Is the Reference Monitor Concept Fatally Flawed? The Case for the Negative

Traditionally, the burden of proof in a debate rests upon the affirmative side of the resolution, which is worded to advocate change. here, this is just as it should be. The reference monitor (RM) model has passed the critical test imposed by the methodology of science: it has been a productive concept for the field of computer security since its introduction. The call to abandon a productive model, however intellectually stimulating, should not be heeded simply for the sake of novelty. It is our hope that this debate will stimulate an examination of foundations, but we do not believe that such an examination, carefully undertaken, supports the affirmative case. There are several related topics which are not the focus of this discussion. We will not discuss the merits or demerits of any particular access control policy: the RM model is neutral with respect to policy enforced. We will not discuss the merits or demerits of any particular criterion based upon the RM model: the model precedes these and is not responsible for infelicities that may occur in a particular application of the model. We will not discuss architectural instantiations of the model: e.g. a “monolithic” instantiation versus a partitioned, subsetted, or even more radically distributed instantiation. No one is claiming that only monolithic or homogeneous implementations are encompassed by the model: quite the contrary. The resolution is the conjunction of two propositions, both of which must be successfully argued by the opposition: First, that the RM model is “fatally flawed”. We understand this to mean, not “incomplete” (for the RM model is manifestly incomplete, being policyneutral). Rather, we understand this to mean that the model does not deliver what it promises: an abstract model of prerequisites to be met by any system that claims to be “secure” with respect to the enforcement of access controls. With respect to this position, the negative case will be based upon arguments that if any of the three primary ingredients of the model are sacrificed, the resulting system is demonstrably insecure, in that an approach for compromising the controls is