In the late 1960s, a great deal of research and
development was dedicated to the problem of achieving security in
multiuser computer systems. Much of the development work involved
attempts to find all the things that could go wrong with a system's
security and then to correct those flaws one by one. It became apparent
to the researchers that this process was ineffective; effective system
security could result only from a basic model of the structure of
a secure computer system. The reference monitor concept was proposed
as such a model and gained wide acceptance.
Reference Monitor Concept
According to the reference monitor concept, a
computer system can be depicted in terms of subjects, objects, an
authorization database, an audit trail, and a reference monitor, as
shown in “Reference Monitor”.
The reference monitor is the control center
that authenticates subjects and implements and enforces the security
policy for every access to an object by a subject.
Active entities, such as user processes, that gain access to
information on behalf of people.
Passive repositories of information to be protected, such as
Repository for the security attributes of subjects and objects.
From these attributes, the reference monitor determines what kind
of access (if any) is authorized.
Record of all security-relevant events, such
as access attempts, successful or not.
How the Reference Monitor Enforces Security Rules
The reference monitor enforces the security policy
by authorizing the creation of subjects, by granting subjects access
to objects based on the information in a dynamic authorization database,
and by recording events, as necessary, in the audit trail. In an ideal
system, the reference monitor must meet the following three requirements:
Mediate every attempt
by a subject to gain access to an object
Provide a tamperproof
database and audit trail that are thoroughly protected from unauthorized
observation and modification
Remain a small, simple,
and well-structured piece of software so that it is effective in enforcing
These are the requirements proposed for systems
that are secure even against penetration. In such systems, the reference
monitor is implemented by a security-related subset, or security kernel,
of the operating system.