 Folks, let's get started today to see you all Thursday at 7. All right, first news, the first homework assignment is released. Yay. I'm more excited than that. So the first assignment is released. The first part should be incredibly easy. Hopefully all of you have already done this. Sign up for the mailing list. Yay, it's super easy. Oh, because you can't see. You can't see anything. What am I doing? I see buttons. How do we cross them? OK, cool. So it's up on the website. Everybody can see this now? Cool, OK. So part one, incredibly easy. Sign up for the mailing list. You're going to have to elaborate any more on that. So there's four parts to this homework assignment. The first one is very simple. We'll sign up for the mailing list. You have five points. The next two, so I want to ask a question from the people of the audience. I know some of you have a professional work experience. Some of you may be doing this part time and working at a company. So does anybody who's working at a company in a software or computer science field, how much of your day or time do you spend coding or fixing plugs? You know a rough estimate. Tell us what you worked first. I worked. I worked here on the campus. Whole time. You don't have any meetings? 18 hours in the email you meet. What about... What kind of meetings do you have? Do you have meetings with your boss? Meetings with your coworkers? Meetings with our software developers. Meetings with the whole company in general. What about emails? Do you write any emails? Try not to. You try not to, okay. 18-2. What about anybody else? Whole time over the summer of the eight hours of the day, not counting lunch, I felt that if I was lucky I was fully productive for maybe five on average. You had your agile associate meetings. You had agile meetings. Script planning, background learning. Backlog forming. You meet up with your team to whiteboard and architect. Brain storming discussions. Components. And then in my case because I was an intern and I had no idea it was the first time I ever worked where in the company we had a team that did our dev ops operations and a team for release and team for database management. And I was actually going to comment on Tuesday that with all this authorization policy there is an enormous cost in time and money accumulating for me, having to go and bug somebody so that I can get a port open on a firewall so I can request to a database and then I have to go and talk to the database guy and bug him. He's got a backlog of his own, really everything he has to do. I have to go and talk to dev ops to make sure that my assault configuration, that all my assault secrets are accessible. And I have to go and talk to the release to make sure that the config file for my project after it's pushed out from the server is pulling in that information, correct? I really had a nightmare deploying code as an intern trying to, because I didn't know any of these things. So I spent a lot of time either reading emails or chatting with people on Slack or walking around my floor trying to get these problems resolved. So there was a lot of that in addition to time actually coding and designing and debugging code. Right, so actually a large portion of your time. So A, the funny thing that comes to mind is does an organization want it to be easy for an intern to push code out of the production? Right, that's kind of an interesting trade-off to think about. I don't think it was on purpose. The company was just out of lessons. Yeah, and different companies have different. But even, I mean, getting commit access and being able to push the production is a big deal, right? It's a lot of responsibility, so it makes sense. So other things you touched on, right? So you spend time communicating, right? And emails to people on your team, to other teams to try to coordinate and try to get the access that you need or to even figure out who to talk to for access. You have meetings with these people. You may have new types of like chat and Slack and these kind of things about who to ping. And this definitely echoes my experience at Microsoft as I, especially as you get more and more senior and take on more and more responsibility, right? A junior developer's job should be coding as much of the time as possible while the team lead and the management kind of handles all the coordination. But there's, often times especially, we got into a Microsoft in a crisis mode one time where we had to work with the office team and they had bugs in their code so we were writing long emails back and forth and I had to do that. And so that's how I kind of realized, now your technical ability is incredibly important when you're trying to code, solve problems, design everything you're learning in your CS degree. But a key aspect is your ability to write and communicate. So if you can't do that effectively, you're not going to be an effective team member even if you're super effective, technically. If you can't try to communicate or influence your team or try to maybe push back on a bug and say, hey, this isn't really a bug or maybe to say that, no, we really need to fix this bug because all of this comes back into writing. And so I bring that up is part of this assignment is actually writing things with words into coherent sentences and coherent paragraphs with a logical flow and structure. And I do, I mean, this isn't just me making you do busy work, I do think this type of stuff is incredibly important. So not only is it going to learn but this will reinforce the concepts we've been talking about in here but you're actually practicing skills that you don't often get to practice in a computer science course. So the second part is basically you're a CSIO of a startup you're in charge of writing their security policies but more than that you're in charge of securing the organization. I want a description of what are the threats that the organization will face what are the likelihoods about those threats, what's the policy that you want to put in place in order to combat those threats and what mechanisms are you going to put in place to enforce that policy and why and why those mechanisms why do you think that those will effectively implement your policy. And the key here is that you need to argue for the effectiveness of your policy not just from a technical perspective but also from a business perspective. So this is where maybe you can argue how are these controls going to affect business practice and onboarding new developers so these are the kind of things and the kind of issues especially at the CISO role where you may be either reporting directly to the CEO or reporting the Chief Information Officer at that level you're thinking about business as well as security so you need to be able to speak that language to talk to those people and try to argue and communicate in that way. Questions, I'll agree the description later this is like high level overview. Cool. And just text. So I don't want any PDF.x other file types just an ASCII text file Questions on that? Appreciate it. There needs to be a thorough description so that's why I don't want to put it on a limit because some of you will just skew garbage until you think you hit the limit and some of you will I don't know take it as a challenge and I feel like it's counterproductive and I feel like you comprehensively like the CEO of this company the founder of this company looks at this and says yes I agree with this we need to implement this plan. So thorough is the name of the game. Alright, part three I think it's kind of fun Part three is to critique the ASU's computer use policy so ASU has a computer use policy it's defined in the academic handbook as 123 or 125 the computer internet communications information management policy so the idea here is you're going to read this policy write an analysis of it what you think about this policy what threats you think that it effectively combat what threats you think it does not combat and the core here is to include one change that you would make to this policy and include both technical and a business justification for this change I can't promise this so maybe I should take this off this video but if there's something really really cool or interesting I do know Tina Thorston Thorston I just realized I don't know her last name but Tina is the CISO of ASU so you have a really good idea of like one of the fighters who she thinks so simple simple writing name ASUID part four do we get into coding because I do want this to not just be a writing course it should be a coding course as well so we'll kind of do a mix throughout the semester so every assignment will have components of each you're going to write a you're going to implement a you're going to write a program that implements a policy for securing a house so there's a description a text description of the policy the interface you will create an executable file you can write the program any programming language you want I don't really care there's instructions on there about how to configure this as long as you create a make file that when we run make on your program in your source code directory outputs an executable secure underscore house it doesn't matter what language you're writing this in so choose your favorite language choose a new language I don't really care so the input is the owner's name of the house and the different keys involved in the house and I'm going to go deliberately at a high level on this the part of this is you reading and trying to understand the policy from the language here and so the inputs will be a series of new line separated inputs of all the events that are happening to the house so these are all the possible events inserting a key entering the house asking who's inside changing the locks and leaving the house and each of these specifies what your response should be in these cases according to the policy so you can think of it and there's an example here where you can say that you're running a secure house here's the input and you'll be reading on standard input output and standard output has to work on a boot to 1604 1664 bit so that's going to be our platform for the rest of the course all of this stuff so if you need you may need a set of a virtual machine for this there's lots of instructions out there please use the course mailing list there's a lot of people who are good at this stuff I don't think and you'll also be able to so I'll put up so part of this is there's not quite a submission site yet to submit your things because I realized 1404 was entering its end of life phase so I should move everything over to 1604 and of course that doesn't just work so I have to upgrade my submission server to 1604 by Monday I will have a submission server I'll post it out on the mailing list also include the link here and it'll be very clear about how to create the site with your ACID it's pretty simple and so you can submit a packages file with the packages that you need if you're using something on standard so the example here is if you want to code in Haskell the Haskell compiler is not included by default so you can add a packages file with the packages you want to install and when we run and test your code it will tell you it will actually install these so you'll have those available to you are there apps packages or yes only ATT standard packages go on questions as if a submission server will run unit test against the code and tell us our completion yes you'll know right away your score it'll tell you exactly your score and then you'll also submit the other assignments on the submission server so they'll be informed to submit those so just please submit them there I don't know those all I'll probably limit it to something like 20 submissions or something and you'll know the limit just so that that way you don't just spam it trying to fix things yeah one test for one submission no 20 let's say 20 submissions for now we'll see how that goes maybe like we'll see how it goes somebody in 341's got up to like 80 or 90 and then crashing the server because there was like an N squared operation over the number of submissions and so it just ground to all yeah when standard input ends so when standard when you don't have any more standard input then you're done so it could be run just interactive it's kind of I was going for like a mud type interface it can also be a file typed into standard input all that stuff cool should be fun fun you want to explain what a mud is I actually don't remember to say it's more a multi-user dungeon yeah those people still don't know what that means so it's like the precursor to wow and like MMOs used to be completely text based like oh mud yes like deer in a forest what direction do you want to go go up or north south east west and I don't know it's completely text based interface look at muds interesting in a good part of the culture cool any more questions do we start off on do we leave on access control lists or do we leave capability lists I think we did that so we talked about on Tuesday how do we actually try to implement this access control matrix because it seems very unwieldy as we get more and more objects more and more subjects in our system we're not going to be able to actually say and deal with all of these this huge matrix this million by million row matrix so we actually talked about one way of how to store this matrix of how to actually implement this matrix would be to store metadata with each object that specified the rights that the subjects had to this object right so in this in our case so you can take it as column based in the terms of the matrix right so every column for file F would have um file F would have some metadata that says P process P has read write and ownership access and process Q has append access and whereas file G would have process P has read access and process Q has read and ownership access and so these are stored with the files so what are some of the benefits of this type of approach it's not one massive file or database in the operating system so you can think of it as kind of a distributed problem where now you've distributed the access of the matrix to each object one aspect what happens if something what happens if process X tries to read file F what should happen according to file or object F that subject that thing that process doesn't even exist so we can't have any writes correct so yeah so that's um part of I don't know if you could necessarily call it optimization but in the matrix in the matrix model you could have cells that are empty which means that subject has no writes over that object in this case it wouldn't make sense to store process X has no writes and process Z has no writes and I'll store all of this information that they don't have any writes so IV is kind of a deny by default so if they're not in the access control list you deny them access why would you not want the opposite why would you not want a accept by default or allow by default what was that? you have to be very careful about maintaining those lists and so this is a security principle that comes up over and over again if you want it to kind of be secure by default where the default you know if nothing's in there you have to explicitly grant permission rather than explicitly take away permission right so if you forget and you don't do anything you actually now are properly restricted you know at least you're in a secure state and they aren't accessible so you have to modify things from there alright so the other type of way of doing this so if we think about well previously we stored the columns with the objects what would be another way of thinking about this? store the rows to the objects how do you do that? very carefully which objects it actually has where do you store that? whatever your subject yes so with the subject so you could store rather than store the information on the files the problem of the matrix you could store in the process or associate it with the process the the row so what are the files and what are the writes over all of the objects and subjects in the system that this specific subject has? so in this case here we have process P would have so we call this capability list some type of capability so here process P has the capabilities over file F rewrite own and over file GR and same thing with Q so we can paint Q so what's the benefit here? so if we wanted to change let's say P and take away the subject's right to ever touch file F or even all the files let's say we wanted to change subject P and say okay subject P should never be able to read any file in our system anymore we can easily update get P's capabilities and remove and revoke those writes from P how would we implement this? where would this capability list live? before we said when we were talking access control lists we said the access control list would be metadata essentially stored with the file that the operating system would manage so what about in this case? how would we actually implement this? can we use that approach? can we store in the processes memory their capabilities? if they had processing or actually users you could say it's all on the side of the users subfolder so it would be all on the side of the users subfolder it's one way of going back saying these users have access to this stuff I didn't think outside of that it's not accessible is this kind of the progress of the windows and keys system registry? with all the pre-key registry keys is this where this happened? is this where this happened? I don't know actually that was my idea but then who edits those registry keys? the kernel the kernel so one way would we store it essentially in the kernel why would we not want to just store it in the process itself? because it doesn't sound like it made a process out of the way that it had all access yeah you may be able to so one thing would be some of the things we want from a capability list we want it to be the case that A, P or Q should not be able to alter their capability lists so this is we need some kind of protection mechanism there such that they can't just alter it so you just say hey I'll just store it it'll be always at address 1000 in the process memory space well the process owns and has great access to all of their memories so they can go and change that and tamper with it and try to do interesting things to that and then maybe a new process could just create memory that says yes they have access to all of the capabilities so who do we want to be able to control the storage of capabilities and the issuing of capabilities the user? the super user root obviously we want the user like we have with our homework stealing example certain users would have that capability on certain files and then other users would have super user would have that capability on their system so I guess okay let me rephrase so who should be able to create capabilities so at a fundamental level the capability is just something it could be an opaque law that could do with crypto which we'll see how you can do that later but then you can give the system and say look I have rights to access this file so should any user or any process really create those rights they could buy it, buy it by what? policy or the overarching governing body says they should be able to do it with the system exactly so our authorization policy right specifies what people should be allowed to do and if anybody can arbitrarily create any type of capabilities then what's the point of having the capabilities in the first place so this is kind of part of the quartet here is it does get a little bit technical on how you implement it so basically people should not just be able to arbitrarily create new capabilities the system itself you need to have some trusted entity that is trusted to manage these capabilities and issue capabilities so let's say these are encrypted opaque files so let's say the capability is some files so like the you request the system hey I want my capabilities they say great your process E here's your capability list if you access file F you call open to the operating system and you say here's my capability here's my file so the operating system will get that it will check the file and then give you access to F is that a good solution so let's think about this who's responsible for managing their capabilities and storing them this it's the subjects responsible for correct in this example so if the capability is like a file then the subject so he wouldn't be responsible for storing it which could be nice in the operating system it doesn't have to store it so you're kind of pushing that problem on to the users which is kind of nice the less that the kernel has to do the better what are some drawbacks of that approach it just seems that I mean that's like you wouldn't want that doesn't seem to be enforcing secure by default right like if you're demanding that the person trying to get into your house is responsible for the maintenance of their key like it just seems like easier for the subject to be able to manipulate because what do they do in that example so like the key example of the house so essentially you can think of the capabilities as some kind of key or token that describes your rights within the system so what is our key example what kind of threats apply here if the subject's in charge of its own access matrix like why can't it just give itself permissions like who's let's say it's completely opaque but the process can't modify the file at all so they can't change their capabilities OS will be able to detect that they can give that to somebody else just like a key right so process P may be able to give their capabilities to process Q and now Q has the union of both capabilities which according to our access control policy is not what we want it to have happen because we've set specific rights on these files so it's like capabilities can be a little tricky you don't necessarily there's usually a layer of indirection so you don't necessarily want users to be able to have these and store these because they come with all the same key problems we'll get into this a little bit more in a second but it's important to think about so the other way to think about this is relational lists which are which are not lists but essentially basically for every single right for every single subject right an object there's an entry in a table that specifies their access anybody do you any database work or databases how do you get what power permissions done in the database like let's say MySQL do all users in MySQL so does MySQL have users yes, what are they do they have access to everything why do they even have users access to everything that's the only way you're going to use it is giving the user access to everything kind of a classic but we don't have to do that and it may make more sense to try to artifact your application with different users who have different rights in the system so that way even if somebody let's say you have an admin user and a regular user that way if there's a SQL injection on a regular user they can't have access to your entire database and do everything they're restricted in what they do but that is a huge web application problem but in general so how do you do you know the query of how to grant permissions on MySQL yes, a SQL query I actually can't remember it that's why I asked so it's like grant whatever permissions on whatever database and tables the privileges so you can grant what is it, read, write the ability to grant other people privileges to that to those tables so this is pretty much how exactly how it was done it actually makes sense it itself uses a database table to implement to store their access control policy so at the first stage I believe that only the root user can access this table and add new entries by issuing these commands then you could have people say they can grant permissions but only on this specific table so you can change and alter their permissions but they're all stored in a database table like this so this would be kind of the other way to think about this in a relational style so we were kind of talking about this but I want to bring us home to some points here about access control list versus capabilities so do you agree with this statement access control list requires the authentication of the subjects so what was authentication are you saying that access control list like a prerequisite for using an access control list is that you have authenticated subjects correct thank you why well because an access control list is delineated by subject so if you have a subject that's not authenticated there could be any given subject so you can't properly define their access control list so when we say we're trying to access file Q we know exactly what object it is we're trying to access so the system the kernel knows the object F is being accessed so there better be a way for the kernel to authenticate that yes the person making this call is actually process P if you don't have this then your whole scheme falls apart is this thing true for for capability lists is it true all the time so what's the difference here is there any difference do you still need strong authentication the capability list like you said you could have somebody giving their key over like if P get Q with key then Q could just use it they did not authenticate that they were in fact P so they're just using it themselves correct so it actually kind of depends on how we want to go with it so in that case so for P if the capability is in the first place does it need to authenticate itself to the system but how does P get its capability list in the first place see all the lists usually no because it's kind of like a key if you can see the key then you can duplicate them so you can't necessarily see all the other lists so does P give me my capability list kernel correct so the kernel better know that you're actually you are process P right so in that sense there must be some kind of strong authentication there but when you then go to use your capabilities to access an object you don't necessarily have to regroup that you are process P kind of depends on the specifics there but in general you don't actually have to re-authenticate the subjects because you know just like a key right whoever owns this key gets access so the problem comes in as we talked about is what happens with propagation of keys right so in the physical world is a huge problem so how are key propagation regulated physical keys the key has stamped on it do not copy please please exactly so what's that for well not what's the purpose sorry of writing that it's supposed to keep key you know people make keys from copying that key but that doesn't really work because all you have to do is sign a little thing that says I'm authorized to copy this key anyway and they make the key for you I've done that quite a few times so it says restricted do not duplicate yeah they just take your other side though it's a state of Arizona so I don't know I'm sure it depends on what the level of security is but I think some of them but some I remember would have the phone number of a person so the idea was whoever's making a copy of that key would then call that number to verify that yes this person should be making a copy of this key but does it completely restrict the propagation of keys no why not 3D printers you can 3D print the key as we talked about from a picture you can make a old school mold you can push it into a bar of soap to get the shape of the key right so yeah there's other ways other avenues to make keys besides going to a store to do it so yeah I thought you said lost my mind at first what have I been talking about okay keep talking somebody it's reputable locksmiths it's reputable locksmiths use reputable wait it's reputable ah ah ah I see yes yes yeah so that would be kind of the way around that right would be to use a locksmith that is not unscrewed just get your own key making machine or you can buy your own key making machine there we go alright that one's charging hello okay cool so in the physical world controlling propagation is difficult and this even still applies with so even when we move in more digital physical things like our access ID cards I'm not going to show you guys anything I don't know it's on here that you could copy right but to get Isaac access right you use these and you can badge in so it's better than a key in some sense because you can have fine grain control over who can access what and during what times but at the same time you can always give somebody else your ASU ID and they could badge in this is why so at secure more secure facilities I actually had so I was working ATT government solutions I wasn't I was working there as an intern and I hadn't been in for a long time and I went in and I had my badge on I must have had my badge I have to wear your badge and then somebody else saw me didn't recognize me and so questioned that I was actually an employee there and then took me to my boss so my boss could prove that I actually was an employee there which was weird but in like secure and that that facility wasn't secure but they did have another secure facility in that same building so it's kind of the same philosophy there so this kind of brings us back to capabilities so we can actually not require authentication of our subjects if we can control the propagation of capabilities and if people can't fabricate capabilities out of thin air right so in this sense so if we can guarantee that the capabilities are unforgible right which means that no there are no 3D printing machines that can make capabilities for our systems and that we control the fact that users or subjects in our systems can propagate those capabilities to other um jobs so which is better because we need to ATL probably better because it requires authentication it doesn't have to have authentication okay so one idea could be that you don't really have to worry about capabilities being propagated and being able to be forged it all depends on the system because if you have over 10 billion or even trillions of files and they have to do something where like oh I need to do something with 1 million files all of a sudden you just made your job a lot harder because if you access checks on all of those so capability would bear in that case more is another case of ACL choice interesting yeah so that's a good uh so depending on your workflow or your work model or your data the data that you're trying to access it definitely could be more effective one way or another going off of that so you kind of one of the key differences is that the ACL needs a central component to authenticate people and check every time they access some resource right whereas in the capability model you could have a more distributed type system where let's say you authenticate to one system and then you get some kind of token or capabilities that you can take to other systems and then prove that you have access to them rather than for every access that you want to do having to contact a central server to say wow are you actually who you say you are every single time so this can definitely be one of the benefits there cool so a little I mean this is just a visualization more so of what we've been talking about right we have our files in our system and so in the ACL type list each file will have the user rights on it whereas in the first subject basis our user will actually have the rights themselves so they will write that to the system so any questions on this is there anything you can't do in one that you can do in the other there are some fundamental differences there there's maybe efficiency is one thing and it's good in one way better than the others but maybe one is fundamentally more expressive and allows you to do things that the other one does not do so maybe you want to prefer that could you just want to use a picture of who you are and you get to an ACL system who would then use that and you actually have a problem with that yeah so maybe you could combine them it's not necessarily an either or choice going back to the theory so is there things that one can do that the other cannot and how would you prove that after a discussion it seems to me that on the per object basis just a like the ability to manipulate that object and make big changes to that seems easier like with you could say like if you were just like I want to make sure everyone can read it that just be seemingly easier to do because you're just changing file A but per subject base which would be a lot easier if you just wanted to completely give or revoke rights to a user to every file that would be easier on the per subject basis but I guess just kind of what are you more manipulating the user or the file and in that sense I guess what gets changed the most yeah so do you have a hand up I was just going to say something similar just the complexity of in an ACL the complexity of adding a new user goes up a lot as you have more files whereas the opposite is true for capability because if you add a new user when you do an ACL you have like a mill of files it takes forever but if you're adding a new file when you have a bunch of users and capabilities scenario then you have to touch every single user's capabilities right so you have to solve that problem how do you actually do the users then request their new capabilities do you notify them that they have new capabilities how do you deal with that could you solve that issue by kind of doing how like Linux and Unix kind of manager system where you can actually give like group commissions for files like if a user is sitting in a certain group commissions in some sense yes we'll talk about that in general but if you wanted to add a new user to the system and you wanted that specific user to have rights to all the files you have to go change every single file in the system in the per object basis but in the subject basis it's super easy to issue them a credential that they have access to all the files or the capability they have access to all the files so yeah we'll get to the Linux Unix system in a second what about fundamentally can you express or do something on the per object basis that you can't do on a per subject basis probably not why goal the big fat matrix that we talked about in the beginning and in theory as you can explain all of these are another way to implement that idea in a more abstract compact way for one to be more or less expressive than the other there would be equivalent solutions the same problem and the problem that they're solving fundamentally is making sure that certain subjects can or cannot perform certain operations on certain objects that's like the limit of their expressiveness that's what both of them do but I would assume that they're equivalent in that sense yeah so I'm actually just out of this right now so I don't know the answer but I believe that would be my intuition as they are exactly that reason they're both representing a matrix so whatever a matrix can represent splitting it up into columns or rows doesn't really matter it's still going to represent the same pattern as we talked about there's definitely different kinds of actual implementation differences between them and different performance trade-offs so those are some things I don't want to think about but I just want to kind of bring it back to that it's all from derived trying to implement this matrix access control matrix yeah so these are some other things to think about so we talk about least privilege so giving something the least amount of privileges able to do its job and it's actually I think we just touched on just earlier is that with capabilities you can give a subject let's say that it's a lot easier to create a subject to just do some things to some files and then it goes away so you don't actually have to go change every single file and you know that that subject is going to touch it just goes back to what we were talking about there so access review so we want to audit our access control policy and say okay we know we design it with this policy in mind but what state is the system actually in so if you have these two different models if you're trying to say what's the current state of the access control of the system how would you do that in terms of access control as versus capabilities admin you now want to review the access control that's actually implemented and say okay who can do what the only thought that comes to mind is barring the fact that subjects are also objects the object set is more static because we're associating that more with files and processes and so it might be easier although possibly more time consuming to iterate over all the files and look at the metadata on each file to be to try and analyze the processes running on the machine which is going to be turning off and on spinning up and spinning down it's a more dynamic set although there's less and little it kind of depends on what our goal is if we want to look at so if you want to ask the question for all files on a computer who can access what file and if you want to ask the question of all the processes that are running on the machine at this point in time what files can they touch and what rights do they have on those files so it depends on kind of our perspective there what kind of dependence is it like saying that so if we're going to do capability you could say that we say this user has or whatever it is has access to these file types and then just like abstract generalize generalization yes we haven't touched on that but yes you could define your rights in terms where you could say for instance they can touch any file in this directory right which could be a wide range of files on the ACL I kind of my intuition would be like you're going to have to worry about every file I'd be a recruiting massive file keeping track of that depending on the size of the system because of it it would increase with all the users so every file would have some variable size associated with it so if you had like a system file that was needed to be read every single user on the system that access control list would be huge because it would increase with all the users on the system yeah so basically exactly what we talked about right so the idea is if you want to do object-focused things then access control lists are much better if you want to do subject-focused things then capability lists are much better and revocation so we talked about this too right so what does revocation mean we want to remove rights how do we do that termination? yeah so maybe we terminate an employee they no longer work for us maybe an employee gets rather than terminated let's say we're a system admin but now they move to a development role or they move to some other role in the company they still should not have super user root access to all the systems they should have what developers have right so you want to revoke their rights so for ACL it's pretty clear that if we want to revoke the rights of our subjects to a specific file or a specific object ACL lists are clearly much better in terms of protecting your home directory it's a lot easier to be able to just change the permissions of your directory to say nobody can read or write to my home directory rather than try to so then how would we revoke being that capability system because all you need is this thing that says I have this thing so how would you do that can you revoke and we didn't really talk about we talked about non propagation would you have to create a new key then say this is the type of key you have to use from now on and then the old ones get pushed away or what's the word we need to depreciate it again? but how would you actually do that? you'd have to have some kind of mechanism to test which type of key it is okay that's interesting so you can have a for every let's say subject you can have like a key version number stored in some central location and then when you want to revoke it you increment the version number so you know if they try to access a resource with this capability you'll check that capability version number is five but you know they have version number six so then you could say hey sorry not that your access is denied but you need to re-acquire your capabilities yeah that's what we wanted to do with us yeah maybe you can create keys that last only a certain amount of time yeah so we could put a time stamp on our keys and we could specify that our system will only accept keys that are valid for a configurable amount of time because maybe we want 30 seconds maybe a minute maybe a day is fine with us in our organization because we're saying you know okay they can use the key for a day so we're worried about that we have audit systems in place and that would require people to re-authenticate and re-hit keys every day but that's fine maybe not every minute cool so it's definitely doable and it is done in many different ways some of which are the ones we talked about which is cool yeah so we kind of talked about this so we have a case where we want so we saw access control list is pretty simple right if you own a file that means I can modify its access control list so if I'm process P I want to write process Q read access to file F assuming of course I own file F then an access control list is easy the operating system modifies the thing the access control the access control list so the file say that process Q can now read that file and process Q tries to access it the system knows that it's process Q and so it knows that it can do that so that's an access control what about team abilities so is this replication necessarily it's actually kind of opposite in some sense right because we're trying to give somebody additional permissions not take away their permissions so how would you do this what are some possibilities so we have a situation like this we had already established that ownership allowed you to hopefully grant those privileges so so file F is definitely owned by process P so process P can do this according to our policy and then you have to have some sort of ability like instructions to allow that that would check first you just have to check if P had the ability which it does and then it would be able to grant that too who would be able to grant that I would imagine I imagine only the kernel is so I guess P would petition Q the kernel would check if P had the ownership since P does P would tell the kernel give this use to add it then we can kind of do this model where we talked about Q has to essentially re-establish its new capabilities so P could tell the system I own this file I want to grant Q access and so Q could then so the operating system would be good and then Q would either have to somehow P would have to tell Q can I make this change you have read access for capabilities so either the system knows to do this based on our kind of revocation versioning scheme or and so it just gets a whole kind of new permissions or it can either just get some kind of an additional permission so it doesn't have to be always you can actually kind of think about segmenting these capabilities out so that rather than re-acquire all of their capabilities Q could just say hey I should have read access to this file and it will give that so yeah definitely good points to do that okay cool I want to make sure we get this definitely this came up so Unix access control list this should be something that you're very familiar with because you've been building stuff for Linux system you have access to a shared server so Linux access so how many bits do it so okay let's step back for a second so we talked about it a little bit earlier in general how what does how does the Unix access control lists work you don't have to talk about everything you can just talk about one thing owner group is that what it is? other is the hoe so rather than for every so on a specific file right so on an object you can't specify arbitrary users have arbitrary permissions to this file so what's the owner so I guess maybe it's an additional piece of information I haven't talked about yet so on Unix every file has a user who owns the file so that would be the owner privilege and a group that owns the file so that's what you do ls-l that's those two user names next to the file so what the permissions mean is so what permissions do the what rights does the owner of the group owner of the file have the group that owns the file have and what permissions does everyone else on the system have and so this way rather than say it's an arbitrary number of bits or bytes that we have to spend for every single file on the system and the more files the file that's read or used by the most people would have the most size right that does not seem like a very scalable solution they restricted the types of access control policies that you can create in some sense and made some things difficult but now you're limiting so you only use 12 bits on each file to specify the permissions and so we think about them in terms of 3 3 bit 4 sets of 3 bits there we go so any of you know at the top of their head what the first 3 bits are but I think it's part of the access control actually I'm sure it's not part of the access control bits, you're definitely right I think maybe in the output of LX there's definitely a file or directory marker so it's a good response but as far as these bits as we'll see the interpretation of what these rights mean will differ depending on if it's a file or directory but I believe that's other information that's stored in this structure these are very unknown so that was more of a quiz so first 3 bits are the set so on the far left the set UID the set group ID and the sticky bit so as any of you know the set UID bit does I meant to look up what that does on directories I actually don't know on files we talked about a little while ago when you execute a process on Linux so when you type in slash bin slash ls or just ls the new process is the executable slash bin ls what are the permissions of that process so it inherits essentially our permissions so all the permissions on Unix are based off of the owner and the group so they will inherit our owner ID and our group ID from the process now as we talked about so there exists so the way let's see if I can do this real quick so if this blows up it's because it's false enough so close it looks like it's definitely more alright perfect so we talked about before that in the ETC password file so if we look can everybody see this screen should I make the font bigger people in the back bigger? it's cool no worries so we can see that the permissions on ETC password so we know it's owned by root root owns this file so that's what these two are here and so these are our 12 bits well ok not really these are our we'll look at it in a second they merge the three highest bits into other bits of the system so that was my confusion yes so it's three groups of four not four groups of three so is it a rearrangement of what we were talking about before because each hex character is four bits and so we have when we see each one the first one is for owner the second one is for root and then the third is for everybody else yes I think you're correct I think I was I'm thinking more in logical bits I could revisit exactly that over left there exactly ok so we know I think I believe this last bit represents the no no no ok let's go back so it's this last bit represents the first three bits so this will change depending on what the rest of it is I believe and so this is rewrite execute of the owner so those are three bits this is rewrite execute of the group and rewrite execute of other ok so we can see that it's who can write to this file based on the permissions here owner which is who root so on here when we look in this file remember we mentioned that it has the username it used to have the password which is why it used to be called past wd it does not anymore we'll go into that later it has the user ID so this is how you actually associate the name to the user ID in the system so in the file it's not storing that the group is the owner it's saying file ID 0 or user ID 0 is the owner the home directory these are I believe the group and this is the home directory of the user so this gets set the environment variable home gets set to this value and finally here is the shell so should users be able to change their own shell that they want to use that would be a nice thing to do right you as a user should be able to say I don't want to use whatever this is I want to use bin sh or bin something else the question is how to do that so do you give the entire system right access to this file anyone in the system could write to this file yeah but we would then anybody could change the user information anybody could add users could change anybody else's shell should I be able to change your shells no definitely not right so we need this restricted access here but the access control system that we have here is so coarse-grained that we can't actually specify that users should be able to change just this value in this file so the way unix gets around this there is there's chsh there's a program to change the shell now oh I guess I lied I need to look at what this bit is so the first bit okay any question that bit to what I've seen usually denotes if it's the directory or not okay then that's uh let's test that yeah you're right and maybe a link alright cool alright I'll figure that out I'll clarify that for Tuesday so we can see here now there's a different thing on this bit which is the S bit which is an S instead of an X here so what this means is that the file is executable and that highest bit the sticky bit is set and what the sticky bit means is that when we execute user bin chsh rather than this being run as let's see if I can show this um anything that's all from here um so why do this so chsh chsh chsh chsh the program will change the shell of the user so in order which means it needs to be able to write to that etc password file but it can't run with our permissions because if it ran as our permissions as a user we would just alter we would not be able to alter the file the file would try to read from the PC password file and the system would say go away you're not a valid user so what this sticky bit the set the setuid bit the setuid bit says that whoever executes this file will execute the process will run as the owner of this file so that's what the setuid bit means this file is executable and when you execute this file it runs as the user so it runs as group so this is why chsh chsh is able to change the etc password file even though you are running it as a user and this would ever finish I can actually show you that in action so setgroupid this is the same thing as the setuid so setgroupid is the same thing but with the group so when you execute that program it executes with the permissions of the group and of who owns the file not the person who executes the file so similar thing here alright let's see if this works there we go ok I just realized I need to actually log in to something thanks Siri super useless hahahaha ok so I'm going to change to nobody ok so I'm now running as nobody so if I type in cat let me go to this other terminal we can see that cat is now running as nobody do you agree cool ok so I don't actually want cat what I want to do is to change my shell or nobody yeah that's what I was worried about ok we'll try a slight v-tour and then su let's go I don't actually have any other users on the system this is the problem is there a way anybody see a user maybe sync if a root will run as root it doesn't penetrate the point I'm trying to make www I didn't know how to add a user I forgot I'm using a super secure password named password ok ok now I'm running as an add-in user I should be able to run so let's just verify again for purposes yes add-in is running then we can kill this and then we can see that the CHSH is running as root because it said UID has the say UID bit put this and we'll get into a sticky bit and all the other permissions are well what do you hope gentlemen