We want to look at how we control which users can access which resources on a computer system. We'll look at the general concepts first, and then we'll go rather quickly through three different approaches to access control: discretionary, role-based and mandatory. This is not a long topic. We'll have a few examples as we go.

A definition of access control: the prevention of unauthorized use of a resource, including the prevention of the use of a resource in an unauthorized manner. So: stopping someone from using a resource that they are not allowed to use, or from using a resource in a way that they are not allowed to use it.

What do we mean by a resource? Can anyone give me an example of a resource, with respect to a computer system? What resources do we have? Database. Others? What are the resources that our computer system offers our users? Files. Okay, a file is a resource; the things that it provides, files. We can think of processing, so the ability to run a piece of software; we can think of that piece of software executing as a resource. Memory, in some cases. Parts of the hard disk. Access to the CPU, and the different operations that that computer system provides.

So we want to control who can do what on our computer: who can access which files, who can run which software, who can start different peripherals on the computer, who can open the CD, who can access any other devices attached to the computer. So a resource can be not just files; it can be physical resources as well. In many of the examples I'll refer to files, because they are commonly the resource that we want to control, but there are others as well. Any questions? We're only on the definition, but there's still a lot of talking. Suggest it's a bit confusing? Okay, all right.

With respect to what we've seen in authentication, access control is another function involved in our computer system.
So in our computer system we have a set of resources: files, databases, memory, portions of memory and so on. To control which users can access them and do different things with those resources, first we need authentication of the user. That's what our previous topic was about: how can we check that this person is an authentic person with respect to our computer system, that they have already been registered and that they are who they say they are? So we've looked at means of authentication.

Once a user is authenticated, for example they log in, then we have an access control function to say what this user can do with respect to our resources. So once someone logs in, the access control function may say that this logged-in person, this user with this user ID, can access these resources, and we'll talk about what we mean by access shortly.

For access control to work we of course need some authentication first. We need to make sure the users are who they say they are, because most access control functions depend upon the user ID. That is, we say this user can do these things, so we need to make sure that we've got the right user. The access control function will do things like say this user can access these resources, and it will control and make sure that the appropriate user can access the appropriate resources. To do so, there needs to be some database that says who is authorized to do what: some authorization database that says these users are authorized to access these files, for example. Who sets that up? Whoever is managing the computer system; here in the picture, some security administrator. So someone sets up the authorizations saying which users can do which things. The access control function is software that checks, based upon the user that's authenticated and logged in, and controls and makes sure that the authorizations are implemented correctly.
That is, the user can access the right resources. So we've got different components all coming together.

A last thing: we want to make sure that all of this works. Let's say we have an authentication system and an access control function that controls, say, that the students can only access a subset of the files on our server. So the administrator of the server has set up a database saying that these are the students in our computer system, and these are the files that they can and cannot access. Auditing is the process of checking that all of that is working as intended: to confirm that the access control is working, that the database is correct. So auditing is checking that, once we've set things up, it's working as intended.

So overall we're going to focus on access control, but for that to work we need authentication, and to check that it's working correctly we also have auditing. So the other functions we need in addition to access control are: authentication, to check the credentials of the user that's trying to access the system (that's the previous topic); authorization, so someone needs to determine who can do what, so we grant permissions or rights to users (and when I talk about users in terms of the computer system, we should really say we are granting a right to a system entity; it may be a piece of software. I may say that this software can access this file, and that software may be running on behalf of a human user); and auditing, some review of the system to make sure that it's working as intended, so checking that the controls are working correctly. If we have some policy in our organization that says students cannot access the financial records of SIT, that may be an organizational policy; then we'd need to check that our access control implements that policy correctly, and detect breaches. If something goes wrong, then be able to detect that and fix things when things go wrong.
That's the role of auditing. We're focusing on access control, the fourth one in that list.

There are three main approaches to access control listed here: discretionary, mandatory and role-based. We'll talk about each of them, but as a summary: discretionary access control is the one that we will be most familiar with already. We identify who's requesting to access a resource, and we have some rules to say what they can do with that resource. So we need to specify those rules, and it will allow entities, for example users, to modify those rules, for example to change who can access particular resources. An example: maybe I can access one file on the computer system. It's my file, I've created it. I may be able to change the access control so that I allow other users to access my file. I have the discretion to change the controls.

Mandatory access control is slightly different in that we cannot change the permissions, or the access controls, once they've been set up. We'll go through that, and we'll see that it's similar to security clearances, like the military's top secret, secret and confidential, and we'll talk about the relationship between different security levels and how they can be implemented in a computer system.

We'll see role-based access control is similar to discretionary access control, except instead of controlling which users can access resources, we do it based upon user roles. For example, we say all faculty members: the faculty member is a role. I'm a user, but I may take a role of faculty member, and we specify the controls per role. So I say all faculty members can do these things, all heads of school in SIT.
There are multiple people who are faculty members and heads of school; they have different access permissions. So a user may take one or more roles, and in role-based access control we control based on the role that they have.

We can mix them. So a computer system may combine these three different approaches; you don't have to use just one or the other. So let's go through them. But first, some basic things which are common across all of them. Actually, requirements we'll return to after we go through some specifics; I'll return to this list later.

Let's go through the basic elements of access control. In all of these systems we distinguish between a subject, an object and an access right. The subject is the entity trying to access a resource; think of it as a person, or a piece of software acting on behalf of that person. So a subject wants to access some resource, and that resource we refer to as an object. The thing that we want to be able to access, and control access to, we refer to as an object. Those resources or objects may be some record in a database; some blocks on the hard disk (the hard disk is split into blocks, so a particular range of blocks that they can access); in memory, where we can divide memory into pages, for example; files, so the object may be an entire file or even part of a file. So we may control very fine-grained and say that this user has access to these parts of this file, not just the entire file. Directories; mailboxes, for example the inboxes for different users; software, so programs; and communication ports, or means of communication on the computer system. So there are many different types of resources, or what we'll call objects, when we talk about access control.

What we want to do is specify which subject can access which objects, and we do so by specifying access rights, sometimes called permissions. We say subjects have rights to access different objects. It describes the way in which the subject can access the object.
So when we say access, it may be different ways. Common ways are: read access. Read, for example on a file, means you can see the contents; if I can read a file, I can see the contents of that file. Write access means I can modify the contents of that file. Execute access, the access right of execute, means I can run that file, execute it. And there may be others, like delete: I may have the specific right to be able to delete the file, or not be able to delete the file. Create files, search for files, and there are even others. So there are different things that we may want to allow the users to do; they are called access rights.

In summary, we want to specify which subjects have which access rights on which objects. For example, user Steve has the read and write permissions on file X. Questions on these three concepts? Easy so far? Some of you may have seen these concepts in Linux file systems. If you've sat through our lab, you've seen that we've been able to give permissions to users, and that's what we're talking about here, but in the general concept.

The most common form that we will be familiar with is discretionary access control. An entity may be granted access rights that allow that entity to enable others to access the resource. For example, I may be able to read and write to a file, and I may also have the permission to give someone else permissions to read and write that file. So we can modify the permissions or the access rights.
We have the discretion to do so. We'll distinguish that from another type where we're not allowed to modify them once they are set up. That is, going back to our picture: initially there's some authorization database that says these subjects have these access rights on these objects, but with discretionary access control the users, the subjects, may change that. They may modify those access rights as we go. Not the security administrator, but the actual users may change the authorizations.

It's very common in operating systems and in database management systems, which is what we're mostly familiar with. We use operating systems all the time; we need to set them up for different purposes. And I think some of you have implemented different databases, or database management systems, to control what users can do. As a result the concepts are also applied in many applications you may develop, like websites where you have multiple users and you want to control which users can do which things.

With discretionary access control, we specify the access rights: we map each subject to each object on the system and say what access rights they have, and we can think of that as a matrix, an access matrix. Let's go to a simple example. We have a set of three subjects, three users on our computer system, for example A, B and C, and we have four objects. This is of course a trivial example; in a computer system we may have many more objects and many more subjects. But the access control can be implemented by specifying, in matrix form, what the subjects can do with those objects.
The objects in this example are files. The element in the matrix specifies the access right, so: subjects, objects, access rights. In this example it says user A owns the file File 1; that's an access right to say that they are the owner of that file. In addition, they have the right to read that file, the access right or permission to read the file, and also the permission to write the file. User A has no permissions on File 2: being empty means that those access rights are not available. They have own, read and write on File 3, and no permissions on File 4. And similarly for users B and C. We see the access rights for this system.

So this information is what is initially stored in that authorization database. Think of the authorization database as specifying which subjects can do which things with which objects, and here we're doing it as a matrix. This is just an example on files; it doesn't have to be on files. It can be, again, on memory, parts of files, different resources inside our computer. Files is the easiest example and the most common one.

In this example, read implies that we can see the contents of the file. Write implies that we can modify the contents, which often also means we can delete the file. Let's say it's a text file: if I'm allowed to modify the contents and save it, one thing I could do is just delete all the characters in the file and save it as an empty file, which is almost equivalent to deleting the file. So write sometimes implies that it also means the ability to delete an object.

What do you think ownership means? If I own a file, as opposed to not owning it, what extra thing can I do? What can user A do to File 1 that user C cannot? Well, if we say that write permission means that we can modify: so I open up the file as user C. I'm allowed to write the file.
It says user C can write the file. Then I open the file in my editor and I remove all the characters and save it. That's effectively deleting the file; there's nothing that's left. So no, not necessarily delete; it depends upon the exact implementation. Maybe there's another thing that user A can do but user C cannot, in discretionary access control. What do you think own is for? Delete and remove are about the same. Right, but the contents of the file are gone. Maybe the file name is still there, but there's nothing in it, so it's effectively deleted. What else? Ownership: what can that provide me?

Ownership generally implies that I can write; I own that file. And in discretionary access control it means that I'm allowed to change the access rights on this file. That is, I may change it for myself and, more importantly, I may change the access rights for other users. Since user A owns File 1, user A can allow user B to also write it, so they can modify this set of permissions. Or they could modify the permissions for user C, so that user C can no longer write File 1. So in discretionary access control the users have some discretion in modifying these permissions, and usually that belongs to ownership: the owner has the discretion to modify the permissions for that object.

Think of your computer, or a computer system that you use, that may have multiple subjects, multiple users. How many files on a computer system? Four or more?
More, many more, okay. So there may be many files on a computer system, and so our matrix gets quite large in this direction. There are thousands, maybe millions, of objects that we want to specify. So thinking of it as a matrix becomes a bit complex, because you may find that for many of those files or objects users have no permissions. So there are a lot of these empty elements in here; there may be many files that one user has permissions on and other users can do nothing with, which is common in practice.

So instead of thinking of it as a matrix, and even implementing it as a matrix, usually we condense this information into a list. So there is what's called access control lists. This is the exact same set of permissions, but represented in a different data structure. Instead of a matrix we have a set of lists, and in this case there's one list for each file, each object. For File 1, in some list, some linked list, we say that user A has the permissions of own, read and write (so r and w are just short for read and write), user B has the read permission, and user C has the read and write permission. And you check that's for File 1: that corresponds to the first column. The information in the first column is stored in that list. So it's exactly the same information; it's just a different way to store it, because this information needs to be stored on our computer system. Think of it as this authorization database: it needs to be stored, so that when a user tries to access a file our access control function will check that and determine if they can access it or not. So the way that we store that is actually important. There are different approaches.

Access control lists, for each object in our system, specify what different users can do with that object.
So for File 2, users B and C have different permissions. User A is not in this list. We only list the users that have some access rights; those that have no access rights are not listed, and that saves on the storage, really, or on managing that system. So if we have a thousand users in our system and only two users can access File 2, then we just have these two entries. We don't need to have entries for all the other users, because if the user is not in this list, it means they have no access rights. So it's just a more condensed way to store the information about the access rights. Access control lists: for each object, list the permissions for each user.

The alternative is a capability list: for each user, list the permissions, or the access rights, for the different objects, what capabilities they have. This is exactly the same as our original matrix and also the access control list; it's just a different data structure for storing this information. User A is allowed to, or they own, File 1, and they can read and write File 1. They also own File 3 and can read and write it. On all the other files on the system they don't have any permissions. So if, for example, we have a million files on the system, then we only need to deal with entries for the files that that user can actually do something with; we don't have to worry about others. And user B likewise. So just check that the data in these three representations are the same: if you look at the column File 1, that's the access control list; if we look at it row-wise, so user A, that's the capability list. In fact different systems will usually use either access control lists or capability lists; the matrix is usually inefficient for storage and for updating.

Or a fourth option, an authorization table: simply a table with a row for each combination of subject, object and access right, or in this case listed as access mode. So again, the same data as the previous three.
Subject user A has the access right of own on object File 1, and so on. So a table that has a row for each access right of each combination of subject and object; here it's listed as access mode, which is just another name for access right, the mode in which we can access that object. Authorization tables, capability lists and access control lists are commonly used in practice, but they are all just more efficient ways to store an access matrix. So they are listed there, those three alternatives to the access matrix. Easy so far?

Let's go to an example, and I think some of you have seen the example before, but we'll spend some more time on it just to be clear. The examples we'll use for access control are on our Linux operating system. We have a set of users on this system, and we saw them yesterday, but just to remind you who's there: passwd is the file that stores the user information, and there are many users on this system. In fact, each of you is a user on this system, so your user names are there. Then another file, the shadow file, holds the password information.

How is access control implemented on our Linux operating system? Where do I find out which users can access which files? How do I know which user can access which files? Can any user on my operating system access any file? No, there are some permissions that control what a particular user can do, and we've seen it before; we'll do it again. If I try to look at the file that stores the password information, it's called shadow, it's in the /etc directory: permission denied. That's access control working. The access control function is checking. The object is the file; shadow is the file name, that's the object. The subject is the current logged-in user, which is network; I'm currently logged in as a user called network. So the subject called network is trying to access, to read, the file shadow. The access control function is checking before they are allowed to do so, and it checks and it finds out:
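The four representations discussed above (access matrix, access control lists, capability lists and authorization table), together with the access control function and the owner-only discretionary change, as an added example that is not part of the lecture. The rights on File 1 and File 3 follow the lecture's example; the rights on File 2 and File 4 are assumed here for illustration.

```python
# Added example (not from the lecture): the lecture's 3-subject, 4-object access
# matrix stored as ACLs, capability lists and an authorization table, plus the
# access control function and the discretionary (owner-only) changes that use them.
from collections import defaultdict

# Constructed sample matrix. The rights on File 1 and File 3 follow the lecture;
# the rights on File 2 and File 4 are assumed here for illustration.
ACCESS_MATRIX = {
    "A": {"File 1": {"own", "r", "w"}, "File 3": {"own", "r", "w"}},
    "B": {"File 1": {"r"}, "File 2": {"r"}},
    "C": {"File 1": {"r", "w"}, "File 2": {"own", "r", "w"}, "File 4": {"own", "r", "w"}},
}


def access_control_lists(matrix):
    """One list per object (a matrix column): which subjects hold which rights.

    Subjects with no rights on an object are simply absent, which is where the
    saving over the sparse matrix comes from."""
    acls = defaultdict(dict)
    for subject, row in matrix.items():
        for obj, rights in row.items():
            if rights:
                acls[obj][subject] = set(rights)
    return dict(acls)


def capability_lists(matrix):
    """One list per subject (a matrix row): which objects it may access and how."""
    return {s: {o: set(r) for o, r in row.items() if r} for s, row in matrix.items()}


def authorization_table(matrix):
    """Flat table with one (subject, access mode, object) row per granted right."""
    return sorted(
        (subject, mode, obj)
        for subject, row in matrix.items()
        for obj, rights in row.items()
        for mode in rights
    )


def matrix_from_acls(acls):
    """Rebuild the matrix from the ACLs, to show all representations carry the same data."""
    matrix = defaultdict(dict)
    for obj, entries in acls.items():
        for subject, rights in entries.items():
            matrix[subject][obj] = set(rights)
    return dict(matrix)


def is_allowed(acls, subject, mode, obj):
    """The access control function: look up the object's ACL; not listed means denied."""
    return mode in acls.get(obj, {}).get(subject, set())


def change_rights(acls, requester, subject, mode, obj, add=True):
    """Discretionary change: only a subject holding 'own' on the object may edit its ACL."""
    if not is_allowed(acls, requester, "own", obj):
        raise PermissionError(f"{requester} does not own {obj}")
    entry = acls.setdefault(obj, {}).setdefault(subject, set())
    if add:
        entry.add(mode)
    else:
        entry.discard(mode)
        if not entry:
            del acls[obj][subject]  # an empty entry is the same as no entry


if __name__ == "__main__":
    acls = access_control_lists(ACCESS_MATRIX)
    print("ACL for File 1:", acls["File 1"])
    print("Capabilities of A:", capability_lists(ACCESS_MATRIX)["A"])
    print("A may write File 1:", is_allowed(acls, "A", "w", "File 1"))
    change_rights(acls, "A", "B", "w", "File 1")  # A owns File 1, so this succeeds
    print("B may write File 1 now:", is_allowed(acls, "B", "w", "File 1"))
    try:
        change_rights(acls, "C", "B", "w", "File 3")  # C does not own File 3
    except PermissionError as e:
        print("Denied:", e)
```

The ACL is the structure the access control function consults at request time, so `is_allowed` is written against it; the capability list and authorization table are produced from the same matrix so that you can confirm, as the lecture asks, that the three representations hold identical data. Note that `change_rights` treats the absence of an entry and an empty entry identically, matching the "not listed means no rights" convention.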
No, they don't have the access right to read that file. So our operating system has this access control function built in.

How can we see the matrix, or the access control list? How do I know which files I can and cannot access? ls -l. If we list a file, there are different ways to do it; ls -l just lists the file information in long format, and it tells us some information about the permissions. So this is the file, and it tells us, and we'll recap: these nine characters tell us in short form the permissions on this file. The user that owns the file is called root; that's the owner of the file. That user has the permissions of read and write, but they do not have execute permission. That's how we interpret those three characters: rw- means r for read, w for write; the third character should be x for execute, and if there's no character there, just a dash, it means we don't have that permission. So the root user has read and write permissions on this file. But there's a separate classification of users: there's also a group of users. The group is called shadow, and anyone inside that group has these permissions: anyone inside that group has the permission to read the file, but not write or execute. And anyone outside of that group has no permissions on that file.

The network user is in these groups. They are not in the shadow group. So the network user is not the owner, they are not in this group, therefore they are one of the other users, the other set of users. So the permissions that the network user has on that file are defined by these settings, which means they have no permissions.
They cannot read, they cannot write and they cannot execute. That's why when we try to look at the file it says permission denied. So the access control function uses this information. Somewhere it's stored on the file system, and it checks the permissions: when someone tries to open the file to read it, the access control function of the operating system does the check, and in this case determines they don't have access. So that's an example of the access control in operation.

Is this system discretionary? Discretionary access control: what does discretionary access control mean? I know we haven't looked at the other two, but what's the discretionary part? Why do we call it discretionary? What does it mean? Think of the word discretionary: the users have some discretion to do something. Discretionary means that the users can choose to change the permissions; they have the discretion to make changes, really. So in other systems we'll see later that the users cannot change them once the permissions are set. So once the initial permissions are set the users cannot change that, but in discretionary access control the user has the ability to change these permissions, especially of the files that they own, and we can do this in this system.

Let's switch to a different user. Any volunteers? Who's going to volunteer? Okay, thank you. Can you tell me your password? I want to switch to this user, but I need his password. Want to guess? Brute force. Fail. Our authentication is working, in that if you type the wrong password it fails. So this is back to our previous topic. Note when I typed in the password, and I'll do it again, I think we've seen this but we'll do it again: all right, it prompts me for the password. I type in a password; I know it's the wrong password. I press enter. Now it takes several seconds before it returns me, and it says there's a failure.
It doesn't say wrong password or even wrong username; in this case it's just saying it didn't work. And importantly, there was a delay. So between when I pressed enter and when it returned me to try again, there was a delay of several seconds. It doesn't take my computer long to check; it takes microseconds to check. So the delay is some arbitrary, some introduced, delay to make it slow for brute force attempts, meaning someone cannot try many passwords. I need to remember, or try and guess, the password. Try again. If I keep trying, do you think it will lock me out? No, on this system it... I think I've done it again. If you keep trying, it will just allow you to make multiple attempts by default. Maybe I don't know the password. Okay, we're there. So we're logged in as a new user now.

Okay, let's create a file. I made a mistake there. So in this case our user has permissions on this file which are read and write. The user that owns it has read and write permissions; the group, anyone in that group, also has read and write permissions; anyone else has read permission. That's how we interpret it. It turns out by default no one else is in this group other than the user, so the default permissions say that for this file the user is allowed to read and write, and everyone else is allowed to read the file only; they cannot modify it. Those are the default permissions.

We can change permissions. How do we change permissions? Question: chmod. Again, all right, let's change the permissions and see some things that we can do. Okay, well, we'll see the role of ownership.
So let's change the permissions, and we'll make some different changes and see what can happen. We can change permissions with this command, which changes the mode in which people can access, so an access right or an access mode. We can say, for example, others cannot read the file: subtract the right, or revoke the right, the read permission on that file. And it will bring up another user. We're logged in as another user now. Can they read the file? Let's try. Permission denied. So my alternative user cannot read the file. And if we change the permissions back, so others can read the file, we now can read the file. So that's just changing the mode of the file, which is the discretionary part of discretionary access control: the users have some ability to modify the permissions.

What do you want to do? Remove the permissions for everything? Let's see what we can and cannot do. Can this user change the permissions? Let's try. No. Okay, so normally the user that owns the file has the ability to change the permissions. A user, in this case our user, has the ability to read the file, but they don't have the ability, or the discretion, to change the permissions on that file. So that's usually the role of the owner. We often specify the owner; the owner can change permissions, but other users, even if they can read the file, cannot change the permissions on that file.

Everyone cannot do anything: a for all users, subtract or revoke the permissions of read, write and execute. Permission denied. My other user of course cannot do anything. What happens now? So the person who owns the file cannot even read the file. That's a problem, but the owner can still change the permissions. So there's this fourth access right we have here, ownership. Previously the owner could not do anything with the file, but they're still allowed to change the permissions. So we change the permissions back so that we can now read the file.
So that's the normal case, in that a user can change permissions if they own the file. So think of four access rights so far: ownership, read, write and execute. That's what's default on a Linux system; on other systems they may have other access rights and different meanings.

So what we're going to do: your next homework task will involve just looking at permissions, and that's where you need to use one of these virtual network nodes so that you all have the same setup. What you can do is create some users, some fake users, on your system, and I'll give you some tasks to change permissions and just explore what you can and cannot do with discretionary access control.
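The Linux demonstration above (reading the nine permission characters from ls -l, deciding whether the network user may read /etc/shadow, and the chmod changes o-r, a-rwx and the owner restoring access) as a Python model, added here as an example and not part of the lecture. It is not the kernel's code; the file notes.txt and the users alice and bob are constructed for illustration, and the model ignores root's override of the permission check, set-id bits and the meaning of x on directories.

```python
# Added example (not from the lecture): a Python model of the Unix owner/group/other
# check that `ls -l` displays and `chmod` modifies. File names, users and groups
# below are constructed for illustration; the real check lives in the kernel.
SYMBOLIC = "rwx"  # position within each class: r=4, w=2, x=1


def parse_mode(mode_str):
    """Turn the nine permission characters shown by `ls -l` (e.g. 'rw-r-----') into bits."""
    s = mode_str[-9:]  # tolerate a leading file-type character such as '-' or 'd'
    if len(s) != 9:
        raise ValueError(f"need nine permission characters, got {mode_str!r}")
    bits = 0
    for i, ch in enumerate(s):
        if ch == SYMBOLIC[i % 3]:
            bits |= 1 << (8 - i)
        elif ch != "-":
            raise ValueError(f"unexpected {ch!r} at position {i} in {mode_str!r}")
    return bits


def format_mode(bits):
    """Inverse of parse_mode: 0o640 -> 'rw-r-----'."""
    return "".join(SYMBOLIC[i % 3] if bits & (1 << (8 - i)) else "-" for i in range(9))


class File:
    """Permission metadata for one object: mode, owning user, owning group."""

    def __init__(self, name, mode_str, owner, group):
        self.name, self.owner, self.group = name, owner, group
        self.bits = parse_mode(mode_str)

    def __repr__(self):
        return f"-{format_mode(self.bits)} {self.owner} {self.group} {self.name}"


def permission_class(f, user, groups):
    """Exactly one class applies: owner first, then group membership, else 'other'."""
    if user == f.owner:
        return "u"
    if f.group in groups:
        return "g"
    return "o"


def can(f, user, groups, want):
    """The access control function: test the requested r/w/x bits of the applicable class.

    Simplification: a real kernel also lets root (CAP_DAC_OVERRIDE) bypass this check."""
    shift = {"u": 6, "g": 3, "o": 0}[permission_class(f, user, groups)]
    have = (f.bits >> shift) & 0o7
    need = sum(1 << (2 - SYMBOLIC.index(c)) for c in want)
    return have & need == need


def may_change_mode(f, user):
    """Ownership is the fourth right: only the owner (or root) may alter the mode."""
    return user == f.owner or user == "root"


def chmod(f, user, spec):
    """Symbolic chmod: spec is who ('u','g','o','a'), op ('+' or '-'), then r/w/x letters."""
    if not may_change_mode(f, user):
        raise PermissionError(f"{user} may not change the mode of {f.name}")
    who, op, perms = spec[0], spec[1], spec[2:]
    shifts = {"u": (6,), "g": (3,), "o": (0,), "a": (6, 3, 0)}[who]
    mask = 0
    for shift in shifts:
        for c in perms:
            mask |= (1 << (2 - SYMBOLIC.index(c))) << shift
    if op == "+":
        f.bits |= mask
    elif op == "-":
        f.bits &= ~mask
    else:
        raise ValueError(f"unsupported operator {op!r}")
    return format_mode(f.bits)


if __name__ == "__main__":
    shadow = File("/etc/shadow", "-rw-r-----", "root", "shadow")
    print(shadow)
    print("network may read shadow:", can(shadow, "network", {"network"}, "r"))
    notes = File("notes.txt", "-rw-rw-r--", "alice", "alice")
    print("bob may read notes:", can(notes, "bob", {"bob"}, "r"))
    print("after o-r:", chmod(notes, "alice", "o-r"), "bob may read:", can(notes, "bob", {"bob"}, "r"))
    print("after a-rwx:", chmod(notes, "alice", "a-rwx"), "alice may read:", can(notes, "alice", {"alice"}, "r"))
    print("owner can still restore:", chmod(notes, "alice", "u+rw"))
```

The point to notice is in `permission_class`: only one of the three classes ever applies, so an owner with mode `---rw-rw-` is denied even though group and others are allowed, which is exactly the "owner cannot read but can still chmod" situation the lecture produced with `a-rwx`. The check for who may run chmod is separate from the rwx bits, which is why ownership behaves as a fourth right.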