Okay, so yeah, morning everyone. Today's Tuesday, January 26th. We're here with 140 of our closest friends. And first thing to note is assignment two is up. Please check the course Piazza. There's a post about this. I also posted the recording of where I went over this assignment on Monday. So we're not gonna be going over it here, but I just want to let you be aware of that. All right, cool. Back to access control. So we've been looking at the UNIX access control model. So we looked at, and on Thursday, we looked at how the UNIX model actually implements access control lists. So we saw that it only uses 12 bits per file, which is interesting when you think about it from the perspective of implementation, right? So this way, rather than in our access control, the matrix model that we talked about where the set of rights that a file could have could grow pretty large and the set of users that could have rights on that file could grow very large. Here we've actually limited it so that we're only using 12 bits per file. So we went over the first three bits and then we went over the other three bits, our read, write, and execute. We talked about this on files. The interesting thing that we didn't mention is for directories. So the read permission on a directory means that you can list the files that are in that directory. The write permission means that you have permission to create new files and rename existing files in that directory. And the execute permission is very interesting because what does it mean to actually execute a directory? It's one of these things that actually doesn't make sense at all. So they repurposed this and they said, okay, with execute permissions, you can cd into a directory and you can access other subdirectories in there. So this means that you can do things like I could give you access to one directory in my home directory, but not access to anything else. 
And if you don't have read permissions on the directory, you wouldn't even be able to list the files that are in there or know what files are in there. But you could still access a file that's in a specific given directory. Okay, but moving on from this, so there's other types of access control ideas. So we looked at different ways of thinking about this, but one of the things we haven't talked about is let's say content dependent controls. So this would be an access control model that would depend on what is the type of data that you're accessing. So for instance, if you think about working in a company, you may be only able to see salaries that are less than $50,000. So this access control doesn't depend on you, the user, or what permissions or rights you have, but it actually depends on the data itself. Another example of this that's probably more familiar if you think about a traditional organization, every person in this organization, there's kind of a tree structure. So there's like the CEO or whoever at the top, there's employees that report to them, and then each of those people has employees that report to them all the way down. So you have this tree structure. So in terms of the salaries of the employees, you may only be able to see salaries of employees who report to you. So this is, again, dependent on the content and the structure of the organization. Another thing is context dependent controls, so this depends on the context of a situation or a system rather than the specific content. So for instance, one thing that actually maybe has had to change a lot for a lot of companies is maybe you can't access sensitive information from a remote login or from a VPN from your laptop. So why might this be important, what's a security policy that we'd want to implement? Making sure like a student is in a specific location if they're like taking a test or something. Yeah, that's great. Thanks Emma. 
So yeah, that would be, yeah, so we can maybe guarantee something more, in terms of security, about the systems inside of a site. So if you think about the desktop systems or your workstations that somebody posted, if you think about those inside of an organization, those may actually be considered quote-unquote more secure than a laptop that's frequently going from inside the building to outside the building. And so you may actually limit what kind of information they can get from a remote login. Other context, again, going with the salary definition, maybe salary information can be updated only at the year's end. So that would be a different type of access control. It's not like, so this is different than we talked about with write access and most things we've thought about. You have write access to the salary information. That means you can change it at any time, but maybe the context is in our organization we only update salaries at the end of the year. So there's actually a time component there that even if you have write access to update salaries, you can only do it during that time of the year. And other things, this is actually something that I think I already brought up is that, so the company's quarterly earnings report is confidential until it's announced at the stockholders meeting. Other things you can think of, context dependent controls get really hairy and really tricky when you think about applying this to a hospital or a healthcare scenario. So there you do want a lot of different types of access. You want only your physician to have access to your healthcare data. You don't want anyone to just have access to it, but if there's an emergency and the nearest doctor has to rush into the room to help somebody, you don't want them stuck, let's say at the door and saying like, oh, you're not the attending physician here. You need an administrator to have you have access here. 
So that could be another context when there's an emergency occurring, you need people to be able to get access. Yeah, excellent. Any questions on this notion? Cool. Now we're gonna get into different types of access control. So we've looked at how to model access control. We looked at it, we have the matrix model. We have access control lists. We have capability lists. And now we can think about different types of access control and the way I think about this is like, what does the system allow you to do? So if you think about the UNIX model, right, so we talked about the UNIX model, who decides who has access to what file? The owner of the file. The owner of the file, yes. So there is an administrator, right? So some people mentioned root in chat. Root has total control and they can change permissions. But fundamentally in the UNIX model, the owner of the file gets to choose who has access. If you own a file, that means you can set the access control bits on the file. Fun fact I learned yesterday on Monday was actually surprisingly, Linux and UNIX style systems don't allow you to change ownership of a file to somebody else. And the kind of fun fact about that is on systems back in the days when there was like multiple people using it, you could have like a disk quota where like you could only use let's say 20 megabytes of files. And so you could then use this as a denial of service attack on somebody else, create a file that's like 19.9 megabytes and then change the ownership to somebody else. And now all of a sudden it's their fault and their quota gets messed up. So anyways, that's why you can't do that. But the owner of a file in Linux gets to control who has access to that file, right? We went through those steps last week. We looked at what happens if I chmod this file? I can give everyone access by letting other have read, write and execute. I can restrict it to just the owner of the file, me, or I can restrict it to the group of the file. 
And so this is called, this type of model is called discretionary access control with the notion that the owner of the object controls who can access the object and who can change it. What would be a scenario where you wouldn't want a discretionary access control? Maybe somebody who ends up being working for a company and then later has to leave the company, like they're fired. Okay, yeah. So somebody is working for a company and has to fire, is fired later. Then why would discretionary access control be bad there? Because there would be no way to transfer that ownership to another person to a new administrator. Okay, yeah. So there would be, you can think of it as like orphaned files or something like that. Yeah, great. What other examples? You always set the grant and revoke permissions, I guess. Right, so the owner of the file gets to control it. So Kate mentioned in chat that lower level employees who shouldn't hide info from their higher ups, right? So if you think about a discretionary access control system, if I'm owning the file and I have a report that makes me look bad, but I own that report, could I just change the permission so that nobody else can read it? Therefore that information is essentially buried, think about the, I always like to take things to extremes when thinking about these scenarios. So then think about the military and think about the nuclear launch codes, right? Should the person that creates the nuclear launch code, right? They created that object, they own it. Should they be able to control who has access to that object? Yeah, we'd hope they wouldn't be able to just do it willy-nilly. And actually we think about from the beginning of this section, we talked about a homework server where students were disallowed from sharing assignments with each other. Well, in a discretionary access control system, if the owner of the file can choose who can access it that allows potential bad situations to occur. So this is contrasted. 
So the contrast to a discretionary access control system is a mandatory access control system. And this means that the system itself controls who has access to an object. So you a user don't get to, just because you own an object doesn't mean you can control who has access to it. And we'll see that this actually leads to some very nice security properties. Another thing that maybe comes up is if you're, let's say Sony or one of these companies that makes movies, do you want a discretionary access control? Do you want somebody who, so once you have ownership or read access to a file like let's say a movie file, you can kind of copy that and do whatever you wanted with it. But of course that interferes with their business models where they want to actually control who has access to it. So there's another type of model to think about is originator controlled access controls. Basically whoever originated the object. So not just the owner, but whoever originally created that data controls who can have access to it. And this also includes kind of sharing further down. So this is where you get DRM or digital rights management, which is kind of actually the technical ways that this is implemented nowadays. Cool. So we're gonna get into and study mandatory access control because it actually drove a lot of our understanding of access control systems. Okay. So before we get to that though question about this, so the difference between owner and originator, so ownership could change, right? So if you think about the a Blu-ray DVD or I guess it's not a DVD, but a Blu-ray disc, I could own that disc with that data on it, but I didn't originate that data, right? 
So this is why they want to implement schemes and this is why, you know, I actually don't know the current state of Blu-ray copying, but there's probably DRM on there such that you can't just copy and duplicate a Blu-ray disc because the originator, the person who created that data has mechanisms in place to try to restrict that copying. Cool. So when we think about mandatory access control, the example we're going to go with is we want to have the notion of different security levels and we'll actually start with this in the military context. So we're going to think about different things: levels, categories and labels, which we'll get into more. We first want to think about the notion of security levels. So there's often this hierarchical relationship between our security sensitive assets and how security sensitive they are. And this is actually something that has, so, you know, one file could have very high security sensitivity. So what would be examples of some files in either, you know, a company context or military context that would have the highest possible security sensitivity? Maybe quarterly financial reports. Say that again. Quarterly financial reports. Yeah, quarterly financial reports, social security numbers of your users, launch codes of the nuclear devices, anything else? Possibly passwords, because those would give us access to these things. Yeah, great. So these could be memos or reports or if it's a document that describes the next 10-year plan of your organization and you're going to say, oh, we're going to buy these companies and we're going to do these things. But we want actually a defined system for this. We don't just want to say, oh, this thing is really important, this security, you know, this file is really important. We don't, we want to have a well-defined hierarchy. And so we need a way to tag data and be able to, okay. Yeah, we want to be able to associate a security level with each entity on the system. 
So the basic idea of what we're going to do here for a mandatory access control system, we need to know for all the data in the system, what security level is it? And in this way then the system will enforce some policy to ensure that nothing bad happens. So we'll look at some examples. So on the commercial side, usually, you know, you can have, these are essentially arbitrary, but think of them as a, the way we'll describe them here is in a level from highest security to lowest security. So something at the top of a commercial security level would be restricted, then proprietary, then sensitive, and then public, right? So it is this kind of, so as we talked about, maybe for the company itself, maybe social security numbers are actually sensitive, right? They may not be restricted because maybe more people in the company need to know that information or use that information, but maybe the company's financial reports would be restricted until they're public and released at which point they would then drop to public. Anybody familiar with the military security levels? Actually, before we get into that, does anybody actually have some military clearance and could say that they do? Nobody, okay. It's no problem, or at least in this class. Yeah, because I've been in class before. Usually there's at least one or two people that at least were in the military now or have been in the military. So they're very familiar with this process. I also do not have security clearance. So at the very top is top secret. This is the highest and we're gonna be modeling this after the U.S. model of security. So it's top secret, then secret, then confidential and then unclassified. So unclassified is everything public. And so you could think of, you're the military. This means you have to tag every bit of data as either top secret, secret, confidential or unclassified. And there's no such thing as super secret. So yeah, this is the thing. 
You need to actually know each of these exact levels. But now the question becomes, so we have these four levels. How, what policy do we actually want our mandatory access control system to enforce? So all the data in the system is tagged at one of these four levels. We'll see that all the people in the system are also tagged at one of these four levels. And so let's use the military example. So we have top secret, secret, confidential and unclassified. So let's actually derive this. So we'll also use abbreviations because using these full names is kind of crazy. Can everybody see the Emacs terminal where I'm writing all this? Yes. Okay, cool. Thank you. Okay, so we have top secret, secret, confidential and unclassified. We have, just as before, subjects, right? And objects. So we have a set of subjects, S. We'll just call lowercase s the single subject, objects, O, you know, the capital O objects. And I'm gonna cheat to remember our notation. Yes, okay, cool. So, we have our different security levels. So the security level of O is going to be, we'll call it L underscore O. So this is the security classification of our objects. So our object in the system, every object in the system has a, oh yeah, fine, let's get rid of this. So O is an object and S is a subject. Okay. So this says that essentially you can get any object's security level by calling this L function, passing it the object, and it will tell you L of this, which we know is one of TS, S, C or U, something from this set, right? We can also ask for the security clearance of a subject. So that would be L of S. And again, this would be either top secret, secret, confidential or unclassified. Cool. Okay, do we need any other notation? Yes, okay. So there's an ordering to our security classifications, right? So we have unclassified is less than confidential, is less than secret, is less than top secret. Everyone agree with this? Yes, no? Yep, okay, cool. So what's our policy gonna be? 
So what's our policy that we want to enforce? So let's first think about it at a high level. So we have these four levels. Informally, what do we want this policy to mean? What do we want our policy to have happen? Somebody with a specific classification can't access objects with a higher classification? Yeah, maybe let's think through, oh, there we go, that makes more sense. Examples, right? So, okay, so I have an object NLC, nuclear launch codes. So this is my object NLC. What access control level would you apply to that? So L of NLC, what's that? Yeah, top secret, excellent. And I have subject Adam, who has a clearance level of unclassified. So can Adam read NLC? Yeah, why is that? Explain to me in English terms. It makes intuitive sense, but why is that? Because your clearance level is lower than the clearance level of the object you're trying to access. Yeah, thank you. So yeah, the object is classified as top secret, which means intuitively only somebody with top secret clearance should be able to access that data and read that data. Okay, cool, right? So now if we have subject, I'll just say gen for some kind of general. So then their clearance level is top secret. So should gen be able to read NLC? Yeah, yes, this is what we want to have happen for the model. So we're creating these examples so that we can build up an intuitive understanding of what this model should do, and then we can define it formally. Okay, great. Now, okay, so let's have a new object. Call it policy, and policy is going to be unclassified. Now again, I can ask other questions. Can Adam read policy? Yes. Can the general read policy? Right, and again, this makes intuitive sense. So Adam has no clearance, is at the unclassified level. They can read documents at the unclassified level. The general has top secret clearance. They can read something at the unclassified level. And if we think about it in terms of this, and we actually didn't get to, so we got whenever some of the examples. 
So what's our goal with this model? What do we want to prevent from happening? Or what do we want to ensure? Think about it. Lower level cannot read top levels. Yeah, okay. So lower level cannot read anything from let's say higher levels, right? Another way to phrase this is, we want, and it's not just can't read, but maybe adding ever here makes it sound more finite. But we want it so that it should never be the case, no matter what actions are taken on the system, it should never be the case that Adam can read some object that contains the nuclear launch codes. So it's not just that the lower level can't read it because that's something we kind of derived in our examples, but we want it to be that it should never be the case that information flows from top secret to unclassified. And why is that important? What's the difference there? Because the second goal includes like not being able to access and write to higher levels as well as read. Yeah, exactly. So yeah, we need to think about all different types. We need to think about different ways that we access the system. How is this going to influence things? Okay, excellent. Cool. So we went over reading. So we'll call this examples, read examples. What about writing? Why do we care about writing in this example? Aren't we only talking about who can read what? Well, it wouldn't make a whole lot of sense for someone who's U, I forgot what that was. Anyway, for someone who's U to write a top secret file because now they know what's in said top secret file. Yeah, so that's okay. That's a little tricky. We'll have to get into that. But let's think about it in terms of this, right? We want lower levels can't read anything from higher levels. So let's go through an example. So let's take the general. So general writes, I already used policy. What's another publicly available document? Report. Okay, writes report. L of report is unclassified. Is this allowed? 
How do you know that report doesn't contain the nuclear launch codes? So let's walk through an example. Gen reads nuclear launch codes, which is six zeros. So okay, the general reads the nuclear launch codes. He writes a report that is unclassified and the report said the nuclear launch codes are three zeros. Should this be allowed? And if you're saying no, why not? The answer is no because the information is now flowing from a higher level to a lower level. And because, let's say report two. So the general creates a file called report two that they're gonna write and the level of report two is unclassified, should that be allowed? Yeah, no, exactly. Okay, so great. This is an example that demonstrates that we actually need to be thinking about writing differently. So especially in a mandatory access control model when your entire goal is to ensure that there's no possible way for information to flow from top secret down to any of the other levels or from secret down to confidential or unclassified, you actually can't allow anybody who has a high level of clearance to create a document at a lower level because they could potentially leak information out that way. Okay, cool. This is a great example. Okay, so this means, so we said they shouldn't be able to do this. Can gen write a report three where the level of report three is, you know, we could just keep doing this, classified. No, report four, I did unclassified, a secret, and we'll do report five that is top secret. Cool. Okay, now let's think about me. So I'm Adam. Can I write, I'm using all these reports. What's something that's more spy like? What's a memo? There we go, thank you. That's a pretty good one. Not exactly what I was thinking of but it'll definitely work. I write a memo. Can the level of memo be top secret? If you're saying no, what policy, which of my policies or my goals does this violate? 
Lower levels can't read anything from higher levels because if you were, if you have unclassified or to write something that would be top secret, a lower level would have access to information that is now top secret. Yeah, it's tricky, right? I can't read it but it is the case that I'm not reading anything else. I mean, I'm creating this information. So if you think about it, anything in that memo must be at what level? Unclassified. Yeah, everything because Adam only has access to unclassified that means content of memo only contains, only contains unclassified content, right? So has any information that is at the top secret level been leaked out? Yeah, fundamentally no, right? In this model, because we know, but it can't contain copies of any classified content because Adam doesn't have access to any classified content. Adam only has access to unclassified content, right? By all of these other reading rules that we went through, the only thing I can read is unclassified content. Well, if I match something that matches classified content, how would I know that, right? I have no way of knowing that. Sure, I can make fake information, but I actually don't even care about integrity, right? The only thing I care about now is confidentiality. This is the only thing. And it could be that somebody has determined that the information that I wrote from unclassified sources actually becomes top secret, right? That's totally possible, but the fact that at that moment, as I wrote it, it's only unclassified content. So I can fundamentally, so this is a weird part of the model, but it kind of makes sense when you really boil it down to the thing we wanna guarantee is these properties. And we don't care about integrity. We don't care about fake data. We only care about ensuring that information never leaks out. So we've gone through some examples. Okay, so now I want, yeah. Okay, so then what's my policy? So I have a subject, subject S and object O. 
So when can subject S read object O? When subject S's clearance is equal to or above the object's classification. What do y'all think? Does that match our thing? Let's go to our right. So important thing to do is look at this. So we have a subject, Adam, whose security clearance is unclassified, the nuclear launch codes, which are level top secret. Can I read that? So this would boil down to is unclassified greater than or equal to top secret? No. No, so it's blocked, awesome. We go through our other examples. The general has top secret, can the general, so is top secret greater than or equal to top secret? Yep. And the policy. So here we have unclassified greater than or equal to unclassified. And then we have the general, is top secret greater than or equal to unclassified, right? So these are both allowed. So this matches all of our examples. So we can think, hey, we're probably on the right track here. Awesome. What about writing? Subject is less than or equal to object. So I can write if the subject is less than or equal to the object. Let's go through here. Okay. Going through my cases again. So here's the example of report. So the subject is top secret, is top secret less than or equal to unclassified for this first example? Oops. Just equal to is what people are saying. What about this case? So let's walk through our examples. So we have for less than or equal. So why does it have to be less than or equal? So a general, if they have top secret clearance, fundamentally cannot create an unclassified document because they could leak out data that way. Now, what you're getting into is this is a model of a system, right? We know it would be insane to actually do this because then literally anybody with top secret clearance would not be able to do anything. So we need actual other mechanisms to make this workable. 
Like we need a declassification mechanism where a general first writes a document at the top secret level and then there's a procedure to see can that be declassified down to unclassified? But, and yeah. And so that's, you know, we're gonna we'll ignore that stuff for now because just to make our policy work we know that somebody with a top secret level can never write a document that is at a lower security level than them. So we could ask this. So they would block, let's see, it would block this, this, this and they'd be able to write it at the top secret level. Cool. And then I can write, so Adam is unclassified is unclassified less than or equal to top secret? The answer is yes. And so this doesn't violate my policy because even though, because the lower level user only has access to unclassified information. So it's never possible that information leaks out this way. Cool. And there's actually a super handy, easy way to remember this read down and write up. So you can read down information down and you can write information at your level or up and to do this, just ensure that you think about that from a flow level. It's not possible for information to flow out because you're only ever writing information up. What about the fact that you know what's in the file? Suppose one person has unclassified access and then they make a top security file, top secret file, I mean. But I know what's in the top secret file and I have unclassified access. Yeah, so you know what's in that file, but also the system knows that what's in that file is not what was considered top secret information before that file was created. So it's not like if we took data that's like the nuclear launch codes and we created that as a top secret file, it's not possible through that mechanism for those numbers to leak out, right? It doesn't matter how many files an unclassified user creates, that information can never flow out. 
But yes, you know, part of what like in the real world we'd need to worry about that and say like, okay, if this person is creating a lot of top secret data, should they have top secret clearance so that they don't leak anything out? Is the system kind of assuming that if someone is making a top secret file or if someone at a lower security level is at a lower security level, then they only know lower security information that they're not gonna go making top secret files? Let's see. So if you're at a certain security level, right? If you're at, let's say confidential, the only pieces of data that you can create will contain confidential or lower information. So even if you create a document that's tagged as top secret, from that point on, the only people that can access that data is people at the higher, at top secret level, but whatever was in top secret can never leak out because you at the confidential level didn't never knew that. Yes, and once you release at a top secret file, if I created a top secret file, at that point I could never see that data again. I don't know what they're using it for, I don't know where that data goes. So you can think about it like a spy, right? A spy may not have access to all the information at the top secret level. They may only have confidential information that they need to do their job, but their reports may be only for top secret level. It's kind of one way to think about it. So the way to think about it is if I, if I create a top secret file with top secret information, current top secret information, there's no possible way for that information to leak out in this model. Like we're also not, you know, the important thing we're thinking about here is that we're also not putting judgments on what should be top secret or should not, right? That's why there's a levels and there's ways to declassify things and move them at the correct levels. 
But in this simplified model, and it's pretty, I mean, the thing I really like about this is we can prove that like, you can actually prove that this is the case that the policy holds just with these two rules that we devised, this simple security condition and the star property. Ba-ba-ba, okay. So we won't go through, so these are the exact rules that we derived. We used our examples, a read down write up. So this is the other thing that makes a lot of sense which is really fun. But besides some of the problems that we talked about, a declassification and other types of problems, are there any, so think about what types of things are at the top secret level, let's say. Anybody? Yeah, so we talked about nuclear launch codes. Let's say we'll call it nuclear, so everything that's related to nuclear, aliens, what else, war plans, yeah, intelligence gathering. So this is all great. So the question you should ask yourself is if you're working on, I don't know, alien autopsies in area 51, should you have access to the nuclear launch codes? Why not? It fits our model, right? It's not pertinent to your job description. Yeah, it's not pertinent to your job description. That's excellent. And it's not, you don't need to know that information in order to do your job on whatever alien autopsies or in the reverse way, if you're working on nuclear launch facilities, you don't need to know about any of that other stuff. And the problem is with the model as we have it, we have no way to enforce that, right? All we have is these very broad levels that we can categorize something and say, okay, we know nothing will flow down from top secret or lower, but we have no way to categorize that information inside there, but we can actually do that. So we can add to this model. So here we have our levels and we can add categories. So we'll go with nuclear, NATO. I think ACE has to do with missile control stuff. Let's just call it space for now. Yeah, space, okay. Yeah, great. 
So we'll go with these three categories for now. So, okay. So the goals are, we still have the same goals. Should we change anything about the goals in regards to the levels? No, and why not? I think we can just put them into, like, a department and have their own distance. They will not interfere with each other. Yeah, so this is great. So we need to think about the levels we always want to maintain, right? We still want it to be the case that no information should ever flow from top secret down, or that top secret information is leaked to unclassified. We want to guarantee that, but we want to add something else. So what is it that we want in our goals, of what we want to maintain? And maybe it'll help, let's go through some examples first. So the first thing we have to change is, we have to change our security levels, because now we don't just have a level. We have a level and a set of categories. Oh, I don't have good notation for this. Okay. So every object is also gonna have a category, which could be nuke, something like this. So now every piece of information not only has a level but also a category, but what should our categories be? So this category function, what should it return? So this level function returned a single entity, right? Something from this set. If you think about these categories, right? So we have nuclear, NATO and space. What do we tag the information that's our plan to destroy aliens with nuclear warheads? Yeah, so maybe it depends on, I guess NATO is if we're doing this with our allies or not, but at least we'd want that to be actually two categories, right? Nuclear and space, right? Let's say this is all on our own. We don't need NATO for that. We can have separate things for that. Or maybe we don't tell NATO that we have space, but so this actually is gonna be, I think, somebody please correct me if this is the correct notation for a power set. Is that like the set starred? Oh, there's just P of that. Yeah, thank you. That's better, right? 
So the power set. So essentially what this means is this could be either the empty set, just the set containing nuke, blah, blah, up to nuke and space. It's getting long. Anyway, what this is saying is that, hey, the categories is a set. It could be the empty set, which means no category, or it could contain any combination of the elements from this set. Make sense? And that makes intuitive sense based on what we said. We may have documents that have different categories. Or if you think about it, if you're the general who is just working with NATO on our nukes, you would have the permission, the category, the set containing nuke and NATO, but you don't have anything to do with space or aliens. So you would not have that category. Cool. So same thing here with the objects. Awesome. So now let's go through our examples again a little bit. So now I need to update this. So let's say I have the nuclear launch codes. The category for, oh, this is that. The category for the nuclear launch codes is just gonna be nuke. So Adam has, let's say, no categories. Okay, so can Adam read the nuclear launch codes? No, why not? Yeah, I'm unclassified. It doesn't matter. What if I change this and I actually do have the nuclear categorization? Still no, right? I still can't read anything. It doesn't matter that I have the same category. What matters is the levels, right? The levels are the really important things. Okay, let's say we have a general one, and the level of general one is top secret and the categories of general one is, let's say, nuke. So can general, general one, read the nuclear launch codes? Yeah, yes, why? Because the general is in the category of nuke and is in top secret, which corresponds to the information. Exactly, so we first need to make sure the level that we're enforcing, write down read up, and then we look at the categories and we say, okay, the general has the categories for this. 
What about, would it change if I added the general is actually our general in charge? Well, no, let's make a second general. So can general two read the nuclear launch codes? Yes, why? Yeah, they have the clearance and the general has the category. Let's add another object. So we'll call object, I don't know how to spell autopsy. So can general one read autopsy? Autospeed, oh, that is the wrong one, autocorrect failed me, whatever. No, why? Because even though general one has top secret clearance, their capability set has nuclear access, but this document has the category of space, right? So correct clearance but not category. Can general two read it? Is it a problem that general two has nuclear and is reading a document about space? Right, the question I always think of when we think about no or yes is, is it possible for information to leak out, right? So he's in the space category, he has access to be able to read all space documents. Okay, cool. Okay, similar. Okay, we went over these things, I think this is good. Okay, so gen one, so our general one, let's, I'll keep it up here, there we go. This will be the generals and this will be the writing. Okay, so general one, okay, we already went through this. So general one, we know, can't write a report that is at the unclassified level. We know from this they can only write a report at the top secret level. Okay, I'm gonna just include this in here. Can general one write a report? Well, let's say report six. I'm gonna change this to R six. I'm getting tired of writing out all this. Where the level of report six is top secret and the category of R six is, and let's look at gen one. Gen one has access to nuclear codes. So should general one, who only has access to the category of nukes, so should general one be able to write a document that has a category of space? Let's make it simpler. Should they be able to write a document with nuke? So definitely yes. So should they be able to write a document with space? 
I think so, yes they can. They just cannot access it after submitting it. It was the same logic that we used for me being an unclassified person, writing a top secret file, and then never using it again. So I can have info on nuclear arms that I could just give to the space department and they'll use it to kill aliens. It's their thing, but I won't be able to use it. So think about report seven. What data could be in report seven? So the way we talked about it, it could be top secret information, right? Because it's at the top secret level. What else, in terms of categories, could that data contain? Yeah, it could contain nuclear information, but somebody else who doesn't have access to nuclear information and only has access to space would be able to read it, right? So let's think of gen three, space person, with, so the level is top secret, clearance category of space person is obviously space. So gen one, again, so this is, let's think of this. So can this space person read report seven? Yep. And let's say gen one, again, reads nuclear launch codes, writes report seven, report. So should we allow this? Yeah, so the important thing to remember is this is a different case than the writing up, because again, we can allow writing up because the data that's being created does not contain any current top secret data or any secret data, right? In this case, this general has access to nuclear information like the nuclear codes, and they can't be allowed to create a document that has a non-nuclear category, because that information that they write could contain nuclear information. Does that make sense? So are you saying that any document they write will at least have their tags, the ones that they are qualified for, but they might have others as well? Exactly, yep, that's exactly where we're going. 
So yeah, so general one can't create a space doc, just a space doc, but gen one, let's say, writes report eight, this general is just on a roll writing reports, report says that the nuclear launch code is one, two, three, four, five, six, and the level of report eight is top secret. The capabilities of report eight are nuke and space. So should the general be able to do this? It's always better when we're in class and people can say yes and no and fight, but yeah. So by the policy, right, this doesn't violate any of the goals, because the only people that can read this report already have access to the nuclear information, in which case they could read the nuclear codes themselves. Whether it can, now the question is, oh, this is gen one, can gen one read report eight? Yeah, no, why not? No access to space, exactly. So even though that report, just the same argument as before, so this is kind of the example of write up. In this example, I can write to categories that I don't have, but I can't read that document. And because I don't have those categories, there's not a risk of information at that category being leaked out. And similar with, okay, so yeah, we have the question of gen two writes. So again, gen two writes report nine, and the level of report nine is top secret and the category of report nine is nuke, space, NATO. So can general two create, write, this report nine? Yes, because even though, because general two doesn't have access to anything NATO, but that doesn't matter. Okay, so this is great. You guys are doing fantastic. Can't, also cannot read that, yes. Now, and let's also think, could, since we're here, do report 10, top secret, report 10, could general two create a report that has the category of just nuke? Yeah, why not? Yeah, because they have space. They can put the thing in there, like aliens exist, right? And that information could leak out, would leak out, from the space category to the nuclear category, right? Excellent. Cool. 
Then let's, so how do we update our policy? So we know this has to hold, right? We always want this to be the case, but how do we compare the categories? So we'll go to the reading example. So you can read if you're at a higher security level and what? What's the relationship between the category of S and the category of the object? And what are we comparing here? So think data types, what's the data type? What does C return? You'd need to have all of the categories of what the object has. Yeah, so you'd need, and because we're using sets, we can use, it's gonna be a better way to do this. I just don't know the shortcuts to do this right here, but subset or equal to, do I have you open? Subset or equal, just so it looks pretty. There we go, right? So this means that in order to, is this correct? So for us to read a document, our categories must be a subset of the object's? No, I think it's the other way around. Yeah, so let's easily flip that this way. Other way around. The object that we're reading has to be a subset of the categories that we have, right? So we have a certain number of categories that we can read. That means that the object has to have all of those categories or some subset of the categories that we have. Excellent. And then what about for writing? Should they be equal, right? If they were equal, then this case wouldn't occur. Oh, sorry, no, that's right. This is writing, there we go. So the reverse of ours, ours would be a subset of the object's. Yeah, S and O, we flip it around. Right, so we can see in this example, right? So here, general one can write a report that has categories of nuclear and space. They can write that report, but they can't read that report. It's the same logic as read down, write up. And let's verify. And the cool thing is this actually makes a, this subset relationship actually makes a lattice of our categories now. So we have at the bottom of the lattice. 
So, and this concept of a lattice actually comes up over and over again, which is why I like to show this in different aspects of computer science. And here we have, at the bottom of the lattice, so you can think of no categories as the empty set. And so this relationship means the empty set is a subset of the set containing nuke, the set containing NATO and the set containing ACE. And then the set containing nuclear, NATO, everything with the arrow is a subset, right? Nuclear and NATO are both subsets of the set containing nuclear and NATO. And also it's a transitive property. So this means the empty set is a subset of the set containing nuclear and NATO. And we can do this again with the set containing nuclear and ACE, the set containing NATO and ACE. And finally, at the top of this lattice is the set containing everything. So this lattice gives you the write down read up. So what does this mean if I have the general at top secret, the object is at top secret, and the general wants to, the general has nuclear and NATO and wants to read a document that is NATO and ACE? Yeah, so no, nobody can do that. So they shouldn't do that, because even though you have NATO, you don't have ACE and you can't get access to that ACE information. What about the reverse? Or so let's think about writing. Could a general with nuclear and NATO on the left, upper left here, can they write a file with NATO and ACE? I'm seeing some yeses and some noes. Does anybody wanna argue one way or the other over voice? Could they write a file that would be nuclear, NATO and ACE? So let's just, like, let's go through this. So let's see the examples. So the general, so I'll just call them the subject, the nuke, NATO, the object, NATO, ACE. So let's look for reading. So they're at the exact same level. So this doesn't hold. So is the object's capability a subset of the subject's capabilities? No, right? This is not, these sets are not subsets of each other. 
What about in the write example? So the write example, I have to flip them. What about this? Are nuclear and NATO a subset of or equal to NATO and ACE? No, so they can't read or write that file. And why is that? So somebody explain it, the intuition behind that. Information in nuclear and NATO contains information in nuclear. And if someone in that category writes a report for NATO and ACE, that could have nuclear information that could be leaked. Exactly. Yeah, so this is why this lattice model is important, because it actually shows us that, and if you look in this model, there's no relationship between nuclear and NATO and ACE. Remember, the relationships are all top to bottom. So you can't, there's no subset relationship between them in either direction. So this means that they can, they can't read a file with that and they also can't write a file with that. So if you do, in order to be able to read or write, you need to actually be write up or read down on this lattice. That kind of makes sense. And you've actually just derived the, actually the super famous mandatory access control model, the Bell-LaPadula model. And it's, it uses this notion of dominates. So this says that the security level, so now we're doing it as a tuple of an L and C. So the level and the category, L, L prime, C prime, and this is exactly what we derived as a group. So there's nothing to be, you know, scared of here. If and only if L prime is less than or equal to L, this satisfies our property that we already derived with the levels, and C prime is a subset of or equal to C. And so the reading permission is if S dominates O, meaning that the level is less, and the, of the subject and the categories means that on the lattice the subject is higher on the lattice than the object. And the star property is the reverse. So the subject can write to O if the object, this is writing up. So they can actually write up on the lattice. It's just a different way of showing it. 
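As an added example (not from the lecture), here is the dominates relation written out as code, with the simple security condition and the star property built on top of it. The level names, the category names (nuke, space, NATO, ACE), and the subjects and reports below are constructed to mirror the examples worked on the board.

```python
from itertools import combinations

# Clearance levels in increasing order of sensitivity (constructed to match the lecture).
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}


class Label:
    """A Bell-LaPadula security label: a level L plus a set of categories C."""

    def __init__(self, level, categories=()):
        if level not in LEVELS:
            raise ValueError(f"unknown level: {level}")
        self.level = level
        self.categories = frozenset(categories)

    def dominates(self, other):
        # (L, C) dominates (L', C') iff L' <= L and C' is a subset of (or equal to) C.
        return (LEVELS[other.level] <= LEVELS[self.level]
                and other.categories <= self.categories)

    def __repr__(self):
        return f"({self.level}, {set(self.categories) or '{}'})"


def can_read(subject, obj):
    # Simple security condition ("read down"): the subject must dominate the object.
    return subject.dominates(obj)


def can_write(subject, obj):
    # Star property ("write up"): the object must dominate the subject, so nothing
    # the subject knows can flow to a lower level or to a category it lacks.
    return obj.dominates(subject)


def category_lattice(all_categories):
    """Power set of the categories plus the covering edges (lower -> upper) of
    the subset lattice; an edge points in the direction information may flow."""
    cats = sorted(all_categories)
    nodes = [frozenset(c) for r in range(len(cats) + 1) for c in combinations(cats, r)]
    edges = [(a, b) for a in nodes for b in nodes if a < b and len(b) == len(a) + 1]
    return nodes, edges


if __name__ == "__main__":
    # Constructed subjects and objects from the board examples.
    gen1 = Label("top secret", {"nuke"})
    gen2 = Label("top secret", {"nuke", "space"})
    codes = Label("top secret", {"nuke"})           # nuclear launch codes
    autopsy = Label("top secret", {"space"})
    report8 = Label("top secret", {"nuke", "space"})
    for who, what in [(gen1, codes), (gen1, autopsy), (gen2, autopsy), (gen1, report8)]:
        print(f"{who} read {what}: {can_read(who, what)}, write: {can_write(who, what)}")
    nodes, edges = category_lattice({"nuke", "NATO", "ACE"})
    print(f"lattice has {len(nodes)} nodes and {len(edges)} covering edges")
```

The subject with {nuke, NATO} and the object with {NATO, ACE} come out as neither readable nor writable, which is the incomparable case on the lattice that the discussion above works through.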
So to test yourself, you can definitely go through these examples. We already went through all of these. I'm not going to go over them here. So I can leave this as a fun aspect here. And actually we're at the end of our access control time, which is crazy. So some other types of things that we're not gonna get into, but people have actually even mentioned this in the chat because it has become kind of a common, common thing. So there's a lot of different types of thinking about access control. And one of the most common ways that you may have thought about it is role-based access control. And this is a very natural way of expressing access control: rather than specifying for every single person on your system exactly what access control they should have, you group people into roles, what is their role on the system. So something like Gradescope has this, you have a student role when you're on Gradescope. In that class I have an instructor role, which means I get to see more people. Tiffany also has an instructor role. So your permissions are not determined by you exactly, but they're determined by your role. And this means you can change things easily. And rather than specifically your identity, as in discretionary access control, or clearance, it's determined by your role. And it's a much more natural expression of business logic, because if you're a software engineer, you probably need the same access control in a company. It doesn't matter specifically what user you are. Taking this model and making it more fine grained is the notion of attribute-based access control. So rather than, as a user, your role is one attribute, but you can actually abstract that out. You can have multiple attributes. You can have an age, an ID number, a group membership. So you can say, okay, if you have the attribute of software engineer and you're in the kernel group, then you have access to the Windows source code. 
So this gets into ways that you can implement kind of that category model that we talked about. And you can even make a complex Boolean expression of your attributes, and that's the kind of cool thing here. And yeah, anyways, it's an interesting way of thinking about access control and different types of models. And then so from here, there's actually a lot of current research that's happening in access control models. One of the things that we've kind of talked about and touched on a lot in this section is usability. So how usable actually is your access control model? How easy is it for administrators, just like we said with the matrix model, how easy is it for me to know what access a user has? How flexible is your access control model? And how expressive is your access control model? And one of the ways to think about this is, can you express everything in the Unix access control model that we saw with 12 bits? Can you express everything that you can express in the access control matrix? And fundamentally, by grouping users into the owner of the file, the group of the file and others, it becomes very difficult to express everything that you'd wanna express. Cool. And federation is also another super interesting thing. This is like if you, I'm trying to think of an example. If you use Gmail, I think it's a good example. If you use Gmail from ASU, when you go to check your Gmail, it actually has you log in first with ASU and then gives your information to Gmail so that you can see it that way. So federation is, how do these systems work together to implement access control? Can I trust at ASU the credentials that you're given from U of A to maybe give you access to the system? Yeah, so federation is basically third parties talking to each other, and how to make this all work in a way that we can all enforce maybe a complex access control policy. 
A way to think about federation is if you have multiple universities that are all collaborating on a research project, they may each individually have their own access control rules, and then together, through the system, they may need to work out how to give access to each other. So yeah, there's a lot of complex questions in access control. So with that, we've reached the end.