Skip to content

Visual Studio

Validate Visual Studio (Devenv) behaviors under the Secure Sandbox.

Objectives

  • Enforce network controls for NuGet and other extensions.
  • Verify debugger isolation.
  • Prevent data exfiltration via clipboard and drag-drop.
  • Ensure file system writes (build artifacts) are contained.

Preconditions

  • Windows target with Turbo Launcher and Secure Sandbox.
  • Visual Studio installed.

Controls Under Test

  • runtime.networking.egressDefaultAction.
  • runtime.files.contexts.
  • runtime.dataMotion.rules[] with channel: "clipboard"|"dragDrop".
  • Process isolation settings.

Test Scenarios

IDCanonical IDScenarioProcedureExpected Outcome
SCEN-APP-VISUAL-STUDIO-01NET-EGRESS-01NuGet RestoreManage NuGet packages.Traffic traverses proxy; blocked if package source not allowlisted.
SCEN-APP-VISUAL-STUDIO-02HARD-PROCESS-02Debugger AttachAttempt to attach debugger to host process.Isolation: Cannot see or attach to host processes.
SCEN-APP-VISUAL-STUDIO-03HARD-HOST-03Build ArtifactsRun a build generating binaries.Artifacts written to sandbox/overlay; not visible on host unless path mapped.
SCEN-APP-VISUAL-STUDIO-04DM-CLIP-01Clipboard OutboundCopy code; paste to host.Denied/processed per policy.
SCEN-APP-VISUAL-STUDIO-05DM-DRAG-01Drag-Drop OutboundDrag file to host.Blocked per policy.

Evidence Requirements

  • network events: destination, action.
  • fileOp events: write attempts.
  • dataMotion events: channel, action for clipboard/dragDrop.
  • process events.