Skip to content

Drag-and-Drop Egress Tests (DM-DRAG)

Validate that drag-and-drop operations do not allow files or objects to leave the Secure Sandbox unless explicitly authorized.

Objectives

  • Enforce deny-by-default posture for outbound drag-and-drop.
  • Verify classification-aware rules and per-direction controls.

Preconditions

  • Policy sets runtime.dataMotion.settings.dragDrop.enabled: true and a deny-by-default posture.

Controls Under Test

  • runtime.dataMotion.rules[] with channel: "dragDrop" and direction: in|out|both.

Test Scenarios

IDTest ScenarioProcedureExpected Outcome
DM-DRAG-01File Drop (Outbound)1. Policy: dragDrop direction out = deny.
2. App: Drag file from sandbox window to Host Desktop.
Pass: Drag operation is blocked (cursor shows "no" symbol or drop does nothing).
DM-DRAG-02Inbound Block1. Policy: dragDrop direction in = deny.
2. Host: Drag malware.exe into sandbox window.
Pass: File is not transferred into the sandbox.
DM-DRAG-03Classification Filter1. Policy: Deny classifications: ["Confidential"].
2. App: Drag labeled file to host.
Pass: Labeled file is blocked; unlabeled file (if allowed) passes.

Evidence Requirements

  • Audit category: dataMotion with channel: "dragDrop", direction, action, outcome.
  • Include rule.id, priority, counts/bytes, and classification context where applicable.

Troubleshooting

  • Verify runtime.dataMotion.settings.dragDrop.enabled: true and the intended default posture.
  • Check rule ordering and priority; ensure the specific deny rule precedes broader allow rules.
  • Confirm classification detection is configured when rules reference classifications.

Known Limitations & Negative Space

  • These tests validate functional drag-and-drop control, not covert channels (for example, screen capture or OCR). See related procedures in Data Egress and Screen Capture.
  • Application-specific drag APIs may present unique formats; ensure format detection covers common cases.