Appearance
Host Isolation and File System Tests (HARD-HOST)
Validate that the sandbox cannot modify or corrupt the host system.
Objectives
- Enforce read-only mounts where required and ensure overlay writes do not touch host.
Test Scenarios
| ID | Test Scenario | Procedure | Expected Outcome |
|---|---|---|---|
| HARD-HOST-01 | Ransomware Sim | 1. Mount: Host Documents as read-only.2. App: Attempt to delete/overwrite MyDoc.docx. | Pass: Access Denied / Operation Failed. |
| HARD-HOST-02 | Path Traversal | 1. App: Access ..\\..\\Windows\\System32\\drivers\\etc\\hosts. | Pass: Cannot navigate outside of configured mounts. |
| HARD-HOST-03 | Ghost Writes | 1. App: Write file to C:\\Users\\Public.2. Host: Check directory. | Pass: File is not present on Host (written to sandbox overlay only). |
| HARD-HOST-04 | Alternate Data Streams | 1. App: Write echo "secret" > file.txt:hidden. | Pass: Stream not written to host, or contained within overlay. |
| HARD-HOST-05 | Hot‑Add Volume Write Redirection | 1. With the app running, attach a new volume/partition (for example, create E: in Disk Management).2. App: Attempt to save E:\\leak.txt. | Pass: Write is denied or virtualized to the sandbox overlay/Storage Context; no host write occurs. Audit: category: "fileOp", `action: "deny" |
Evidence Requirements
- Audit category:
fileOpor relevant enforcement events with action/outcome.
Troubleshooting
- Validate mounts are configured as read-only where required; ensure test files live on mounted paths, not ephemeral temp paths.
- Check for inadvertent host path exposure via mounts or environment variable expansion.
Known Limitations & Negative Space
- Overlay-based containment prevents host writes but does not replace host anti-malware; run AV/EDR on host volumes.
- Tests cover host file visibility and writes; kernel-level side channels are out of scope for this procedure.
