A reference monitor can be an abstract, logical or physical component in a system. As a physical component, think of it as the bouncer at a club: you want to get in? Well, he or she decides.
A reference monitor can be implemented anywhere: at the operating system level (e.g. access to files and folders), in your database management system (e.g. an authentication role), in your app, or wherever it is needed.
In October 1972, James P. Anderson & Co. conducted a study for the Electronic Systems Division (ESD) of the United States Air Force.
The Anderson report defined the reference validation mechanism as follows:
"an implementation of the reference monitor concept ... that validates each reference to data or programs by any user (program) against a list of authorized types of reference for that user."
The report also gave three design requirements that a reference validation mechanism must meet:
a. The reference validation mechanism must be tamper-proof.
b. The reference validation mechanism must always be invoked.
c. The reference validation mechanism must be small enough to be subject to analysis and tests, the completeness of which can be assured.
The Reference Monitor must also be designed in such a way that an attacker cannot bypass the mechanism and violate the security policy.
A subject can initiate requests for resources and use those resources to accomplish a task.
An object is a resource used to store, access, or process information.
Access control includes procedures to allow or deny requests from subjects that want to access objects. It does so using a previously defined security policy.
A subject’s access to an object is also called an operation. Operations can read or modify an object.
The security policy defines the conditions under which accesses by subjects to objects are mediated by the Reference Monitor.
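The following is an added illustration (not from the Anderson report or the original text) of the concepts above: subjects, objects, operations, an explicit security policy, and a monitor that is always invoked because objects are reachable only through it. The subject and object names and the sample policy are constructed for the demo.

```python
from enum import Enum


class Operation(Enum):
    """The operations a subject can perform on an object."""
    READ = "read"
    MODIFY = "modify"


class ReferenceMonitor:
    """Mediates every subject-to-object reference against the security policy.

    The policy is an explicit allow list of (subject, object, operation); anything
    not listed is denied. It is frozen after construction so callers holding the
    monitor cannot alter it, and every decision is recorded in an audit trail.
    """

    def __init__(self, policy):
        self._policy = frozenset(policy)
        self.audit = []  # (subject, object, operation, allowed) for every request

    def mediate(self, subject, obj, op):
        allowed = (subject, obj, op) in self._policy
        self.audit.append((subject, obj, op.value, allowed))
        return allowed


class ObjectStore:
    """Objects live only here, and each access path calls mediate() first,
    so the monitor cannot be skipped (the 'always invoked' requirement)."""

    def __init__(self, monitor):
        self._monitor = monitor
        self._objects = {}

    def read(self, subject, name):
        if not self._monitor.mediate(subject, name, Operation.READ):
            raise PermissionError(f"{subject} may not read {name}")
        return self._objects[name]

    def modify(self, subject, name, content):
        if not self._monitor.mediate(subject, name, Operation.MODIFY):
            raise PermissionError(f"{subject} may not modify {name}")
        self._objects[name] = content


def demo():
    # Constructed policy: alice may read and modify 'payroll', bob may only read it.
    policy = {("alice", "payroll", Operation.READ),
              ("alice", "payroll", Operation.MODIFY),
              ("bob", "payroll", Operation.READ)}
    monitor = ReferenceMonitor(policy)
    store = ObjectStore(monitor)
    store.modify("alice", "payroll", "salaries v1")          # allowed
    results = {"bob_reads": store.read("bob", "payroll")}    # allowed
    try:
        store.modify("bob", "payroll", "salaries v2")        # denied by policy
        results["bob_modified"] = True
    except PermissionError:
        results["bob_modified"] = False
    results["denied"] = sum(1 for *_, ok in monitor.audit if not ok)
    results["decisions"] = len(monitor.audit)
    return results
```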