Reference Monitor

In operating systems architecture, the reference monitor concept defines a set of design requirements on a reference validation mechanism, which enforces an access control policy over subjects' (e.g., processes and users) ability to perform operations (e.g., read and write) on objects (e.g., files and sockets) on a system. The properties of a reference monitor are:

  • The reference validation mechanism must always be invoked (complete mediation). Without this property, it is possible for an attacker to bypass the mechanism and violate the security policy.
  • The reference validation mechanism must be tamperproof. Without this property, an attacker can undermine the mechanism itself so that the security policy is not correctly enforced.
  • The reference validation mechanism must be small enough to be subject to analysis and tests, the completeness of which can be assured (verifiable). Without this property, the mechanism might be flawed in such a way that the policy is not enforced.

For example, Windows 3.x and 9x operating systems were not built with a reference monitor, whereas the Windows NT line, which also includes Windows 2000 and Windows XP, was designed to contain a reference monitor, although it is not clear that its properties (tamperproof, etc.) have ever been independently verified, or what level of computer security it was intended to provide.

The claim is that a reference validation mechanism that satisfies the reference monitor concept will correctly enforce a system's access control policy, as it must be invoked to mediate all security-sensitive operations, must not be tampered with, and has undergone complete analysis and testing to verify correctness. The abstract model of a reference monitor has been widely applied to any type of system that needs to enforce access control, and is considered to express the necessary and sufficient properties for any system making this security claim.
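A minimal sketch of the three properties follows. It is an added illustration, not code from any real operating system; the class name `ReferenceMonitor`, the subjects and the object names are constructed for the example, and the policy is a simple access matrix with default deny.

```python
from types import MappingProxyType

class AccessDenied(Exception):
    pass

class ReferenceMonitor:
    """Hypothetical monitor: the only path to the protected objects."""

    def __init__(self, policy, objects):
        # Policy maps (subject, object) -> allowed operations. It is copied
        # and frozen so a caller cannot edit it after construction.
        self._policy = MappingProxyType(
            {pair: frozenset(ops) for pair, ops in policy.items()})
        # Objects are held only by the monitor (complete mediation).
        # Python cannot hide these attributes from hostile code in the same
        # process; a real monitor relies on kernel/hardware isolation.
        self._objects = dict(objects)
        self.audit = []  # every decision, allowed or denied

    def _check(self, subject, op, obj):
        # Default deny: unknown subjects and unknown objects get no rights.
        allowed = op in self._policy.get((subject, obj), frozenset())
        self.audit.append((subject, op, obj, allowed))
        if not allowed:
            raise AccessDenied(f"{subject} may not {op} {obj}")

    def read(self, subject, obj):
        self._check(subject, "read", obj)
        return self._objects[obj]

    def write(self, subject, obj, data):
        self._check(subject, "write", obj)
        self._objects[obj] = data

def demo():
    # Constructed sample policy and object store.
    rm = ReferenceMonitor(
        policy={("alice", "payroll.db"): {"read", "write"},
                ("bob", "payroll.db"): {"read"}},
        objects={"payroll.db": "v1"})
    rm.write("alice", "payroll.db", "v2")
    outcomes = [rm.read("bob", "payroll.db")]
    attempts = [(rm.write, ("bob", "payroll.db", "x")),   # right not granted
                (rm.read, ("mallory", "payroll.db")),     # unknown subject
                (rm.read, ("alice", "missing.db"))]       # unknown object
    for call, args in attempts:
        try:
            call(*args)
            outcomes.append("allowed")
        except AccessDenied:
            outcomes.append("denied")
    return outcomes, rm.audit
```

The decision logic is confined to `_check`, which is what keeps the mechanism small enough to test exhaustively against the access matrix.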

According to Ross Anderson, the reference monitor concept was introduced by James Anderson in an influential 1972 paper.

Systems evaluated at B3 and above by the Trusted Computer System Evaluation Criteria (TCSEC) must enforce the reference monitor concept.
