221:
193:, University of Minnesota. On pp. 37-38 Denning stated: "James Anderson . . . promoted it in his community, saying that the biggest contribution of that paper was the reference monitor. That became the standard notion in everything he talked about when he was talking about how to make a system more secure."
94:
The claim is that a reference validation mechanism that satisfies the reference monitor concept will correctly enforce a system's access control policy, as it must be invoked to mediate all security-sensitive operations, must not be tampered with, and has undergone complete analysis and testing to
35:
concept defines a set of design requirements on a reference validation mechanism, which enforces an access control policy over subjects' (e.g., processes and users) ability to perform operations (e.g., read and write) on objects (e.g., files and sockets) on a system. The properties of a reference
95:
verify correctness. The abstract model of a reference monitor has been widely applied to any type of system that needs to enforce access control and is considered to express the necessary and sufficient properties for any system making this security claim.
154:
Irvine, C. E. (1999). The
Reference Monitor Concept as a Unifying Principle in Computer Security Education. In Proceedings of the IFIP TC11 WG 11.8 First World Conference on Information Security Education,
51:, i.e., amenable to analysis and tests, the completeness of which can be assured (verifiable). Without this property, the mechanism might be flawed in such a way that the security policy is not enforced.
164:
Anderson, R. (2008). Security engineering - A guide to building dependable distributed systems (2nd ed.). New York, NY: John Wiley & Sons
Publishing, Inc. Chapter 8, "Multilevel Security"
87:, was designed to contain a reference monitor, although it is not clear that its properties (tamperproof, etc.) have ever been independently verified, or what level of
258:
110:
282:
131:
58:. Without this property, it is possible for the mechanism to not perform when intended, allowing an attacker to violate the security policy.
251:
173:
Anderson, J. 'Computer
Security Technology Planning Study', ESD-TR-73-51, US Air Force Electronic Systems Division (1973). Section 4.1.1
277:
106:
in a 2013 oral history stated that James
Anderson credited the concept to a paper he and Scott Graham presented at a 1972 conference.
244:
17:
190:
67:. Without this property, an attacker can undermine the mechanism itself and hence violate the security policy.
16:
This article is about the computer operating system component. For broadcast reference monitor, see
102:, the reference monitor concept was introduced by James Anderson in an influential 1972 paper.
88:
63:
228:
103:
99:
28:
206:
174:
21:
271:
80:
72:
44:, so that an attacker cannot bypass the mechanism and violate the security policy.
220:
84:
76:
75:
and 9x operating systems were not built with a reference monitor, whereas the
132:"Windows Kernel-Mode Security Reference Monitor - Windows drivers"
186:
232:
36:
monitor are captured by the acronym NEAT, which means:
175:
http://csrc.nist.gov/publications/history/ande72.pdf
113:(TCSEC) must enforce the reference monitor concept.
252:
8:
111:Trusted Computer System Evaluation Criteria
61:The reference validation mechanism must be
54:The reference validation mechanism must be
47:The reference validation mechanism must be
40:The reference validation mechanism must be
259:
245:
109:Systems evaluated at B3 and above by the
122:
7:
227:This security software article is a
217:
215:
20:. For audio reference monitor, see
231:. You can help Knowledge (XXG) by
14:
283:Computer security software stubs
219:
1:
91:it was intended to provide.
18:Broadcast reference monitor
299:
214:
79:line, which also includes
15:
278:Operating system security
191:Charles Babbage Institute
130:tedhudek (2018-10-16).
187:Oral history interview
185:Peter J. Denning,
136:docs.microsoft.com
240:
239:
89:computer security
33:reference monitor
29:operating systems
290:
261:
254:
247:
223:
216:
194:
183:
177:
171:
165:
162:
156:
152:
146:
145:
143:
142:
127:
298:
297:
293:
292:
291:
289:
288:
287:
268:
267:
266:
265:
212:
207:Security kernel
203:
198:
197:
184:
180:
172:
168:
163:
159:
153:
149:
140:
138:
129:
128:
124:
119:
31:architecture a
25:
12:
11:
5:
296:
294:
286:
285:
280:
270:
269:
264:
263:
256:
249:
241:
238:
237:
224:
210:
209:
202:
199:
196:
195:
178:
166:
157:
147:
121:
120:
118:
115:
69:
68:
59:
56:Always invoked
52:
45:
42:Non-bypassable
22:Studio monitor
13:
10:
9:
6:
4:
3:
2:
295:
284:
281:
279:
276:
275:
273:
262:
257:
255:
250:
248:
243:
242:
236:
234:
230:
225:
222:
218:
213:
208:
205:
204:
200:
192:
188:
182:
179:
176:
170:
167:
161:
158:
151:
148:
137:
133:
126:
123:
116:
114:
112:
107:
105:
104:Peter Denning
101:
100:Ross Anderson
98:According to
96:
92:
90:
86:
82:
78:
74:
71:For example,
66:
65:
60:
57:
53:
50:
46:
43:
39:
38:
37:
34:
30:
23:
19:
233:expanding it
226:
211:
181:
169:
160:
150:
139:. Retrieved
135:
125:
108:
97:
93:
81:Windows 2000
70:
64:Tamper-proof
62:
55:
48:
41:
32:
26:
73:Windows 3.x
272:Categories
141:2018-11-20
117:References
85:Windows XP
77:Windows NT
49:Evaluable
201:See also
155:27--37
229:stub
83:and
27:In
274::
189:,
134:.
260:e
253:t
246:v
235:.
144:.
24:.
Text is available under the Creative Commons Attribution-ShareAlike License. Additional terms may apply.