Appearance
Devices Egress Tests (DM-DEVICE)
Validate that device-based egress channels (printers, removable storage/USB, camera, microphone, Bluetooth/NFC) cannot exfiltrate data when policy denies it.
Objectives
- Enforce device deny posture for sensitive environments.
- Verify optional watermarking/attribution when printing is permitted.
Controls Under Test
- Device controls (printers, removable media, camera/mic, Bluetooth/NFC).
Canonical Tests
| ID | Threat / Scenario | Universal Procedure | Expected Outcome & Audit |
|---|---|---|---|
| DM-DEVICE-01 | Print to Local/Virtual PDF | Initiate print of a sensitive document to a local/virtual PDF device from an app inside the Sandbox. | Pass: Print is blocked (or watermarked per policy). Audit: category: "device", device.type: "printer", action: "deny" (or process with watermarkTemplateUsed), rule.id, integrity.hash. |
| DM-DEVICE-02 | USB Mass Storage Write/Export | Connect a removable USB mass storage device. Inside the Sandbox, attempt to export or write a file to the device. | Pass: Access is denied; no data is written. Audit: category: "device", device.type: "storage", device.class: "usbMassStorage", action: "deny", bytesWritten: 0, rule.id, integrity.hash. |
| DM-DEVICE-03 | Camera/Microphone Streaming | Attempt to start camera/mic in an app that can record/stream. | Pass: Device access denied unless explicitly allowed. Audit: category: "device", `device.type: "camera" |
| DM-DEVICE-04 | Bluetooth/NFC Transfer | Attempt to transfer/beaming a file via Bluetooth/NFC from inside the Sandbox. | Pass: Operation blocked. Audit: category: "device", `device.type: "bluetooth" |
| DM-DEVICE-05 | Removable Storage Attach (Enumeration Denied) | Attach a USB removable storage device while the policy denies removable storage. Validate whether the device enumerates inside the Sandbox. | Pass: Attach is blocked or not exposed to the Sandbox; device is not enumerated/mounted inside the container. Audit: category: "device", device.type: "storage", device.class: "usbMassStorage", eventType: "attach", action: "deny" (or exposure suppressed), vendorId, productId, serial (when available), rule.id, integrity.hash. |
| DM-DEVICE-06 | Removable Storage Detach (Cleanup/Safe Removal) | Safely eject or physically remove the USB device after attempted use. Verify Sandbox handle cleanup and absence of dangling mounts. | Pass: Cleanup completes; no open handles or mounts remain; no residual access after detach. Audit: category: "device", device.type: "storage", device.class: "usbMassStorage", eventType: "detach", action: "process", cleanup: "success", bytesWritten: 0, openHandles: 0, rule.id, integrity.hash. |
| DM-DEVICE-PRINT-01 | Printer Enumeration Blocked | With device-level printer restrictions enabled, open a print dialog in a simple app (for example, Notepad). | Pass: No printers are enumerated/available inside the Sandbox. Audit: category: "device", device.type: "printer", action: "deny" (or exposure suppressed), rule.id, integrity.hash. |
| DM-DEVICE-PRINT-02 | Print Job Denied | With restrictions enabled, attempt to print any document to a local/virtual device. | Pass: Print job is denied; no spooled output. Audit: category: "device", device.type: "printer", action: "deny", bytesWritten: 0, rule.id, integrity.hash. |
Evidence Requirements
- Include the Golden Fields:
category,action,rule.id,integrity.hash. - For removable storage, prefer:
device.type("storage"),device.class("usbMassStorage"),eventType(attach/detach), and identifiers (vendorId,productId,serial) when available.
Troubleshooting
- Validate device enumeration inside the Sandbox reflects policy (for example, printers list is empty when blocked; removable storage does not appear as a mount or drive).
- Confirm runtime/device settings are applied via policy flags; ensure no per-app overrides enable devices.
- For USB tests, verify host policies do not mask Sandbox behavior (host OS-level blocks vs Sandbox denies).
Known Limitations & Negative Space
- Optical print to paper cannot be technically prevented; use watermarking and physical controls as compensating measures.
- Some virtual devices can masquerade as allowed classes; keep allowlists minimal and validate device identifiers.
