In operating systems architecture a reference monitor concept defines a set of design requirements on a reference validation mechanism, which enforces an access control policy over subjects' (e.g., processes and users) ability to perform operations (e.g., read and write) on objects (e.g., files and sockets) on a system.
have ever been independently verified, or what level of computer security it was intended to provide.
The claim is that a reference validation mechanism that satisfies the reference monitor concept will correctly enforce a system's access control policy, as it must be invoked to mediate all security-sensitive operations, must not be tampered with, and has undergone complete analysis and testing to verify correctness.
The abstract model of a reference monitor has been widely applied to any type of system that needs to enforce access control and is considered to express the necessary and sufficient properties for any system making this security claim.
[4] Peter Denning in a 2013 oral history stated that James Anderson credited the concept to a paper he and Scott Graham presented at a 1972 conference.