A reference monitor is an approach to implementing a secure system based on access control. Any system can be described in terms of subjects, objects, an authorization database, an audit trail, and a reference monitor, as shown in Figure 1. The reference monitor is the control center: it authenticates subjects and implements and enforces the security policy for every access to an object by a subject.
Figure 1: Reference Monitor
This is the basic design for the reference monitor. It’s the component in the middle that does all of the work. In an OS it is built deep inside the system, but the same pattern works anywhere, in any system.
Description of elements of the reference monitor
| Element | Description |
| --- | --- |
| Subjects | Active entities, such as user processes, that gain access to information on behalf of people |
| Objects | Passive repositories of information to be protected, such as files |
| Authorization database | Repository for the security attributes of subjects and objects. From these attributes, the reference monitor determines what kind of access (if any) is authorized |
| Audit trail | Record of all security-relevant events, such as access attempts, successful or not |
How the Reference Monitor Enforces Security Rules
The reference monitor enforces the security policy by authorizing the creation of subjects, by granting subjects access to objects based on the information in a dynamic authorization database, and by recording events, as necessary, in the audit trail. In an ideal system, the reference monitor must meet the following three requirements:
- Mediate every attempt by a subject to gain access to an object
- Provide a tamperproof database and audit trail that are thoroughly protected from unauthorized observation and modification
- Remain a small, simple, and well-structured piece of software so that it is effective in enforcing security requirements
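The following is an added example, not code from the original page: a minimal reference monitor in Python that owns the objects, so every access by a subject passes through one mediation point, consults an authorization database, and appends every attempt (allowed or denied) to the audit trail. The subjects, objects and permissions are constructed sample data.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample: the monitor holds the objects privately, so the only way a
# subject can reach an object's contents is through access(), which mediates
# every call (the "mediate every attempt" requirement above).


@dataclass
class Subject:
    name: str
    authenticated: bool = True  # result of the monitor's authentication step (assumed)


@dataclass
class ReferenceMonitor:
    # Authorization database: (subject name, object name) -> permitted operations.
    authz_db: Dict[Tuple[str, str], Set[str]]
    # Objects: passive repositories of information, protected by the monitor.
    objects: Dict[str, str]
    # Audit trail: (subject, object, operation, decision), appended on every attempt.
    audit_trail: List[Tuple[str, str, str, str]] = field(default_factory=list)

    def access(self, subject: Subject, obj: str, op: str,
               data: Optional[str] = None) -> Tuple[bool, Optional[str]]:
        """Mediate one access. Returns (allowed, payload); payload is the object
        contents on an allowed read and None otherwise."""
        allowed = bool(
            subject.authenticated
            and obj in self.objects
            and op in self.authz_db.get((subject.name, obj), set())
        )
        # Failed attempts are security-relevant events too, so record both outcomes.
        self.audit_trail.append(
            (subject.name, obj, op, "ALLOW" if allowed else "DENY"))
        if not allowed:
            return False, None
        if op == "read":
            return True, self.objects[obj]
        if op == "write" and data is not None:
            self.objects[obj] = data
        return True, None


def build_sample_monitor() -> ReferenceMonitor:
    """Constructed authorization database and objects for the demonstration."""
    return ReferenceMonitor(
        authz_db={("alice", "payroll.txt"): {"read", "write"},
                  ("bob", "notes.txt"): {"read"}},
        objects={"payroll.txt": "salary table", "notes.txt": "meeting notes"},
    )
```

Note that a denied attempt, an unauthenticated subject and a request for a non-existent object all leave an entry in the audit trail, which is what lets a reviewer reconstruct what was attempted, not just what succeeded.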
Reference Monitor UML Object Model Diagram
Reference Monitor DB schema diagram