Access and use control using externally controlled reference monitors

This paper presents a mechanism for the consistent enforcement of security policies within a distributed system by extending the reference monitor concept in such a way that both a conceptual and actual separation of the specification and enforcement of security policies by the reference monitor, hence an externally controlled reference monitor, is obtained. An externally controlled reference monitor may enforce multiple policies simultaneously; for this multiple external reference monitors can be queried. To maintain the policy independence of the reference monitor, subjects, objects, and operations are modeled in a formal theory which can also be mapped to multiple operating systems providing a operating system-independent mechanism for specifying and enforcing policies. This policy mechanism is briefly discussed, as is an example of an interpretation element and the corresponding implementation techniques for retrofitting the externally controlled reference monitor onto existing operating systems