Access Controls Part 1: Computer Security Lectures 2014/15 S2

00:00

okay so this week we are talking about

00:02

access controls so access controls are

00:06

the things that it put in place on a

00:09

computer system that restrict what

00:12

people and programs are allowed to do

00:14

basically so very very important in

00:16

terms of security one of the most

00:18

important topics I would say uh in the

00:21

entire computer security like curriculum

00:24

so this is particularly important and

00:26

also something that I uh that is related

00:29

to research and things that that

00:31

I am involved in so there is quite a lot

00:36

of terminology in this lecture um but it

00:39

is quite important so just um bear with

00:42

me so as we know the term Access Control

00:45

can refer to physical security so we

00:48

when when there are access controls in

00:50

place it's literally you know doors and

00:53

Gates and all that sort of stuff that

00:54

keep people out when they're not

00:55

supposed to be you know in certain areas

00:58

so when you use a badge to swipe into an

01:00

area that's an access control um but

01:03

what we're focused on for this lecture

01:06

is the digital access control side of

01:08

things and it's very analogous like it's

01:09

a very similar concept and a lot of the

01:12

same Theory applies that we're about to

01:14

talk about but we are I'm particularly

01:17

focusing on the computer security side

01:20

of things so digital digital access

01:22

controls are the things that restrict

01:24

access to resources and the various

01:26

interactions with um you know different

01:28

programs and things on a F so it's all

01:31

about authorization so that's what a

01:34

subject's allowed to perform in order to

01:36

do that we need to have already done

01:38

authentication so the stuff from last

01:40

week about how do you know someone is

01:42

who they say they are you need to do

01:44

that first once you know that that

01:47

person is who they say they are now you

01:49

can start to enforce access controls so

01:51

you can say okay yeah so Chris come

01:54

tries to enter a room for example you

01:56

show your badge I check the photos the

01:58

same so okay you are authenticated

02:00

I I'm convinced that you're that you're

02:03

Chris uh then I might look at the list

02:06

of people allowed in the room and if

02:08

your name's on that list then you're

02:10

alled in so that first step is um

02:13

authentication checking who you are uh

02:15

and then the access control is the

02:17

authorization step where we actually

02:18

check what you're authorized to do um

02:22

and the important thing is this

02:23

immediates subject's access to objects

02:26

so subject is just the um person or the

02:30

thing doing something so in a computer

02:32

system it might be the program that's

02:34

running so that process is the the

02:37

subject of the access control it's

02:38

trying to do something and when we're

02:40

making Access Control decisions it's

02:42

what is that subject allowed to access

02:46

is that subject allowed to access this

02:48

object and object are just mostly static

02:51

resources so files but also if a

02:55

um you can also say an object might also

03:00

be a process because if a process is

03:02

trying to access another process in that

03:05

situation the the process that's acting

03:08

you would say is the subject and the

03:09

process they're trying to connect to is

03:10

the object um

03:13

and uh also if you're trying to access

03:16

the network that that might also be

03:18

referred to in those terms as well but

03:21

it's all about enforcing a security

03:22

policy so we need some policy so some

03:25

rules that state who's allowed to do

03:28

what um and then we're going to enforce

03:30

that with our access controls so we're

03:33

aiming for complete mediation which

03:35

means that we really want the security

03:38

to work and the program shouldn't just

03:40

be able to access some other program to

03:44

get the the files that they need to that

03:46

they want to access like there has to be

03:48

a consistent way that the security is um

03:52

enforced so for example if I was a

03:54

person standing at the door checking

03:56

name badges like are you allowed in this

03:58

room if there was another door at the

04:01

back of the building and no one was

04:02

guarding that that would fail the

04:04

complete mediation test right so that

04:06

would be a bad security design because

04:08

someone just come in through the other

04:10

door so in order to work we need to

04:12

actually have just like one way of

04:14

accessing a resource and we need to um

04:17

be able to carefully Define how that

04:21

behaves um and one of the ways that we

04:23

are sure that it's going to work is by

04:26

thinking about the trusted Computing

04:27

base so trusted Computing Bas or the TCB

04:31

is basically a term that represents all

04:34

of the software and hardware and all of

04:37

the parts and pieces that go together to

04:40

enforce the policy so if we're talking

04:43

about like a Linux or Windows system for

04:45

example that's basically most of the

04:47

operating system so uh let's just say

04:50

Linux for example the kernel every Pro

04:53

process is running on that system as

04:55

root um basically um

05:00

whatever login programs there are and

05:01

all all those sorts of things that's all

05:03

part of the trusted Computing base

05:04

because if there are any vulnerabilities

05:05

in any of that stuff the security is all

05:07

going to break so that you know the

05:10

security like the kernel is particularly

05:13

important that it is enforcing Security

05:15

in the correct way um so yeah even

05:19

Hardware so there's a news item I don't

05:21

know if you've heard from this week very

05:23

clever exploit where um basically by

05:26

flipping bits um in memory

05:31

in on a certain type of um Hardware it's

05:34

possible to basically corrupt um

05:37

different set of memory which can result

05:39

in privilege escalation in in Linux

05:42

basically I mean it's it's incredibly

05:44

it's incredibly clever but um so

05:46

Hardware also comes into it um so all

05:50

these things go together to actually

05:52

enforce uh the

05:54

security

05:56

um if we can if the person can basically

06:01

avoid the security controls then we're

06:04

you know it's not good so another

06:07

example that might be email in an

06:09

organization if you have this really

06:11

clever Access Control policy that

06:14

specifies which people within an

06:15

organization are allowed to access

06:17

certain files say it's a really

06:20

difficult system to use people might

06:21

just end up emailing all the files they

06:23

need back and forth between each other

06:25

and that's that's horrible right that's

06:27

the worst thing for security because now

06:28

they're going around the thing that's

06:31

supposed to keep those files controlled

06:33

and who can access them as soon as

06:34

people start just like ignoring that and

06:37

emailing things to each other then you

06:39

know that Security Systems Failing so

06:42

ideally it shouldn't be possible to um

06:45

not access things through our security

06:48

system reference monitor is basically a

06:51

concept that that there is this thing

06:55

that you use to access the files so

06:58

again on Linux it's the kernel every

07:01

time you go to access a file that

07:04

request is via a system call so a

07:06

program says to the Kel hey give me this

07:08

file and the Kel says uh let me just

07:12

check if that's okay and then if it is

07:14

okay it gives the um basically gives

07:18

access to that file to that program so

07:21

every single access to a file goes via

07:24

the kernel and a specific set of you

07:27

know the security subsystem Within the

07:29

kernel so that's basically reference

07:32

monitor where you have something that

07:34

mediates access to everything the

07:37

protection State against more

07:39

terminology um is like the this

07:43

complete state that the computer is in

07:47

in terms of you know all of the um

07:50

processes and all the identity

07:51

associated with them all security

07:54

context is the identity or the

07:57

information assigned to each sub subject

08:00

that is used to inform the access

08:02

decisions so uh if we were talking about

08:06

this exam the analogy that I've said had

08:08

before of you know standing at the door

08:09

I might you know check people's name

08:11

badges you know is David allowed into

08:13

this room is Chris allowed in the room

08:15

all in the room um the security context

08:18

in that situation is if I've checked

08:22

your name badges already the security

08:24

context is the information written on

08:26

your name badge that's the information

08:27

the person at the door is using to make

08:29

that decision so uh on a Linux system

08:32

that's the uid and the G and other

08:34

security information that is associated

08:37

with each of those processors so you

08:38

guys are processors on a computer and

08:40

you're trying to access something look

08:42

at your name badge what does your uid

08:44

say is that user allowed to access it

08:48

um

08:50

the thing the stuff happens on a

08:52

computer though where you might change

08:54

your name badge so you might Maybe I

08:59

don't know maybe Umar has permission to

09:02

sometimes act on taz's behalf right so

09:06

so you Tas may have in the past said

09:08

yeah I don't it's fine you can you can

09:10

you can access that file for me or go

09:12

into the room for me here here's a name

09:15

badge and then and and it's a piece of

09:17

paper that says you're allowed to use my

09:19

name badge or something and then you

09:20

might put your put taza's name badge

09:22

over the top of your name badge um and

09:25

in that situation you've assumed that

09:27

identity and that's okay but the act of

09:30

doing that is a transition in the

09:32

protection state of the system because

09:34

things have now changed and now you're

09:35

acting with a different set of

09:36

permissions so it's really important on

09:39

a computer system to clearly Define what

09:43

kinds of con security context changes

09:46

are allowed how are those um

09:49

transitions what are what are what are

09:51

you allowed to do what how are you

09:53

allowed to change it that needs to be

09:54

really tightly controlled obviously and

09:56

it might be that you need to actually go

09:58

up to someone else and say can you swap

10:00

open my name badge you know you

10:01

shouldn't just be able to randomly

10:03

change your own name badge um so again

10:06

that's an analogy for on a computer

10:08

where you might um change your uid so

10:11

that you can do something that you're

10:12

not normally allowed to do so um there

10:16

are various ways you can do that on a um

10:20

on a Unix

10:21

system um and that needs to be very

10:24

tightly

10:25

controlled so an access control Matrix

10:28

is the simplest way of

10:31

describing a uh Security State and

10:36

basically it's just a massive table

10:39

explaining every single access

10:42

permission that is possible and whether

10:44

it's allowed so in this case we have

10:46

user a user B you know a list of all the

10:48

different every single user is on this

10:51

table and every single resource that's

10:54

on the computer or in the room or

10:56

whatever is all uh laid out in this

10:59

tables and then for each of these cells

11:02

is whether or not that subject is

11:04

allowed to access to that object and in

11:06

what ways um

11:09

so in this example here user a is

11:12

allowed to read and write to file one

11:14

and actually that user owns that file so

11:17

they're allowed to change permissions

11:19

and things for that file um whereas user

11:22

B is not allowed to read or write to the

11:24

file they're only allowed to append to

11:25

the file so they can just stick

11:27

something at the end of it they can't

11:28

access what is inside the file or change

11:30

what's inside the file and and so on so

11:34

this is an access control

11:36

Matrix but this is basically an abstract

11:39

way of thinking about things because in

11:41

reality um you would never use this

11:45

system because just you

11:47

know how many

11:51

people you know this table is just going

11:53

to be massive once you've got 100 files

11:56

you know and 10 users it just become

11:58

becomes no unmanageable so that's not

12:01

the way that we um store information

12:03

about security but it is one way of

12:05

thinking about it um so we actually need

12:07

some kind of implementation to actually

12:09

enforce this and also you need to Define

12:11

what does this mean what does reading

12:12

mean you know what does writing mean and

12:14

owning what do own give you the ability

12:16

to do

12:18

so but the nice thing about an access

12:21

control Matrix this big table is you can

12:23

use it to express any policy you can if

12:25

you got this massive table if you can

12:29

Express anything this way so so I could

12:31

say that you know you three are allowed

12:34

to access these files and you guys are

12:35

allowed to access this in these ways and

12:37

everything like that um but yeah it's

12:40

mostly used for theoretical you know

12:42

analysis and things it's not actually

12:44

used in real life but we will come back

12:47

to that in order to explain you know

12:49

different types of security systems so a

12:52

policy um defines what's allowed so that

12:55

can either be formally or informally so

12:57

a formal policy might literally

12:59

be you know like this the this is what

13:02

these users are exactly about to do an

13:04

informal policy might be more like in a

13:06

business context the sorts of things

13:08

that you're supposed to do and and um

13:11

you know not not specifically specified

13:15

if it's just written in English it can

13:17

be you know a bit

13:19

ambiguous um but a security policy

13:22

basically defines what's secure um and

13:25

what what are the rules that we're

13:27

trying to enforce so if this is our

13:29

policy this Access Control Matrix here

13:32

if user B finds a way to write to file

13:34

one they've managed to subvert our

13:36

security system and we're in an insecure

13:38

State that's really we don't we never

13:41

want user B to be able to um you know

13:44

write to file one if they figure out a

13:47

way then things are horribly

13:49

broken

13:51

um and the way that we Define what our

13:54

policy is is going to be in terms of

13:55

like confidentiality integrity and

13:57

availability so again thinking about

13:59

those basic concepts in security um you

14:03

know are do we want people to be able to

14:05

read certain information we are they

14:06

allowed to change it and you know is it

14:08

available to them

14:09

basically um can you guys think of

14:13

practical examples of a security policy

14:16

just anything just

14:18

to you know we all know what the terms

14:22

mean yeah so for

14:25

example whether or not the information

14:28

is aailable

14:29

[Music]

14:31

Oran yeah yeah so you will um often

14:35

organizations will say whether certain

14:38

resources are supposed to be publicly

14:40

available and a lot of time there's a

14:41

lot of information that shouldn't be

14:43

available for the public and I don't

14:45

know can you think of an

14:47

example of when information that we

14:50

wouldn't want to

14:54

share that's a reason but yeah finances

14:57

finances is a good answer company

14:59

policies sorry company policies company

15:02

policies yeah you know some of that

15:04

stuff you don't really want everyone to

15:06

see um so yeah there's all sorts of

15:09

reasons why you don't want stuff to be

15:11

available and in that case um are we

15:14

talking about confidentiality Integrity

15:16

or

15:18

availability conf yeah so it's about

15:22

what someone has you know the ability to

15:24

read so that's confidentiality if we're

15:26

talking about whether someone can change

15:28

something we're talking about integrity

15:30

and whether it's something that's

15:31

available as

15:33

availability um yeah okay so you know as

15:38

as we've discussed a mechanism is

15:40

something that enforces a

15:42

policy um so for example a firewall is a

15:46

mechanism right it's a thing that does

15:49

something a model is a way of

15:51

representing a policy or types of

15:53

policies um so we're starting to get a

15:55

bit abstract so a way of representing

15:58

the the kinds of rules so for example

16:00

the um you know this Access Control

16:03

Matrix that's like a security model

16:07

um and again we are I'm introducing

16:10

quite a lot of terminology but this is

16:11

really important especially if you end

16:12

up working on the defensive side of

16:14

security you know or any type of

16:16

security it is important to understand

16:18

this stuff so okay we just s all this so

16:22

confidentiality deals with sorry

16:24

confidentiality policy deals o only with

16:27

confidentiality

16:29

so there are types of security systems

16:31

that the military use for example where

16:33

the most important thing to them is that

16:35

things St remain confident confidential

16:38

so there are security systems they have

16:40

that will basically won't stop someone

16:42

from altering information as long as

16:45

they can't see the stuff they're not

16:46

allowed to see like that's like the most

16:48

important thing to them an Integrity

16:50

policy Deals Only with Integrity they

16:53

really it doesn't matter what people can

16:55

see but it's super important that no one

16:58

can alter this information that's like

17:01

the most important goal for us and that

17:03

is often the case in like a commercial

17:05

setting um but in reality as like you

17:08

can probably guess when I'm saying this

17:10

most people want a bit of

17:12

confidentiality and integrity so we have

17:14

like a mixed model um so real life

17:16

policies do a bit of both um you know

17:19

but there usually is an emphasis on one

17:21

or

17:21

another so some types of access control

17:25

so these are Access Control models uh

17:27

there's nondescript access control which

17:29

is also known as mandatory access

17:31

control and there's discretionary Access

17:33

Control those are the two big ones so

17:35

I'm going to talk about those so

17:38

nondiscretionary access

17:40

control or mandatory access control um

17:43

it's one of those areas where the people

17:45

don't agree with the terminology that

17:46

you should be using basically manat

17:49

access

17:49

control is when a a system um

17:54

administrator or a Security

17:55

administrator gets to configure the

17:57

security role uh rules and that applies

17:59

to everyone so if I for example had this

18:03

list of who's

18:04

allowed hang on let's let's adjust the

18:07

analogy so it works better um say we've

18:11

got a room and uh this analog is really

18:15

boring got filing cabinets and there's

18:18

certain filing cabinets have different

18:20

types of information in them um so for

18:23

example one might be for finances one

18:25

might be for um use

18:28

uh Personnel information right and all

18:31

of you guys have name badges and you're

18:33

allowed in the room but someone's

18:35

standing next to these two filing

18:37

covenants and just checking that you're

18:38

allowed to access that filing Covenant

18:40

it's not a very good analogy but we

18:42

we'll go with it um so it's like it's

18:45

almost not even analogy it's like what's

18:47

happening on a computer so okay so

18:49

that's what's happening um if I get to

18:53

write all the

18:55

rules about that information then we've

18:58

got a mandatory access control system so

19:00

you guys have no say over what you're

19:02

allowed to access because I've labeled

19:05

all of the files in these and filing

19:07

covenants with information that says

19:09

this file is about Personnel information

19:13

this file is about um you know all the

19:16

everything in this folder is about

19:18

finances and then I've written on your

19:21

name tags you know your name and then on

19:24

my little piece of paper that no none of

19:26

you get to touch it says

19:28

list of names and who and whether or not

19:30

you're allowed to access certain things

19:32

right that's manag Access Control you've

19:34

got no choice you can't change any of

19:36

the security policies you are subject to

19:38

them uh and you have to basically uh

19:41

you've got no ownership over any of

19:43

those files either you just have access

19:44

to them and um the rules specify what

19:47

you're allowed to do so that is manager

19:49

access control so it works well when the

19:51

organization owns all of the data so all

19:54

the information is owned by the

19:55

organization and I want to keep like

19:57

tight control over what you're allowed

19:58

to do so for example in the military or

20:01

government that's often the case so I I

20:04

really know that you're only supposed to

20:06

access certain stuff um and it can

20:10

prevent the problem where you guys if

20:12

you were allowed to change who's allowed

20:13

to access what and you made a mistake

20:15

you might accidentally end up doing

20:18

something that you don't mean to do so

20:19

that stops you from making mistakes and

20:22

it's really predictable for me being the

20:24

person that's in control of all these

20:26

files and everything I know what's going

20:29

to happen it's it's quite

20:31

straightforward

20:33

um usually the way that works on a

20:35

computer is you you literally attach a

20:38

security context label to an object so I

20:42

attach some information to each

20:44

individual file on the computer um and

20:47

also I attach a separate label to every

20:50

single running um process or every user

20:53

on a system And Then There are rules

20:55

that say what's allowed to happen so

20:56

it's literally exact the analogy is not

20:58

too bad so in in this example if I had

21:01

certain um printouts and I put a sticky

21:04

note on it that said you know is this a

21:06

per is is this specific file a um you

21:12

know Personnel information or Finance

21:14

information and then I look up on my

21:16

name and I look you know is Chris

21:18

allowed to access finances uh I I say

21:21

yes so yeah okay so you you can access

21:23

it that's what happens on a computer

21:26

basically um

21:29

so uh so yeah there's rules that Define

21:31

what's that to happen um some ways of

21:35

modeling traditional mandatory access

21:38

controls is using like formal math so

21:40

there's like actual like a notation that

21:43

describes exactly how this model Works

21:45

um and the seminal models are very

21:48

important um traditional like papers and

21:51

um models that have been proposed uh

21:54

such as Bell and lapadula model which is

21:58

focused entirely on confidentiality and

22:00

the bber model which is um entirely

22:03

about strong

22:04

Integrity

22:07

um but uh it's starting to become the

22:11

case

22:13

where there are certain abil there is a

22:18

there are

22:20

some security features in things you

22:23

know consumer operating systems like

22:25

Windows and Linux where we can do things

22:27

like this

22:28

where we can Define security rules that

22:31

the users have no say over so for

22:33

example on Linux we can use SE Linux and

22:35

app armor and that stuff that we'll look

22:36

at in the next Topic in the module um

22:38

when we start looking at virtualization

22:40

sandboxing and

22:41

things um but for the most part systems

22:45

aren't based on what we've just

22:47

described right what I've just described

22:49

is not the way that most windows and

22:51

Linux systems work so the way that they

22:53

work is via discretionary access control

22:56

which is where users own the files and

22:59

get to choose who can access them

23:01

basically so in this previous thing

23:03

where I'm standing in front of the um

23:06

set of all all of these um files and

23:11

checking against my set of rules and

23:14

that's not exactly how it works I guess

23:17

my altering my analogy

23:20

slightly say we've got a um each user

23:25

has their own um file fer with their own

23:29

files in it um and you get to say who's

23:32

allowed to access them so in this

23:35

situation there might be a um a list on

23:38

the front of of a particular print out

23:41

where you get to say who's allowed to

23:43

access this file and I might still be

23:44

standing in front of the um the filing

23:48

covenants just to check that you're all

23:49

behaving yourselves but now you guys get

23:52

to Define what the policy is so um Chris

23:57

you might have

23:58

you know a certain file that you want to

24:01

share with David so you might change the

24:04

rules for that file and say David's

24:05

allowed to access this file and

24:07

obviously I'm standing there and check

24:08

that you only you get to write on the

24:10

front say who's allowed to access it but

24:13

now um you know it still might be that

24:17

that Stig can't can't come along and

24:20

access that file

24:22

sorry um because his name is not on the

24:24

list of who's allowed to access it but

24:26

if David comes along it's like yeah I I

24:28

know that Chris said that you're allowed

24:29

to access the file Chris owns the file

24:32

and maybe you're even allowed to say I'm

24:34

going to give away ownership of this

24:35

file to someone else and then you aren't

24:37

allowed to change those rules anymore

24:38

and the file is now owned by someone

24:40

else

24:41

yeah

24:46

Google yes yeah um yeah so you you get

24:49

to specify who's allowed to access the

24:51

file um yeah so like Google Drive that

24:54

that is a form of access controls so

24:56

there's a list of people and what

24:57

they're allowed to do on on that file um

25:01

and I don't think on Google Drive though

25:04

you can give away ownership of a file as

25:06

far as I'm aware but you can give full

25:09

letter yeah yeah so on on like a Windows

25:13

system or a Linux system you can give

25:15

the file away entirely if you want so

25:17

you can say uh yeah you own this file

25:19

now and then um you've got no longer

25:22

have any control over the permissions on

25:23

it

25:26

um but yeah so there are um ways of a

25:31

user controlling um their own files

25:35

basically and you can basically specify

25:38

what other people are allowed to do but

25:39

as you can imagine it's a little bit

25:41

chaotic right so all there's so many

25:43

interactions and ways that permissions

25:44

can change so if you are an organization

25:47

like the military that's not going to

25:49

suit your needs very well is it but for

25:52

real everyday life it works quite well I

25:54

mean it's we get by with it on on Linux

25:57

and windows

25:58

um you know we've got by on that system

26:01

for a really long time I mean it

26:03

works

26:05

um so that's that's what we're used to

26:07

using uh if you're using older version

26:09

of Windows like Windows Millennium

26:11

edition if anyone here can remember that

26:13

and earlier so like you know talking

26:15

about like Windows 98 Windows

26:19

95 Windows

26:22

3.11 there was no access controls at all

26:25

there's literally nothing in place to

26:27

stop

26:28

you from accessing each other's files it

26:30

was just freefor all in all senses of of

26:33

the word there there was no controls

26:34

there at all

26:36

um there only in Windows NT the server

26:40

systems where they actually had some

26:42

form of security actually there for

26:44

access controls and Windows XP provides

26:46

discretionary access controls but almost

26:48

everyone runs as administrator on

26:50

Windows XP for practical reasons because

26:52

if you don't run as administrator Vol

26:55

programs complain and crash um

26:58

but um you know since Windows Vista

27:02

there is actually user access control uh

27:05

is available in Windows and

27:08

um it now you're if you're using Windows

27:13

it's good because you can run as not an

27:19

administrator just a phone call from

27:22

Australia

27:23

um so

27:26

um

27:28

yeah so now you can actually have a um

27:31

Windows system where you run and you you

27:33

know it's not Poss you know hopefully it

27:36

makes it harder to just accidentally

27:38

screw up your whole system or for a

27:40

security problem to cause a huge huge

27:44

impact um but that's something we can

27:46

talk about again later Unix has had

27:49

discretionary Access Control since the

27:50

1970s so all along there've been

27:53

Security in place on a Unix

27:56

system so um the way that discretionary

28:01

Access Control usually works is the

28:04

process is a traded um based on user

28:08

identity so you know I talking about

28:09

name badges you know we've said this

28:12

before hopefully you got hopefully

28:15

you're sick of hearing me say it that

28:17

the processes on a Windows and a Linux

28:19

system is most of the security decision

28:22

is based on who started that program so

28:24

what is the user identity associated

28:26

with that program um in practice what

28:28

that

28:29

means is that

28:32

um programs can influence security

28:34

configuration so um you know a user a

28:38

program can then set permissions on your

28:40

own files and things like that because

28:42

the pro program is running with your

28:44

permission on that system and we're

28:46

going to come back to program security

28:49

throughout the module

28:50

really um so another kind of Access

28:54

Control in addition to ro base uh discre

28:57

access control and manager access

28:58

control one of the main models used to

29:01

describe access control is role based

29:03

access control and that's um usually you

29:07

use for non non um discretionary access

29:12

control so kind of a manager control

29:15

usually but basically the the idea is

29:18

that if we've got an organization

29:20

everyone who has certain roles within

29:22

the organization should be allowed to do

29:23

certain

29:24

things um and this is slightly different

29:28

from groups um but it's a similar

29:31

concept um but if we have a um I don't

29:36

know say a bank we might have a manager

29:39

role and people who are manager managers

29:42

in the bank get to access certain

29:43

information that everyone else can

29:44

access but rather than having to

29:47

manually give that person all those

29:49

permissions we just have a role that

29:50

they're allowed to assume at certain

29:52

times and maybe the same person has

29:54

multiple roles that they can activate at

29:56

various points so rather than just

29:58

giving that person always access to

30:00

everything because they're a manager

30:02

they might also have the role of being

30:03

an employee which gives them a basic

30:05

amount of access and then every now and

30:06

then they can escalate to being a

30:08

manager and then they get these extra

30:09

per missions so that's what role based

30:11

access control

30:14

is so I said we were going to come back

30:17

to that um Access Control Matrix and

30:20

this is where I will so an access

30:23

control list is the most common way of

30:25

describing permissions on a computer

30:27

system so an access control list or an

30:29

AAL is um attached to each object and it

30:35

describes the subjects that are allowed

30:37

access so um so it's like this so you

30:42

can see this diagram here this is the

30:43

original diagram we had but now attached

30:45

to each file is a list of all the

30:47

permissions for all the users on that

30:50

system

30:52

um so it basically stores all the rules

30:56

for that specific specific file attached

30:58

to each file so that's the way that um

31:01

windows and Linux works so and in

31:04

slightly different ways but similar so

31:06

on Windows they have a full access

31:08

control list associated with every

31:09

single file in the system if you go into

31:12

security properties for that file you

31:14

can see the list of all of the users and

31:17

um that are allowed to access that file

31:20

uh on Linux it's a slightly um

31:24

simplified version of that where you it

31:27

simplifies the permissions down to the

31:30

owner of the

31:31

file everyone in um a specific group

31:37

that the file has associated with it and

31:39

everyone else on the entire system so

31:40

rather than a list of every single

31:42

independent user on the system it kind

31:43

of groups people together into these

31:45

categories that's this the typical Unix

31:48

way of doing things um but it you know

31:51

it's

31:53

not Linux has lots of extra security

31:56

features in addition to that basic way

31:58

of doing things the Unix way and we'll

32:00

come back to that so basically the idea

32:03

is with an Ackle the rules are stored

32:05

with the object so that's

32:08

important capabilities yeah

32:11

sorry with ACLS

32:14

though especially Windows if you try to

32:17

edit a file access because of the ACL

32:19

yeah and you actually change you can

32:21

actually write you can actually append

32:23

the file say I'm right to it you when

32:28

you change it sometimes still you access

32:30

to it um it well no if you change the

32:35

permissions in theory and I'm not

32:37

advocating the fact that Windows does

32:39

security perfectly but if it's working

32:42

properly it well there might be multiple

32:45

layers of security things going on but

32:47

just looking at that one specific layer

32:50

right the akles because Windows uh

32:53

inherits permissions from folders and

32:56

things like that above it but but

32:58

generally the permissions on an

33:00

individual file should specify who can

33:03

access that file and if you own that

33:06

file you can change those submissions if

33:07

you don't you need to be an

33:08

administrator or the person who owns

33:10

that file to change those

33:12

submissions but you can

33:14

um yeah it should work as it's supposed

33:17

to so you can say if you're not allowed

33:19

access to it if you're actually using

33:22

your computer correctly and you've got

33:24

multiple users sharing that computer

33:26

they should have dependent user accounts

33:28

and then if you've got certain files

33:30

that you want everyone to be able to use

33:31

on that computer you would set the

33:33

permission so that everyone's allowed to

33:35

access it or certain users are allowed

33:36

to access

33:37

it um it's not good practice to have a

33:41

shared computer with everyone using one

33:43

account um it's just it's good to have

33:46

separate accounts for everyone even just

33:48

so that they don't set you don't have to

33:50

look at desktop backgrounds that you

33:52

don't like you know um but you know from

33:55

a security perspective you should be

33:56

using it

33:57

correctly um does that answer your

34:00

question sort

34:08

of

34:13

yeah okay that's fine uh so capabilities

34:17

is an alternative approach so instead of

34:20

attaching all of the information about

34:22

who's allowed to do what to the to the

34:23

objects we instead attach that

34:26

information to the

34:27

subject so basically we keep the rules

34:30

with the

34:31

processes so if for example um going

34:36

going back to our not that inventive

34:38

analogy of having physical files with

34:40

things attached to them if I had a print

34:42

out of something and I staple to it a

34:44

list of all the users that are allowed

34:46

to read that file that's an access

34:49

control list if instead I give you on

34:53

your name badge a thing that you can

34:55

clip onto it that has a list of files

34:57

are allowed to access we're now talking

34:59

about capabilities

35:01

so uh it's information that's kept with

35:03

the with the the actual subjects of the

35:06

system and obviously you need a way of

35:08

obtaining the actual capabilities um but

35:11

there's there will be some mechanism for

35:13

you to get proof a token that says

35:16

you're allowed to access something and

35:17

then when you go to access it you you'll

35:19

be allowed uh to access it so that's

35:22

what a capability

35:25

is says

35:28

Windows um is it okay to from security

35:33

perspective um to v as administrator

35:37

there only one account or you have an

35:39

administrator account you should never

35:42

ever ever run as an administrator you

35:45

should not log in as an administrator or

35:47

a root user ever because it's too easy

35:52

to well I could list how many reasons do

35:55

you want I'll give you two main ones

35:57

is that you can make mistakes that are

36:00

fatal hopefully not physically fatal but

36:02

you know you can make you accidentally

36:04

type in a command and you've just wiped

36:05

the Entire Computer like deleted the

36:07

operating

36:10

system Windows will let you do that well

36:13

there's been various problems with that

36:15

on on Windows as well but it but yeah

36:18

that still at least that's a level where

36:19

you actually need to authenticate like

36:21

on a on a Linux or Unix system you

36:24

should be logged in not as rout and then

36:26

you should have to elevate your

36:27

privileges to do the things that are

36:29

important so you type the root password

36:30

to prove that you're allow to do certain

36:32

things or if it's an auntu system you um

36:35

have the permission to basically use

36:37

your own password to do root things

36:40

which is similar to a Windows like user

36:42

account control where you can like

36:44

specifically escalate to do certain

36:45

things so the Windows security system

36:49

tries to have that balance where you

36:52

might be a administrator but you can't

36:55

just delete things without clicking

36:56

something on the screen but there have

36:58

been various problems with that

36:59

mechanism in the past so it's not it's

37:02

not perfect but it's better than

37:04

nothing um so if we're talking about

37:07

capabilities versus Arles capabilities

37:09

require applications to be aware of them

37:11

and they're they can well they're

37:13

considered to be hard to manage uh

37:15

although some people in the security

37:17

Community will strongly argue the

37:19

opposite but access

37:21

controlers are just easy in general

37:23

because we just store them with the

37:24

files so it's very straightforward

37:27

basically um and they're stored within

37:30

the file system and that's the way that

37:32

most Opera operating systems do things

37:36

um so on Windows and Unix which includes

37:38

Linux and Mac um we use AAL for

37:42

discretionary Access Control although

37:44

there are other security features that

37:46

we will talk about um in the next couple

37:48

of weeks so that's where I'm going to um

37:52

cover for now in today's lecture and

37:55

then next week we put pick this up and

37:57

talk about some specifics to do um

38:00

mostly with like Unix uh as the example

38:03

where we look at the way that the um

38:05

file per missions and access controls

38:07

and things work so the takeaway messages

38:10

from the lecture is the fact that we use

38:13

Access Control to imediate actions based

38:15

on what a subject's allowed to do and

38:17

there's a policy that defines what

38:18

you're allow what different people are

38:20

allowed to do so what you're authorized

38:22

to do um and there are things that we're

38:25

going to cover next next week about the

38:28

quite powerful and expressive ways that

38:30

we can do that in Linux um so yeah so

38:34

we're going to continue on with this

38:35

topic next week and go into some more

38:37

detail uh that's all I'm going to cover

38:39

this week