Appearance
Turbo Security Validation Framework
Executive Summary
The Turbo Security Validation Framework establishes a rigorous, repeatable method to verify the performance and behavior of the Turbo Secure Sandbox runtime. It serves as a primary assurance artifact for customers and auditors, demonstrating how the platform enforces a Zero Trust posture across the endpoint application surface.
- Network Governance: Verifies that outbound traffic is governed by policy, including deny-by-default egress, proxy-enforced routing, TLS inspection, and resistance to bypass techniques (DNS evasion, direct-IP, protocol tunneling).
- Data Motion Control: Validates the boundaries for how information moves in and out of the runtime (clipboard, drag-and-drop, screen capture, peripherals) with context-aware restrictions to prevent exfiltration.
- System Hardening: Confirms the structural integrity of the execution environment, including storage isolation, process anti-tampering, and memory protections so the host cannot compromise the sandbox and the policy engine cannot be disabled.
Methodology & Document Structure
To ensure comprehensive assurance, the framework unifies three complementary layers of testing:
- Verification Matrix (Atomic Testing): A catalog of functional tests that validate individual control mechanisms in isolation (for example, a specific clipboard paste block).
- Scenario Validation (Real-World Workflows): Application- and tool-specific procedures that map abstract controls to concrete user workflows in browsers, IDEs, and office suites.
- Integration Testing (End-to-End Chains): Cross-domain flows that validate precedence and fail-closed behaviors when multiple controls interact (for example, ensuring a file blocked by network policy cannot be offloaded via a peripheral device).
Verification Matrix
| Domain | Risk/Feature | Sub-Area | Test IDs | Suite Link |
|---|---|---|---|---|
| Network | Egress Control | EGRESS | NET-EGRESS-* | Egress Validation |
| Network | DNS Evasion | DNS | NET-DNS-* | DNS Validation |
| Network | Protocol Bypass | PROTO | NET-PROTO-* | Protocol Validation |
| Network | Traffic Inspection | ENCRYPT | NET-ENCRYPT-* | Encryption Validation |
| Network | Network Isolation | ISOLATE | NET-ISOLATE-* | Isolation Validation |
| Data Motion | Clipboard Exfiltration | CLIP | DM-CLIP-* | Clipboard |
| Data Motion | Clipboard Evasion | CLIPBYPASS | DM-CLIPBYPASS-* | Clipboard Bypass |
| Data Motion | Drag & Drop | DRAG | DM-DRAG-* | Drag & Drop |
| Data Motion | Screen Capture | SCREEN | DM-SCREEN-* | Screen Capture |
| Data Motion | Web Exfiltration | WEB | DM-WEB-* | Browser Uploads |
| Data Motion | Peripheral Control | DEVICE | DM-DEVICE-* | Devices |
| Data Motion | 3rd Party Processing | PROCEXT | DM-PROCEXT-* | External Processors |
| Hardening | Storage Isolation | FILES | HARD-FILES-* | Files & Storage |
| Hardening | File System Bypass | FILESBYPASS | HARD-FILESBYPASS-* | Files Bypass |
| Hardening | Host Isolation | HOST | HARD-HOST-* | Host Isolation |
| Hardening | Policy Integrity | POLICY | HARD-POLICY-* | Policy Integrity |
| Hardening | Process Isolation | PROCESS | HARD-PROCESS-* | Process Isolation |
| Hardening | IPC Boundary | IPC | HARD-IPC-* | IPC Boundary |
| Hardening | Memory Artifacts | MEM | HARD-MEM-* | Memory & Swap |
Scenario Validation
Scenarios map app- or tool-specific procedures to tests in the Canonical Test Catalog.
| Type | Description | ID Prefix | Examples |
|---|---|---|---|
| Apps | Application-specific procedures | SCEN-APP-* | Adobe Acrobat Reader, Google Chrome, Cursor, Microsoft Excel, Microsoft Word, MobaDiff, MobaTextEditor, MobaXterm, Notepad++, Perforce GUI, Qt Creator, System Notepad, Visual Studio, Visual Studio Code |
| Tools | CLI and utility procedures | SCEN-TOOL-* | Command Prompt, Cygwin, Pageant, Perforce CLI, PowerShell, PSFTP, PuTTY, PuTTYgen, Python, System tar, WinSCP |
| Remote | Remote access clients | SCEN-REMOTE-* | NoMachine, RDP (MSTSC), RealVNC Viewer, TigerVNC, VNC Viewer |
| System | OS features and platform flows | SCEN-SYSTEM-* | Mounted Drives, Printing, Turbo CLI, Turbo Launcher |
Integration Testing
Integration testing covers cross-domain, end-to-end flows that chain canonical tests to validate precedence, consistency, and fail-closed behavior.
| Flow | ID Prefix | Link |
|---|---|---|
| Proxy Fail‑Closed Uploads | INTEG-PROXY-FAIL-* | Proxy Fail‑Closed Uploads |
| Files → Open With → Browser → Upload | INTEG-FILE-ASSOC-* | Files → Open With → Browser → Upload |
| DNS/Direct‑IP Uploads Blocked | INTEG-DNS-BYPASS-* | DNS/Direct‑IP Uploads Blocked |
| IPv6 Parity for Web Uploads | INTEG-IPV6-PARITY-* | IPv6 Parity for Web Uploads |
| PAC/WPAD Hygiene — No Direct Fallback | INTEG-PAC-FALLBACK-* | PAC/WPAD Hygiene — No Direct Fallback |
| Cross‑Channel Precedence | INTEG-DM-PRECEDENCE-* | Cross‑Channel Precedence |
| Device → Upload Block | INTEG-DEVICE-UPLOAD-* | USB to Browser Upload Block |
| External Processor Redaction Chain | INTEG-PROC-REDACT-* | External Processor Redaction Chain |
| Audit Failure Gated, Fail‑Closed Egress | INTEG-AUDIT-FAIL-* | Audit Failure Gated, Fail‑Closed Egress |
| Policy Rollback/Tamper Blocks Launch & Egress | INTEG-POLICY-ROLLBACK-* | Policy Rollback/Identity Tamper Blocks Launch and Egress |
| Named Network HTTP Access | INTEG-NAMED-NET-HTTP-* | Named Network HTTP Access |
Product Scope & Assumptions
Architecture & Enforcement
- Runtime Containment: All validation assumes applications are launched via the Turbo Launcher and executed within the Secure Sandbox runtime.
- Enforcement Scope: The runtime is the sole enforcement point for policy load integrity, data‑motion boundaries (clipboard,
dragDrop,screenCapture), proxy‑designated network egress, storage isolation, and audit integrity. - Fail‑Closed Default: The default posture is deny‑by‑default. If policy or audit integrity cannot be established, the system is designed to block access.
Configuration Prerequisites
- Policy Dependence: Security outcomes are directly tied to configuration. In particular: which applications are authorized to run in the Secure Sandbox, the default deny posture, and whether proxy‑only egress and certificate pinning are enabled. When proxies are not designated or not enforced, egress controls that rely on proxy routing do not apply.
- Environment Fidelity: Validation must occur within the customer’s specific environment. Factors such as Identity/SSO claims, EDR agents, and local network configurations (DNS/PAC/WPAD) significantly impact behavior. Lab tests lacking these integrations may not reflect production reality. Effective behavior depends on configuration and integrations (policy, named networks/proxy routing, certificate pinning and CA trust, identity/SSO claims, EDR/DLP/monitoring agents, DNS/PAC/WPAD).
Out‑of‑Scope Behaviors & Non‑Goals
Host‑Level Compromise
- Admin Privilege: If a user or process obtains local administrative privileges (or kernel/boot control), Turbo enforcement can be bypassed. Production deployments must enforce least privilege and OS hardening/EDR; this validation assumes a non‑compromised host without end‑user admin rights.
- System Integrity: This release does not prevent the execution of processes outside the Secure Sandbox runtime, nor does it protect against kernel/binary tampering or EDR evasion. Preventing out‑of‑runtime launches is not a stated capability of this release and is outside the scope of this validation.
Physical & Out‑of‑Band
- External Capture: Actions outside of software control, such as photographing a screen with a mobile device, are not prevented. Watermarking acts as a deterrent, not a physical barrier.
Behavioral Limitations
- Low‑and‑Slow Exfiltration: The product detects policy violations at the boundary (e.g., massive clipboard paste). It does not claim to detect "low‑and‑slow" attacks where a user manually exports data in small, allowable batches over time, beyond the explicit, policy‑governed boundary checks enforced when data crosses clipboard, drag‑and‑drop, or upload channels inside the runtime.
- Operational Pairing: Mitigation of the above risks requires pairing Turbo with OS hardening, EDR/DLP monitoring, and identity‑based allow‑listing, together with correctly configured enterprise proxies and certificate pinning.
- Insider Threat Resistance: Resistance to a determined internal attacker with prolonged, interactive access is not a design goal of this release. As noted above, low‑and‑slow exfiltration and out‑of‑band capture remain outside the product’s control; controls focus on in‑runtime, policy‑governed channels.
Evidence Standards
Auditors should verify that all forensic artifacts conform to the following JSON schema to ensure chain-of-custody.
json
{
"$schema": "http://json-schema.org/draft-07/schema#",
"type": "object",
"required": [
"category",
"channel",
"action",
"integrity",
"rule",
"classification"
],
"properties": {
"category": {
"type": "string",
"const": "dataMotion"
},
"channel": {
"type": "string",
"description": "The data channel (e.g., clipboard, dragDrop)"
},
"action": {
"type": "string",
"enum": ["allow", "deny", "process"]
},
"integrity": {
"type": "object",
"required": ["hash"],
"properties": {
"hash": {
"type": "string",
"pattern": "^[a-fA-F0-9]{64}$",
"description": "SHA-256 hash of the event for tamper-evidence"
},
"prevHash": {
"type": "string"
}
}
},
"rule": {
"type": "object",
"required": ["id"],
"properties": {
"id": {
"type": "string",
"description": "ID of the policy rule that triggered this event"
},
"priority": {
"type": "integer"
}
}
},
"classification": {
"type": "object",
"required": ["normalized"],
"properties": {
"normalized": {
"type": "array",
"items": { "type": "string" },
"description": "Normalized tags (e.g., ['CUI', 'ITAR'])"
}
}
}
}
}