1. Need for protection
    1. Low security
      1. Keep machines administered
      2. Keep files private
      3. Allow only authorized users to access machines
    2. High Security
      1. Absolutly cannot break
      2. Defined by Gov as things like C2, B2, etc.
      3. Requires auditing, testing, etc.
    3. Very High Security
      1. Purpose -- keep cooperating processes from communicating
      2. Label data as secret, top secret, etc.
      3. Keep track of flows, prevent all flows from low to high.
  2. Types of access
    1. Read
    2. Write
    3. Append
    4. Exec
      1. Different from read
      2. Can need memory protection.
    5. Create
      1. Only makes sense for directories
      2. Useful for tmp directory
    6. Delete
  3. Types of protection schemes
    1. Access control matrix
      1. List each file, user.
      2. Versitle, easy, but files*users in size.
    2. Access control lists
      1. Becoming popular
      2. Just list within the ACL what users can access what files.
      3. Can list groups instead of users.
      4. EXAMPLE: file1: user1 (RW) user2 (R)
      5. Can include wildcards, but must be careful to make fast.
      6. Often includes default (for files not listed).
      7. Utility programs or OS must move/copy ACL entries with files.
    3. Lockwords
      1. Password per file/directory/subdir-tree
      2. Must remember the passwords
    4. Unix scheme
    5. Tokens (Andrew) Capabilities
      1. Each app has one or more tokens
      2. Presenet token when want to access the file.
      3. Tokens can never be revoked.
      4. Groups implemented by sharing tokens.
      5. Cannot remove one member from a group.