Reconsidering the role of the reference monitor [computer system security]

This paper reexamines the role that the reference monitor plays in providing security for a computer system. The reference monitor, aided by a few supporting mechanisms, establishes the system security perimeter at its own boundary along which it enforces the system's security policy. In this view, the reference monitor is the primary security enforcing component of a trusted system. For this reason, the reference monitor is the focus of the TCSEC approach to assurance.<<ETX>>