 All right, folks, let's get started today. First couple announcements. I made these all on Piazza, and all announcements will always be on Piazza, so look for those. Yesterday, one of the TAs hosted virtual recitations. The idea here is rather than having recitation sessions that you have to go to at fixed times. We're going to try virtual recitations, where one of the TAs will host a virtual recitation section, where they'll either go over the homework assignment or course content. Kind of a fixed lecture, like a normal recitation, and then leave time for questions at the end. So we'll be announcing when those are. They'll change timing every week, depending on which TA is teaching it and which TA is going to be covering that. We will record those, so you can find here Arvind held virtual recitation section going over assignment one and talking about that. So if you want additional help, please watch this and then look out for the next ones. The other thing that we're doing this year is the undergrad TAs are doing what we're calling assignment help sessions. So basically, they will be in Brickyard 221 and they'll be offering help on the assignments from one to four today and from six to seven tomorrow. So there's a number of undergraduate TAs. You can recognize them by their pictures on the website here. So if you're still working on the assignment, please head there and they'll be able to help you. Questions? Final thing, and this is very important. The grade that it shows on Gradescope is your grade. There's no hand grading or, oh, you mistyped a file name, we'll fix it for you. No, it has, like, just like when writing a program, you look in files where it doesn't, your grades are what they are on Gradescope. And so I've seen some people have submitted things and they don't have an actual readme file. They have a readme.txt file, and the grading system says that's a zero because it's not following the instructions. The instructions say you need to have a file called readme, not readme.txt, not readme.pdf, not readme.docx. It has to be just called readme, and it's giving you all of this output. So if you end up with a zero and you will say, hey, but, like, all I did was had this one problem. Like, that's too bad. It's telling you exactly what your score is right when you submit or right a little bit after you submit. So it's up to you to know your score and, I don't know, you're going to be happy with whatever that is. Questions on that? Cool. Then let's move on to access control. So we've talked a lot about kind of overview of security. We've looked at security through different lenses, and now we're going to get kind of more into access control. So we'll get into a little bit more depth, but access control is basically trying to do, let's say, decide a policy of who should be able to access what. And so when thinking through this, I think it's an important thing to maybe go a little bit more concretely based on examples. So let's say we have some university who has an academic integrity policy. What would be a concrete example of such a university? ASU. ASU? Yes, there's an academic integrity policy that you all are inviting to by being students at ASU. And as part of this policy, it includes copying homework with or without permission. So some CSE class has students do homework on a shared server. We can say it's similar to general.asu.edu. Student A forgets to read, protect their homework. So they maybe, whatever you could say it doesn't matter, but the point is in their home directory on this server, there's a file called, let's say, homework1.c. And they forgot to set the permissions such that other people can't read that file. So essentially other people can read that file. So student B then copies that file because they just copy that file into their directory. Now they have access to it and they submit it as if it was their assignment. So who did something wrong? Student B, who violated the policy, let's say. Student B, because you leave the door open or you unlock the store, you cannot enter the door without a contract. Right, so student B doesn't want to copy the file. So if you take that analogy to a house, it's like they, even if the house was unlocked, they went inside the house and took something out of it, or made a digital copy of it without a contract. Student B University also kind of violated the policy because they could have made it a more difficult bird-aider-share policy. Yeah, okay, so student B University of that fall is easy to blame, but maybe more specifically than blaming an entire university for the problem of homework assignment, maybe the administrator of the server. What could they have done? They were detected by default. Okay, so we're casting a lot of blame here. What about student A? Is everything clear at fault? Student A. Yeah, student A. Well, they forgot a policy. Ah, so they forgot a policy instruction? I guess that depends on what does the policy say, right? So, yeah, this is kind of an interesting debate here that we can have. Is it, I don't know, just student B fault because they copied it, chose to copy it, or is it student A fault? And how do you, I guess, distinguish the case where student A deliberately makes their file read-accessible so that student B can copy it versus the case where they just forgot or didn't know how to do that? Like everyone? Yeah. So, basically, student B directly violated, at least that's the policy that we have. Yeah, in different ways. Okay, yeah, I mean, again, I think it goes back to another point depending on what the policy says, right? If you can't share homework with somebody, that could be a violation of that policy, right? Even forgetting to re-protect a file could be seen as sharing. You know, I mean, to take that argument to the extreme, is it okay for student A to just post their assignment on the course forum and just say, well, this is how I did it? And then if anybody else copies from that, that's their fault. It's not my fault that they're going to copy it from me. My fault could potentially have greater consequences because more people than just student B could get to the file, but in this example, it doesn't seem like student A wanted anyone to see the file. Interesting. Okay, so yeah, so arguing kind of based on intent. So, forgetfulness versus maliciousness. It's interesting. Yeah. Anybody else? Yeah. You moved. Yeah. Used to be over there. That's very weird. Yeah. No way that A to choose policies versus I mean, intent doesn't really matter. For instance, if I was writing code here and the person's timing was looking at that code, it's still my fault. Which I kind of don't agree with, but it's unreasonable to assume that I can always protect it. Yeah, that's an interesting thing. To be perfectly honest, I don't know the intricacies of the policy. It's been a long time since I've read it. So one interpretation could be that the policy explicitly dislodged sharing such to the level that even if somebody is, we call that insecurity, like a shoulder surfing attack. So they're looking over your shoulder as you're typing your code and they're either just like typing into their phone or maybe into their computer exactly what that code is. And that's your fault for letting them do that. So what are some measures we can take to prevent this? Okay, we can clarify the policies that maybe specifically exactly say who's to blame. How do we distinguish from this case of forgetfulness versus maliciousness, though? I think that may be the problem that the ASU policy has. Yeah. Well, if you make it pre-protected by default, then the student A would have to intentionally open it up, which would then show some maliciousness. Yeah, so maybe there's mechanisms we can introduce in addition to this policy, right? We can say have the mechanism be that every file that a student creates by default is prevented, readable by everyone on the system. So then that way that would essentially prove that you would have to take an extra step to enable it to be readable. Okay, yeah, so maybe we could track that file across the network, right? Because there can also be, you know, we also need to, I don't know, think about or worry about forensics depending on how malicious student A wants to be, right? They could just write a temporary file very quick that somebody else could copy, and then they delete that file right away, and then now there's no, maybe, I don't know how they got my file. It's pre-protected. Maybe they shoulder-served me, and that's not my fault that they did that. Yeah, interesting. So maybe with through logs or other types of extra information we can say, oh no, but we saw that this file got created with the content of this other file, and then the other person copied that over. Yeah, so maybe tracking, so then more deliberate attempts, right, to kind of track where data is flowing through the system. Yeah, the trick is then how do you determine what is, I don't know, like if somebody's downloading the Linux terminal to compile it, you don't care about any of those files, you only really care about the homework files, and determining what those are could be tricky. Cool. Awesome. Okay, yeah, this is a good thing. So we need to kind of discuss some important security concepts that are going to come up here in the notion and the idea of access control. So we have this concept of authorization, and it's kind of at the core of everything we're talking about here. So authorization here basically means what can you do on the system, right? What are you allowed to do? And what's one of the key elements in order to enforce some type of authentication? Not necessarily a password, it's more high level, yeah. You need to be able to delegate, or like assign certain levels of classification? You may be to levels of classification to what? To like the system or whatever, so like you can assign like this person is like the janitor, so they don't need to. Maybe, that may be a way we implement that, but to even get there, we're missing an important part. You need to define who you are, right? If you just come up to the system and say, well, I'm the professor, and it says great, here's all your permissions, right? How do we know that somebody's not impersonating us? So we need this other idea of authentication, which we're gonna cover later, which essentially answers the question, well, who are you to the system, right? And if we even think now, we're going to be in more detail, but at a basic level, this is exactly what passwords and usernames are doing, right? You register an account at the start of the system, it says, okay, I know who you are based on this unique username and password combination, and you can prove that it's you later on when you give me those same username and passwords. I'll know that it's you and not somebody else. So that's how we can handle the who are you question, the authentication, and then the authorization can come in. Okay, now that I know who you are, what should you be able to access on this system? So really, and part of this, and when we're thinking about authorization, it goes back to even concepts we were already talking about in the overview, right? We talked about, okay, well, who should be able to do what? It's kind of tied in a little bit of what do they actually need to do their job? Right, so managing kind of trust and authorization and also risk. So why, how can we manage risk through authorization? Yeah, so only give access to people that need access, and there's probably a corollary there that's also important. Only give them just enough access, right? So access, we'll go into it in detail, but it's not a binary thing, right? You can either access it or you can't, right? They should just be able to read some information, but not write or alter or change it. Maybe they should be able to write information but not be able to read it. We'll get into a certain sense of this like that. Yeah, so if we can use authorization, this idea of, okay, what should people be able to do? That can actually help us mitigate risk in a system, right? Especially in cases where we talk about threats of insider attacks or insider threats. So what's an example of this? It's like when one of your engineers copies down to everything they can access and then goes to work for your competitor. Yeah, one of, ooh, that's a good one. What was the famous case where somebody was alleged to have done that? The guy who went from Google to Uber with the self-driving car technology. Which one? Edward Snowden. Oh, Snowden, yeah. Snowden is actually another good example, right? He was an admin at the NSA and he copied down a bunch of data and then released it publicly. Right? So you think about an organization that should know the benefits of mitigating risk and least privilege, only even keep access to what they need, still fell victim to a problem of an inside employee, an insider threat that accessed more information than they should have. What's the balance here? Yeah. You don't want to hurt the productivity of your employees if they have to go ask IT for permissions to access it? Yeah, does anybody work at a company where you can't install your own software on a system? Yeah, look around. They're a hands up. You could talk to these people about how annoying that is and how you have to do insane work arounds. Do things like block G chat so you'll find some other way to use Google chat in a different thing or... Or even if you think as a developer, if you had to ask IT and wait 24 or 48 hours for them to install some software and you need some certain tool to do your job to fix a bug right now, that can be incredibly annoying so you'll find ways around that problem. Yeah, so I think that's the other important thing to keep in mind here of... Especially considering what is the business, what are you actually trying to do? So that's part of risk, right? Part of the risk here is by limiting people's access to the system so much that they can't do their job or they hate their job and you have huge employee turnover and that could be another big problem as well. And all of this is leading us to this notion of access control. So authorization is what can you do on the system and kind of the way I like to think about it is authorization is essentially the policy who should be able to do what on the system and that's in terms of what we've been talking about and access control is the actual mechanism that's going to inform that policy. It's a little bit more muddy than this but we'll look at all different types of ways to model access control, we'll look at different access control systems and we'll talk about the differences between them but all of them are trying to implement and enforce this notion of who should be able to access what. And you know what the access control policy is like on your phones and in terms of apps. Ask you what. Ask you for access to the camera to maybe your files which is great because that means it's blocked by default and you have to allow it. What other kind of access do they have let's say to the rest of the system? Like are you worried that you download a flashlight app and then that app is going to steal all of your data from your banking app? Should you be worried about that? You definitely should be worried about that, right? The idea is and this is maybe basically like most operating systems like desktop systems that we think about Windows, Mac, usually every software you have that runs as you, right? Which means you download some random app from the internet from whatever a website or a crack version of some software that's running as your user which means you have access to all the files you have access to, all of your pictures all of your documents, everything. And this is one of the key things that they learned when moving from desktop operating systems to mobile operating systems is actually based on these concepts of authorization and access control what access does an app actually need, right? So you should give it the least amount of access possible to do what it needs to do. And like we just said the flashlight app should not be able to read the documents of the banking app. So they put really good restrictions and they're sandboxing each app so that by default it can hold and access things inside of its app. It can't talk to, it can't access any files from any other apps. Which is a huge win. So this is why you don't have to worry as much. But then of course you download a flashlight app and then what does it say? The flashlight app is an old example because it actually was malicious on Android. There was an app that got super popular and it turned out that it did not know where it was. What it's going to do is it's going to ask you for access to everything, right? Or a flashlight app is whatever you already have a built-in flashlight functionality but what about a game? It's like oh I need access to your location I need access to your pictures I need access to your microphone. All of a sudden you're giving this random app the ability to record you without your knowledge to track all the locations you go and visit to access all of your pictures. Who knows what that app is doing with that information? Cool and what we're going to first talk about is we're going to think about kind of access control in more abstract terms. So we're going to think about ways of how we can model access control kind of any arbitrary system and then we're going to look at different ways of enforcing that and we'll actually be using this then in the context of the UNIX file permission. So this is also a chance to learn exactly what all those bits are on the file permissions that we've been talking about. And basically we're going to talk about this in several different types of objects. So we have subjects in our system so subjects we can think of as just capital S, just a set of subjects and these are things in the system that can act. So what would be an example of things that can act? Users, what else? Groups? Yeah, possibly. What else? Software. Software programs. Yeah, your program that's running, right? Probably needs to act and do things perhaps on behalf of users and that's actually one of the things we're going to trip away about operating systems is actually on a UNIX-like system you as a user are never actually doing anything. You're asking other programs to do things on your behalf and they're acting as you. So in those terms everything is a process of what can a process do. So objects, so then we have things that can act and then we need some kind of notion of assets or objects in the systems that can be acted upon. We'll use this idea of a capital O object so it's a set of all the things in the system that can be acted upon. What are some examples? Block devices. Block devices? Oh, interesting. Maybe like block lists or any kind of like operating system level data that's important. Data tables. Data tables, more example. Ah, so the operating system let's say the operating system data itself maybe or the applications data it may not be in a file or it may be stored in a database or something else which actually is stored in a file or many files. Is that something you want other malicious people to be able to act upon? Yeah, you want to be able to restrict who could access that and what happens, right? Yeah. Yeah, mouse keyboard, printer and yeah, these are all great. So then, but then we have, okay, so we have things that can act, we have things that can be acted upon, right, we have our subjects, we have our objects and then we have some notion of rights. So basically what can be subject due to the object? And what these things mean are dependent on the system, right? So if we take for a second, what does it mean when you have read permission on a file? You can read the contents of that file. What does it mean if you have right permissions to a file? You can change the content, you can also delete the file, so deleting I believe is inherent in writing. What about in terms of directories? What does it mean to read a directory? You can list the contents of that directory, what about writing I know for a fact you can't move a directory unless you can move anything in the directory if you have permissions to but there may be a directory that you have right permissions on that has a file and you don't have right permissions in it that you can't delete. You can make new files, right? So this is why it's important to understand the system that you're actually talking about because you may think permissions like read and write are very clear and straightforward but actually how to get a system depending on the object it could mean something very counterintuitive like writing to a directory means that you can create new files in that directory. Cool. I'm going to start drawing now so everything has back up on slides so don't freak out too much my handwriting is not the best but I try. So we have let's say we have some system our subjects are man this is out of practice I guess okay so somebody give me some subjects like short letter names can't short like one letter A Z there we go okay so we have a set of objects R Q alright and we'll say a set of rates X W yeah we're not going to use the same letters here okay so now this system is basically complete right we know all the subjects we know all the objects we know what rights exist now how can we how should we be thinking about who can access what or we think in terms of access control right when we mean specifically here is which subjects have which rights on which objects how can we be thinking about this so we can say what so A on object R so we'll just we'll do this for now I'll maybe fix it a little bit so we can say subject A has rights which is going to be this set on object that should be lowercase R R so what rights do we want subject A to have on R X what is it X just X okay what are our options so it could be X it could be W what else X and W what else empty so what does empty mean no rights right we have no rights on that object and XW would mean we have all rights on that object all right let's we can maybe call it AR so if we want to do this what can we keep doing so we can set up the rights of object A on Q right which is going to be something null and then we can set up the rights of Z on R give it at least W yeah and then ZQ WX WX better that you're doing this than me creating that in advance okay but it's a little bit can be a little bit unwieldy to think through or another way of representing this is we could basically create a matrix of subjects objects right and we can put in each cell what the what rights the subject has on that object so we can do here we have our so we have A and Z and we have R and Q and then I can just put in here AR was Z sorry X AQ was empty set so I'll just put nothing there ZR was W and ZQ was XW cool so and we're kind of the only thing to think about is can A ever do anything to Z or can A do anything to itself the subject also being an object word processor okay give me a concrete example why is the subject an object there you need to open a file inside the program and then save it to the database of the software so you can open up the program itself in Word no like it needs to edit the resource file so it can track of changes okay so changes yeah I think that you could torture that and it would work yeah okay a user profile on a website yeah that's a good example so um maybe actually some of the work examples so you have your Facebook account you can edit you can also maybe think of maybe those are just objects though right maybe those are objects your profile data is an object on the system but it's not actually the thing that's acting although maybe you could say the thing that is acting that you can change is your maybe your username and password or changing your email which is an inherent part of your identity on that system yeah what else okay we're thinking about terminal systems um anybody so if we think of the UNIX model as a process is the subject right so a process that's running on the system can do things a process can try to kill another process right to terminate it um a process can also send signals to another process um so their permission is basically there yeah um right so then a subject okay yeah so the yes so then you have peripheral devices like a printer and that would be one subject and you've got another subject of your um will it do printers act? yeah okay we can go with that yeah that makes sense okay so yeah the printer would be a subject so we have to have rights and we want to mediate access between the web of the um text editor and the printer yeah that's great cool so now we need to so in most cases that's what we want again it depends on the system itself right so we need to extend this with A and Z right what rights do they have uh on each other um and for right now we'll just keep it I don't know throw randomly stuff in here so here's just another example I mean this is in the slides so you can review it later here's just some system and the nice thing here with this access um matrix model is I can represent all of the access control rules of this system so if I asked you uh does V have R1 rights on object G what did you say? no or you know every answer to every access control question you have can be answered very quickly using this matrix right uh you can look at this you can also one of the other nice things is you can answer questions like uh who can who has access to file G just you right not V uh and who has access to V or who has rights on object V no one right so you have all this information here contained within this table that is very easy to see and understand so now we're gonna actually make this more of a concrete example uh so we're gonna go to the UNIX model and we're gonna talk about um so we're gonna think in terms of subjects are a process so every process that's running on the system is an object and we'll think about files as objects so you can think files and directories maybe they're the same thing maybe a directory is a special instance of a file and the rights that we're thinking about are basically read, write, execute append and own so we talked about maybe read and write in terms of files what does execute on a file mean and specifically what does that mean to run it maybe perform an action depending on what the code is but how does that happen in our system it creates a process it creates a new process right so it actually adds to our system right so the other important thing to think about these aren't uh statically um static system where we just have a fixed set of subjects, a fixed set of objects because it's changing based on what's happening on the system right so if a process executes a file that actually creates a new process that has the code of that file that's run what about a append what's the difference between a append and write so append means we can add to the end of a file but we can't change what came what was there on that file whereas write provisions we can completely change the file why do we care about that distinction for like logs if you want to keep track of you want someone to be able to add something new to the log but you don't want them to be able to go back and change stuff yeah so logs and logs are great for friends and purposes trying to understand what happened to a system right if we know the system can force the fact that logs can't be just deleted by the attacker right the logs just always get appended to that way whatever the attacker does they can't delete or remove the log cool then what about own process like yeah so on a file well yeah I think created it is a good way to say that but it doesn't necessarily have to be the case because you can change ownership right but yeah essentially who owns that file and what does that allow you to do on a unique system if you're the owner of a file change permissions and what does that do in our model yeah so you can so in our model right so you decide what the permissions are for that file that you own right if you have ownership permissions of the file you can decide that other people can read or write to that file or execute it you can even change owner you can give ownership of a file to somebody else and now you no longer have it but somebody else can yeah exactly so it allows us to change so having ownership rights of a file allows us to change access on that file next question next question does it change an object to a process let's say it creates a new process based on that object so yes also sorry I meant object to yes object to our model they're they're the same cool so we have read write execute append own right there's a simplified version and we'll kind of go into why that is in a bit so let's build this up a little bit so we can say our subjects are we have A and B subjects and we have our objects so I can create a quick matrix here I can have a maybe a simple system like this process A and process B I have two files on the system homework file and a public file so the public file is readable by both A and B and writeable by A and the homework file is owned by B and is readable and writeable by B so now if we go through certain things like and we can reason about how this model changes so we can say things like okay does can A access the homework file read the file no can they write to it no is it possible based on what we know about the writes of a file and how this system works is it possible for A to read the homework file yes how yeah so B owns the file right so B can change the permissions of the homework we haven't defined it we can define a function of change we can think of it now of CH mod so that's basically what the file even heard running on Unix that allows you to change permissions of a file if you are able to do so so we can say B does B runs CH mod of homework A read and then what happens to this matrix yeah R cool so now A can read it awesome so let's go back as soon as this doesn't happen now what if I take away these right to own this file what if I take away these access to this file now I can ask two questions right currently is it possible for A to read this file can it ever be the case that A can read this file yes how there's nobody else on this system it's only A and B and we're assuming that everything else is perfect so we're just going based off this policy isn't there an assumption that every file needs an order a simplified unit model so you don't need to introduce complexities like that we can assign the ownership to nobody or something so is it ever possible that in this model A can access this file yes yes so the idea is well we don't okay so right now we don't have a new file right so if we had a new file function okay then let's walk through this so we have a new file function who does it let's say is B they want to create a file foo okay good we'll take this step by step so that's all this does is allow them to create a new file and by default let's say when you create a new file you have the owner of that file and that's the only permission you have right nobody else has permissions on that file so B says okay new file foo what does that do to my matrix put a new object which adds what to my matrix a new column a new column called foo and then now the permissions based on the semantics of new file that we just said is all it is is O so that B is the owner of that new file okay yeah yeah it depends on well let's keep going with this right so B can access this file create a new file foo then B can do chmod foo so B is going to do chmod B foo I'm going to say that now B can write to this file and read we'll say write and read so B is going to give itself write and read access and then we'll do another chmod B that foo so to foo that A can now read it so assuming we have the ability to read the contents of the homework file and write them now to object foo yeah so again this is so to answer the questions we were just talking about is it possible right what's really important is the semantics of what can happen because if I say well sorry on my system you actually can't make new files like such to be you you have to deal with the files that you're given so you can't make a new file is there a way for A to read the homework file yeah do you get file yeah that's another interesting one I would say that's inherent with read like a copy you can think of as read from one file and write to another file can't create files anymore so no more creating files simplified very simple maybe to the point of not usable but right so the other so this is kind of the what we're getting to here is if we think of this just in terms of the model you can talk about all the formalisms of this and if you have all the specifications of all the ways to update this matrix model in a formal way you can actually prove a statement like that you can say that it's never possible that A can read the contents of this file and so so this is why we think about so A it's nice to reason about access control at this level that we can see the whole system we can see who can do what the more difficult thing to do is reason about how the system can change and you have to reason about all possible ways that the system could change but the nice thing that this allows you to do is if you think about things in terms of this this model you can actually prove interesting properties of an access control system you can say it's never the case that A can do this and again your complaint may be and I think it's reasonable that well but this is hiding a lot of complexities of a real system like you just said I can't create a file so who's going to use your system if I can't create a file which I definitely agree with and this is again maybe the trap that comes in from there's a joke maybe you've heard it and I'm probably going to butcher it but there's a joke that a physicist I don't know I'm going to ruin it but the idea is if you're trying to I don't know he's terrible the punchline is assume a spherical cow so that's the punchline there is physicists like to deal with a simplified and mathematician a simplified model of the world so if you're talking about a cow they will say well assume a spherical cow that's the first step if you want to be able to formally prove something you need to make crazy simplifying assumptions about the system which may not hold in actual practice cool and okay so yeah so then let's talk about and think about what are some of the benefits and drawbacks of this type of access control model this matrix using this matrix model then we can talk at the high level right we can at what we talked about just a little bit right now we can also talk about the at the implementation level or actually let's talk about that in a second so we'll talk about a high level about what are some benefits and drawbacks of this model yeah if you have enough how much would be enough do you think okay so maybe for implementation reasons but what about let's say being able to reason about the correctness of such a system right as a human right if you have a thousand users and you have a thousand rows being able to say does this access control mechanism actually enforce the authorization policy that I want can be a difficult question to answer right what else a benefit would be it was a lot easier to read than the previous model yeah it's a lot easier than just having these pairs of a subject object rights subject object rights right it's a little more difficult to reason about if you can see exactly if you're interested in one particular file you can see all the access to that file if you're interested in one specific subject you can look at the row and see everything about that subject any other benefits, drawbacks then it's quite complex right so yeah then there's the other problems that we faced of how do you actually use this model such that it represents all of the functions like all of the actions that subjects in your system so you need those defined probably formally so you can reason about it and maybe to actually map what's actually implemented cool so now let's talk implementation so how would you implement this let's go back to the example right so think about a system an operating system moderating everything what do you actually need to do to implement this access control an access control matrix do you have a letter would you just do a bunch of C and C command sure you could do a bunch of commands but where is this matrix stored and who checks that you, so C and C commands allow a process to change the right to a file but where are those rights stored do we need some kind of super user to maintain this yeah we need where so one question would be where does this live and who updates this, where does it come into the system how is it created and instantiated in the first place and then who's updating it over time right as C H Mod comes in you wouldn't want necessarily an administrator or a human doing that every time that would be a little bit insane I was going to say is it stored in root yeah so the operating you can think of the operating system in root as essentially the same thing right so a root or is the administrator that has access to the whole system and that includes the operating system so what we're getting to here if you think about this just as a data structure as a matrix what is a matrix in terms of a data structure that you use to a program two dimensional array that's something complicated you've been doing that for a long time you just store that somewhere in the operating system but the important thing is you don't want any subjects to be able to just modify it your system was such that by changing the table and adding rows you don't have any kind of security mechanism so you need let's say the first implementation thing is you would need this you would need to ensure the integrity of this access control matrix right so that would be the first priority you could do that by let's say it's part of the operating system so only the operating system and administrators can mess with it maybe we start there what else what's the service that you connect to that handles all of the commission's changes oh interesting, okay so you can actually store it off of the system in another system that's interesting that's kind of how I can't remember active directory basically works that way and other systems I can't remember I want to say Kubernetes but I know that's wrong it's some system that starts with K I can't remember control happens on one central machine and the other machines essentially delegate to that system yeah possibly I mean you could create the tables to enforce some kind of inheritance or something like that what about in terms of actual so we just talked about it right a two-dimensional array so you have a system let's say all of you currently in this class run it to 370 so if I had to create a system for all of you to use how many users what I have 370 so it'd be at least 370 rows if we just think in terms of users and don't think about a process right now then what happens if one of you adds one file yeah one column which is 370 additional cells and then if you create another file and another file and more users so on a typical system what's going to be bigger the number of users the number of files files that'll be a lot bigger right every application install has doesn't the files each of those need to be a column in your matrix right and then we add a new user then when that's to happen yeah that's me a new row with all of the permission so you create a new user you have to think through now what permission should they have on what files right so no permission to anything yeah I just considered you all the same subject right a student then I have to think through well how do I make sure that like we talk about the coffee protection example right how can I make sure that you can transfer files from one user to the other so yeah one option would be simplify the matrix in some sense yeah we'll talk about it more when we get the crypto stuff but there are some things you can do but it becomes tricky but essentially one is this essentially this giant matrix is really great for reasoning about what should happen it's also great when you're thinking about a simplified model of a system so that you can actually reason about what's going on in terms of real systems and in terms of real implementations I don't think anyone actually implements it like this what we talked about right because of all the inherent challenges of and when you add a new user that's gonna as the number of files increase if you have a server with 500 terabytes worth of files right now you have just wrote these you're gonna have so many columns that adding new users would be kind of insane you can use some tricks there are tricks with you know a sparse matrix or whatever but still if you need people that have access to things it can cause a huge problem so the interesting thing is we could actually split up rather than thinking about this matrix in monolithic terms we can look at it in terms of different ways so we can for instance what if we just look at every what is this a column what if we look at every column right so rather than let's say storing at in one place in the operating system this huge matrix what if we stored with every file the list of people that can access it and what rights they have right and you can think that this is again the key tenant is that nobody else can modify it so it's kept by the operating system but the operating system would keep metadata about the homework file that user a has no permissions and user b has read and write permissions so this is a basic idea of splitting up this matrix so that rather than thinking about the whole thing we can actually implement it and store it in terms of columns right you can say okay for a given and we can maybe even do some nice optimizations saying well if a user is not in in the access control list and that means they have no permissions so I'm user a or I'm process a right I'm trying to access let's say I am process P I'm trying to read to the G file should that be allowed or not yes and how would you know as the operating system pretend you're the operating system what do you do yeah look at G files metadata for the access control list look in this list you say is P in this list great what access control does it have are and this is asking for our so that means that that person can read this file it's good allow that access and it's pretty quick because you can implement these in terms of hash tables so it'd be a constant time lookup and you won't have to scan the whole list and it could be very nice yeah yeah we have to think about how do we do that with subjects right so we could think the operating system could also keep metadata about a process about what rights other users have over that process yeah so it's the same notion of for each object in the system which includes subjects we need to store metadata with that object about who can access that yes but a simplified and this is what we're going to get to actually in one thing that's versus how it actually works but a abstracted version it's not a list of exactly every person on the system who can access it so if we take the same notion and we think about splitting up our matrix in terms of columns what's another way we can split it up oh good we steal somebody's answer I think that's against the academic don't just get rose we can think about in terms of rows right we can we can store with each subject everything that every object that it has access to and what rights of those objects right and of course again the same idea we wouldn't want them to be able to tamper with and change their their access so kind of historically these are called different things so like the access control list is the column so every object stores what subjects have access to it capability lists are the other notion of storing the rows so every subject has the list of objects that it has rights to and again same thing the operating system now process P says here's my capability list I would like to have read access to file G and the operating system will look at the capability list and say yes you do have read access to file G great access granted what are some of the differences between these two besides columns versus rows if you store it with the subject the other user can create a file and then has to update a file in another users domain yeah so this is where things get a little wonky and weird right in terms of updating so if we have this type of model if subject Q creates a new file that subject P has rights to all of the subjects is capability lists these we updated with access to this new file conversely the same idea actually also applies to access control lists but not one creating a file because when creating a file you would just put who has access in the access control list where but when do we need to go through and update everything a new user a new subject is added to the system we have to go through every single file in the system and add those rights that that user has yeah yeah you can have it both ways so if you want to assume that something in the list means you don't have access to it then you don't want to have it also be the case when something's not in the list you look up and do more additional work right you can think of maybe ways to optimize it but if you think about it just in terms of a fundamental model it's a little bit more difficult to think about that yeah so these are basically kind of inherent pros and cons changing different aspects of the system causes different problems yeah so yeah usually you only do one although you may be able to configure a system to use a combination of things I think here you go the sky's the limit in terms of implementation but yes on like a unique system Unix uses access control lists and so every time you ever edit a file you LS a file this actually happened to several people which I still don't understand how but if you ever forget out let me know they created a dot ssa slash config file in their local home directory but the permission for setup so that they as a user had had no read permission to the file only write permission and then when they tried to ssa to band it they couldn't read the home font their own file so it never got set up wasn't happening correctly so just either deleting that and starting over or changing the permission so that they could read their own file actually allowed everything to work that is fascinating yeah windows are the sub system thing seems to be causing a lot more problems than I hope it would but I've seen weird problems of people trying to install or update things as route and then they can't reach it yeah you're now a root user so when you create a file it's owned by route and so by default other people shouldn't be able to read that usually so yeah that can cause massive problems interesting I think I think for most cases because you may a lot of times you're not just opening a file for read you're opening a file to read and write to that file so rather than looking at two different permissions like right on a file you'd want to say what rights does this person have on this file and yeah and another type that's actually the type that we already talked about is kind of a relational table which kind of goes out to what we were talking about basically just subject access object so or any combination of the order doesn't matter so much the idea just being that we could think about it of listing exactly how we did and this is where we started from subject access object and so you look up you could look up subject and object and it would tell you all the access that they have all different types of things so let's see some interesting aspects here so for an access control list we need to be able to know the identity of users of subjects so we need to make sure that we know some way of subjects the interesting thing about capability lists and we'll get to this more in crypto but we don't necessarily if the system so this is actually where the Kerberos model comes in so with Kerberos you don't authenticate to the system you're trying to log into you authenticate to a third system that issues you some cryptographic ticket that says you have the capabilities to do x y and z on this system so you then present these capabilities to your system and then it says great you have these capabilities so that system is not ever verifying your identity or who you are or checking username password is trusting these cryptographic tokens these cryptographic capabilities of what you're allowed to do and this is but this can cause problems so this is why you know we'll get into those more in detail later but it's another kind of interesting way of thinking about this problem and this is why systems that use that model like Active Directory and I believe Kerberos will allow you to use these capability lists yeah so I think we actually this is a graphical representation of the different systems you got many files in a directory and each of the rights will be on there and we'll get to the UNIX access control oh no okay okay so other types of things that we can think about so for capability lists we can when thinking in terms of least privilege so we can think the security principle that we want to provide that objects that only have access to exactly what they need that when when they let's say the system grants a subject capabilities and a capability list they can give them just the capabilities that they need rather than as we mentioned going and updating every single file to give that subject access to exactly what they need you can actually have a much more fine-grained thing especially if you have like a backup service that's just running once a week so the backup service spins up it's a new subject in the system rather than giving read access to every single file the system to the backup system the operating system can just give the backup subject here's the capability list that you can actually read every time and then it goes away as soon as it's done you can also do cool things like doing expiration dates on those capabilities and all kinds of cool stuff so what about trying to review these systems so we said one of the nice things about having this matrix is we can actually try to look at it and review who can access what so what are these two system maybe changes that notion of access for me I said it's true in both models yeah the system gets bigger it becomes much more difficult to review right but let's say in a capability model we want to say who has access to a certain object we have to look at every single user's capabilities and sees is anyone have this capability right so in that sense an access control list can be better can enable better review of objects right we can look at an object we can know exactly what subjects have access to that object but the other way also works in reverse where a capability list we have better access review of subjects we can say okay what does this you know this subject this person what can they access right otherwise we have to literally scan the whole system look at every single file to see what things they can access again and again the idea of revocations what do we mean by revocation here removing access right revoking access so again similar idea if we want to revoke access to a certain object we can easily do that in an ACL model we can remove everyone's access just by modifying the metadata of that object and capabilities are better on a subject faces we're good so when we come back on Tuesday we'll talk about the UNIX access control list we'll actually look at exactly how that works