Reference monitor concept. The reference monitor is a conceptual model for access control in which every access by a subject to an object must be approved by the reference monitor.
- Tamper-proof -- The reference monitor must protect itself from tampering. No other process should be able to interfere with the reference monitor processes or security controls.
- Simple -- The implementation of the reference monitor (called the security kernel) must be small enough to be verified. A complex security kernel evades analysis and likely contains vulnerabilities.
To the extent that the security kernel is analyzable, the assessor should review the security kernel's ability to enforce each of the reference monitor aspects.
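The properties above can be seen in a toy security kernel. This is an added example, not code from the original page; the policy format, the names `make_monitor`, `access` and `audit_log`, and the sample subjects and objects are all assumptions made for illustration. Python cannot provide real isolation, so the frozen policy only illustrates the tamper-proof property.

```python
from types import MappingProxyType

class AccessDenied(Exception):
    """Raised when the monitor refuses a request."""

def make_monitor(policy, objects):
    """Build a toy security kernel; returns (access, audit_log) functions.

    policy:  {(subject, object_name): {"read", "write"}}  (constructed format)
    objects: {object_name: contents}
    """
    # Tamper-proof (illustration only): copy and freeze the policy so later
    # changes to the caller's own dict cannot alter decisions.
    rules = MappingProxyType({k: frozenset(v) for k, v in policy.items()})
    store = dict(objects)  # objects are reachable only through access()
    log = []

    def access(subject, obj, mode, data=None):
        # Every access takes this one path; anything not granted is denied.
        allowed = mode in rules.get((subject, obj), frozenset())
        log.append((subject, obj, mode, allowed))
        if not allowed:
            raise AccessDenied(f"{subject} may not {mode} {obj}")
        if mode == "write":
            store[obj] = data
            return None
        return store[obj]

    def audit_log():
        return tuple(log)  # read-only snapshot of all decisions

    return access, audit_log

# Constructed sample policy and object store.
POLICY = {("alice", "payroll"): {"read", "write"}, ("bob", "payroll"): {"read"}}
access, audit_log = make_monitor(POLICY, {"payroll": "v1"})

def demo():
    results = [access("bob", "payroll", "read")]
    access("alice", "payroll", "write", "v2")
    POLICY[("bob", "payroll")].add("write")  # tamper with the caller's copy
    try:
        access("bob", "payroll", "write", "overwritten")
    except AccessDenied:
        results.append("denied")  # the frozen rules are unaffected
    results.append(access("bob", "payroll", "read"))
    return results
```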