HP OpenVMS Guide to System Security > Chapter 2 OpenVMS Security Model

Structure of a Secure Operating System

  Table of Contents



In the late 1960s, a great deal of research and development was dedicated to the problem of achieving security in multiuser computer systems. Much of the development work involved attempts to find all the things that could go wrong with a system's security and then to correct those flaws one by one. It became apparent to the researchers that this process was ineffective; effective system security could result only from a basic model of the structure of a secure computer system. The reference monitor concept was proposed as such a model and gained wide acceptance.

Reference Monitor Concept

According to the reference monitor concept, a computer system can be depicted in terms of subjects, objects, an authorization database, an audit trail, and a reference monitor, as shown in Figure 2-1 “Reference Monitor”. The reference monitor is the control center that authenticates subjects and implements and enforces the security policy for every access to an object by a subject.

Figure 2-1 Reference Monitor

Reference Monitor

The following table describes the elements shown in Figure 2-1 “Reference Monitor”:

Item Element Description



Active entities, such as user processes, that gain access to information on behalf of people.



Passive repositories of information to be protected, such as files.


Authorization database

Repository for the security attributes of subjects and objects. From these attributes, the reference monitor determines what kind of access (if any) is authorized.


Audit trail

Record of all security-relevant events, such as access attempts, successful or not.

How the Reference Monitor Enforces Security Rules

The reference monitor enforces the security policy by authorizing the creation of subjects, by granting subjects access to objects based on the information in a dynamic authorization database, and by recording events, as necessary, in the audit trail. In an ideal system, the reference monitor must meet the following three requirements:

  • Mediate every attempt by a subject to gain access to an object

  • Provide a tamperproof database and audit trail that are thoroughly protected from unauthorized observation and modification

  • Remain a small, simple, and well-structured piece of software so that it is effective in enforcing security requirements

These are the requirements proposed for systems that are secure even against penetration. In such systems, the reference monitor is implemented by a security-related subset, or security kernel, of the operating system.