Notes - Computer Security MT24, Reference monitors


Flashcards

Define a reference monitor.


The part of the OS which implements access control, deciding whether a given subject may access an object.

Why must the reference monitor for access control in a computer system be implemented in hardware, and what is the name of the security property being enforced here?


Because if a process were allowed to perform any processor instruction, it could issue instructions to overwrite the operating system and disable the reference monitor.

The relevant security property is integrity.

How do modern processors implement access control?


  • Processors support a notion of security level (typically user mode/ring 3, kernel mode/ring 0).
  • Each thread of execution and each page of memory is marked with a level.
  • The level of a process determines the set of processor instructions it can execute.
  • These prohibitions are enforced by a reference monitor built into the processor.

How does an operating system implement access control?


  • It relies on the underlying access control system supported by the processor.
  • When the OS starts, it requests access to kernel mode.
  • The OS starts a reference monitor running in kernel mode.
  • Other processes on the OS run in user mode, and so can’t attack the reference monitor process.

Define the time of check to time of use (TOCTTOU) race condition.


  • A user requests access to a resource
  • Access is granted
  • A change of authorisation occurs revoking the access
  • The user performs the access

Do the processes of the superuser (root) run in user mode or kernel mode?


User mode; they just have additional privileges granted by the OS reference monitor.

What are two broad approaches to attacking access control enforced by a reference monitor?


  • Tricking the reference monitor into granting access it should not (e.g. by exploiting the TOCTTOU problem).
  • Tricking the processor into executing code which will alter or disable the reference monitor (e.g. by finding bugs in parts of the OS running in kernel mode).

What is the confused deputy problem?


An unprivileged entity invokes an entity with higher privileges to perform, on its behalf, actions which violate the security level.
