Virus Safe Computing for Windows XP

Polaris (Principal Of Least Authority for Real Internet Security) is a package for Windows XP that demonstrates that we can do better at dealing with viruses than has been done so far. Polaris allows users to configure most applications so that they launch with only the rights they need to do the job the user wants done. This simple step, enforcing the Principle of Least Authority (POLA), gives so much protection from viruses that there is no need to pop up security dialog boxes or ask users to accept digital certificates. Further, there is little danger in launching email attachments, using macros in documents, or allowing scripting while browsing the web. Polaris demonstrates that we can build systems that are more secure, more functional, and easier to use.

People often forget that POLA means two things at the same time. Not only must you prevent the application from having more authority than it needs to do the user's job, but also you must ensure that the application has enough authority to do that user's job. Granting too much authority is why there are viruses that hijack applications. Granting too little authority means that the application is useless, like a spreadsheet program in a web browser sandbox that cannot save the result on your hard disk. Polaris gives neither too much nor too little authority: while a polarised application cannot in general corrupt or infect files on your computer, the application can indeed store information to any file that the user explicitly specifies by either double-clicking on the file or by selecting the file in a dialog box. Thus, the Polaris system dynamically adjusts the authority of the application to do what the user wants.

Unlike static sandboxes, Polaris does not appreciably affect the user experience. In fact, one HP executive used a pre-Alpha version of Polaris for three days without knowing it was on his machine. Polaris does its magic without changing applications or the operating system. Nor does it rely on intercepting system calls. Instead, when users "Polarize" an application, the "Polarizer" creates a restricted user account for that application. When users launch the application, either explicitly via the shortcut the Polarizer created or implicitly by opening a file of the appropriate type, Polaris uses a variant of the Windows runAs facility to open the program in its account. The bulk of the Polaris software hides this fact from the user.


CACM article

If you don't want to build Polaris from the source, you may use the HP-built executables for non-commercial use.

License agreement for the HP-built executables
The HP-built executables

The source is covered under the more liberal MIT X license, so compile from source if you wish to use Polaris more generally. No HP-built executables are needed.

Source code


This version is a first prototype, which means there are a number of things we didn't do and a number of bugs we didn't fix. For example, this version does not support linked files. However, almost 100 people have used Polaris, some of them for several years, and have reported few problems. A few have them have reported that Polaris saved them from some nasty virues.

Polaris is NOT supported by HP. Send all questions to alan.karp at