A reference monitor (Engl. Reference monitor ) is in the IT security a logical unit (an abstract model , or even a concrete implementation ) for the control and enforcement of the access rights is responsible. This means that the reference monitor decides for each access of a subject (i.e. an actor such as user or process ) to an object (data of any kind) based on rules whether the access is allowed. The following properties are decisive:
- Subjects cannot access objects directly, but only through the reference monitor.
- The reference monitor itself must be protected against manipulation.
- Secondary data (especially the definition of rules, log files, etc.) must be protected against manipulation.
- The reference monitor must have a well-defined interface .
- The behavior of the reference monitor must be clearly specified and the rules must be implemented correctly.
- The implementation of the reference monitor must be correct. Possibly. a formal verification is required for this.
These properties of the reference monitor of a security system are important criteria for assessing the security of computer systems. They are a prerequisite for certification for the higher levels of the common security certificates such as TCSEC and ITSEC .