Polaris (computer security)

From Wikipedia, the free encyclopedia

Polaris is a Microsoft Windows system for running application software with limited authority.

Configuring an application to run under Polaris is known as "polarizing" it. This creates a "pet", an instance of the application which is isolated from other pets. A pet starts off without the authority to access any of the user's files, but Polaris grants it rights to access individual files as a result of actions the user takes:

  • Opening a file using the pet grants it the right to read and write the file. (File extensions can be associated with a pet.)
  • Polaris intercepts the pet's use of the Windows file chooser dialog box so that it acts as a Powerbox. This means that when the user chooses a file in a File dialog opened by the pet, the system grants the pet access to that file.

This design is based on CapDesk.

Polaris takes its name from POLA, the Principle of Least Authority.

Polaris was developed at HP Labs. As of July 2006, it has not been publicly released, although there are plans to put Polaris on consumer PCs that HP ships [1].

Implementation

Polaris launches applications under restricted user accounts using a variant of the Windows RunAs command.

Polaris does not grant applications the right to access a file by modifying the file's access control list (ACL). Instead, it copies the file into the user account that the application runs under. Polaris sets up a synchronizer so that if the application modifies its copy of the file, Polaris copies it back to the original. This has the advantage that the application's authority to change the file is revoked when the synchronizer is stopped.
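The copy-and-synchronize grant described above, as an added Python sketch that is not Polaris code and stays platform-neutral (plain directories stand in for the user's and the pet's Windows accounts): the pet receives a private copy, an active synchronizer copies changed content back to the original, and revocation is simply dropping the grant so later edits stay in the pet's copy.

```python
import hashlib, shutil, tempfile
from pathlib import Path

def _digest(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

class Synchronizer:
    """Copy-and-sync grant: the pet gets a private copy of the file and an
    active synchronizer copies its changes back; stopping it revokes access."""

    def __init__(self, pet_dir):
        self.pet_dir = Path(pet_dir)  # the restricted pet account's file area
        self.grants = {}              # pet copy -> (original, last seen hash)

    def grant(self, original):
        """Copy the file into the pet's area instead of editing its ACL."""
        pet_copy = self.pet_dir / Path(original).name
        shutil.copy2(original, pet_copy)
        self.grants[pet_copy] = (Path(original), _digest(pet_copy))
        return pet_copy

    def sync(self):
        """Copy back every pet copy whose content changed since the last sync."""
        for pet_copy, (original, seen) in self.grants.items():
            current = _digest(pet_copy)
            if current != seen:
                shutil.copy2(pet_copy, original)
                self.grants[pet_copy] = (original, current)

    def revoke(self, pet_copy):
        """Stop synchronizing: nothing the pet writes reaches the original now."""
        self.grants.pop(Path(pet_copy), None)

def demo():
    """Constructed walk-through: grant, pet edits, sync, revoke, pet edits, sync."""
    root = Path(tempfile.mkdtemp())
    (root / "user").mkdir(); (root / "pet").mkdir()
    original = root / "user" / "notes.txt"
    original.write_text("draft\n")
    sync = Synchronizer(root / "pet")
    copy = sync.grant(original)
    copy.write_text("edited by pet\n")
    sync.sync()
    after_sync = original.read_text()      # pet's edit reached the original
    sync.revoke(copy)
    copy.write_text("edit after revocation\n")
    sync.sync()
    after_revoke = original.read_text()    # unchanged: grant is gone
    shutil.rmtree(root)
    return after_sync, after_revoke
```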

Polaris must prevent the Shatter attack on Windows in order to be secure.
