Polaris (Principal Of Least Authority for Real Internet
Security) is a package for Windows XP that demonstrates
that we can do better at dealing with viruses than has
been done so far. Polaris allows users to configure most
applications so that they launch with only the rights they
need to do the job the user wants done. This simple step,
enforcing the Principle of Least Authority (POLA), gives
so much protection from viruses that there is no need to
pop up security dialog boxes or ask users to accept
digital certificates. Further, there is little danger in
launching email attachments, using macros in documents, or
allowing scripting while browsing the web. Polaris
demonstrates that we can build systems that are more
secure, more functional, and easier to use.
People often forget that POLA means two things at the same
time. Not only must you prevent the application from
having more authority than it needs to do the user's job,
but also you must ensure that the application has enough
authority to do that user's job. Granting too much
authority is why there are viruses that hijack
applications. Granting too little authority means that
the application is useless, like a spreadsheet program in
a web browser sandbox that cannot save the result on your
hard disk. Polaris gives neither too much nor too little
authority: while a polarised application cannot in general
corrupt or infect files on your computer, the application
can indeed store information to any file that the user
explicitly specifies by either double-clicking on the file
or by selecting the file in a dialog box. Thus, the
Polaris system dynamically adjusts the authority of the
application to do what the user wants.
Unlike static sandboxes, Polaris does not appreciably
affect the user experience. In fact, one HP executive
used a pre-Alpha version of Polaris for three days without
knowing it was on his machine. Polaris does its magic
without changing applications or the operating system.
Nor does it rely on intercepting system calls. Instead,
when users "Polarize" an application, the "Polarizer"
creates a restricted user account for that application.
When users launch the application, either explicitly via
the shortcut the Polarizer created or implicitly by
opening a file of the appropriate type, Polaris uses a
variant of the Windows runAs facility to open the program
in its account. The bulk of the Polaris software hides
this fact from the user.
If you don't want to build Polaris from the source, you
may use the HP-built executables for non-commercial
License agreement for
the HP-built executables
The source is covered under the more liberal MIT X
license, so compile from source if you wish to use Polaris
more generally. No HP-built executables are needed.
Polaris uses a kernel driver to work around a bug that
Microsoft claims is not security related. We believe this
kernel driver is the reason Polaris does not work with
Windows Vista. If you run without it, you are vulnerable
to an attacker who mounts a Shatter
attack after launching a process via the COM server.
However, you're probably safe until Polaris becomes widely
This version is a first prototype, which means there are a
number of things we didn't do and a number of bugs we
didn't fix. For example, this version does not support
linked files. However, almost 100 people have used
Polaris, some of them for several years, and have reported
few problems. A few have them have reported that Polaris
saved them from some nasty virues.
Polaris is NOT supported by HP. Send all questions to alan.karp at hp.com.