Skip to content

Host Isolation and File System Tests (HARD-HOST)

Validate that the sandbox cannot modify or corrupt the host system.

Objectives

  • Enforce read-only mounts where required and ensure overlay writes do not touch host.

Test Scenarios

IDTest ScenarioProcedureExpected Outcome
HARD-HOST-01Ransomware Sim1. Mount: Host Documents as read-only.
2. App: Attempt to delete/overwrite MyDoc.docx.
Pass: Access Denied / Operation Failed.
HARD-HOST-02Path Traversal1. App: Access ..\\..\\Windows\\System32\\drivers\\etc\\hosts.Pass: Cannot navigate outside of configured mounts.
HARD-HOST-03Ghost Writes1. App: Write file to C:\\Users\\Public.
2. Host: Check directory.
Pass: File is not present on Host (written to sandbox overlay only).
HARD-HOST-04Alternate Data Streams1. App: Write echo "secret" > file.txt:hidden.Pass: Stream not written to host, or contained within overlay.
HARD-HOST-05Hot‑Add Volume Write Redirection1. With the app running, attach a new volume/partition (for example, create E: in Disk Management).
2. App: Attempt to save E:\\leak.txt.
Pass: Write is denied or virtualized to the sandbox overlay/Storage Context; no host write occurs.
Audit: category: "fileOp", `action: "deny"

Evidence Requirements

  • Audit category: fileOp or relevant enforcement events with action/outcome.

Troubleshooting

  • Validate mounts are configured as read-only where required; ensure test files live on mounted paths, not ephemeral temp paths.
  • Check for inadvertent host path exposure via mounts or environment variable expansion.

Known Limitations & Negative Space

  • Overlay-based containment prevents host writes but does not replace host anti-malware; run AV/EDR on host volumes.
  • Tests cover host file visibility and writes; kernel-level side channels are out of scope for this procedure.