
Assignment 4.

Assignment 4.1: Reference Monitor

Emmylou Bice

CSOL-500 – Foundations of Cyber Security

Ashton Mozano

June 8, 2020
Assignment 4.1

Abstract

The reference monitor concept, originally introduced by James P. Anderson in 1972, is implemented in the majority of systems today to enforce process and/or user access control policies on the operations and files of the system. The reference monitor has become a key factor in determining the security effectiveness of a system. With today’s technology becoming more complex while shrinking in footprint, it is important to analyze systems to ensure that this security is maintained and effective. This report analyzes the effectiveness of the reference validation mechanism in enforcing access control security policies on a Samsung Galaxy phone running Android 10.


In 1972, James Anderson introduced the idea of a reference monitor to enforce the security policy of a system. The reference monitor enforces “authorized access relationships between users and other elements of a system” so that resources can be shared safely (Anderson, 1972, p. 16). Today we observe systems becoming more complex in processing and architecture while shrinking in footprint. As system design has grown more complex, we can expect that the security implementations have also evolved and improved. In this report, we analyze the effectiveness of the reference monitor concept as implemented in Samsung Galaxy phones running Android 10 and how that implementation differs from the original 1972 concept.

To analyze the reference validation mechanism, we must first understand the reference monitor concept. The reference monitor is “an abstract machine that mediates all access subjects have to objects” in order to prevent unauthorized access or modification, as shown in Figure 1 (Harris & Maymí, 2016, p. 304). Its implementation is called the reference validation mechanism (RVM), and it must satisfy three requirements: the RVM must be tamper proof, it must always be invoked (no access path may bypass it), and it must be small enough to be analyzed and tested for correctness (Anderson, 1972, p. 17). A practical consequence of the first and third requirements is that every privileged component able to alter the RVM or its policy has to be trusted to the same degree as the RVM itself; a flaw in such a component is a flaw in the mechanism’s tamper-proofness even when its decision logic is correct.


Figure 1: Reference Monitor Concept. From Computer Security Handbook, Set, 6th Edition, by Bosworth, S., Kabay, M. E., & Whyne, E., 2014.

In a standard computer operating system (OS) architecture, the processor provides hierarchical protection rings, Level 0 to Level 3; for this analysis we add a Level 4 for the human user outside the system. Level 0 is the most trusted level with the highest privilege, and each higher-numbered level is less trusted and holds less privilege. In this model, Level 0 is where the Linux kernel resides, together with the reference monitor; Level 3 is where applications reside (Linux, and therefore Android, uses only Levels 0 and 3 in practice, i.e. kernel mode and user mode); and Level 4 is outside the system, where the users reside. The rings of protection are detailed in Figure 2, with the exception of Level 4. The Samsung Galaxy Android 10 phone’s architecture mirrors that of a standard computer OS: a Linux kernel in kernel mode, with the Android framework and applications running as unprivileged user-mode processes. Strictly, on Android the mediation is split between two places: the kernel enforces discretionary (owner/group/mode) and SELinux mandatory access control on files and system calls at Level 0, while the Android framework’s system server enforces application permissions from Level 3; both parts together form the RVM analyzed here. Using this model, we analyze the Samsung Galaxy Android 10 security policies with respect to the reference monitor concept.


Figure 2: The parts of the protection ring. From Layers of an Operating System, by Futurelearn, n.d., https://www.futurelearn.com/courses/computer-systems/0/steps/53514#:~:text=The%20operating%20system%20manages%20a,CPU%20and%20access%20to%20memory.&text=Processes%20are%20executed%20in%20layered,subsequent%20layer%20has%20decreased%20access.

The Samsung Galaxy Android 10 system enforces several security policies whose relation to the reference monitor concept can be seen directly. The following describes each policy and maps it to the reference monitor concept.

1. TOE Security Functionality (TSF) Protection. (In Common Criteria terminology the TOE is the Target of Evaluation, here the Galaxy device, and the TSF is the set of its functions that enforce the security policy.) The device employs numerous features to protect the reliability and integrity of its security functions. It protects sensitive data such as cryptographic keys, protects itself from modification by applications, isolates application address spaces, and enforces read, write, and execute protections on memory pages (NIST & NSA, 2020, p. 9). To enforce these, the reference monitor verifies that the user or process (subject) has permission to read the sensitive data, modify the application, or read/write/execute the memory pages (objects). Typically, only the root user or a dedicated system user has permission to read sensitive data. This privilege level is not available to device users/owners out of the box, so a standard device owner is unauthorized to make these kinds of modifications. This can easily be tested by connecting to the device over adb, which provides an unprivileged shell user, and attempting to list or read a protected directory such as /data/system: on an unrooted device the kernel answers “Permission denied.”

2. Device Access Control. The device can be configured with a device access control policy. To gain access to the contents of the phone, the user (subject) must authenticate to the device with the correct password or a Biometric Authentication Factor (BAF) such as a fingerprint or face recognition set by the device owner (NIST & NSA, 2020, p. 8; Gossamer, 2020, p. 11). The device passes the entered authentication credential, which originates at protection Level 4, to the reference monitor, which resides at Level 0. The reference monitor compares it against the stored record of acceptable authentication credentials to verify that the individual trying to access the device possesses the proper secret or biometric. For example, if the phone were set to allow access only via the owner’s thumb fingerprint, the reference monitor would grant access only when that fingerprint is presented. Once verified and authenticated, the user has the access level of the owner of the device. The device owner can turn this setting off to allow anyone to access the device; the reference monitor is still in place, but its policy then grants every user full owner access to the device. Note that the stored record is not the credential itself: the comparison is made against a salted one-way hash of the password (or a biometric template), so a copy of the record does not directly yield the secret.

3. Application Isolation. Applications cannot access other applications or device features without explicit permission. When the owner downloads an application from the app store, the application requests permissions for additional resources such as the camera, location services, or the file system. An example is the Facebook application, which requests permission to use the camera, location services, contacts, the file system, and the microphone, among others. The owner sets the permissions for the Facebook application, and the reference monitor enforces this policy. If the application has been granted these permissions, it can access the corresponding resources whenever it is running. The reference monitor verifies that the application (Facebook) has access to the requested resource (for example, the microphone); if it lacks the proper permission, the reference monitor denies the access and the application cannot use that feature. If the user invokes a feature that requires a permission the application does not yet hold, the user is prompted, and if the user consents the reference monitor’s access control table is updated to allow access. Additionally, to prevent applications from reading or modifying each other’s memory, every application runs in its own process with a separate address space (and, on Android, under its own Linux user ID), so one application cannot address another’s memory at all. On top of this isolation the device implements address space layout randomization (ASLR), which randomizes where code and data are placed within each process and so makes memory corruption bugs harder to exploit (NIST & NSA, 2020, p. 9).

4. Audit Storage Protection. The device “shall protect the stored audit records in the audit trail” (Gossamer, 2020, p. 23). Only the root user or an administrator is allowed to read or export the device’s internal audit logs, and Linux processes can access audit files only with system permissions (Gossamer, 2020, p. 58). A normal user, including the owner of the device, does not have access to these files. The reference monitor checks whether the subject requesting the logs is an administrator or root account and denies access to everyone else; similarly, it verifies that a process holds the required system permission before it can access a particular audit log.
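As an added illustration of the TSF protection (policy 1) and audit storage protection (policy 4) policies, the following model was written for this report and is not Samsung or Android source. It reproduces the discretionary access control rule the Linux kernel applies to every file open on the device: the owner, group or other mode triplet is selected for the subject, the requested bits are checked, and uid 0 bypasses the check. The uids, paths and modes are assumed for illustration and do not describe a real device image.

```python
"""Model of the kernel-level reference validation mechanism that mediates
file access on the device.  Constructed example for this report, not Samsung
or Android code: it reproduces the Linux discretionary access control rule
(owner / group / other mode bits, with uid 0 bypassing the check)."""
from dataclasses import dataclass
from types import MappingProxyType

R, W, X = 4, 2, 1  # permission bits, as in a chmod mode triplet

# Assumed uids, following Android's convention: root = 0, system = 1000,
# the adb shell user = 2000, and installed apps from 10000 upward.
ROOT, SYSTEM, SHELL, APP_A, APP_B = 0, 1000, 2000, 10087, 10088


@dataclass(frozen=True)
class Subject:
    """A user or process: its uid plus every group it belongs to."""
    name: str
    uid: int
    gids: frozenset


@dataclass(frozen=True)
class FileObject:
    """A file as the kernel sees it: owner uid, group gid and mode bits."""
    path: str
    owner: int
    group: int
    mode: int


def _applicable_bits(subject: Subject, obj: FileObject) -> int:
    """Select the owner, group or other triplet that applies to the subject.
    Linux checks the owner class first and stops there, even if the group or
    other class would have granted more."""
    if subject.uid == obj.owner:
        return (obj.mode >> 6) & 0o7
    if obj.group in subject.gids:
        return (obj.mode >> 3) & 0o7
    return obj.mode & 0o7


class ReferenceMonitor:
    """Single choke point through which every file access must pass."""

    def __init__(self, files):
        # A read-only view: subjects cannot edit the policy they are checked
        # against (the tamper-proof property).
        self._files = MappingProxyType({f.path: f for f in files})
        self.audit = []  # every decision is recorded, allowed or denied

    def mediate(self, subject: Subject, path: str, requested: int) -> bool:
        obj = self._files[path]
        if subject.uid == ROOT:
            allowed = True  # root bypasses DAC, exactly as on Linux
        else:
            allowed = (_applicable_bits(subject, obj) & requested) == requested
        self.audit.append((subject.name, path, requested, allowed))
        return allowed

    def read(self, subject: Subject, path: str) -> str:
        if not self.mediate(subject, path, R):
            raise PermissionError(f"{subject.name}: Permission denied: {path}")
        return f"<contents of {path}>"

    def write(self, subject: Subject, path: str) -> None:
        if not self.mediate(subject, path, W):
            raise PermissionError(f"{subject.name}: Permission denied: {path}")


def build_device() -> ReferenceMonitor:
    """Constructed device: paths and modes are illustrative only."""
    return ReferenceMonitor([
        FileObject("/data/misc/keystore/user_0/keys", owner=SYSTEM, group=SYSTEM, mode=0o700),
        FileObject("/data/misc/audit/audit.log", owner=ROOT, group=SYSTEM, mode=0o640),
        FileObject("/data/data/com.example.a/prefs.xml", owner=APP_A, group=APP_A, mode=0o660),
        FileObject("/system/bin/sh", owner=ROOT, group=ROOT, mode=0o755),
    ])


root = Subject("root", ROOT, frozenset({ROOT}))
system = Subject("system", SYSTEM, frozenset({SYSTEM}))
shell = Subject("shell", SHELL, frozenset({SHELL}))
app_a = Subject("app_a", APP_A, frozenset({APP_A}))
app_b = Subject("app_b", APP_B, frozenset({APP_B}))


def can(subject: Subject, path: str, bits: int) -> bool:
    """Does the monitor grant `bits` on `path` to `subject`?"""
    return build_device().mediate(subject, path, bits)


if __name__ == "__main__":
    rm = build_device()
    for who, path, bits in [(shell, "/data/misc/keystore/user_0/keys", R),
                            (root, "/data/misc/keystore/user_0/keys", R),
                            (system, "/data/misc/audit/audit.log", R),
                            (app_a, "/data/misc/audit/audit.log", R),
                            (app_b, "/data/data/com.example.a/prefs.xml", R),
                            (shell, "/system/bin/sh", X)]:
        verdict = "allow" if rm.mediate(who, path, bits) else "deny"
        print(f"{who.name:7} {path:40} {verdict}")
    print(f"{len(rm.audit)} decisions recorded in the audit trail")
```

The adb shell user in this model is denied the key store and the audit log for the same reason a device owner is denied them in policy 1 and policy 4: it is neither the owner nor in the group, and the other triplet grants nothing. Root is allowed everything, which is exactly why obtaining uid 0 (the rooting case discussed below) defeats the policy without the monitor ever making a wrong decision.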
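As an added example of the device access control policy (policy 2), the following lock-screen model was written for this report and is not Samsung’s Gatekeeper or trusted execution environment code. It shows the reference monitor decision described above: the entered credential is compared with a stored record, the record is a salted PBKDF2-HMAC-SHA256 hash rather than the PIN itself, the comparison is constant-time, repeated failures lock the device, and removing the credential makes the monitor grant owner access to everyone. The iteration count and lockout threshold are assumed values.

```python
"""Model of the lock-screen credential check.  Constructed example for this
report, not Samsung's Gatekeeper or TEE code."""
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor; a real device binds this to the TEE
MAX_FAILURES = 5      # assumed lockout threshold


class LockScreen:
    def __init__(self) -> None:
        self._record = None  # (salt, digest), or None when no credential is set
        self._failures = 0

    @staticmethod
    def _derive(credential: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", credential.encode("utf-8"), salt, ITERATIONS)

    def enroll(self, credential: str) -> None:
        """Owner sets a PIN/password: only the salt and hash are retained."""
        salt = os.urandom(16)
        self._record = (salt, self._derive(credential, salt))
        self._failures = 0

    def disable(self) -> None:
        """Owner turns the access control policy off."""
        self._record = None
        self._failures = 0

    @property
    def locked_out(self) -> bool:
        return self._record is not None and self._failures >= MAX_FAILURES

    def unlock(self, presented: str) -> bool:
        """The reference monitor decision: does the presented credential match
        the stored record?  True grants owner-level access to the device."""
        if self._record is None:
            return True  # policy disabled: every user receives full owner access
        if self.locked_out:
            return False  # too many failures; a real device adds delays or wipes
        salt, digest = self._record
        candidate = self._derive(presented, salt)
        # compare_digest takes the same time whichever byte differs, so timing
        # a wrong guess reveals nothing about the stored hash.
        if hmac.compare_digest(candidate, digest):
            self._failures = 0
            return True
        self._failures += 1
        return False


def scenario(correct: str, attempts: list) -> list:
    """Enroll `correct`, then present each attempt in order; return decisions."""
    screen = LockScreen()
    screen.enroll(correct)
    return [screen.unlock(a) for a in attempts]


if __name__ == "__main__":
    print(scenario("1357", ["1357", "0000", "1357"]))          # [True, False, True]
    print(scenario("1357", ["0000"] * MAX_FAILURES + ["1357"]))  # locked out at the end
```

The lockout branch is the part a practitioner should not omit: without it, a four-digit PIN hashed with any work factor can be guessed exhaustively through the same interface the legitimate owner uses.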
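As an added example of the application isolation policy (policy 3), the following model was written for this report and is not AOSP or Samsung code. It shows the permission check that sits between an application (subject) and a protected resource such as the microphone (object): normal permissions are granted at install time, dangerous ones require the owner’s consent at runtime, the access control table is updated with the owner’s answer, and a permission that the application never declared is refused without a prompt. The permission table is an assumed subset of the platform’s, the package name is invented, and the owner’s consent dialog is replaced by a callback.

```python
"""Model of Android's install-time and runtime permission enforcement.
Constructed example for this report, not AOSP or Samsung code."""
from enum import Enum


class Protection(Enum):
    NORMAL = "normal"        # granted automatically when the app is installed
    DANGEROUS = "dangerous"  # requires an explicit runtime grant by the owner


# Assumed subset of the platform's permission table (names follow Android's).
PERMISSIONS = {
    "android.permission.INTERNET": Protection.NORMAL,
    "android.permission.CAMERA": Protection.DANGEROUS,
    "android.permission.RECORD_AUDIO": Protection.DANGEROUS,
    "android.permission.ACCESS_FINE_LOCATION": Protection.DANGEROUS,
}


class SecurityException(Exception):
    """Raised when a protected API is called without the permission."""


class PermissionManager:
    def __init__(self, prompt):
        # prompt(app, perm) -> bool stands in for the consent dialog shown to the owner
        self._prompt = prompt
        self._declared = {}  # app -> permissions listed in its manifest
        self._granted = {}   # app -> permissions currently granted (the access control table)

    def install(self, app: str, manifest: list) -> None:
        unknown = set(manifest) - PERMISSIONS.keys()
        if unknown:
            raise ValueError(f"unknown permissions: {sorted(unknown)}")
        self._declared[app] = set(manifest)
        self._granted[app] = {p for p in manifest if PERMISSIONS[p] is Protection.NORMAL}

    def check_permission(self, app: str, perm: str) -> bool:
        """The reference monitor lookup: is `perm` currently granted to `app`?"""
        return perm in self._granted.get(app, set())

    def request_permission(self, app: str, perm: str) -> bool:
        """Runtime request: undeclared permissions are refused without a prompt;
        declared ones are put to the owner and the table is updated."""
        if perm not in self._declared.get(app, set()):
            return False
        if self.check_permission(app, perm):
            return True
        if self._prompt(app, perm):
            self._granted[app].add(perm)
            return True
        return False

    def revoke(self, app: str, perm: str) -> None:
        """Owner withdraws a grant in Settings; the next check fails."""
        self._granted.get(app, set()).discard(perm)

    def enforce(self, app: str, perm: str) -> None:
        if not self.check_permission(app, perm):
            raise SecurityException(f"{app} lacks {perm}")


class Microphone:
    """A protected resource: every call passes through enforce() first."""
    def __init__(self, pm: PermissionManager) -> None:
        self._pm = pm

    def record(self, app: str) -> str:
        self._pm.enforce(app, "android.permission.RECORD_AUDIO")
        return f"audio stream opened for {app}"


def scenario(owner_consents: dict) -> dict:
    """Install a social-media style app and walk through the checks.
    `owner_consents` maps a permission to the owner's answer at the prompt."""
    app = "com.example.social"  # assumed package name
    mic_perm = "android.permission.RECORD_AUDIO"
    pm = PermissionManager(prompt=lambda a, p: owner_consents.get(p, False))
    pm.install(app, ["android.permission.INTERNET", "android.permission.CAMERA", mic_perm])
    mic = Microphone(pm)
    out = {"internet_at_install": pm.check_permission(app, "android.permission.INTERNET"),
           "mic_at_install": pm.check_permission(app, mic_perm)}
    try:
        mic.record(app)
        out["record_before_grant"] = "allowed"
    except SecurityException:
        out["record_before_grant"] = "denied"
    out["mic_after_prompt"] = pm.request_permission(app, mic_perm)
    out["record_after_prompt"] = "allowed" if out["mic_after_prompt"] and mic.record(app) else "denied"
    out["undeclared_location"] = pm.request_permission(app, "android.permission.ACCESS_FINE_LOCATION")
    pm.revoke(app, mic_perm)
    out["mic_after_revoke"] = pm.check_permission(app, mic_perm)
    return out


if __name__ == "__main__":
    for k, v in scenario({"android.permission.RECORD_AUDIO": True}).items():
        print(f"{k:22} {v}")
```

The important design point is that `Microphone.record` cannot be reached without `enforce`; the check is always invoked because it is inside the resource, not left to the calling application.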

Across these security policies we can see that the reference validation mechanism has been implemented and is verifying the permissions of the user or application whenever it tries to access specific objects on the device. Although the reference validation mechanism has been implemented, the security, as on computers, is not impenetrable. The Samsung Galaxy Android 10 device is intended for standard users to use out of the box. However, users are able to change their unprivileged state to a privileged state by “rooting” the phone, using tools that trick a privileged application into running custom code, which in turn lets the user flash modified firmware onto the device and obtain privileged access. The rooting tool thereby obtains permission to modify the system software on the device, in effect gaining access to Level 0. In terms of the reference monitor, the monitor does its job: it verifies that the (tricked) privileged application holds the permission and allows it to run the custom code that updates the firmware. Once this happens, the general device user has privileged access at Level 0 rather than only Level 3 (application). The device’s security is then breached and, depending on whether the user is knowledgeable in security, the device may be exposed to further threats. In this view the failure is not in the reference validation mechanism’s decision logic but in the permissions held by the tricked application. Note, however, that in Anderson’s terms a privileged application that can be induced to rewrite the firmware is part of the trusted base on which the RVM depends, so such a compromise is best classed as a failure of the tamper-proof requirement: the RVM stays correct only as long as nothing it trusts can be subverted. On Samsung devices, flashing modified firmware also requires an unlocked bootloader and permanently sets a hardware flag (the Knox warranty bit), so a rooted device can be detected and its Knox-protected features are disabled.


References

Anderson, J. (1972). Computer Security Technology Planning Study. Retrieved June 6, 2020, from https://csrc.nist.gov/csrc/media/publications/conference-paper/1998/10/08/proceedings-of-the-21st-nissc-1998/documents/early-cs-papers/ande72.pdf

Bosworth, S., Kabay, M. E., & Whyne, E. (2014). Computer Security Handbook, Set (6th ed.). Hoboken, NJ: John Wiley & Sons.

Futurelearn. (n.d.). Layers of an Operating System. Retrieved June 7, 2020, from https://www.futurelearn.com/courses/computer-systems/0/steps/53514#:~:text=The%20operating%20system%20manages%20a,CPU%20and%20access%20to%20memory.&text=Processes%20are%20executed%20in%20layered,subsequent%20layer%20has%20decreased%20access

Gossamer. (2020). Samsung Electronics Co., Ltd. Samsung Galaxy Devices on Android 10 – Spring Security Target. Retrieved June 7, 2020, from https://www.commoncriteriaportal.org/files/epfiles/st_vid11042-st.pdf

Harris, S., & Maymí, F. (2016). CISSP All-in-One Exam Guide (7th ed.). New York, NY: McGraw-Hill Education.

NIST & NSA. (2020). Samsung Galaxy Devices on Android 10 – Spring. Retrieved June 7, 2020, from https://www.commoncriteriaportal.org/files/epfiles/st_vid11042-vr.pdf
