Using proven Reference Monitor patterns for security evaluation

Abstract

The most effective approach to evaluating the security of complex systems is to deliberatelyconstruct the systems using security patterns specifically designed to make them evaluable. Just suchan integrated set of security patterns was created decades ago based on the Reference Monitorabstraction. An associated systematic security engineering and evaluation methodology was codifiedas an engineering standard in the Trusted Computer System Evaluation Criteria (TCSEC). This paperexplains how the TCSEC and its Trusted Network Interpretation (TNI) constitute a set of securitypatterns for large, complex and distributed systems and how those patterns have been repeatedlyand successfully used to create and evaluate some of the most secure government and commercialsystems ever developed.