Skip to content

Turbo Security Validation Framework

Executive Summary

The Turbo Security Validation Framework establishes a rigorous, repeatable method to verify the performance and behavior of the Turbo Secure Sandbox runtime. It serves as a primary assurance artifact for customers and auditors, demonstrating how the platform enforces a Zero Trust posture across the endpoint application surface.

  • Network Governance: Verifies that outbound traffic is governed by policy, including deny-by-default egress, proxy-enforced routing, TLS inspection, and resistance to bypass techniques (DNS evasion, direct-IP, protocol tunneling).
  • Data Motion Control: Validates the boundaries for how information moves in and out of the runtime (clipboard, drag-and-drop, screen capture, peripherals) with context-aware restrictions to prevent exfiltration.
  • System Hardening: Confirms the structural integrity of the execution environment, including storage isolation, process anti-tampering, and memory protections so the host cannot compromise the sandbox and the policy engine cannot be disabled.

Methodology & Document Structure

To ensure comprehensive assurance, the framework unifies three complementary layers of testing:

  • Verification Matrix (Atomic Testing): A catalog of functional tests that validate individual control mechanisms in isolation (for example, a specific clipboard paste block).
  • Scenario Validation (Real-World Workflows): Application- and tool-specific procedures that map abstract controls to concrete user workflows in browsers, IDEs, and office suites.
  • Integration Testing (End-to-End Chains): Cross-domain flows that validate precedence and fail-closed behaviors when multiple controls interact (for example, ensuring a file blocked by network policy cannot be offloaded via a peripheral device).

Verification Matrix

DomainRisk/FeatureSub-AreaTest IDsSuite Link
NetworkEgress ControlEGRESSNET-EGRESS-*Egress Validation
NetworkDNS EvasionDNSNET-DNS-*DNS Validation
NetworkProtocol BypassPROTONET-PROTO-*Protocol Validation
NetworkTraffic InspectionENCRYPTNET-ENCRYPT-*Encryption Validation
NetworkNetwork IsolationISOLATENET-ISOLATE-*Isolation Validation
Data MotionClipboard ExfiltrationCLIPDM-CLIP-*Clipboard
Data MotionClipboard EvasionCLIPBYPASSDM-CLIPBYPASS-*Clipboard Bypass
Data MotionDrag & DropDRAGDM-DRAG-*Drag & Drop
Data MotionScreen CaptureSCREENDM-SCREEN-*Screen Capture
Data MotionWeb ExfiltrationWEBDM-WEB-*Browser Uploads
Data MotionPeripheral ControlDEVICEDM-DEVICE-*Devices
Data Motion3rd Party ProcessingPROCEXTDM-PROCEXT-*External Processors
HardeningStorage IsolationFILESHARD-FILES-*Files & Storage
HardeningFile System BypassFILESBYPASSHARD-FILESBYPASS-*Files Bypass
HardeningHost IsolationHOSTHARD-HOST-*Host Isolation
HardeningPolicy IntegrityPOLICYHARD-POLICY-*Policy Integrity
HardeningProcess IsolationPROCESSHARD-PROCESS-*Process Isolation
HardeningIPC BoundaryIPCHARD-IPC-*IPC Boundary
HardeningMemory ArtifactsMEMHARD-MEM-*Memory & Swap

Scenario Validation

Scenarios map app- or tool-specific procedures to tests in the Canonical Test Catalog.

TypeDescriptionID PrefixExamples
AppsApplication-specific proceduresSCEN-APP-*Adobe Acrobat Reader, Google Chrome, Cursor, Microsoft Excel, Microsoft Word, MobaDiff, MobaTextEditor, MobaXterm, Notepad++, Perforce GUI, Qt Creator, System Notepad, Visual Studio, Visual Studio Code
ToolsCLI and utility proceduresSCEN-TOOL-*Command Prompt, Cygwin, Pageant, Perforce CLI, PowerShell, PSFTP, PuTTY, PuTTYgen, Python, System tar, WinSCP
RemoteRemote access clientsSCEN-REMOTE-*NoMachine, RDP (MSTSC), RealVNC Viewer, TigerVNC, VNC Viewer
SystemOS features and platform flowsSCEN-SYSTEM-*Mounted Drives, Printing, Turbo CLI, Turbo Launcher

Integration Testing

Integration testing covers cross-domain, end-to-end flows that chain canonical tests to validate precedence, consistency, and fail-closed behavior.

FlowID PrefixLink
Proxy Fail‑Closed UploadsINTEG-PROXY-FAIL-*Proxy Fail‑Closed Uploads
Files → Open With → Browser → UploadINTEG-FILE-ASSOC-*Files → Open With → Browser → Upload
DNS/Direct‑IP Uploads BlockedINTEG-DNS-BYPASS-*DNS/Direct‑IP Uploads Blocked
IPv6 Parity for Web UploadsINTEG-IPV6-PARITY-*IPv6 Parity for Web Uploads
PAC/WPAD Hygiene — No Direct FallbackINTEG-PAC-FALLBACK-*PAC/WPAD Hygiene — No Direct Fallback
Cross‑Channel PrecedenceINTEG-DM-PRECEDENCE-*Cross‑Channel Precedence
Device → Upload BlockINTEG-DEVICE-UPLOAD-*USB to Browser Upload Block
External Processor Redaction ChainINTEG-PROC-REDACT-*External Processor Redaction Chain
Audit Failure Gated, Fail‑Closed EgressINTEG-AUDIT-FAIL-*Audit Failure Gated, Fail‑Closed Egress
Policy Rollback/Tamper Blocks Launch & EgressINTEG-POLICY-ROLLBACK-*Policy Rollback/Identity Tamper Blocks Launch and Egress
Named Network HTTP AccessINTEG-NAMED-NET-HTTP-*Named Network HTTP Access

Product Scope & Assumptions

Architecture & Enforcement

  • Runtime Containment: All validation assumes applications are launched via the Turbo Launcher and executed within the Secure Sandbox runtime.
  • Enforcement Scope: The runtime is the sole enforcement point for policy load integrity, data‑motion boundaries (clipboard, dragDrop, screenCapture), proxy‑designated network egress, storage isolation, and audit integrity.
  • Fail‑Closed Default: The default posture is deny‑by‑default. If policy or audit integrity cannot be established, the system is designed to block access.

Configuration Prerequisites

  • Policy Dependence: Security outcomes are directly tied to configuration. In particular: which applications are authorized to run in the Secure Sandbox, the default deny posture, and whether proxy‑only egress and certificate pinning are enabled. When proxies are not designated or not enforced, egress controls that rely on proxy routing do not apply.
  • Environment Fidelity: Validation must occur within the customer’s specific environment. Factors such as Identity/SSO claims, EDR agents, and local network configurations (DNS/PAC/WPAD) significantly impact behavior. Lab tests lacking these integrations may not reflect production reality. Effective behavior depends on configuration and integrations (policy, named networks/proxy routing, certificate pinning and CA trust, identity/SSO claims, EDR/DLP/monitoring agents, DNS/PAC/WPAD).

Out‑of‑Scope Behaviors & Non‑Goals

Host‑Level Compromise

  • Admin Privilege: If a user or process obtains local administrative privileges (or kernel/boot control), Turbo enforcement can be bypassed. Production deployments must enforce least privilege and OS hardening/EDR; this validation assumes a non‑compromised host without end‑user admin rights.
  • System Integrity: This release does not prevent the execution of processes outside the Secure Sandbox runtime, nor does it protect against kernel/binary tampering or EDR evasion. Preventing out‑of‑runtime launches is not a stated capability of this release and is outside the scope of this validation.

Physical & Out‑of‑Band

  • External Capture: Actions outside of software control, such as photographing a screen with a mobile device, are not prevented. Watermarking acts as a deterrent, not a physical barrier.

Behavioral Limitations

  • Low‑and‑Slow Exfiltration: The product detects policy violations at the boundary (e.g., massive clipboard paste). It does not claim to detect "low‑and‑slow" attacks where a user manually exports data in small, allowable batches over time, beyond the explicit, policy‑governed boundary checks enforced when data crosses clipboard, drag‑and‑drop, or upload channels inside the runtime.
  • Operational Pairing: Mitigation of the above risks requires pairing Turbo with OS hardening, EDR/DLP monitoring, and identity‑based allow‑listing, together with correctly configured enterprise proxies and certificate pinning.
  • Insider Threat Resistance: Resistance to a determined internal attacker with prolonged, interactive access is not a design goal of this release. As noted above, low‑and‑slow exfiltration and out‑of‑band capture remain outside the product’s control; controls focus on in‑runtime, policy‑governed channels.

Evidence Standards

Auditors should verify that all forensic artifacts conform to the following JSON schema to ensure chain-of-custody.

json
{
  "$schema": "http://json-schema.org/draft-07/schema#",
  "type": "object",
  "required": [
    "category",
    "channel",
    "action",
    "integrity",
    "rule",
    "classification"
  ],
  "properties": {
    "category": {
      "type": "string",
      "const": "dataMotion"
    },
    "channel": {
      "type": "string",
      "description": "The data channel (e.g., clipboard, dragDrop)"
    },
    "action": {
      "type": "string",
      "enum": ["allow", "deny", "process"]
    },
    "integrity": {
      "type": "object",
      "required": ["hash"],
      "properties": {
        "hash": {
          "type": "string",
          "pattern": "^[a-fA-F0-9]{64}$",
          "description": "SHA-256 hash of the event for tamper-evidence"
        },
        "prevHash": {
          "type": "string"
        }
      }
    },
    "rule": {
      "type": "object",
      "required": ["id"],
      "properties": {
        "id": {
          "type": "string",
          "description": "ID of the policy rule that triggered this event"
        },
        "priority": {
          "type": "integer"
        }
      }
    },
    "classification": {
      "type": "object",
      "required": ["normalized"],
      "properties": {
        "normalized": {
          "type": "array",
          "items": { "type": "string" },
          "description": "Normalized tags (e.g., ['CUI', 'ITAR'])"
        }
      }
    }
  }
}