In the late 1960s, a great deal of research and development was dedicated to the problem of achieving security in multiuser computer systems. Much of the development work involved attempts to find all the things that could go wrong with a system's security and then to correct those flaws one by one. It became apparent to the researchers that this process was ineffective; effective system security could result only from a basic model of the structure of a secure computer system. The reference monitor concept was proposed as such a model and gained wide acceptance.
Reference Monitor Concept
According to the reference monitor concept, a computer system can be depicted in terms of subjects, objects, an authorization database, an audit trail, and a reference monitor, as shown in Figure 1, Reference Monitor. The reference monitor is the control center that authenticates subjects and implements and enforces the security policy for every access to an object by a subject.
Figure 1 Reference Monitor
The following table describes the elements shown in Figure 1, Reference Monitor:
| Item | Element | Description |
|------|---------|-------------|
| 1 | Subjects | Active entities, such as user processes, that gain access to information on behalf of people. |
| 2 | Objects | Passive repositories of information to be protected, such as files. |
| 3 | Authorization database | Repository for the security attributes of subjects and objects. From these attributes, the reference monitor determines what kind of access (if any) is authorized. |
| 4 | Audit trail | Record of all security-relevant events, such as access attempts, successful or not. |
How the Reference Monitor Enforces Security Rules
The reference monitor enforces the security policy by authorizing the creation of subjects, by granting subjects access to objects based on the information in a dynamic authorization database, and by recording events, as necessary, in the audit trail. In an ideal system, the reference monitor must meet the following three requirements:
Mediate every attempt by a subject to gain access to an object
Provide a tamperproof database and audit trail that are thoroughly protected from unauthorized observation and modification
Remain a small, simple, and well-structured piece of software so that it is effective in enforcing security requirements
These are the requirements proposed for systems that are secure even against penetration. In such systems, the reference monitor is implemented by a security-related subset, or security kernel, of the operating system.
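The model described above, as an added example that is not part of the original page or of any operating system's code: a toy reference monitor in Python in which every read or write of an object passes through one mediation function that consults the authorization database and records the attempt, allowed or denied. The class and method names are hypothetical, and the SHA-256 hash chain is an assumed stand-in that makes the audit trail tamper-evident rather than tamperproof.

```python
import hashlib
import json

GENESIS = "0" * 64  # chain anchor for the first audit record (assumption)


def _digest(event):
    # Stable hash of one audit record's fields.
    return hashlib.sha256(json.dumps(event, sort_keys=True).encode()).hexdigest()


class ReferenceMonitor:
    """Hypothetical model: all access to objects goes through _mediate()."""

    def __init__(self):
        self._objects = {}     # objects: passive repositories (name -> data)
        self._authz = {}       # authorization database: (subject, object) -> modes
        self.audit_trail = []  # security-relevant events, successful or not

    def create_object(self, name, data=""):
        self._objects[name] = data

    def grant(self, subject, obj, *modes):
        self._authz.setdefault((subject, obj), set()).update(modes)

    def _mediate(self, subject, obj, mode):
        # Default deny: no matching entry in the database means no access.
        allowed = obj in self._objects and mode in self._authz.get((subject, obj), set())
        prev = self.audit_trail[-1]["digest"] if self.audit_trail else GENESIS
        event = {"subject": subject, "object": obj, "mode": mode,
                 "allowed": allowed, "prev": prev}
        event["digest"] = _digest(event)  # links this record to the previous one
        self.audit_trail.append(event)
        if not allowed:
            raise PermissionError(f"{subject} may not {mode} {obj}")

    def read(self, subject, obj):
        self._mediate(subject, obj, "read")
        return self._objects[obj]

    def write(self, subject, obj, data):
        self._mediate(subject, obj, "write")
        self._objects[obj] = data

    def audit_intact(self):
        # Recompute the chain; any edited or removed record breaks it.
        prev = GENESIS
        for event in self.audit_trail:
            body = {k: v for k, v in event.items() if k != "digest"}
            if event["prev"] != prev or _digest(body) != event["digest"]:
                return False
            prev = event["digest"]
        return True
```

Denied attempts are written to the audit trail before the exception is raised, so a failed access is recorded just as a successful one is.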