Emmylou Bice
Ashton Mozano
June 8, 2020
Assignment 4.1
Abstract
The reference monitor concept, originally introduced by James P. Anderson in 1972, is
implemented in a majority of systems today to enforce process and/or user access control
policies on operations and files in the system. The reference monitor has become a key factor in
determining the security effectiveness of a system. With today's technology becoming more
complex while shrinking in footprint, it is important that we analyze systems to ensure their security is
maintained and effective. We will analyze the effectiveness of the reference validation
mechanism in enforcing these access control security policies within a Samsung Galaxy phone
In 1972, James Anderson introduced the idea of a reference monitor to enforce the
security policy of systems. The reference monitor enforces "authorized access relationships
between users and other elements of a system" to enhance the security of resource sharing
(Anderson, 1972, p. 16). In today's technology, we observe systems becoming more complex in
processing and architecture while shrinking in footprint. As systems become more complex
in design, we can imagine that their security implementations have also evolved and improved. In
this report, we will analyze the effectiveness and differences of the reference monitor concept
implementation in Samsung Galaxy phones running Android 10 compared to the original 1972
To analyze the reference validation mechanism, we must first understand the reference
monitor concept. As mentioned, the reference monitor is "an abstract machine that mediates all
access subjects have to objects" to prevent unauthorized access or modification, as seen in Figure
1 (Harris & Maymí, 2016, p. 304). The implementation of this is called the reference validation
mechanism (RVM), which employs three principles: the RVM must be tamper proof, always
invoked, and simple or small enough to be analyzed and tested for correctness (Anderson, 1972,
p. 17).
Figure 1: Reference Monitor Concept. From Computer Security Handbook, Set, 6th Edition,
by Bosworth, S., Kabay, M. E., & Whyne, E., 2014.
In a standard computer operating system (OS) architecture, there are five levels of access
protection, Level 0 to Level 4. Level 0 is the most trusted level with the highest level of privilege,
and Level 4 is the least trusted with the lowest level of privilege. In this model, Level 0 is where the
Linux kernel resides, as well as the reference monitor; Level 3 is where the system applications
reside; and Level 4 is outside the system, where the users reside. The rings of protection are
detailed in Figure 2, with the exception of Level 4. When we analyze the Samsung Galaxy Android 10
phone's architecture, it mirrors that of a standard computer OS. Using this model,
we will analyze the Samsung Galaxy Android 10 security policies with respect to the reference
monitor concept.
Figure 2: The parts of the protection ring. From Layers of an Operating System, by
Futurelearn, n.d., https://www.futurelearn.com/courses/computer-systems/0/steps/53514#:~:text=The%20operating%20system%20manages%20a,CPU%20and%20access%20to%20memory.&text=Processes%20are%20executed%20in%20layered,subsequent%20layer%20has%20decreased%20access.
The Samsung Galaxy Android 10 system enforces several security policies whose relation to
the reference monitor concept we can see. The following details these policies, as well as
features that protect the reliability and integrity of security. It protects sensitive data
like crypto keys, protects itself from application modification, isolates application
address spaces, and enforces read, write, and execute memory page protections
(NIST & NSA, 2020, p. 9). To enforce these, the reference monitor verifies that the
user or process (subject) has permission to read the sensitive data, modify the
user group will have access to read sensitive data. This permission level is not
accessible to device users/owners right out of the box; therefore, standard device
owners will be unauthorized to make these types of modifications. This feature can
easily be tested by logging into the device and navigating through the directory file
2. Device Access Control. The device has the option to set a device access control
policy. To gain access to the contents in the phone, the user (subject) must
(BAF) such as a fingerprint or face recognition set by the device owner (NIST &
NSA, 2020, p. 8; Gossamer, 2020, p. 11). The device passes the inputted authentication
which resides at Level 0. The reference monitor checks the list of acceptable
authentication credentials to verify that the individual trying to access the device has
the proper knowledge to access the contents. For example, if the phone is set to
only allow access via the owner's thumb fingerprint, the reference monitor would
only allow the user access provided they presented the correct fingerprint. Once
verified and authenticated, the user has the access levels of the owner of the device. This
setting can be turned off by the device owner to allow anyone to access the device;
however, the reference monitor is still in place, where all users have full owner access
features without explicit permission. When the owner downloads applications for the
camera, location services, or the file system. An example is the Facebook application.
Facebook will request permissions to the camera, location services, contacts, file
system, and microphone, to name a few. The owner sets the permissions for the
Facebook application and the reference monitor enforces this policy. If the application
is provided these permissions, it can request access to the other applications whenever
it is running. The reference monitor verifies that the application (Facebook) has
access to the other applications (e.g., the microphone). If it doesn't have the proper
permissions, then the reference monitor will deny the access and the application will
not use those features. If the user decides to use a feature requiring permission to use
another application, the user will be prompted and the reference monitor access
from accessing each other, applications cannot access other memory spaces within the
kernel. The device implements address space layout randomization (ASLR) to protect
4. Audit Storage Protection. The device "shall protect the stored audit records in the
audit trail" (Gossamer, 2020, p. 23). Only the root user or administrator is allowed to
read or export internal audit logs of the device, and Linux processes can access audit
files only with system permissions (Gossamer, 2020, p. 58). A normal user or the
owner of the device does not have access to these types of files. The reference
monitor checks whether the individual logging in is an administrator or root account
and, if not, restricts access to the logs. Similarly, the reference monitor verifies that the
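A toy reference validation mechanism that mediates the policies described above: file access decided by POSIX owner/group/other mode bits (with root, at Level 0, bypassing them), an application's use of device features only when the owner granted them, and root-only reads of the audit trail. This is an added illustration, not code from the paper, Samsung or Android; the subject names, the app package name and the file path are constructed.

```python
from collections import namedtuple

# Objects are files with a POSIX owner, group and rwx mode bits; subjects are users or apps.
FileObject = namedtuple("FileObject", "path owner group mode")
Subject = namedtuple("Subject", "name groups granted", defaults=(frozenset(),))  # granted: app perms
ACCESS_BITS = {"read": 4, "write": 2, "execute": 1}

class ReferenceMonitor:
    """Every request passes through a check_* method; the decision log is the audit trail."""
    def __init__(self):
        self.audit = []

    def _decide(self, subject, obj, op, allowed):
        self.audit.append((subject.name, obj, op, allowed))   # always invoked, always recorded
        return allowed

    def check_file(self, subject, f, op):
        """Read/write/execute on a file: root (Level 0) bypasses the mode bits, others are checked."""
        if "root" in subject.groups:
            return self._decide(subject, f.path, op, True)
        shift = 6 if subject.name == f.owner else 3 if f.group in subject.groups else 0
        return self._decide(subject, f.path, op, bool((f.mode >> shift) & ACCESS_BITS[op]))

    def check_app_permission(self, app, feature):
        """Application access control: camera, microphone, ... only if the owner granted it."""
        return self._decide(app, feature, "use", feature in app.granted)

    def read_audit_log(self, subject):
        """Audit Storage Protection: only a root/administrator subject may read the records."""
        allowed = "root" in subject.groups
        self._decide(subject, "audit_trail", "read", allowed)
        return list(self.audit) if allowed else None

def demo():
    """Constructed subjects and objects; returns each decision so the policy can be verified."""
    rm = ReferenceMonitor()
    owner = Subject("owner", frozenset({"everybody"}))
    root = Subject("root", frozenset({"root"}))
    app = Subject("com.example.social", frozenset({"app"}), frozenset({"camera", "location"}))
    keys = FileObject("/data/misc/example_keys", "keystore", "root", 0o640)   # constructed path
    return {"owner_reads_keys": rm.check_file(owner, keys, "read"),              # False
            "root_reads_keys": rm.check_file(root, keys, "read"),                # True
            "app_uses_camera": rm.check_app_permission(app, "camera"),           # True: granted
            "app_uses_microphone": rm.check_app_permission(app, "microphone"),   # False: denied
            "owner_reads_audit": rm.read_audit_log(owner),                       # None: root only
            "root_audit_entries": len(rm.read_audit_log(root))}                  # 6, incl. this read
```

Because every decision, including the denied ones, lands in the audit list, the log doubles as evidence that the monitor was invoked for each request.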
With these many security policies, we can see that the reference validation mechanism has been
implemented and is verifying the permissions of the user or application when trying to access
specific objects within the filesystem. Although the reference validation mechanism has been
implemented, as on computers, the security isn't impenetrable. The Samsung Galaxy Android
10 device is intended for standard users to use the system right out of the box. However, users of
the system are able to change their unprivileged state to a privileged state by "rooting" the phone
with applications that essentially trick privileged applications into running custom code that
allows the user to manually update the firmware on the device and gain privileged access. The
application obtains permissions to modify the source code on the device, essentially getting
access to Level 0. In terms of the reference monitor, however, the reference monitor does its job
and verifies that the tricked application has permissions and allows it to run the custom code to
update the firmware. Once this happens, the general device user has privileged access to Level 0
rather than just Level 3 (application). If this happens, then the device security is breached and,
depending on whether the user is knowledgeable in security or not, may expose the device to other
potential threats. This, however, is not an issue with the reference validation mechanism, but
References
Anderson, J. (1972). Computer Security Technology Planning Study. Retrieved on June 6, 2020, from https://csrc.nist.gov/csrc/media/publications/conference-paper/1998/10/08/proceedings-of-the-21st-nissc-1998/documents/early-cs-papers/ande72.pdf
Bosworth, S., Kabay, M. E., & Whyne, E. (2014). Computer Security Handbook, Set, 6th
Futurelearn. (n.d.). Layers of an Operating System. https://www.futurelearn.com/courses/computer-systems/0/steps/53514#:~:text=The%20operating%20system%20manages%20a,CPU%20and%20access%20to%20memory.&text=Processes%20are%20executed%20in%20layered,subsequent%20layer%20has%20decreased%20access
Gossamer. (2020). Samsung Electronics Co., Ltd. Samsung Galaxy Devices on Android 10 –
https://www.commoncriteriaportal.org/files/epfiles/st_vid11042-st.pdf
Harris, S., & Maymí, F. (2016). CISSP All-in-One Exam Guide (7th ed.). New York, NY: McGraw-Hill Education.
NIST & NSA. (2020). Samsung Galaxy Devices on Android 10 – Spring. Retrieved on June 7,