Appearance
IPC Boundary Tests (HARD-IPC)
Validate that host-to-sandbox and sandbox-to-host interprocess communication (IPC) channels are isolated. You ensure that untrusted processes cannot control sandboxed apps or exfiltrate data via local IPC mechanisms.
Objectives
- Deny cross-boundary IPC attempts by default.
- Prove isolation for common Windows IPC surfaces.
Controls Under Test
- Window messaging:
WM_COPYDATA, custom registered messages - COM/OLE/ActiveX automation (ROT,
IDispatch) - Shared memory (file mappings):
Global\\/Local\\segments - Mailslots:
\\.\\mailslot\\<name> - Local RPC endpoints: LRPC/ALPC (for example,
ncalrpc) - Atom tables:
GlobalAddAtom/GlobalFindAtom - Named pipes:
\\.\\pipe\\<name>
Test Scenarios
| ID | Threat / Scenario | Universal Procedure | Expected Outcome & Audit |
|---|---|---|---|
| HARD-IPC-01 | Window messaging: WM_COPYDATA (host→sandbox) | From the host, locate a sandbox window. Send WM_COPYDATA with an arbitrary payload to the sandbox window. | Pass: Message is not delivered or is ignored; no effect on sandbox app. Audit: action: deny, reason: crossBoundaryIPC, ipc.channel: "wmCopyData", integrity.hash present. |
| HARD-IPC-02 | Custom window messages (host→sandbox) | From the host, register a custom message (for example, RegisterWindowMessage("HARD_IPC_TEST")) and send it to the sandbox window. | Pass: Delivery fails or is ignored; sandbox does not act on host message. Audit: action: deny, ipc.channel: "windowMessage", name: "HARD_IPC_TEST". |
| HARD-IPC-03 | COM/OLE/ActiveX automation (host→sandbox) | Start any COM LocalServer in the sandbox (for example, an application exposing automation). On the host, attempt to bind via GetActiveObject/CoGetObject and invoke an automation method. | Pass: Binding fails or calls are denied; no cross-boundary control. Audit: action: deny, reason: crossBoundaryIPC, ipc.channel: "com", include progId/clsid when available. |
| HARD-IPC-04 | Shared memory (file mappings) | In the sandbox, create a named mapping Global\\HARD_IPC_TEST. From the host, attempt to open/read/write the same mapping (and vice versa). | Pass: Open fails or content is not shared across boundary. Audit: action: deny, ipc.channel: "sharedMemory", name: "Global\\HARD_IPC_TEST". |
| HARD-IPC-05 | Mailslots | In the sandbox, create \\.\\mailslot\\HARD_IPC_TEST. From the host, attempt to write to that mailslot (and vice versa). | Pass: Write fails or is not delivered across boundary. Audit: action: deny, ipc.channel: "mailslot", name: "HARD_IPC_TEST". |
| HARD-IPC-06 | Local RPC endpoints (LRPC/ALPC) | In the sandbox, expose an RPC endpoint (for example, ncalrpc:[HARD_IPC_TEST]). From the host, attempt to bind and call using a generic RPC client. | Pass: Bind/call fails or is unreachable. Audit: action: deny, reason: crossBoundaryIPC, ipc.channel: "rpc", endpoint: "HARD_IPC_TEST". |
| HARD-IPC-07 | Atom tables | In the sandbox, create an atom HARD_IPC_TEST using GlobalAddAtom. From the host, attempt GlobalFindAtom/delete (and reverse). | Pass: Atom not visible across boundary or operations denied. Audit: action: deny or outcome: notFound, ipc.channel: "atomTable", name: "HARD_IPC_TEST". |
| HARD-IPC-08 | Named pipes | In the sandbox, create a named pipe \\.\\pipe\\HARD_IPC_TEST. From the host, attempt to connect/read/write (and vice versa). | Pass: Connection/read/write fails across the boundary. Audit: action: deny, reason: crossBoundaryIPC, ipc.channel: "namedPipe", name: "HARD_IPC_TEST". |
Evidence Requirements
- Golden fields:
category,action,rule.id,integrity.hash. - Recommended IPC fields:
ipc.channel(wmCopyData|windowMessage|com|sharedMemory|mailslot|rpc|atomTable|namedPipe),name/endpointwhen applicable,reason(for example,crossBoundaryIPC).
Troubleshooting
- Verify the target process/window truly runs inside the sandbox and the sender runs on the host (or reverse for negative control).
- Ensure policy enforces deny-by-default for cross-boundary IPC; some channels may be allowed by explicit policy in specialized deployments.
- For COM/OLE, confirm the server actually registers in the sandbox (ROT) before attempting host automation.
Known Limitations & Negative Space
- This suite focuses on local IPC isolation. It does not cover browser-specific DDE extensions or application-specific plug-in bridges.
- Kernel-side covert channels and timing channels are out of scope for these procedures.
