law ownership issues that you actually put in your own and all these types of things. Yeah, it definitely comes up a lot. Alright, I'm going to skip this. So, mandatory access control remember, we're talking about the systems. The system itself decides who can do what. And so we're going to talk about three things levels, labels, and categories but we're just going to get into them. You're securing organization so even, let's take the academic example. So what security levels do we have of files inside of our computer or shared homework server? Are all files equally sensitive according to our policy? What was our policy? What does our policy care about in that sense? The academic server. So the server where students do homework, it's a shared server. The policy stated that students only want to copy homework files from other users. Alright, yeah. So are all files created equal there? So let's think about it this way. So let's say we're on our shared server two people in the class, let's use this class because it's fine because it actually exists. Everyone in this class are shared on this server and you decide you want to share your notes from class for some reason. And so you create a one of you creates a file writing down what I'm saying, taking notes, maybe taking notes about this which is going to be a weird self-referential loop which will never stop. And then when you're done you then either you guys create a group on the server or something, you basically share that file to somebody else on the server. So have you broken the policy at that point? It's not a homework, right? It's notes. And we encourage you guys to share notes that help each other, right? The homework part is just an unfortunate part of what we have to do to make sure you guys have the skills properly so you graduate this class, you don't embarrass me. But the point there is every file is not necessarily sensitive, right? These files are sensitive in this scenario. But over here I haven't heard from over here a lot. Anything homework related is sensitive or not sensitive? Sensitive. Sensitive because we don't want to share. Yeah, so then we'll get into assignments and projects, anything else. So the idea is so you actually you probably thought a long time you could come up with a hierarchical series of security levels that would demonstrate more severe sharing of academic information. So at the very top I probably put homework source code, right? Sharing and copying source code. Below that would maybe be design and kind of sharing design documents where maybe it would be slightly less severe and then at the bottom would be something completely not sensitive. So notes that we talked about are just a random joke or a link or something, right? That would be really well. So the idea is we can try to maybe create a hierarchy to think about and so if we can tag all the data on our system and know which one is at what security level that may help the system control the propagation of information. So for instance in like an office environment we may have so how sensitive do you think memos are? So it's a memo to employees from usually the boss or somebody higher up, right? How does that vary? In what situation will it be very sensitive? Well, I can think of two guys that just got fired from Google because of the opinion about the workforce. And then the one that I got trained on as a deviation contractor is the attorney, client, privilege something to do if the company gets sued and the lawyers start attacking the email server depending upon who you forward the emails to whether or not you have that client privilege or whether or not the information present in the email is open prosecution and it's very specifically on the access control how far it propagated. Yeah, so definitely so a memo maybe so it kind of depends on what the target audience is of the memo if it's company-wide I mean I'm sure you guys have seen memos from CEO and Google CEO I mean it happens all the time, right? These leak constantly and it's kind of basically assumed that they're public because they're sending it to 90,000 employees or something. But it was just a memo from the CEO to his leadership team about the future direction of the company that may be much more sensitive, right? Similarly, privilege, attorney, client communication that has a whole bundle of other aspects there. Reports could be different levels of sensitivity. What about customer lists? Are customer lists important to a business? Yeah. Yeah? Why? Huh? I go back to other customer lists. I go back and I wasn't going to touch on them yet because I want to figure out exactly all more details to emerge but well they're sensitive in that sense but from a competitive business sense, right? If you're selling things to people and your competitors have a list of people you're selling to the price you're selling it at that gives them a very nice targeted list to go say, hey, you're paying way too much money to these people. We'll be able to do it for much less. And backup data. So employee, all of the backup data is maybe the most sensitive, right? Because it includes all of this information. So what you need from security levels is you need some sort of defined sensitivity and importance. So what are the military levels? What was it? Yes. Yes, but what are the names? What are they? So the confidential secret top secret and what's below confidential? And true, but I think that's on my list so we're going to leave it off. It kind of gets into another topic later. There are a lot of different makers. There's like official use only. You can throw on some. But unclassified is kind of what's going on, right? So there's uncompleted and classified. What we say classified secret, top secret those are kind of broadly speaking the four or five different levels. You can find out. So what is the difference between them? Like why would something need to classify let's say it's top secret and not secret or something else, yeah. Based on the damage caused by the revelation of whatever that information is. Yeah, so it's an idea similarly like we just talked about with leaking memos, right? It depends on what's the harm to the organization if this information were to get out there. I guess nation state philosophy aside, it makes sense that a government and a military would have things they wanted to keep secret, right? So we need so this is kind of the idea of security levels and this idea of MAC and as we'll see this model where we get into a second. This really does come from the military perspective. Okay, so once we define our levels and we'll look at some predefined levels we need to be able to essentially know about all the information on the system. So this actually gets into something tricky with the homework example of how do you actually do this on a shared server? How would the system know to differentiate between a homework file and not? What are some ways we could do that? You could make it that all homework has to go to a specific folder so you know that. So you could maybe force the students to build their homework in one spot. That would stop you from copying or creating the same file in a different folder. You can then maybe share it with somebody else. Yeah, we'll look at that in a second. Yeah. Now a lot of them say the file isn't protected and not a lot of them say the other. Yeah, so maybe you could only create files that are tagged as homework and that's the only file you can submit so you can actually submit a file that's not. It's always easy to think of the technology way. A super unsophisticated way would be any time you tried to create a file or any markings that you made, the TARI would review it to tag it as what is this homework, is this nodes. It's actually possible. I think you, not look at this class we need more people but that's something that could be possible, yeah. Could you do a literal tag with like file type? I know some instructors like A on this. Yeah, you could make a tag like dot homework or dot hdfhw or something. And so, yeah, we need some way to do this and so you need to associate a security level with every entity on the system. So this includes both objects. So the objects in the system, the files in our system will have also the subjects we need. So this doesn't, I guess it does fit in if we tie it in to our academic example. So all of you would essentially be at the bottom most layer, the completely untrusted layer and then the TA and I would be at the higher level, homework level so we could read those homework files or something. I'm going to erase that a little bit there. But it's very clear when you think about the military context. So if you have your security clearance, if we get into you have access, you have a certain level of access. So not only are objects and assets tagged and entities, but also people, yeah. So with that system of being, you can literally create a file that you can never read again. Yes, that's an interesting point. We'll get into it in a second. And so what type of, well, let's actually can this for a second So in our commercial thinking right, even the kind of the genesis of this and these ideas are from the military context. There's actually a lot of overlap here with the commercial sector. So we talked about Coca-Cola wanting to keep their their recipe secret. So they're, you know, and companies obviously need to want to keep things secret. They have kind of a hierarchy of data restricted, proprietary sensitive and public. So that would be thinking about the data in there. It's actually important when you're part of a company to know not to release accidentally proprietary or restricted information to the general public. So the military levels as we talked about top secret, secret, confidential and unclassified. So what policy do we want our MAC to enforce in this case? Think about how we can look at the rules we want. So we can think about the mechanism. We can think about the system. What rules do we want that system to enforce? But what's actually the policy here? Right? Because we kind of have this intuitive notion of these levels. What does that actually mean? And why? So we talked about this harm, right? So we're trying to restrict access information because people believe that if this information works me out there, it could cause harm. So you can kind of think about these security levels as the various levels of harm. Severe harm to I don't know, long-class I would be no harm in confidentiality but moderate harm or something like that. It all depends on how they define that. So I mean for instance, you have a top secret document that could be unclassified by basically blocking out the internet's classification. Possibly. We'll get to declassification later. We'll do that in a second. But let's assume a static system where things just are already packed. The level of harm is variable too. So if top secret documents release to somebody that's in the confidential, you know, as confidential access without authorization, then the harm's maybe less than if top secret gets released to the public. So the harm varies depending on the thresholds. Okay. So our policy could be context-dependent. What do we want for our policy? You want to know exactly who has access to each level of classification. Make sure that they're all aware of the policy that they can't provide that information to people who aren't in those classifications. Okay, so that's the policy, right? Level your app. So top secret clearance and access to top secret data cannot give them to anybody lower than that. Right? So it can't give it to unclassified people, confidential or secret people. So the idea is that data stays within its lab. That data should never leave and cross one of these boundaries. Otherwise you have a serious problem. So this is the core policy they also call these max kind of confidentiality policies because the idea here is we don't actually care about the integrity of the data. We don't care if this data is completely made up or whatever. We just care that if something is tagged as top secret, then it most certainly is never released to everyone and that only people who have top secret clearance have access to this data. So we're going to use some notation to talk about this. So we're going to say that L the security level of a subject S so that I know it's a little annoying in this font but that's a lower case L. So L S is the security clearance of some subject S. LO is the security classification of an object O. And so we, it's kind of tricky because you are describing kind of a theoretical system in formal terms but at the same time there's this actual system that existed. So that's why you have this notion of security clearance for subjects and security classification for objects even though they're really essentially the same thing. And so the idea here is just very simply we say okay for every security so we have let's say I zero through harmony levels we have there's a total ordering which means we can put them in a most secure, most sensitive to least sensitive order. That's all this says. It's very simple. So our high level policy is we want to make sure that things at a certain classification level only stay within that classification level. So what rules do we actually want to our Mac to enforce that? What rules should the system enforce? So think about your thing kind of abstractly thinking about everybody on a shared system right? All pieces of data in the system are tagged at one of these four levels or in this case and you can send this however far you want but four different levels all of the principles on the subjects in this system each have a standard clearance and so they try to do something with something. What should the rule be to allow them access? Remember before it depended on what did the owner of the file put as the access control policy for that file. But in this case whatever the owner chooses doesn't matter because we have an overwriting mandatory access control policy. So based on the user's account it has something to do with based on our terminology here something with the security clearance of the subject so it's definitely going to have something to do with that. So yeah let's see so we have the subject and the object right so we have their security levels greater or equal than what? What kind of access? So let's start with the read access so let's think about this for a second. Okay so the security level is greater than or equal to the object just read. Okay so this would mean that so let's say I have a subject with top secret security clearance trying to access an object unclassified should we allow that? Somebody's secret access something top secret correct so it correctly does not allow access because secret is not greater than top secret. So I'm so excited for writing a question so is this an appropriate policy for our Mac for being able to write to files? If you if your clearance is greater than or equal to that object then you can write out that file. So just thinking about the floor level so nothing nothing else I should have mentioned we're building up. Let's go through what this would mean so let's say let's think about it assume okay let's say we want this to be our policy for writing so we have Adam who has let's say top secret clearance so L of A is top secret and so let's say there's an object that is unclassified right? So now we think about our hierarchy so we have TS SU so I'm up here I have foo, I have a file foo so I start writing the foo is this safe and secure according to our policy? Why does that matter? Because that depends on whether where it belongs to the hierarchy right so so why does that matter though? So just because you have top secret clearance doesn't mean that everything you do is going to be top secret so you there's so many people who need to read stuff that you do that's not top secret that's going to be at the unclassified level correct we'll just think about this from a policy and a mechanism standpoint that's what you originally said right so it really depends on what I'm writing out to this file so if we wanted to create a system that was actually secure we'd have to have some way to distinguish is this data that this person who has top secret clearance writing out to this unclassified file is it top secret secret classified? If it is then disallow it, if it's not then it should be then it's fine Is that a trivial thing to do? That was an incredibly difficult thing to do especially in a circumstance when we're incredibly concerned with confidentiality we would actually want to completely disallow this because we have no way of knowing what is this person writing even for a human it may be difficult to determine sometimes where did I get this information like okay it's very clearly unclassified versus top secret but if you're at the top then you have some secret information it's a confidential information and you're creating a memo for confidential how are you going to ensure that all that data that's included there not only is only confidential but doesn't actually depend on any others or possibly leak any other type of information right so the safe assumption is to assume that anything that you write could potentially be the highest security classification you actually have Even if it's on your private email server? Even if it's well no but even if it's yeah anything that you do and write in this system is assuming to be your highest security classification which makes sense because let's say A is unscrupulous right and is trying to leak sensitive information well if you allow me to create any unclassified file then it's incredibly easy to just copy a top secret background into an unclassified file but the entire point of a mandatory access control policy is to make this impossible to make it so that you cannot do that modulo of course your system working in your mechanisms working all those things being correct so actually this right model is completely wrong and allows us a problem so we only want to be able to write yes we can only write to a file that is at the same security classification as us or higher so this does bring up a point earlier you actually could get into a situation here where you're writing to a file that you can never read from it actually makes sense maybe you know it kind of gets into the meme of no basis a little bit but you may be an unclassified or classified person some work and it turns out the work that you're doing is incredibly sensitive so all of your documents are a report for some general who has top secret clearance and shouldn't be maybe read by anyone else so it's definitely an unintuitive notion but it kind of it makes sense so the idea is so basically we already were like deriving these so they call this the simple security condition and it's a preliminary version because we're going to make this a little more complicated so the idea is we can read an object if the object security clearance is if our security clearance is higher than the objects and there's a star property and I still need to figure out why it's called the star property but the idea is you can only write the objects that are at your level or higher and when you actually well even with the thing that we're bringing next if you do these and assume that you start in a secure state and that the only operations you have are these things, reading and writing files you can prove that you cannot transition the system to an insecure state and so the way to think about this and the way I always remember this and everybody thinks about this is you basically read down so the security levels can read down so top secret can read everything secret can read everything except for top secret because I would be reading up confidential can read and unclassified you read down and your writing happens at your level or higher and your confidentiality happens at your level or higher and this way you never leak confidential information so back to the earlier question so I'm going to resume this question so what's the problem with this model what's the importance of that to our security policy compartmentalization prevents leaks and also intersecting strengthen security essentially so like say you know like one piece of component that person knows that piece doesn't even know for example like a flight module or some system say you know everything about that flight module but you don't know anything about the aircraft itself you all even know it's about the flight module you can only leak some part of the module or if you're broken it can only find stuff about the flight module but the aircraft remains safe and intact now so definitely the key problem here right is this top secret these levels are incredibly broad there may be different reasons why information is classified at a top secret level and just because you have access to let's say I don't know what level that would be let's say you have access to the aircraft's engine system because you work for Boeing and you're designing that component let's say that's a top secret project it's incredibly important your component is top secret that really doesn't mean you should get access to the nuclear codes or any of the other things that would be in the top secret level and walk it around being like I got top secret on the engineer on that engine it doesn't make sense and so this is kind of the even within companies too so you may have restricted to be the level because that's sensitive information but you may be to think about becoming like Apple they want to keep the information about the next iPhone which is leaking now restricted maybe not even to the people that have restricted access to that company but just that team thinking about even everybody in that team has access to all the information that might be restricted for your department but it might be top secret yes as you're saying nuclear codes if you're in that someone's working on the nuclear missile they need to know everything's on there that put that restricted access for everyone in the department versus let's say the officer in the Navy that's top secret to them right exactly so yes the idea is this model is a good model because as long as we breathe down right up we can guarantee that there won't be leaks the problem is we bring people into it and thinking about reducing risk right now anybody at the top secret level that gets popped or compromised they can potentially leak all the information at the top secret level yeah then do we also balance that with a usability aspect no yes so that gets into how do you actually declassify things because the entire nature of here is information it's just blowing up it's hard for information to escape but that is the point so no in these models you do not usability is not considered at all right because the importance of the confidentiality of the data trumps essentially everything else so it looks like on Thursday wait what time is it are you just tricking me there's still two minutes alright so the idea is we want to create some kind of system so there's one type of way to think about this is the need to know idea so you can compartmentalize split up these categories into different components and so you will get access to the things that only you need to know to get to where you are they can also be context and time independent so it could be as soon as you're done working with that aircraft you don't just have access to all that information forever as soon as you're done that your access is revoked and you no longer have the rights to that so we can like think about maybe three I made up well I made up all of these I don't know I took some of them from something so we can think about like different categories at the top secret level you can have your nuclear not codes necessarily but the nuclear system you can have a native categorization some other categorization this one I did make up I looked up I was trying to find like a good military acronym generator online but I couldn't find one so I just used ace so now how do we define our security policy with these so the question is how does that change our policy and then how do we change the rules that we came up with that governing, reading, writing access using these categories so do I want that and we will run back and dive into it on Thursday