In computer security, a reference monitor is an abstract machine that mediates every access to objects (files, devices, memory segments and other system resources) by subjects (users or processes) and enforces the system's access control policy on each of those accesses. The concept is deliberately abstract: it describes what the enforcement point must do, not how a particular system builds it.
The Trusted Computer System Evaluation Criteria (TCSEC), also known as the Orange Book, requires that the implementation of this concept, which it calls the reference validation mechanism, has the following three properties:
1. **Tamper-Proof**: Neither the mechanism nor the policy data it consults can be altered by the subjects it mediates or by any other untrusted code on the system; if a process could rewrite the access rules or patch the checking code, the policy it enforces would be meaningless.
2. **Always Invoked**: It must be invoked on every access attempt and cannot be bypassed (this is also called complete mediation). No path to an object may exist that does not pass through the monitor, including paths through caches, alternate interfaces or raw device access.
3. **Verifiable**: It must be small and simple enough to be subjected to analysis and testing whose completeness can be assured, so that one can establish with confidence that it implements the security policy correctly.
In practical implementations the reference monitor concept is realised by the access control component of an operating system kernel, for example the code that checks permissions whenever a system call opens a file or maps a resource into a process. The term is also used for the part of a trusted computing base that validates and controls every access to an object by a subject against a set of permissions and rules; the TCSEC name for that implementation is the reference validation mechanism.
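The following is an added illustration, not code from the original text or from any operating system: a toy reference monitor in Python whose subjects, objects, policy table and scenario are all constructed for the example. It shows the three properties in miniature: the policy table is wrapped in a read-only proxy so subjects cannot alter it (tamper resistance within the process), objects are reachable only through one `access` method (always invoked), and the decision function is small enough to be checked exhaustively over every (subject, object, operation) combination (verifiable). In a real system the tamper-proof property rests on hardware and kernel protection rather than on a Python proxy.

```python
"""Toy reference monitor: every access by a subject to an object passes
through one mediating function that consults a fixed policy table.
All subjects, objects and rules below are constructed for the example."""
import itertools
from types import MappingProxyType

# Constructed sample policy: (subject, object) -> operations granted.
# MappingProxyType makes the table read-only once built, so the subjects
# mediated by the monitor cannot rewrite their own permissions.
_POLICY = MappingProxyType({
    ("alice", "payroll.csv"): frozenset({"read", "write"}),
    ("bob", "payroll.csv"): frozenset({"read"}),
    ("bob", "notes.txt"): frozenset({"read", "write"}),
})


class AccessDenied(PermissionError):
    """Raised when the policy does not grant the requested operation."""


class ReferenceMonitor:
    """Holds the objects privately and mediates every access to them."""

    def __init__(self, policy, objects):
        self._policy = policy
        # Objects live only inside the monitor; callers never receive a
        # direct reference, so the only way to reach one is access().
        self._objects = dict(objects)
        self.audit = []  # (subject, object, op, decision) records

    def decide(self, subject, obj_name, op):
        """The reference validation function: default deny, allow only
        what the policy table lists explicitly."""
        return op in self._policy.get((subject, obj_name), frozenset())

    def access(self, subject, obj_name, op, data=None):
        """Single entry point for reads and writes (always invoked)."""
        allowed = self.decide(subject, obj_name, op)
        self.audit.append((subject, obj_name, op, "allow" if allowed else "deny"))
        if not allowed:
            raise AccessDenied(f"{subject} may not {op} {obj_name}")
        if obj_name not in self._objects:
            raise KeyError(obj_name)
        if op == "read":
            return self._objects[obj_name]
        if op == "write":
            self._objects[obj_name] = data
            return None
        raise ValueError(f"unknown operation {op!r}")


def verify_default_deny(monitor, subjects, objects, ops):
    """Verifiability: the decision function is small enough to test over the
    whole decision space. Returns True if nothing outside the policy table
    is ever allowed."""
    for s, o, op in itertools.product(subjects, objects, ops):
        listed = op in monitor._policy.get((s, o), frozenset())
        if monitor.decide(s, o, op) and not listed:
            return False
    return True


def run_scenario():
    """Constructed walk-through; returns the observed outcomes as a dict."""
    rm = ReferenceMonitor(_POLICY, {"payroll.csv": "salary data", "notes.txt": ""})
    outcomes = {}
    outcomes["alice_read"] = rm.access("alice", "payroll.csv", "read")
    try:  # bob holds only "read" on payroll.csv
        rm.access("bob", "payroll.csv", "write", data="tampered")
        outcomes["bob_write"] = "allowed"
    except AccessDenied:
        outcomes["bob_write"] = "denied"
    try:  # mallory has no entry at all: default deny
        rm.access("mallory", "payroll.csv", "read")
        outcomes["mallory_read"] = "allowed"
    except AccessDenied:
        outcomes["mallory_read"] = "denied"
    try:  # a subject reaching into the policy table is refused by the proxy
        rm._policy[("mallory", "payroll.csv")] = frozenset({"read"})
        outcomes["tamper"] = "succeeded"
    except TypeError:
        outcomes["tamper"] = "blocked"
    outcomes["payroll_intact"] = rm.access("alice", "payroll.csv", "read") == "salary data"
    outcomes["audit_entries"] = len(rm.audit)
    return outcomes


if __name__ == "__main__":
    print(run_scenario())
    print(verify_default_deny(ReferenceMonitor(_POLICY, {}),
                              ["alice", "bob", "mallory"],
                              ["payroll.csv", "notes.txt"],
                              ["read", "write", "delete"]))
```

The audit list records the decision for every mediated request, allowed or denied, which is what lets a later investigation reconstruct who asked for what; an access path that skipped `access()` would leave no such record, which is exactly why the always-invoked property matters.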