Reference Monitor (Dictionary Entry)

Definitions

Definition 1

The system component that mediates every access of subjects to objects in accordance with a security policy that governs these accesses.

Quotes

At the core of an access-control system is the secure evaluation of whether an established identity has access to a particular computing resource, also referred to as an object. A resource can be a service of some kind, an information receptacle such as a file, or a Web resource such as a uniform resource identifier (URI). Access control is decided over an existing security context and a controlled resource. Modern access-control mechanisms are based on the reference monitor concept introduced in the early 1970s by Lampson [LAMP74]. A reference monitor is the TCB component of a computing system that mediates every access of a subject to a resource in accordance with a security policy that governs such access. The policy may be implemented in the form of rules and attributes associated with a registry of subjects and a registry of objects. The rules can be static access rights (permissions), roles, or dynamically deduced rights. Figure 1.6 illustrates the concept of an access control reference monitor.

In addition to the mediation of access, a reference monitor should not be bypassed at any time, should support isolation of the security services from untrusted processes, maintain system integrity, and prevent tampering by users or system processes. The reference-monitor footprint should be kept small enough to be susceptible to rigorous verification methods. The gatekeeper approach of the reference monitor makes it an ideal component for the generation of audit trails reflecting access attempts to the resources within its confines.

(, p. 20-21)
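The quote above characterises a reference monitor by what it does: every subject-to-object access passes through one mediation point, the decision is taken against a policy expressed as rules over a registry of subjects and objects (static permissions, roles, or dynamically deduced rights), and each attempt is recorded in an audit trail. The following Python model is an added illustration of that structure; it is not code from the quoted text, from Lampson, or from any cited system. The subjects, objects, roles, clearance levels and the three rules (a clearance check, an auditor role, and a per-object ACL) are all constructed for the example.

```python
"""Toy reference monitor: one choke point, an explicit policy, an audit trail.

Added example for this entry, not code from the quoted authors. Every
subject, object, role, clearance and rule below is constructed."""
from dataclasses import dataclass, field
from enum import Enum


class Op(Enum):
    READ = "read"
    WRITE = "write"


@dataclass(frozen=True)
class Subject:
    name: str
    roles: frozenset = frozenset()
    clearance: int = 0                      # higher = more trusted


@dataclass
class Obj:
    name: str
    classification: int                     # higher = more sensitive
    contents: str
    acl: dict = field(default_factory=dict)  # subject name -> set of Op (static rights)


class AccessDenied(PermissionError):
    pass


# Policy rules: each maps (subject, obj, op) -> (granted, reason), or None when
# the rule has no opinion. The monitor applies them in order and takes the
# first verdict; if no rule speaks, the default is deny.

def no_read_up(subject, obj, op):
    """Dynamically deduced right: nobody reads above their clearance."""
    if op is Op.READ and obj.classification > subject.clearance:
        return (False, "no read up")
    return None


def auditor_reads(subject, obj, op):
    """Role-based right: members of the auditor role may read any object."""
    if op is Op.READ and "auditor" in subject.roles:
        return (True, "role auditor")
    return None


def acl_rule(subject, obj, op):
    """Static permission recorded on the object itself."""
    if op in obj.acl.get(subject.name, set()):
        return (True, "acl")
    return None


class ReferenceMonitor:
    """Single mediation point: every access to a registered object goes through here."""

    def __init__(self, objects, rules):
        self._registry = {o.name: o for o in objects}   # registry of objects
        self._rules = list(rules)
        self.audit = []                                 # one entry per attempt, granted or not

    def decide(self, subject, obj_name, op):
        obj = self._registry.get(obj_name)
        if obj is None:
            granted, reason = False, "no such object"
        else:
            granted, reason = False, "default deny"
            for rule in self._rules:
                verdict = rule(subject, obj, op)
                if verdict is not None:
                    granted, reason = verdict
                    break
        self.audit.append((subject.name, obj_name, op.value,
                           "GRANT" if granted else "DENY", reason))
        return granted, reason

    def access(self, subject, obj_name, op):
        """Mediate the access: return the contents on grant, raise on deny."""
        granted, reason = self.decide(subject, obj_name, op)
        if not granted:
            raise AccessDenied(f"{subject.name} {op.value} {obj_name}: {reason}")
        return self._registry[obj_name].contents


def run_demo():
    """Run constructed subjects against constructed objects; return the audit trail."""
    payroll = Obj("payroll.csv", classification=2, contents="alice,100",
                  acl={"alice": {Op.READ, Op.WRITE}})
    notes = Obj("notes.txt", classification=0, contents="todo",
                acl={"bob": {Op.READ}})
    monitor = ReferenceMonitor([payroll, notes], [no_read_up, auditor_reads, acl_rule])

    alice = Subject("alice", clearance=2)
    bob = Subject("bob")
    carol = Subject("carol", roles=frozenset({"auditor"}), clearance=1)

    for subject, obj_name, op in [
        (alice, "payroll.csv", Op.READ),   # static ACL right
        (bob, "payroll.csv", Op.READ),     # blocked by clearance
        (carol, "payroll.csv", Op.READ),   # role does not override clearance
        (carol, "notes.txt", Op.READ),     # role grants the read
        (bob, "notes.txt", Op.WRITE),      # no rule grants it: default deny
        (alice, "secrets.txt", Op.READ),   # unknown object
    ]:
        monitor.decide(subject, obj_name, op)
    return monitor.audit


if __name__ == "__main__":
    for entry in run_demo():
        print(entry)
```

Two design points follow from the quote. First, the rule order encodes precedence: the clearance check runs before the role and ACL rules, so a role or a permission can never grant a read the clearance forbids, and anything no rule grants is denied by default; the policy stays a short, tabular list that can be inspected rule by rule, which is the "small enough to verify" property. Second, the model shows what Python alone cannot enforce: any code holding an `Obj` can read `obj.contents` without calling `access`, so non-bypassability and tamper resistance are not properties of this class but of the isolation boundary (a kernel, hypervisor or separate process) behind which a real monitor and its object registry must sit.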

While we're asking questions, let's get right to the most sacred cow of all, the reference monitor. I have never seen a rigorous proof that a reference monitor provides a secure system. Even such simple words as "mediates every access to every object" can become surprisingly fuzzy and open to a wide variety of interpretations. Certainly, the reference monitor concept is useful and captures some aspects of security. But, what is the fundamental notion of secure system that is embodied in a reference monitor? Let's see if we can state that definition and prove that a system (even a toy one) with a reference monitor satisfies it. Let's study what the logical consequences of that definition are. This surely would be very enlightening.

Are reference monitors an essential requirement for security, as the TCSEC imply? Is it possible to build a secure system without a reference monitor? Of course it is. Our research group has built and proved two secure systems, the Encrypted Packet Interface and the Message Flow Modulator. Both of these examples have full "code proofs." Neither of them contains a reference monitor. In both of these examples, there are many references to security sensitive objects that are not mediated. Also, neither of these examples is based on a state sequence definition of security. I'll be happy to match the security of these systems against the security of any reference-monitor based system.

()

Bibliography

See Also


This wiki is owned by Open Measure, a non-profit association. The original content we publish is licensed under a Creative Commons Attribution 4.0 International License.