Jump to content

Reference monitor

From Wikipedia, the free encyclopedia

This is an old revision of this page, as edited by SyntaxPolice (talk | contribs) at 22:06, 15 June 2011 (adding references & impact of the model). The present address (URL) is a permanent link to this revision, which may differ significantly from the current revision.

"Reference monitor" redirects here. For broadcast reference monitor, see Video monitor. For audio reference monitor, see Studio monitor.

In operating systems architecture a reference monitor concept defines a set of design requirements on a reference validation mechanism, which enforces an access control policy over subjects' (e.g., processes and users) ability to perform operations (e.g., read and write) on objects (e.g., files and sockets) on a system. According to Ross Anderson [1], this concept was introduced by James Anderson in an influential 1973 paper [2]. The abstract model of a reference monitor has been widely applied to any type of system that needs to enforce access control, and is considered to express the necessary and sufficient properties for any system making this security claim [3].

  • The reference validation mechanism must always be invoked (complete mediation).
  • The reference validation mechanism must be tamperproof (tamperproof).
  • The reference validation mechanism must be small enough to be subject to analysis and tests, the completeness of which can be assured (verifiable).

For example, Windows 3.x and 9x operating systems were not built with a reference monitor, whereas the Windows NT line, which also includes Windows 2000 and Windows XP, was designed to contain a reference monitor,[4] although it is not clear that its properties (tamperproof, etc.) have ever been independently verified, or what level of computer security it was intended to provide.

The claim is that a reference validation mechanism that satisfies the reference monitor concept will correctly enforce a system's access control policy, as it must be invoked to mediate all security-sensitive operations, must not be tampered, and has undergone complete analysis and testing to verify correctness.

The Reference Monitor concept was introduced in the Computer Security Technology Planning Study (Oct, 1972) by James Anderson & Co.

Systems evaluated at B3 and above by the Trusted Computer System Evaluation Criteria (TCSEC) must enforce the reference monitor concept.

References

  1. ^ Anderson, R. (2008). Security engineering - A guide to building dependable distributed systems (2nd ed.). New York, NY: John Wiley & Sons Publishing, Inc. Chapter 8, "Multilevel Security"
  2. ^ Anderson, J. 'Computer Security Technology Planning Study', ESD-TR-73-51, US Air Force Electronic Systems Division (1973). Section 4.1.1 http://csrc.nist.gov/publications/history/ande72.pdf
  3. ^ Irvine, C. E. (1999). The Reference Monitor Concept as a Unifying Principle in Computer Security Education. IN PROCEEDINGS OF THE IFIP TC11 WG 11.8 FIRST WORLD CONFERENCE ON INFORMATION SECURITY EDUCATION, 27--37.
  4. ^ http://www.microsoft.com/resources/documentation/windowsnt/4/workstation/reskit/en-us/archi.mspx?mfr=true

See also

Stub icon

This security software article is a stub. You can help Wikipedia by expanding it.

Retrieved from "https://en.wikipedia.org/w/index.php?title=Reference_monitor&oldid=434485773"