August 2nd, 2009

The assurance that the components are enforcing the abstract idea of the reference monitor is proved through testing and functionality.

— Shon Harris, All-In-One CISSP Exam Guide 4th Ed., p. 328

Nnnnnnnno, actually testing can’t possibly give that kind of assurance, and I’m not sure what “functionality” is supposed to mean here – it runs fine, so it must be working as expected?  The Third Commandment of the Reference Monitor, which had just been given in the text, is that it must be small enough to be completely verified.  That verification is the assurance.

