
Polaris

Virus safe computing for Windows XP

Viruses, those nasty pieces of software that run when you launch an email attachment, edit a file with macros, or visit web pages that use scripts, are an ongoing problem. Why can't programmers just fix the flaws these viruses exploit? The reason is that these kinds of viruses aren't exploiting flaws; they're using the system the way it was designed to be used.

All commonly used operating systems, not just Windows, base their security on the identity of the logged-in user. That means every program you run can do anything you can do, whether you want it done or not. It is this flaw in the basic design of our systems that viruses exploit. They do things you're allowed to do that you don't want done.

The problem is the excess authority that every program gets. There's no reason why Solitaire needs the ability to search your disk for secrets and send them to your competition. There's no reason why Excel needs the ability to put a Trojan horse in your startup profile. Yet, on today's systems that's simply the way things work.

The Virus Safe Computing Initiative at HP Labs is attempting to address this problem by enforcing the Principle of Least Authority (POLA) at the smallest possible granularity. Our first offering is Polaris, a package for Windows XP that allows you to configure most applications so that they launch with only the permissions they need to do the job you want done. Polaris doesn't change the operating system or the applications; all that changes is the way applications are launched.

POLA at this level of granularity may sound like a user interface nightmare, with the application constantly nagging the user with “May I?” dialog boxes. If that were the case, we'd get no security because nobody would use Polaris. Fortunately, Polaris doesn't work this way. We have found from our earlier work that combining designation with authorization makes most of the security decisions disappear into the background.

The Alpha release of Polaris is currently available under a controlled roll-out. While we'd like reference accounts, we're limiting the number of test sites for the time being. If you have a compelling need, please contact Alan Karp at alan.karp@hp.com. Marc Stiegler is the lead developer, and Tyler Close has resolved several knotty issues. Our summer intern, Ka-Ping Yee, made opening additional files more transparent. Mark Miller made significant contributions to the design.

Why the bear for a logo? Because it's the POLAbear, of course.

Publications

"Polaris: Virus Safe Computing for Windows XP," Marc Stiegler, Alan Karp, Ka-Ping Yee, Mark Miller, Technical Report HPL-2004-221, Hewlett-Packard Laboratories, Palo Alto, California · December 21, 2004.

"Enforce POLA on Processes to Control Viruses," Viewpoints Column, Alan Karp, CACM, vol. 46, #12, pp. 27-29 · December 2003.

"POLA Today Keeps the Virus at Bay," Alan Karp, Technical Report HPL-2003-191, Hewlett-Packard Laboratories, Palo Alto, California · September 19, 2003.


Alan Karp and Marc Stiegler of the Polaris team

© 2009 Hewlett-Packard Development Company, L.P.