Reference Monitors

Categories: Security

While reading some security books, I came across the term “reference monitor” a number of times. The books never really described it fully; the summary was something like “a component which validates all accesses from subjects to objects”.

I therefore researched a little, and found that the Linux Security Module (LSM) layer is an example of a reference monitor. The SELinux implementation of LSM is therefore also a reference monitor - and probably the sort of thing that the academic references mean.

With SELinux, a “security policy” is defined for the system, indicating which “labels” a caller (subject) needs to have in order to be able to access some resource such as a data-file, device-file, or network port. The SELinux layer within the kernel then intercepts every system-call made by a userspace program and validates it against the security policy.

Now the concept is a lot clearer to me…

A reference monitor can also be built in user-space for controlling access within a program, apparently. Maybe something like Spring’s aspect-oriented security annotations qualify?

Having a “reference monitor” was part of the old TCSEC certification standard which was replaced by the Common Criteria standard in 2005.