Explanation: The reference monitor concept is an abstract machine that ensures that all subjects have the necessary access rights before accessing objects. Therefore, the kernel will mediates all accesses to objects by subjects and will do so by validating through the reference monitor concept.
The kernel does not decide whether or not the access will be granted, it will be the Reference Monitor which is a subset of the kernel that will say YES or NO.
All access requests will be intercepted by the Kernel, validated through the reference monitor, and then access will either be denied or granted according to the request and the subject privileges within the system.
1. The reference monitor must be small enough to be full tested and valided
2. The Kernel must MEDIATE all access request from subjects to objects
3. The processes implementing the reference monitor must be protected
4. The reference monitor must be tamperproof
The following answers are incorrect:
The security kernel is the mechanism that actually enforces the rules of the reference monitor concept.
The other answers are distractors.
Shon Harris, All In One, 5th Edition, Security Architecture and Design, Page 330
also see
http://en.wikipedia.org/wiki/Reference_monitor