The Protection of Information in Computer Systems (with M. Maekawa)

Citation: Tanenbaum, A. S., & Maekawa, M. (1978). The Protection of Information in Computer Systems. Proceedings of the IEEE, 66(9), 1031-1044.

Core Contribution

Presents the reference monitor as the organizing model for operating system security: a single component through which every access by a subject to an object must pass. Describes the Bell-La Padula model for multilevel security and states the principle of complete mediation (every access, not only the first, must be checked against the security policy).

Key Concepts

  1. Reference monitor: The component that mediates all access between subjects (users, processes) and objects (files, devices, memory); there must be no path to an object that bypasses it
  2. Complete mediation: Every access must be checked against the current policy, not just the first access; a decision cached at open time goes stale if rights are later revoked
  3. Security kernel: The small, verifiable part of the trusted computing base that implements the reference monitor; it must be tamper-proof, always invoked, and small enough to be analyzed
  4. Bell-La Padula: No read up (simple security property: a subject may read an object only if its clearance dominates the object's classification), no write down (*-property: a subject may write an object only if the object's classification dominates the subject's clearance)
  5. Authentication vs authorization: Establishing who a subject is vs deciding what that subject is allowed to do; the second question is only meaningful once the first has been answered
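The following toy reference monitor ties the five concepts together. It is an added illustration written for this summary, not code from the paper: the labels, subjects, objects and credential store are constructed sample data, and the class and function names are my own. Every read and write goes through a single `mediate` call that enforces the two Bell-La Padula rules on each access (so a clearance revoked after a successful read is honored on the very next request), refuses unauthenticated subjects, and records each decision in an audit log.

```python
"""Toy reference monitor enforcing Bell-La Padula with complete mediation.
Added example for this summary; all names and data below are constructed."""
from dataclasses import dataclass, field
from enum import IntEnum


class Level(IntEnum):
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


@dataclass(frozen=True)
class Label:
    level: Level
    categories: frozenset = frozenset()

    def dominates(self, other):
        # L1 dominates L2 iff level1 >= level2 and categories1 is a superset of categories2
        return self.level >= other.level and self.categories >= other.categories


@dataclass
class Subject:
    name: str
    clearance: Label
    authenticated: bool = False


@dataclass
class Obj:
    name: str
    classification: Label
    content: list = field(default_factory=list)


class AccessDenied(Exception):
    pass


class ReferenceMonitor:
    """All object access goes through mediate(); there is no other path to content."""

    def __init__(self, objects):
        self._objects = {o.name: o for o in objects}
        self.audit = []  # every decision is logged, allowed or denied

    def authenticate(self, subject, password, credential_store):
        # Authentication answers "who is this?" and says nothing about rights.
        # Toy comparison; a real system stores hashes and compares in constant time.
        subject.authenticated = credential_store.get(subject.name) == password
        return subject.authenticated

    def mediate(self, subject, obj_name, mode):
        # Authorization answers "what may this subject do?", re-evaluated on every call.
        obj = self._objects.get(obj_name)
        if obj is None or not subject.authenticated:
            decision = False  # unknown object or unauthenticated subject: fail closed
        elif mode == "read":
            decision = subject.clearance.dominates(obj.classification)  # no read up
        elif mode == "write":
            decision = obj.classification.dominates(subject.clearance)  # no write down
        else:
            decision = False
        self.audit.append((subject.name, obj_name, mode, decision))
        if not decision:
            raise AccessDenied(f"{subject.name} may not {mode} {obj_name}")
        return obj

    def read(self, subject, obj_name):
        return list(self.mediate(subject, obj_name, "read").content)

    def write(self, subject, obj_name, data):
        self.mediate(subject, obj_name, "write").content.append(data)


def attempt(action):
    try:
        action()
        return "allowed"
    except AccessDenied:
        return "denied"


def demo():
    secret, confidential = Label(Level.SECRET), Label(Level.CONFIDENTIAL)
    rm = ReferenceMonitor([Obj("plans.txt", secret, ["invasion date"]),
                           Obj("memo.txt", confidential)])
    alice, bob = Subject("alice", secret), Subject("bob", confidential)
    mallory = Subject("mallory", secret)            # never authenticates
    creds = {"alice": "hunter2", "bob": "pw"}       # constructed credential store
    rm.authenticate(alice, "hunter2", creds)
    rm.authenticate(bob, "pw", creds)
    results = {"alice_reads_secret": rm.read(alice, "plans.txt")}
    results["bob_reads_secret"] = attempt(lambda: rm.read(bob, "plans.txt"))           # no read up
    results["alice_writes_down"] = attempt(lambda: rm.write(alice, "memo.txt", "leak"))  # no write down
    results["bob_writes_up"] = attempt(lambda: rm.write(bob, "plans.txt", "blind append"))
    results["unauthenticated"] = attempt(lambda: rm.read(mallory, "plans.txt"))
    alice.clearance = confidential  # clearance revoked after an earlier successful read
    results["alice_after_downgrade"] = attempt(lambda: rm.read(alice, "plans.txt"))
    results["audit_entries"] = len(rm.audit)
    return results


if __name__ == "__main__":
    print(demo())
```

Note that Bob's write up to `plans.txt` is permitted by the *-property even though he cannot read the file; this "blind write" is the classic integrity weakness of pure Bell-La Padula. Mallory has the right clearance on paper but is denied because authorization is never evaluated for a subject who has not been authenticated.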

Why It Matters

This paper laid out a theoretical foundation for operating system security that remains relevant today, and secure operating system designs since 1978 have drawn on these ideas. The reference monitor pattern survives in mandatory access control frameworks such as SELinux, including Android's use of SELinux to confine apps and system services.

Connection to Modern Systems

  • Linux capabilities: Split the all-or-nothing root privilege into separately grantable units (for example CAP_NET_BIND_SERVICE or CAP_SYS_ADMIN), an application of the principle of least privilege
  • SELinux: Type enforcement is a mandatory access control scheme applied through the Linux Security Module hooks, which act as the reference monitor for kernel objects; Bell-La Padula style levels are provided separately by its optional MLS policy component, not by type enforcement itself
  • Android permissions: The permission checks performed by the framework and system services act as a reference monitor for app access to protected resources
  • Virtualization: A hypervisor mediates every guest's access to the hardware, playing the security kernel role for the virtual machines above it

See Also