Reference Monitor Concept and Common Criteria Version 3

Abstract:

This talk will introduce the Reference Monitor Concept, a fundamental information security concept and trace the evolution of its principles to Common Criteria Version 3.

The reference monitor concept was first introduced in the Anderson Report in 1972. An implementation of the reference monitor concept is defined as a "reference validation mechanism." Three principles of the reference validation mechanism are specified as follows:

1. The reference validation mechanism must be tamper proof.
2. The reference validation mechanism must always be invoked.
3. The reference validation mechanism must be small enough to be subject to analysis and tests to assure that it is correct.
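The three principles are easiest to see in code. The following is an added illustration, not part of the talk or the Anderson Report: a toy reference validation mechanism in Python in which every subject-to-object access passes through one `mediate()` method (always invoked), the policy it consults is a private read-only snapshot (tamper proof at the language level), and the whole mechanism is a couple of dozen lines (small enough to analyse). The policy, subjects and objects are constructed sample data; in a real system the tamper-proof execution domain comes from hardware and kernel protection, which Python's private attributes only stand in for here.

```python
"""Toy reference validation mechanism (constructed example, not from the talk)."""
from types import MappingProxyType

# Constructed policy: subject -> object -> permitted operations.
# Anything not listed is denied (default deny).
POLICY = {
    "alice": {"payroll.db": {"read", "write"}, "public.txt": {"read"}},
    "bob": {"public.txt": {"read"}},
}

# Constructed protected objects. They are handed to the monitor and never
# touched directly afterwards, so the monitor is the only path to them.
OBJECTS = {"payroll.db": "salary data", "public.txt": "hello"}


class ReferenceMonitor:
    """Single chokepoint through which every subject->object access passes."""

    def __init__(self, policy, objects):
        # Principle 1 (tamper proof): freeze a private copy of the policy so
        # callers cannot change the rules after the monitor is initialised.
        self._policy = MappingProxyType(
            {s: {o: frozenset(ops) for o, ops in rules.items()} for s, rules in policy.items()}
        )
        # Principle 2 (always invoked): the objects live inside the monitor;
        # the only way to reach them is mediate().
        self._objects = dict(objects)
        # Every decision, grant or deny, is recorded for audit.
        self.audit = []

    def mediate(self, subject, obj, op, data=None):
        """Check the policy, record the decision, then perform the access."""
        allowed = op in self._policy.get(subject, {}).get(obj, frozenset())
        self.audit.append((subject, obj, op, "grant" if allowed else "deny"))
        if not allowed:
            raise PermissionError(f"{subject} may not {op} {obj}")
        if op == "read":
            return self._objects[obj]
        if op == "write":
            self._objects[obj] = data
            return None
        raise ValueError(f"unknown operation {op!r}")


def run_scenario():
    """Drive the monitor with a few accesses and return the audit trail."""
    rm = ReferenceMonitor(POLICY, OBJECTS)
    rm.mediate("alice", "payroll.db", "read")          # granted
    rm.mediate("alice", "public.txt", "read")          # granted
    for subject, obj, op in [("bob", "payroll.db", "read"),   # not in policy
                             ("alice", "public.txt", "write"),  # op not granted
                             ("mallory", "public.txt", "read")]:  # unknown subject
        try:
            rm.mediate(subject, obj, op, data="x")
        except PermissionError:
            pass
    return rm.audit


if __name__ == "__main__":
    for entry in run_scenario():
        print(entry)
```

Note that the policy object is the only thing frozen; the audit list is deliberately left writable by the monitor so that it, and only it, can append decisions. The size of `ReferenceMonitor` is the point of principle 3: a mechanism this small can be read in full and tested exhaustively against the policy table.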

The Trusted Computer System Evaluation Criteria (TCSEC), also known as the Orange Book, was used for IT security evaluations in the U.S. before the Common Criteria. The six hierarchical classes of requirements in the TCSEC are, from lowest to highest: C1, C2, B1, B2, B3, and A1. The reference monitor concept is incorporated into the system architecture requirements of the TCSEC. The system architecture requirements are considered to be assurance requirements.

1. The first principle of "tamperproofness" came in at C1: "The TCB shall maintain a domain for its own execution that protects it from external interference or tampering."
2. The second principle of "always invoked" came in at C2: "The TCB shall isolate the resources to be protected so that they are subject to the access control and auditing requirements."
3. Finally, at Class B3, the third principle of "small enough to be analyzed" is required by specifying several specific system architecture requirements.

In the Common Criteria Versions 1 and 2, the principle of "tamperproofness" is expressed using the FPT_SEP family: Domain separation. The principle of "always invoked" is expressed using FPT_RVM: Reference mediation. The problem with specifying these as functional requirements is that they depend on the overall design of the TOE Security Functions (TSF), which is not addressed by the existing security assurance requirements. Also, since they were security functional requirements, they were technically not required at any evaluation assurance level (EAL). The "small enough to be analyzed" principle is addressed by the ADV_INT: TSF internals family.

Common Criteria Version 3 addresses the principles of domain separation and non-bypassability with a new family: ADV_ARC: Architectural design. The talk will go over the ADV_ARC requirements in CC Version 3 and the CEM, as well as the additional guidance provided to aid in their interpretation.