 Alright, folks, look at us starting on time, even very slightly early. Make up for all that time we missed, starting late last autumn. First up, super excited to introduce Stephen. He's going to be our third TA for this course, so hopefully you'll see him in office hours and see him online on the YATSA post, so I just hope he gets to introduce himself a little bit so you get to know him better. Okay, welcome again to our next to my name is Stephen Wears. I am taking your student course on my office hours first degree soon. I'm a graduate of CSUN, so I don't know too much about your classes out here, but I've seen a couple of taking a famous 340 out here, of course, and my background is more tied to security and networking. Do you have any specific questions about, especially with the intent to decide on security or any interesting game security, machine learning, episodes in this class will be, of course, happy to have you. Again, we'll post a minute more information, and hopefully we'll catch all your answers and get to handling questions, post, and so forth. Alright, cool. And then the next announcement is you thought you were going to break. Yes, and now a 72 is ready. Fresh and ready for you. Cool, so it's up live on the website. Two parts, well, there's technically 11 parts, depending on how you split it. Part two has 10 parts, but we'll get there in a second. Don't worry, don't worry about it. Okay, part two, the first part is Bandit. So Bandit is a very cool war game. So the idea is it's a series of challenges that have you explore running things on the command line. So this is going to help you as we go further in the class. There's going to be more and more to be interacting with a remote Linux system through SSH on the command line. This is essentially prepped to help you get ready for that, so that when we have the full assignment that's all about hacking things on a server that you can access to, you're very familiar with this. So there is, follow all the links here. At the basic what we're using is a great website called OverTheWire.org. They have a series of different war games that are all at different levels. Bandit is their beginner one that kind of teaches you the basics about poking around on a Linux server. So you'll start here. You'll start at level zero, and you have to make it so each level is worth 10 points. You make it all the way to 11, you've gotten 100% on that part. Does that part make sense? So all the instructions are here, yes. Two level, or do we need to do a clean level? You have to get two level 11, right? Every level is, so you start at zero and zero is worth zero points. And then one, two, three, so each one is worth 10. Solving 10 gets you two level 11. Is there an extra point for being 11 and beyond? Not yet, no. Yeah, same level. No, but feel free to keep going. I mean, this is something that is, you know, it's actually very interesting. It's helped you figure, like, locate things on file systems and all this kind of stuff. It's very cool. And it's really nice, but of course the question is how do you keep track of your progress on this system? Right? This is just a, if you look here, you actually just get to it by, I don't even remember level one, is you just SSH to a system. I think I'm going to go to level zero. The goal of this is to log on. So you SSH to band, like, follow the instructions here. You can get to level zero. And then to solve level one, you go forward. So it's about SSHing in the systems. So we need to track what you've done. As much as I love the honor system, where you tell me, yep, I'm definitely at level 11. I'd like a nice way to track. So there's actually a really cool website called WeChall.net. This is actually, like, a global security war game leaderboard type thing. So you can, oh man, I wonder if mine's on here. You don't want to actually sign in? So they have a bunch of different sites. Of course, the internet is bad, which is why I've been living with this. All right. There's a bunch. So if you're ever curious about where to go for different war games, doing something on your own time, this has a list of just tons of different kinds of war games. And so, let's see, if we go to mine. I was going to show you mine. But anyways, so it keeps track of your progress on these war games. So there's a nice little link that describes exactly how you can link. So you create a WeChall account. So you have an account on this global scoreboard. Have your hacker alias whatever you want. It doesn't matter if it's the same. Then every time you'll link the two, so you'll link the bandit with WeChall. And in that way, when you submit assignment two, which you definitely won't be able to see because I'm not logged in. Hello, I'm the guest. I don't know when. That's when you submit. What you'll submit is your WeChall username, which we go and look up and we'll see where you are and how we'll score you based on that. And you also submit a readme that says how you broke each level. So just keep track as you're going on. Just in a text, like just raw text. Note, please, for the love of everything, only no PDFs, no docs. Just raw text file. How did you do each level? It could be simple stuff. We just want to make sure that you've done it. And again, I'll reiterate. So these are open challenges. These have existed for a long time. I'm not there if you search for them. I would encourage you that ideas, this is practice for later. It's not. So I would suggest you do them on your own or definitely understand how to do them. That make sense? Questions on this? Do we need to be running the virtual machines for this? No, you'll be able to access their systems. Okay. Yeah. It's all hosted by overthewire.org, which is open to anyone. That's something special for you all. That's part one over here, right? Yes. We'll get into part two. So how do you wrote really awesome bug-free code for assignment one? Ooh, some of you. Yours doesn't count, because we don't even know the language that it was written in, so nobody could find bugs. So, you've been hired to evaluate the security of a smart house lock system. The owner is, the person who's hiring you is considering 10 different smart lock vendors that are really concerned about denial-of-service attacks. So what does denial-of-service attack mean in the context of assignment one? There's just something going on with the lock that's preventing a user from using the lock or putting a key in it. Right, so it's a program. So what would be the easiest way to demonstrate that you're doing denial-of-service? Crash. Crash. The program crashes. Has everybody crashed the program before? We've been office hours doing it very expertly. Yeah? You've all done this. Now you're going to do it on purpose to other people's code. So how insecure smart home lock systems can be by generating input that will crash the sample. So there's 10 different samples. I've taken samples from previous year's code of submissions, some from this year. I tried to have them make some that we created. I also modified them all, so if your sample was chosen, don't tell anybody that's just slightly easier for you. You've got maybe lucky on that one if you can find the bug that maybe existed in your code or didn't exist that I injected. So you'll notice. So part of the purpose of this assignment is to get you to read code, which most students don't understand is actually where you spend most of your time when you go out and actually program for a living. You're reading and developing code that's already been there. So you have to read other people's code. I've changed the syntax of all of these samples slightly. So you'll have to understand that, find a bug, and generate input that crashes the sample. Yeah. I think all of them are C++, but I think all of them are C++. Yes, correct. Unless maybe I ported your Python to C++. You can think of how people like to be made. If it's possible. Also, these are, you know, this isn't a code critique contest. So you wouldn't want somebody to say something negative about your code. Keep your comments to yourself. Actually, I think it's useful to look at these code. I actually learned some stuff about crazy C++ 11 teachers that I didn't know about by looking at this code. So learn something by looking at the code. Try to think how to do better to keep negative comments to yourself. So you can download all the samples. A through J. Your goal is to generate input to the application that will cause it to crash. And by crash, we mean a sanitation fault or otherwise crash or halt execution, right? So this is something that shouldn't happen. And every program, this will be something that will trip you up, every program is being run with the correct command line arguments. Across the board, everyone was very poor about dealing with command line arguments that didn't exist. So this is not a way to crash the program. Okay. Every program is being run like this. Secure house, something of blue bar, just like the example. So is there definitely, have you, please, and you know there's definitely many bugs in this? For sure. Yeah. So we may have injected new bugs. We may have injected alternate bugs. There may already be bugs there. It's up to you to figure that out. Okay. So for instance, what we mean is this is something you should do on your own. Here's a sample scene program that is not a secure house. We'll go over it very slightly in May. It has a line buffer of 1024. Character pointer test is equal to null. STANF, 123 bytes at most, has a string into line into that buffer. If string compare line with crash equals zero, what is that checking for? If they would use exactly crash and nothing more, right, crash, then character n is equal to star test. Why is that a null pointer dereference? Why is it null? Why did I put that comment? Is it a lying comment? Look, test is equal to null. Yeah, line is set as test is equal to null. So we know that dereferencing a pointer will cause the program to crash out of site fault. Right? One of the classic ways of causating a site fault. And then you should never see this because this should crash at this point. Otherwise, it'll print out whatever you typed in. So you can, you should download this locally, compile it, create a program, or sorry, create a task file just called test with the input of crash. And then if we run the program, so if we run a dot slash sample test and use redirection to type in as standard input the content of this file test, we'll get a segmentation fault. So then it's part of this. So if this was a sample, and let's say there is a sample that crashed with the input of just crash, it's unlikely, but who knows, maybe that's the case. Then you just upload this file test that has the content crash. We'll test it to see if it crashes it. If it does, you get points. Any questions on the overall how this works? Yeah. So we just need to find one method for one input that crashes. We'll just talk about one program for now. So for a sample, find an input that causes that to crash. So, you don't have to do all 10. You're happy or sad about that? You can do all 10. Yeah. I know sometimes, like... You want to do all 10. You can see your client can actually like lead to new votes, like certain ways. So which one are we using this pattern? Each. So inside you have to go sample folders. So like sample A has the made file, the source code, and the compiled executable that we use on the server. So you have the exact binary. If you find something that does depend on the compiler, it has to work on the exact binary, because that's what it's being tested on. So you mentioned that there's five of them, and then we're adding five more. So add some numbers here and five points. Out of 65 is... Oh, no, I haven't talked about the scoring yet. Okay. Let's pause that for a second. There's 10 families. That's the work starting with 3. I started saying you don't have to do all 10. Okay. So, okay. It's slightly complicated because this whole part is worth 65% of the overall assignment 2. But let's just consider that this is 100 points right now. Okay. Everybody with me on this picture? Okay. So then... So each table is then worth 15 points. So you only have to do 7 out of 10 for 100%, is that right? For at least 100%. And you get a maximum of 105 out of 100 on this part. So you can do all 10 if you want. It's still 105. If you do 5, it'll be 75. So 5 times 15. That makes sense. And then eventually that'll be scaled to 65% of this thing. Possibly super. Yeah. So 105 is essentially extra credit? Yes. 105 out of 100. If we submit all 10... Yes. ...could we do that as a security blanket and in case one doesn't work? You will know right away. So it's on the grading system. It tests it right away and it will tell you if it crackles or doesn't crack. So you'll know exactly whether it successfully crashed or didn't. And you'll have six... I think six submissions for each of these because it should be very simple. It's not supposed to be complicated. You'll know, you can test it locally. Does it crash? If so, yes. Then upload that file. It should crash. If there's a major discrepancy, we should talk. Yeah. So we'll keep it at 6. I hope you don't need 25. If it's not something you can't... You can't really plug and test the system either. It's going to crash or it's not. It's actually testing it very quick. Yeah. Is it six per? Six per. Six per. So... I can log in again. But I don't want to log in, I'm like... So abandoned. We shall use your name and greet me. Sample A, B, C, D, E, F, G, as I said, it's kind of 11 parts. But... So you upload this and then... So it will either say... I don't know. It's not too sad. So it will say, pass test crash sample A, or it will say, fail to crash it in your life, for some reason. So... You should be able to see exactly what you got if you crash this. Good. It will be able to tell people to even read other people's code. This is like... a major skill that you're developing. So... So we'll be submitting plain text copies of what we've typed into the crash room. Which one? You will upload the exact file that you used to crash it. So, like, test. So like, with that input redirection rate, like in that sample, you would upload the file called test that the contents of that file was crashed. Anything else? Like once? Like twice? Alright, cool. Back to access control. Alright. So we're talking to the Unix access control model. What were the... So we had 12 permission bits for each file. Four sets of three bits. What was that about? What were all these bits? Yeah. Read, write... Close. Read, write... Execute? Execute. For what? For who? For either the owner, owner, user and guest. Owner, user and... Sorry. Owner, group, and everyone else. So others. Very close. So yeah, so that's three bits for each of those three groups. What about the remaining three bits? Yeah. Set user ID, set group ID, and the sticky bit. So sticky bit we won't get into. You can read it out if there's like a whole Wikipedia article if you're interested in the sticky bit. I think it used to be something about keeping a program in memory so it wouldn't swap out. So like the memory contents were sticky in some sense, but now it's used definitely on a directory so that you can append, create files and not delete other people's files or something like that, that temp I know that the sticky bit is at. Thanks. All right. So, have we kind of conquered all models of access control? We've talked about access control matrix, access control list, capability list. We looked at a real access control system in the UNIX system. We just like done. This is the end of access control. Let's move on to the next topic. Yeah, so maybe, so maybe we could add some type of authentication to the file itself. So for instance, they zip files, even though it's very bad encryption, have a way to password protect a specific file. So we can think maybe we want to protect certain types of data or files rather than using an access control system. How do you bundle that access control into the file itself? So if you know the password, you can access the file. So how would you model a hospital with this, like an access control matrix? Does a hospital have any access control rules? Like what? Who can access a room? So who should be able to have access to a room? The doctor, every doctor in the hospital? No? Yes? Maybe? The employees may be assigned to that area, so it's a room in urgent care or something? Like who, so maybe the people just assigned to that area? What else? Yeah. It could depend on the medical technician, maybe a specialist who's not in that area, gets called in. They'll need access to that room to be able to deal with the patient. Get something else? I was just going to put another example, like access to one of the floors. Yeah. So access to maybe a whole floor, maybe you can have a whole floor for them access. Yeah. The California nurses and janitorial staff? Nurses, janitorial staff. Yeah. So these are all, so and then think about, so what happens if, let's say there's a medical emergency and somebody's rushing to a room but then the card doesn't work on the door? Is that a problem? So well, if you weren't following the access control rules, you're not a doctor that's assigned to this area. Sorry, you have to request access from the IT people. Yeah. So you maybe want some, so there's all these other things that aren't quite captured, right? So in terms of context, right? There's all these things in terms of context of what's going on. Is it an emergency or not? That title context, you may just say, you know, all the doors, like when there's an emergency going on, you want every medical person to be able to go in there and assist. And when there's not an emergency, if it's not life or death, then it's maybe, it's fine to go back to a more relaxed pulse. So we talked about a little bit of, we have until like, this notion of password protection of files, like content-dependent controls, or let's say, you know, there's, it could be interesting things to think about, like as an manager, you see the salaries of all the employees that report to you, but you may not be able to see the salaries of the entire company. So there's some controls there based on the content itself, controls, where you're, yeah, okay. So, yeah, we talked about some of this, right? And the company's earnings report is confidential until it's released publicly and then it's no longer confidential. So all these things can play into the context. So there's kind of this rich space of things that we're not thinking about. Also location. So should you be able to, let's say, access sensitive information directly at your terminal, at your desk, at work, that they provide for you? Should you also be able to access that at home from your home laptop, which is running God knows what software? Like, probably not. So those type of things come into that. Okay, now, we've been thinking about how to model access control. So we talked about a matrix, right? We can draw the matrix. We can split it up, columns and rows get access control lists or capability lists. But we didn't really talk about, and we kind of punted a little bit on the question of how do those rules in the matrix get updated? Right? So what are some of the ways that those rules change? How do those, where do those rights of who, what subjects have rights to what objects? Where do they come from? Could be the owner of the file. So you may have a model where the owner, so there's a concept of an owner, whoever owns the file gets to choose access to it. What else? Ooh, okay, that's interesting. So maybe you could have like shareable rights in some sense. So if you have a right to read a file, you could give that right to other people, but you can't let them write to that file. That's interesting. So the system admin, so an admin defines this matrix and that's what it is. There's no changing it. Yeah. So these are actually all different types of ways of different types of access control system. So this comes down to who can do what. So, and these are kind of important concepts because we'll see they come up in different, so for instance, well before we get into this, so users can change the, can control. So discretionary access control, an owner of a file can decide who has rights or access to that and can change that. And what circumstances is that good? Conversely, the negative, what circumstances is that bad? Yeah, the owner has a list of, give me an example. Don't have for you, but yeah, since you're going. I guess like your employee will hire like a company and you're going to struggle to get a promotion or something to grant read, write access to earn his reports to everyone. There you go. That's pretty malicious. That's good. Yeah. So you could, or the salary information, if you've granted read access to everybody in the company. You think that's going to cause incident? Riot. Riot maybe? Yeah. Or if the user is just an idiot. Yeah, what if the user makes a mistake? We'll say. We've all made mistakes, right? We don't want to necessarily assume our users are idiots, but we'd say it's very much human nature to make mistakes. We make mistakes. So what if the user accidentally makes a mistake? So for instance, I got locked out of a machine. I think I was in college. I'm not sure when, but I was admitting this machine and I don't know what. I was new at Linux and I'm trying to figure out why my software, I think it was a Ruby on Rails server, wasn't working. And so I just ran like chmod dash capital R 777 slash. So the rewrite execute set that for everyone, for every single file on the system. And my problem went away. It was actually great. Everything started working, like all your weird permission to go away. The problem was then the next time something happened with that server, I tried to SSH in and I couldn't SSH in. So I filed a support ticket and they said, well, your authorized key file, your SSH authorized key file is world writable and SSH will refuse to let you log in with a key when anyone could write to that file because it's a terrible idea and they also said and by the way, so we can change that file but by the way all your other files have this insane open permission. So we'll fix it. So yeah, so it's a good like users make silly mistakes all the time, right. And if the, you know, the key intellectual property of your company is subject to an employee's silly mistake or think about the military context, right. Classified information just happens to get leaked because somebody accidentally CH mods it plus R and gives everyone read access to it. Like that's not great, but it's a good thing to do and to restrict what people can do. So even if you own a file, that doesn't mean that you get to decide what happens to that file. So this is this notion of discretionary access control where the user, the owner gets to choose who has access versus mandatory access control where you can think of the system, you can think of the admin defines access and that's it and the owner can never change it. So the owner of the file and the system itself, so when you download these samples from the website, so you'll download them, you'll untar them, they'll become local files on your system, you're running a Linux system and you look at those files, who owns those files? You do, you're a user on that system, right, but do you actually own those files? I mean, did you, so is there anything that I could say well, would that be something I might want to do? What other situations does this come up? Does anybody ever watch the movie? No? I get a lot of guesses. Have you ever, so, do you own that movie? Yeah. DRM. Yeah, so like digital rights management, like DRM, what's that an attempt to do or control? Piracy in some sense, but what more fundamentally is it trying to share? Sharing or they're trying to, so there, you can think of the movie company as a company that is originating some data, some movie, and they want to control who has access to that, so they're giving you this movie to play on your iPad or laptop or whatever, and then they want to control that you can't give that to somebody else, even though that is, you can think of that as a file now on your system, you are technically the owner of that file, right, and you can think this actually makes sense I may want to collaborate with somebody outside the company and I may want to give them a piece of data but I don't want them to give that to somebody else, right, so it's not just in the concept of, I mean piracy is one way of thinking about this, but so propagation is a spread of information so this actually ties in here because it doesn't fit in nicely with discretionary where that owner can control or mandatory where the system can control. Another nice thing can be, well, can the originator of the object, the person who creates that object, can they decide who has access to that object? Do these distinctions make sense? So we're going to look at this a bit historically in a historical context so we can see why it's kind of important so we'll look at mandatory access controls so is anybody in or was in the military? So you can help me out maybe with all of these security labels, all that stuff I'll do my best but feel free to interrupt me so the military is one of the key places where we have this notion of mandatory access control so what does this system look like that we use or that's in use let's say in government, yeah confidential and then there's secret confidential, secret top secret top secret top secret SCI is that a level about it? Yeah, yeah it's like departmental audit they're all actually caveats to the clearances so like there's secret but then there's also like secret no point so like you can't share with your allies but then you know they're more like 5Is and like NATO like there's secret NATO so you can share with the NATO But and can you just decide to whatever I mean you have classified information so it's pretty clear that you need some kind of You don't want somebody who has classified documents just to be able to say, well, this is now world readable to everyone. So what's the process like for getting classified information publicly accessible? And then what happens? It takes like 20 years. And then what happens? It's gonna declassify, right? It's a process to get declassified. And it has to be reclassified now, a new piece of data at a new level, right? Okay, cool. So some of the things and concepts we've been talking about, security levels. So there's a notion of that there's, and nobody mentioned, but there's unclassified, right? So something that's not classified. We can think of unclassified, classified, secret, and top secret. We'll think about those four for now. Is it classified or confidential? I can actually not remember. There's confidential. There is confidential, which is between the two. Mm-hmm. It really depends. Well, clear. I think the confidential's less than possible. Yeah, it's like it shouldn't be released, but it is. It's more like Costco records, EIIs, and stuff. Mm-hmm. If you don't have to have a clear score, it shouldn't be like public health. Cool, okay, yeah, that actually makes sense. So what are we going after? So just to think about, in terms of this, we have security levels. We also don't just have this level. So this is actually a great explanation. So thinking about, so there may be data that will think U.S. centric, because that's where we are right now. And we have people who are familiar with that system, right? So we have, so you may have whatever data that's at the secret level, but that we may not want to share with foreign nationals, even if they're friendly foreign nationals, right? So we need some other notion on top of, so with levels, right, we have a nice, I'm gonna start drawing again, if I call it. Also we have kind of a nice hierarchy of levels, right? So we just think, so at the very top, we'll have top secret, secret, classified, unclassified, right? So what does this hierarchy mean in more practical terms? Yeah, so in some sense, right, it should be some type of pyramid, right? As you go up, the less people that have access to it, probably the more stringent is the criteria to get that access, but the laptop secret clearance, should I be able to read a classified document? Yes. Yes, why? Because you should have access to everything. I mean, it doesn't necessarily have to be, yeah. We're ignoring that for now. We're thinking just in broad terms, and if we only had a system with these four levels. You're considered more trusted, so you can only be trusted of the confidential. Right, so you're considered more trusted, so you can think of it that way, you got something to add? Right, and that's kind of the idea, is this hierarchy, right? So if you have top secret clearance, it's your cleared for everything there, and everything for the lovely. Right, similar with secret, now what about the reverse? So I have classified clearance, but should I be able to read a top secret document? Yeah, so that's violating the whole notion of what I'm trying to guarantee, right? So the thing about it both ways, there's the thought of what can a, think in terms of subjects and objects, what can a subject do that has a certain classification level, versus I'm gonna create some object, who do I want to be able to see that, okay? So then we talked about what are some of the problems with this model of just having these four levels? Permit sharing? Permit sharing, in what sense? Like for example, other agencies take on some of the, let's see if the department wants to share with the NSA or the CIA or anything like that. Yeah, so they have to make sure they're at the same level, right? They may want that to happen, they may not want that to happen. What was, so, somebody mentioned something about getting your job done? Who is that? Yeah, I think it was the guy in the background. Was it you? So, now if I give you top secret access or you get top secret access in a model like this, what can you read? Everything that's top secret. Do you need to read everything that's top secret in order to do your job? So this, in some sense violates the notion of least privilege that we've been talking about, right? Is you should have access to only those things you need to actually do your job. Other way to think about it is like I need to know basis, right? Like you don't really need to know it, so you shouldn't have access to it. Okay, cool. So, what do we do then to solve that problem? Just add more levels to this hierarchy? Yeah, what we wanna do is we wanna actually branch out and add some notion of categories, right? So this is where we have to learn. So, I'll put, like, NATO could be a category. The NUC for like nuclear, what would be some other categories? No form, no form, no form nationals, something like that. It's just an answer. Oh, it's it? Okay, a lot of categories, so. Maybe like alien. So now, how does this interact? So now we have a set of categories. The categories aren't paid to any specific level. So now how should these work? And how should these interact? So subjects should have a level and maybe a set of categories from this. And then what about objects? To grant them generally. Yeah, it should be grant, so, wait, we'll flip it around, so subjects are people, right? So people have some set and also objects, right? Same way, an object, so some piece of data, a document, whatever, has a level and then the categories that are associated with that. So then, how do I know if I can read something? So I have, and there's a document B that is classified. But I have top secret claims, I should be able to read everything that's talked about. You don't have that? Yeah, I don't have that label, right? Cool, everybody understand how this, intuitively how this works and why it's done this way, right? So you can even do this in office environments, right? Maybe talk about it in terms of military, just the most natural context because that's what that comes up. You can also think in terms of at a company, employee data, customer data, customer social security numbers, like privately identifiable or personally identifiable information for the act. We have these great levels that we just went through. Unclassified, uncompetential. Unclassified, confidential, classified, secret, top secret. You can have similar things in the commercial context, publicly sensitive, proprietary and restricted. So now, though, what policy do we want? So what policy do we want to enforce? So we talked about kind of loosely, right, in English terms about what we want to have happen with these different levels and we went through some examples. But what's the goal that we're trying to achieve? Yeah, so you want to restrict the possibility or eliminate, hopefully, the possibility that a file with just security levels, a object that is at a high security level is not read by somebody from a lower security level. Right? Cool. So we'll use another example. We have top secret, secret, combinator, unclassified, you change the classifier because you see. So use whatever your favorite thing it is. So now, let's see if we can actually come up with a way that we can, in some sense, prove or convince ourselves that we can design an access control system such that this can never be the case, so that we know that it's impossible for somebody to lead that. Would that be something that the military would be interested in? Yes, if you want mathematical, like, guarantee that no information can be leaked if you follow this system. So we'll apply some notation. And this is not meant to be incredibly complicated, but this is so L, we'll use the level of the security clearance. So that's a lowercase L. So if I was writing it by hand, I would stylize it, something like that. So the security clearance of subject S, and now we're just thinking about the level. So we think this should be pretty easy, right? We have four levels. So the security level of the subject S is LS. The security classification of an object O is LO. And then we have this other clause, and this is what we kind of mentioned, right? So there's this hierarchical relation between the levels, right? So here we're just using a lesson. We just mean that for all security levels, they have this total ordering, right? We can order them, we can do them vertically because that actually makes more sense looking at it top secret, secret, confidential, unclassified. You can think of it as a number line. So whatever you want, you can assign it zero, one, two, three, four, whatever you want, as long as you have a way to tell when something is at a higher level than another. Make sense? Questions on this notation? So let's, we're gonna derive these ourselves because you all are possible. So we have this notation that we'll stick with, blank canvas. So if I was gonna write some access control rules, yeah, please. This is possible if we're saying a question in some condition we can access the file. I mean, if we had, for one person, we have two, in two conditions, we can access the file in another condition, we cannot access the file. And we have two rules for one person? Could we have two rules for one person? I would, so we'll talk about that in a second. You need some way to declassify yourself or to change your classification level, but that's more tricky. So let's say no. The one person. So a subject has one security clearance. So one security clearance level, so they're either, so we have our four security clearance levels. We're writing a top secret. Secret, classified, unclassified. So every subject S, so if I said what's the level of atom, I can say that's top secret or one of these four. So it has to be one of these four. So every subject has a label and every object has a label. Okay, so what's our system that we've done for the pilot, both as a teacher and as a student, in the same class as we were, please, for example? Yeah, let's think about that. Save that for later because we'll talk about that in a second when we derive our rules. So a high level goal, we want it to be the case that no, a high level kind of English goal is we want you to case that an object that is at a high security clearance is never read by somebody from a low security clearance. So we're going to write a rule about reading. So we want to write some access control rule. So you have a subject S who wants to read an object O. You're going to write a rule using this notation. When can S read O? Yeah, in the L of S is greater than or equal to. So the security clearance of the subject S. Yeah, it's greater than or equal to the security clearance of O. Is greater than or equal to the security clearance of O. People agree? I think the subject of O, but yeah. This is the subject, subject of O. Right? Or sorry, the subject of O. No, for all, the topic, like is it? No, no, no, we're not, we're ignoring topics at all. Adjusting and adjusting in terms of these four levels. Because this is kind of a key trick of solving a problem, right? So the, we know that the whole problem is complex. We have labels, we have, but let's ignore the labels, focus on the simple one of just four rules, and then let's see what we can do there. Can we even, because we can't do it for this, then we're never going to be able to do it for a complex system. So we have this rule. So now if I said, can some subject S that have top secret, can they read an object of a classified? Yes, can they read a top secret object? Yeah. Can they read a classified object? What about somebody with secret things? Can they read something with top secret? No. Is that what we want? And secret can read secret, so they can, in some sense, read down, that's essentially the rule we've written here, right? So a subject can read down and read down to things that are more. A top secret person. You know stuff that the lower documents don't, so if you don't want to, you can, as it happens, you don't want people with higher level of knowledge to write to the lower level of knowledge in case they can infer, put something secret in those documents. Yeah. Okay, so then how would you express that? As soon as that whole of S has to be less than or equal to the lower. Do we agree? That doesn't make sense to have someone that doesn't have any of the top secret information to be writing top secret documents. So, let's think about this. Okay, let's take it in a couple of situations. I'll just write it. So we have the subject has top secret, does this allow them to write top secret objects? Yes, which we want, right? Do you make sense? And top secret, I think we should be able to create top secret documents. So top secret, should I be able to create classified documents? Should or not? What do you think? Raise your hand for should. Should or not? Okay, defender positions. I would say that you have to go through an admin to get it classified lower. So the users themselves, once they write it, because they have top secret knowledge, it must be top secret, but still an admin to approve the process to make it lower by verifying the information is not maintaining something that should be top secret or higher. Okay, so thinking of you, making it slightly more complex, but we just think that there's no admins, whatever, right? But you have top secret clearance, any document, what would you like, so any document that you create? Because you know the top secret stuff, it should be top secret, just in case you put something in there. Okay, alternative side. Yes? It's like saying to your manager, I'd like access to restricted information and then write emails. Like, do you need to be able to write like comms and stuff like that to people? What's the security property we're trying to guarantee? We're trying to guarantee that managers can't write emails? We're trying, well, if you're saying you can't write something that's lower or lower security and you don't want to be in this case on the last site, you'd be really interested to know what they're doing. Yes, but are we okay with that one? If our overriding goal is preserving the secret top secret information and guaranteeing that top secret information never gets released. My thought is that actually it should be equal to their level and not lower or lower. Strictly speaking, if anybody is top secret, they should keep their top secret information secret and since there are lower levels, there are people who can write the classified or unclassified at their level. They don't need to know the top secret stuff to write that, so it's just staying below that. Because you can keep on going lower. Interesting, okay. So this is a slightly different argument. You're arguing for no on the basis of you should only be able to write top secret information. So you should only be able to create documents at your level. Yes, so yeah. The nature of the top secret clearance is understanding the higher and knowing how to not put a top secret information in the lower document. Mm, I don't know that that's, I don't know that that's, well, I'd say that may be true in practice, but nothing in my mathematical model says that these people with top secret clearance are smart. They're humans just like everyone else, right? They can accidentally declassify information, which we want to absolutely guarantee. Writing top secret into counter to the email argument, that's why a lot of high government people on the top of those decks don't use like personal phone and personal devices to communicate that you have straight to communication requirements as far as how they do that. Interesting, yeah, more thoughts. So, what else? Yeah. I'll say, if somebody in secret is writing top secret documents, that's sort of like a red flag that they have some sort of knowledge they shouldn't have, it should be immediately investigated anyways. Interesting. We haven't got there yet. We're gonna talk about that in one second. We're thinking about writing, a top secret person's writing comment and so on and so forth. Yeah, so just in my mind, the top secret stuff is normally that they can make sure of everything altogether. And then when you go down the lower levels it gets a little filtered so you have less an idea of what's going on. So those filtered examples have to come from the big picture. So someone that has the big picture has to be creating those smaller pieces that don't let you see everything. Right, so yeah, these are all great practical arguments, right? But if I wanted, if you want to guarantee to me mathematically that it's impossible for somebody with top secret knowledge to ever leak it lower, you would not want anyone who has top secret requirements to ever be able to create a confidential document. Right, because there's always that possibility that they could accidentally introduce some top secret information. And of course, like everyone said here, this is an untenable situation, right? You've got generals who can't communicate with anyone below them, right? Which doesn't really make sense. But in the context of this model and being able to reason about it, this is something that we would want to disallow. So for the purposes of understanding the limits of this model, we want to say that somebody with top secret clearance should never be able to create something with lower. Does everybody agree with that? And I will give you all of your practical limitations. We'll talk about those in a second, but absolutely guaranteeing that no top secret information has ever leaked to somebody who does not have it. This is a key component that you have to have, right? Because it's always possible. And you'd think, this will even prevent, you know, I mean, if you were able to enforce this on a system, right, this would still be able to, like you can't have whistleblowers, they wouldn't be able to leak stuff out because everything they would create would be top secret. And so this is why they started with this model because it's a nice mathematical representation of this model that you can prove that it's never the case that this happens. Okay, we have some other things. So then we go get this model and we say, okay, what about somebody who has classified, should they be able to write and create a top secret object? Okay, so, yeah. Yes, why? What's the argument? Like, yeah, it's pretty useless in practice, but they're not making anything available that isn't already done. Okay, interesting, yeah? Could you look right and crawl, get in the other direction? Are we seeing? No, we're gonna create a new object. So we are creating a brand new object. Yeah, so we're not, we could talk about that in a second, that's an interesting wrinkle, yeah. I would say no, because they're not top secret anyways, and if they just write a million files, how do you know which ones are trash and which ones aren't? Could pay somebody to do that. No, because they won't be able to read it later. No, because they won't be able to read it later. That's an interesting argument and that's getting into the more practical concerns again about are they overwriting a file or are they appending to a file? What are they doing? Yeah, ooh, there's no reason to. What about somebody, let's say who's a spy who's only has classified clearance for whatever reason and they're on a mission and they've found some information about an adversary's nuclear capabilities that should be at the top secret level? Yeah. He doesn't have access to that information. He's not supposed to talk about it. They're generating that information, I would say. Yes. They need to report it somehow. Yeah. So here's the problem with not having access to that information is because maybe the top secret people already know about that and he's gonna be generating information that kind of contradicts and so it's generating documents that are making controversy to each other. Can that happen though, regardless? Quality of information is a difficult problem. Exactly. I was just gonna say, can't really determine once you get on a classified person in the government that you've received an email from a random group in another nation that contains a classified or secret information. Yeah, so we have a little bit. So you're poking interesting problems in this model, right? So even this notion of somebody who has classified clearance generating top secret information, at that point they actually know that top secret information so they could technically leak it out when creating another confidential file so you'd have to do that and then up their clearance to top secret as soon as you did that. In terms of both ways, but if we just go off of the specification you gave us and our only concern is not leaking information down and it doesn't even matter if it really doesn't, you know, just to qualify that's a bit. Right, so we think about it just in terms of this overriding goal of we never want to be the case that leaking top secret information to somebody who's classified happens. This doesn't, does this violate that goal? If it violates that goal then we can't have it. Does it violate that goal? Are there cases where that could be useful possibly? I mean, actually there you have a nice way of just maybe solve your email problem of your underlings can email you but you can never reply back and email them, right? Which is actually kind of nice. Right, so we can say we can allow it is kind of one of the things that's interesting to debate because it's something that's nice to have but again there are practical weirdness to it, yeah. So in this case, the classified person is writing the top secret file. Yes. Doesn't, like you said, it raises their writing to the top secret. No, let's say it doesn't. I mean, well, we'll say this classified person only has access to classified data, right? By definition. Yeah. They have classified, they can read every classified data. They can create now a new file that has top secret with whatever they want but they've fundamentally not leaked any information out. How is that any different from a top secret person writing as a classified person since a classified person is also technically writing at a top secret level? The top secret person has access to all the top secret information and so they can create lower classification files to leak data out, right? So I can create, I can just copy a top an actual top secret file. But deciding on the classification level, right? Like, see, maybe just doing something dumb but they're not actually leaking any information out of that. So in this case, how does the classified person know it's top secret? They have to know. So should every single person be writing top secret then? So nothing gets left out? Well, everybody in top secret can read everything, right? So, well, it would already be displayed. Yeah, so, second, you know, it's now it's impossible to read. It's, yeah, it's an interesting, weird case, I agree. But I think that going back to the overriding goal of never releasing top secret information, this doesn't harm you. Because a classified person has no way of knowing if this is actually top secret information or not. To them, it's just classified information. But, yeah, there's a weird case here. Let's see how we did it. Yeah, so we said the S is gonna read O, S, not good, look at that. So these are called, so in the model that we're creating, which was like created and proved, I actually don't know when, maybe 80s, maybe 70s, or even more this. The simple security condition, which involves reading and the star property, which involves writing. These are things we just literally decided. The way to think about this, which is kind of more conceptually easy and why we're using this vertical thing, is you can read down and you can write up. So someone with top secret can read down and somebody who's lower can write up. And then, just with these two properties, you can guarantee that the information flow will never float in top secret now. But this is a simple model, right? This is, so what are we missing from this model? Yeah, this category idea, right, of saying that, well, maybe somebody at the top secret level shouldn't be able to read all of the top secret information. We wanna compartmentalize our information a little bit, so we have our categories. So we can use these, I can't remember what an A stands for, does anyone wanna make up an acronym for this? Alien Control Entities, maybe? It's actually from somewhere. I looked up different labels for things. Because, so this is an interesting exercise, is if this, let's say this is a label of a category, is the name itself classified or not at what label? Why would, why couldn't it be classified? Yeah, it could be named like Tak Russia, like is the category, like you probably don't want everyone to know that. So A, you either create a level of indirection and you call it something random that means that internally. And then that way this random name can be unclassified or even classified at a lower level. So yeah, it's kinda funny to think like, you may not even know the names of the categories because the category names themselves could be at a higher classification level. It's like in movies you always see these weird like code names for projects. That project is no leopard, tiger thing. But then an interesting thing is, if you have, let's say a piece of document, how do you know that what classification of that document is? And are you allowed to read it? So you just slip open and start reading through the pages. Do they usually say at the top? Yeah, I should say have a cover page that says on the top but then you have a problem of what if the name is classified and you know what, weird. Anyway, this stuff's complicated. But we'll go with these three categories, just three. So we need to, so now how does our policy change? So what do we need to know about, how does our notation change? From the way that's beautiful, just the level of S, the level of the object is the object. The list of which categories or categories is set. But yes, we need the categories, right? Right there, yeah. Right, if you can't have more than one category, so you might as well use a set. It doesn't really make sense. So now, and now we need to think about both objects and subjects now don't just have a level, they also have a set of categories with them, right? So we can say that the subject, the security level and the object security level are both, let's say a couple, just use a couple L and C where I'm on this level and C is the set of categories. Crazy syntax. So now, how do we compare subject S with object zero? So now, we wanna control the same things, right? So we have the top secret secret classified of five. So now, how would I define some kind of rule? You could do, you use the old rule where if the clearance level of the subject is greater than or equal to the object, and then you would add if the, I guess the set of the object is the subset of the set of the subject that makes sense. So then, yes, that's good. And then if, how do we specify the subset? What's the simple reason? S? Like that, like subset or equal to? Yeah, yeah, it's a subset of this object. That's the object, yeah. That's correct. So we generate this, so we, why do we have this first clause that the level of the subject is greater than or equal to the level of the object? We don't need it, let's get rid of it. I know you came up with this. Yeah. I mean, it's the same as before where like, what the first line goes is it just gives you access to different levels and then the second one just more flying through. Yeah, we don't wanna throw away this notion of levels, right? We still don't want it to be the case that somebody with unclassified can read top secret documents. That's the entire security policy we're trying to convey, right? And so then the second line is saying, okay, the set of categories that S has must include the categories of all the categories of both. Yes. So a subset of relation, right? So this means that if we have a, now we can go through and run through some. Now, actually complicated or interesting examples. We have somebody with top secret clearance which has no categories. And you should think, when you think about this thing, you should think, doesn't that base case the simple examples still apply? So can somebody with top secret read something with secret no categories? We could run through each of these prior examples just with empty categories. That should be exactly the same, right? So now what about something more interesting? Like top secret empty set can they read the object that's secret with nuke? So two questions. What does our model say and what should it say? So what does this say? So is the security level, is top secret greater than or equal to secret? Yes. Is the empty set a subset or equal to the set of nukes? Yes. So we should be able to access this. I think so. It should be able to access this. Do we, should we be able to, so if we have no access to nuclear documents, we don't have a category for it, should we be able to read a document that has the category nuke? No. So what's wrong? Okay, the simple right way instead of the other way, the, or we're making a reading problem, but it's an object that really needs to be a subset of what you have, not the other way around. So you need to be considering this as an indication. You have a notification when you flip it. Yeah. No, I didn't. Like the whole thing. Yeah, that's fine. It should be on the left. That should be it. Yeah, I'm sure. That should be on the right side. So you had it right from the first one when we were saying it opened to the big set. But you had it on the subset. There you go. Perfect. That's a good question. The document must be a subset of u, which is how it should be. The document should be a subset of u. Cool. So the object is a subset of s? Okay. Yes. Yes. So in this case, is the set of, the set containing nuke a subset of nb set? No. No, it's not. Just when you said the subset, he said it. You said it as if you'd have the notation here. Got it. Awesome. Okay. So now we can do other things like, that are equal, can I read this back in? Yes. What about if the object has a nuclear nanities? No. No. No. Awesome. So actually, and the cool thing is, because, should you even have access to code? Because what this is saying is nuke is a subset. But if that were part of both, do you need both? I don't know if you can tell me. I would say that this shows that it's inbound, because I think having multiple categories in an object makes sense that you should have access to both for it to be doable, but that's just my point. What we're saying is this a subset of this, right? Or sorry, the other way around. So this is, We'll set the sign as my name. I didn't put it in. I didn't put it in. I didn't put it in. I didn't put it in. It's pretty backwards. I didn't put it in. No, I mean, this is fine. We're saying the nuke and ace is not a subset of nuke, which is true. So yeah, this is fine, that's nice. The nuke and ace is not a subset of nuke. And nuke is not a subset of... Yeah, yeah. That's what you said. So what about writing? What am I able to be? Do I still have write for everyone? Do I still have the level of O must be very, very equal to the level of S? And what's the... I should be like the same, I think she's gonna have to see that. Oh, this is really bad. Sorry. And a very cool thing is now we can actually, so we can actually represent this in terms of lattice. So actually, lattices pop up many, many times in different realms of C. Yes. So we have a subset relation. We're saying that the empty set is a subset of everything. So it's at the bottom, so it's a subset of nuke, nuke and ace. Ace is a subset of nato, ace, nuke, ace. Nuke is a subset of nuke, nato, nuke, ace. Nuke is also a subset of the full set. And it actually allows us to use this lattice to prove properties that we want about this. So this is actually, you just derived the double-haggula model, which is one of the most famous mandatory access control models in all of security. And it uses this notion of dominates. So this is like another type of lattice thing. So here we just defined that a new operator rather than dealing with this non-saturator, like trying to decide a subset, whatever. We defined it here, and then we said we use this dominates to define the speed operation, the simple security condition, and the right operation, the star property. And so using these, we can prove that. So be prepared, we're gonna go to these examples. First thing on Tuesday, we'll do that on Tuesday, and then we'll go to Thursday.