A proposed mechanism for implementation of non-discretionary access controls in a network environment

Abstract This paper investigates moving Lampson's reference monitor abstraction from the single system environment to a range of networked distributed systems which include interconnected office information systems. It suggests modifying our implementation of the abstraction from the traditional security kernel to a dual approach using a basic, node level reference monitor and a system level reference monitor that we choose to call a sentinel. An argument is presented that the sentinel meets the requirements of a reference monitor in that it provides separation, mediation, and can be formally verified. The approach to installing a sentinel is viewed as top down with great emphasis on the security mode implemented at each participating node.