Title :
Guidelines for Reference Monitors in Embedded INFOSEC Applications
Author :
Vallese, David C.
Author_Institution :
Harris Corporation, Rochester, NY 14610
Abstract :
This paper addresses the enforcement of the principle of least privilege in embedded INFOSEC applications through the development of a security component, the Reference Monitor (RM). The concept of the principle of least privilege has been around since the mid 1970s. The enforcement of this principle grants the most restrictive set of privileges sufficient for an authorized task. The RM component is useful for an embedded system that is developed with a separation kernel that does not have built-in security policies. The RM component resides outside the separation kernel and enforces a system-wide security policy through a combination of Discretionary Access Control (DAC) mechanisms and Mandatory Access Control (MAC) mechanisms. This paper discusses the architectural guidelines and the implementation of an RM component in an embedded INFOSEC application.
Keywords :
Access control; Application software; Communication system traffic control; Data security; Guidelines; Information security; Kernel; Protection; Protocols; Switches;
Conference_Title :
Military Communications Conference, 2007. MILCOM 2007. IEEE
Conference_Location :
Orlando, FL, USA
Print_ISBN :
978-1-4244-1513-7
Electronic_ISBN :
978-1-4244-1513-7
DOI :
10.1109/MILCOM.2007.4455232